Edit tour

Windows Analysis Report
WmtuqNHPM2.exe

Overview

General Information

Sample Name:	WmtuqNHPM2.exe
Analysis ID:	798888
MD5:	bbe4ba566d229a405da3af72193d297f
SHA1:	ffb73821d698bc2e32f1a32c7adf95e66520c7a8
SHA256:	aeb8e080b996a75f85bb82e2e7a42d0302735713f34fb95fff1bfb97a030e107
Tags:	exeNanoCoreRAT
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Detected Nanocore Rat

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Costura Assembly Loader

Encrypted powershell cmdline option found

Drops executable to a common third party application directory

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

.NET source code contains very large array initializations

Creates an undocumented autostart registry key

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Binary contains a suspicious time stamp

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

WmtuqNHPM2.exe (PID: 4748 cmdline: C:\Users\user\Desktop\WmtuqNHPM2.exe MD5: BBE4BA566D229A405DA3AF72193D297F)

powershell.exe (PID: 1224 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 1312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WmtuqNHPM2.exe (PID: 1804 cmdline: C:\Users\user\Desktop\WmtuqNHPM2.exe MD5: BBE4BA566D229A405DA3AF72193D297F)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "19b525d2-02f6-47c5-b606-1d038212", "Group": "Set", "Domain1": "rcontrol4sec.ddnsgeek.com", "Domain2": "127.0.0.1", "Port": 5080, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.573280284.0000000003BE1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x27b0b:$a1: NanoCore.ClientPluginHost 0x27ae2:$a2: NanoCore.ClientPlugin 0x2cb36:$b7: LogClientException 0x27af8:$b9: IClientLoggingHost
00000003.00000002.576770822.0000000005380000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
00000003.00000002.576770822.0000000005380000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
00000003.00000002.576770822.0000000005380000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork 0x8b95:$i5: IClientDataHost 0x8bbf:$i6: IClientLoggingHost 0x8bd2:$i7: IClientNetworkHost 0x8be5:$i9: IClientNameObjectCollection 0x8902:$s1: ClientPlugin 0x8b88:$s1: ClientPlugin
00000003.00000002.576770822.0000000005380000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x8bbf:$b9: IClientLoggingHost
00000003.00000002.576971415.00000000053B0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000003.00000002.576971415.00000000053B0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000003.00000002.576971415.00000000053B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000002.576971415.00000000053B0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
00000003.00000002.576971415.00000000053B0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
00000003.00000002.579066865.0000000006D40000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x13a8:$x1: NanoCore.ClientPluginHost
00000003.00000002.579066865.0000000006D40000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
00000003.00000002.579066865.0000000006D40000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x13f2:$x2: NanoCore.ClientPlugin 0x13a8:$x3: NanoCore.ClientPluginHost 0x1408:$i3: IClientNetwork 0x13c2:$i6: IClientLoggingHost 0x1185:$s1: ClientPlugin 0x13fb:$s1: ClientPlugin
00000003.00000002.579066865.0000000006D40000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x13a8:$a1: NanoCore.ClientPluginHost 0x13f2:$a2: NanoCore.ClientPlugin 0x13c2:$b9: IClientLoggingHost
00000003.00000002.579753153.0000000006DF0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
00000003.00000002.579753153.0000000006DF0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
00000003.00000002.579753153.0000000006DF0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5fc9:$x2: NanoCore.ClientPlugin 0x5fee:$x3: NanoCore.ClientPluginHost 0x5fba:$i3: IClientNetwork 0x5fdf:$i4: IClientAppHost 0x6008:$i5: IClientDataHost 0x6018:$i6: IClientLoggingHost 0x602b:$i7: IClientNetworkHost 0x603e:$i8: IClientUIHost 0x604c:$i9: IClientNameObjectCollection 0x5d70:$s1: ClientPlugin 0x5fd2:$s1: ClientPlugin
00000003.00000002.579753153.0000000006DF0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5fee:$a1: NanoCore.ClientPluginHost 0x5fc9:$a2: NanoCore.ClientPlugin 0x5fdf:$b4: IClientAppHost 0xa4ce:$b7: LogClientException 0x6018:$b9: IClientLoggingHost
00000003.00000002.573280284.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x5598f:$a: NanoCore 0x55a79:$a: NanoCore 0x568f0:$a: NanoCore 0x5da27:$a: NanoCore 0x5da71:$a: NanoCore 0x5dc5b:$a: NanoCore 0x654d7:$a: NanoCore 0x65538:$a: NanoCore 0x6557b:$a: NanoCore 0x655bb:$a: NanoCore 0x657f7:$a: NanoCore 0x65897:$a: NanoCore 0x6606f:$a: NanoCore 0x66662:$a: NanoCore 0x667b3:$a: NanoCore 0x6760d:$a: NanoCore 0x67874:$a: NanoCore 0x67889:$a: NanoCore 0x678a8:$a: NanoCore 0x707ab:$a: NanoCore 0x707d4:$a: NanoCore
00000003.00000002.573280284.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5598f:$a1: NanoCore.ClientPluginHost 0x5da27:$a1: NanoCore.ClientPluginHost 0x657f7:$a1: NanoCore.ClientPluginHost 0x707d4:$a1: NanoCore.ClientPluginHost 0x7c576:$a1: NanoCore.ClientPluginHost 0xa147a:$a1: NanoCore.ClientPluginHost 0xb08ba:$a1: NanoCore.ClientPluginHost 0x55a79:$a2: NanoCore.ClientPlugin 0x5da71:$a2: NanoCore.ClientPlugin 0x65897:$a2: NanoCore.ClientPlugin 0x707ab:$a2: NanoCore.ClientPlugin 0x7c54d:$a2: NanoCore.ClientPlugin 0xa1451:$a2: NanoCore.ClientPlugin 0xb0895:$a2: NanoCore.ClientPlugin 0xb08ab:$b4: IClientAppHost 0x572d2:$b7: LogClientException 0x665ed:$b7: LogClientException 0x7e8bf:$b7: LogClientException 0xa64a5:$b7: LogClientException 0xb4d9a:$b7: LogClientException 0x568e5:$b8: PipeExists
00000003.00000002.577664511.0000000005640000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
00000003.00000002.577664511.0000000005640000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
00000003.00000002.577664511.0000000005640000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x227f:$x2: NanoCore.ClientPlugin 0x2205:$x3: NanoCore.ClientPluginHost 0x2295:$i3: IClientNetwork 0x221f:$i6: IClientLoggingHost 0x223e:$i7: IClientNetworkHost 0x1f9f:$s1: ClientPlugin 0x2288:$s1: ClientPlugin
00000003.00000002.577664511.0000000005640000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2205:$a1: NanoCore.ClientPluginHost 0x227f:$a2: NanoCore.ClientPlugin 0x29a0:$b7: LogClientException 0x221f:$b9: IClientLoggingHost
00000000.00000002.361584928.000000000420D000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x121c4d:$x1: NanoCore.ClientPluginHost 0x121c8a:$x2: IClientNetworkHost 0x1257bd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.361584928.000000000420D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.361584928.000000000420D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.361584928.000000000420D000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1219b5:$a: NanoCore 0x1219c5:$a: NanoCore 0x121bf9:$a: NanoCore 0x121c0d:$a: NanoCore 0x121c4d:$a: NanoCore 0x121a14:$b: ClientPlugin 0x121c16:$b: ClientPlugin 0x121c56:$b: ClientPlugin 0x121b3b:$c: ProjectData 0x122542:$d: DESCrypto 0x129f0e:$e: KeepAlive 0x127efc:$g: LogClientMessage 0x1240f7:$i: get_Connected 0x122878:$j: #=q 0x1228a8:$j: #=q 0x1228c4:$j: #=q 0x1228f4:$j: #=q 0x122910:$j: #=q 0x12292c:$j: #=q 0x12295c:$j: #=q 0x122978:$j: #=q
00000000.00000002.361584928.000000000420D000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x121c4d:$a1: NanoCore.ClientPluginHost 0x121c0d:$a2: NanoCore.ClientPlugin 0x123b66:$b1: get_BuilderSettings 0x121a69:$b2: ClientLoaderForm.resources 0x123286:$b3: PluginCommand 0x121c3e:$b4: IClientAppHost 0x12c0be:$b5: GetBlockHash 0x1241be:$b6: AddHostEntry 0x127eb1:$b7: LogClientException 0x12412b:$b8: PipeExists 0x121c77:$b9: IClientLoggingHost
00000003.00000002.579159635.0000000006D60000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1646:$x1: NanoCore.ClientPluginHost
00000003.00000002.579159635.0000000006D60000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x1646:$x2: NanoCore.ClientPluginHost 0x1724:$s4: PipeCreated 0x1660:$s5: IClientLoggingHost
00000003.00000002.579159635.0000000006D60000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1690:$x2: NanoCore.ClientPlugin 0x1646:$x3: NanoCore.ClientPluginHost 0x16a6:$i3: IClientNetwork 0x1660:$i6: IClientLoggingHost 0x13df:$s1: ClientPlugin 0x1699:$s1: ClientPlugin
00000003.00000002.579159635.0000000006D60000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1646:$a1: NanoCore.ClientPluginHost 0x1690:$a2: NanoCore.ClientPlugin 0x1660:$b9: IClientLoggingHost
00000000.00000002.373170392.0000000005690000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000003.00000002.579551612.0000000006DC0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
00000003.00000002.579551612.0000000006DC0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
00000003.00000002.579551612.0000000006DC0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1f1b2:$x2: NanoCore.ClientPlugin 0x1f1db:$x3: NanoCore.ClientPluginHost 0x1f1a3:$i3: IClientNetwork 0x1f1c8:$i6: IClientLoggingHost 0x1f1f5:$i7: IClientNetworkHost 0x1f208:$i8: IClientUIHost 0x1ef12:$s1: ClientPlugin 0x1f1bb:$s1: ClientPlugin
00000003.00000002.579551612.0000000006DC0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1f1db:$a1: NanoCore.ClientPluginHost 0x1f1b2:$a2: NanoCore.ClientPlugin 0x24206:$b7: LogClientException 0x1f1c8:$b9: IClientLoggingHost
00000003.00000002.573280284.0000000003EBA000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xbb97:$a: NanoCore 0xbbf8:$a: NanoCore 0xbc3b:$a: NanoCore 0xbc7b:$a: NanoCore 0xbeb7:$a: NanoCore 0xbf57:$a: NanoCore 0xc72f:$a: NanoCore 0xcd22:$a: NanoCore 0xce73:$a: NanoCore 0xdccd:$a: NanoCore 0xdf34:$a: NanoCore 0xdf49:$a: NanoCore 0xdf68:$a: NanoCore 0xbc0d:$b: ClientPlugin 0xbec0:$b: ClientPlugin 0xbf60:$b: ClientPlugin 0xc6fb:$c: ProjectData 0xc89c:$g: LogClientMessage 0xc86f:$i: get_Connected 0xc9b:$j: #=q 0xcb7:$j: #=q
00000003.00000002.573280284.0000000003EBA000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xbeb7:$a1: NanoCore.ClientPluginHost 0xbf57:$a2: NanoCore.ClientPlugin 0x3142:$b7: LogClientException 0xccad:$b7: LogClientException 0xbed1:$b9: IClientLoggingHost
00000000.00000002.373707879.0000000005800000.00000004.08000000.00040000.00000000.sdmp	HKTL_NET_NAME_DotNetInject	Detects .NET red/black-team tools via name	Arnim Rupp	0x1a7393:$name: DotNetInject 0x19444e:$compile: AssemblyTitle
00000000.00000002.360372340.0000000003223000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x112521:$x1: NanoCore.ClientPluginHost 0x11255e:$x2: IClientNetworkHost 0x116091:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.360372340.0000000003223000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.360372340.0000000003223000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x112289:$a: NanoCore 0x112299:$a: NanoCore 0x1124cd:$a: NanoCore 0x1124e1:$a: NanoCore 0x112521:$a: NanoCore 0x1122e8:$b: ClientPlugin 0x1124ea:$b: ClientPlugin 0x11252a:$b: ClientPlugin 0x11240f:$c: ProjectData 0x112e16:$d: DESCrypto 0x1149cb:$i: get_Connected 0x11314c:$j: #=q 0x11317c:$j: #=q 0x113198:$j: #=q 0x1131c8:$j: #=q 0x1131e4:$j: #=q 0x113200:$j: #=q 0x113230:$j: #=q 0x11324c:$j: #=q 0x113290:$j: #=q 0x1132ac:$j: #=q
00000000.00000002.360372340.0000000003223000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x112521:$a1: NanoCore.ClientPluginHost 0x1124e1:$a2: NanoCore.ClientPlugin 0x11443a:$b1: get_BuilderSettings 0x11233d:$b2: ClientLoaderForm.resources 0x113b5a:$b3: PluginCommand 0x112512:$b4: IClientAppHost 0x114a92:$b6: AddHostEntry 0x1149ff:$b8: PipeExists 0x11254b:$b9: IClientLoggingHost
00000003.00000002.577604617.0000000005630000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
00000003.00000002.577604617.0000000005630000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
00000003.00000002.577604617.0000000005630000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b87:$x2: NanoCore.ClientPlugin 0x5b0b:$x3: NanoCore.ClientPluginHost 0x5b9d:$i3: IClientNetwork 0x5b25:$i6: IClientLoggingHost 0x5b44:$i7: IClientNetworkHost 0x57fb:$s1: ClientPlugin 0x5b90:$s1: ClientPlugin 0x6cf4:$s3: IPAddress
00000003.00000002.577604617.0000000005630000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b0b:$a1: NanoCore.ClientPluginHost 0x5b87:$a2: NanoCore.ClientPlugin 0x6710:$b7: LogClientException 0x5b25:$b9: IClientLoggingHost
00000003.00000002.567097554.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1b4e7:$a: NanoCore 0x1b50d:$a: NanoCore 0x1b569:$a: NanoCore 0x283cf:$a: NanoCore 0x28428:$a: NanoCore 0x2845b:$a: NanoCore 0x28687:$a: NanoCore 0x28703:$a: NanoCore 0x28d1c:$a: NanoCore 0x28e65:$a: NanoCore 0x29339:$a: NanoCore 0x29620:$a: NanoCore 0x29637:$a: NanoCore 0x324e7:$a: NanoCore 0x32563:$a: NanoCore 0x34e46:$a: NanoCore 0x3a41d:$a: NanoCore 0x3a497:$a: NanoCore 0x40400:$a: NanoCore 0x4044a:$a: NanoCore 0x410a4:$a: NanoCore
00000003.00000002.567097554.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1b50d:$a1: NanoCore.ClientPluginHost 0x28687:$a1: NanoCore.ClientPluginHost 0x324e7:$a1: NanoCore.ClientPluginHost 0x3a41d:$a1: NanoCore.ClientPluginHost 0x40400:$a1: NanoCore.ClientPluginHost 0x49e7b:$a1: NanoCore.ClientPluginHost 0x51f36:$a1: NanoCore.ClientPluginHost 0x59d17:$a1: NanoCore.ClientPluginHost 0x64d09:$a1: NanoCore.ClientPluginHost 0x70abf:$a1: NanoCore.ClientPluginHost 0x7c816:$a1: NanoCore.ClientPluginHost 0x1b4e7:$a2: NanoCore.ClientPlugin 0x28703:$a2: NanoCore.ClientPlugin 0x32563:$a2: NanoCore.ClientPlugin 0x3a497:$a2: NanoCore.ClientPlugin 0x4044a:$a2: NanoCore.ClientPlugin 0x49f65:$a2: NanoCore.ClientPlugin 0x51f80:$a2: NanoCore.ClientPlugin 0x59db7:$a2: NanoCore.ClientPlugin 0x64ce0:$a2: NanoCore.ClientPlugin 0x70a96:$a2: NanoCore.ClientPlugin
00000003.00000002.579206321.0000000006D70000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
00000003.00000002.579206321.0000000006D70000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
00000003.00000002.579206321.0000000006D70000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3a8b:$x2: NanoCore.ClientPlugin 0x39eb:$x3: NanoCore.ClientPluginHost 0x3aa1:$i3: IClientNetwork 0x3a43:$i5: IClientDataHost 0x3a05:$i6: IClientLoggingHost 0x3a24:$i7: IClientNetworkHost 0x426c:$i9: IClientNameObjectCollection 0x3741:$s1: ClientPlugin 0x3a94:$s1: ClientPlugin 0x4680:$s2: EndPoint 0x4371:$s3: IPAddress 0x3c83:$s4: IPEndPoint 0x43a3:$s7: get_Connected
00000003.00000002.579206321.0000000006D70000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x39eb:$a1: NanoCore.ClientPluginHost 0x3a8b:$a2: NanoCore.ClientPlugin 0x47e1:$b7: LogClientException 0x3a05:$b9: IClientLoggingHost
00000003.00000002.573280284.0000000003C31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000002.573280284.0000000003C31000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe711:$a1: NanoCore.ClientPluginHost 0x271d5:$a1: NanoCore.ClientPluginHost 0xe6dc:$a2: NanoCore.ClientPlugin 0x271a0:$a2: NanoCore.ClientPlugin 0x13657:$b1: get_BuilderSettings 0x2c11b:$b1: get_BuilderSettings 0x135c6:$b7: LogClientException 0x2c08a:$b7: LogClientException 0xe72b:$b9: IClientLoggingHost 0x271ef:$b9: IClientLoggingHost
00000003.00000002.576714825.0000000005370000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
00000003.00000002.576714825.0000000005370000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
00000003.00000002.576714825.0000000005370000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x4b87:$i3: IClientNetwork 0x4bac:$i4: IClientAppHost 0x4bd5:$i5: IClientDataHost 0x4be5:$i7: IClientNetworkHost 0x4bf8:$i9: IClientNameObjectCollection 0x4c1d:$i10: IClientReadOnlyNameObjectCollection 0x49ce:$s1: ClientPlugin 0x4b9f:$s1: ClientPlugin
00000003.00000002.576714825.0000000005370000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x4b96:$a2: NanoCore.ClientPlugin 0x8558:$b1: get_BuilderSettings 0x4bac:$b4: IClientAppHost
00000003.00000002.579100921.0000000006D50000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
00000003.00000002.579100921.0000000006D50000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
00000003.00000002.579100921.0000000006D50000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5ad5:$x2: NanoCore.ClientPlugin 0x59eb:$x3: NanoCore.ClientPluginHost 0x5aeb:$i3: IClientNetwork 0x5a24:$i5: IClientDataHost 0x5a05:$i6: IClientLoggingHost 0x5b48:$i7: IClientNetworkHost 0x5a43:$i8: IClientUIHost 0x6955:$i9: IClientNameObjectCollection 0x54fc:$s1: ClientPlugin 0x5ade:$s1: ClientPlugin 0x6971:$s6: get_ClientSettings
00000003.00000002.579100921.0000000006D50000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x59eb:$a1: NanoCore.ClientPluginHost 0x5ad5:$a2: NanoCore.ClientPlugin 0x732e:$b7: LogClientException 0x6941:$b8: PipeExists 0x5a05:$b9: IClientLoggingHost
00000003.00000002.576657661.00000000051E0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000003.00000002.576657661.00000000051E0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000003.00000002.576657661.00000000051E0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
00000003.00000002.576657661.00000000051E0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
00000003.00000002.579257158.0000000006D80000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
00000003.00000002.579257158.0000000006D80000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
00000003.00000002.579257158.0000000006D80000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b70:$x2: NanoCore.ClientPlugin 0x5b99:$x3: NanoCore.ClientPluginHost 0x5b61:$i3: IClientNetwork 0x5b86:$i6: IClientLoggingHost 0x5bb3:$i7: IClientNetworkHost 0x59d4:$s1: ClientPlugin 0x5b79:$s1: ClientPlugin 0x5e84:$s2: EndPoint 0x5e8d:$s3: IPAddress 0x5e97:$s4: IPEndPoint
00000003.00000002.579257158.0000000006D80000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b99:$a1: NanoCore.ClientPluginHost 0x5b70:$a2: NanoCore.ClientPlugin 0x5b86:$b9: IClientLoggingHost
00000003.00000002.577562971.0000000005620000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
00000003.00000002.577562971.0000000005620000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
00000003.00000002.577562971.0000000005620000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0x1775:$i3: IClientNetwork 0x16fd:$i6: IClientLoggingHost 0x171c:$i7: IClientNetworkHost 0x1491:$s1: ClientPlugin 0x1768:$s1: ClientPlugin
00000003.00000002.577562971.0000000005620000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x16e3:$a1: NanoCore.ClientPluginHost 0x175f:$a2: NanoCore.ClientPlugin 0x16fd:$b9: IClientLoggingHost
00000000.00000002.361584928.0000000004390000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x37825:$x1: NanoCore.ClientPluginHost 0x5f845:$x1: NanoCore.ClientPluginHost 0x37862:$x2: IClientNetworkHost 0x5f882:$x2: IClientNetworkHost 0x3b395:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x633b5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.361584928.0000000004390000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.361584928.0000000004390000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3758d:$a: NanoCore 0x3759d:$a: NanoCore 0x377d1:$a: NanoCore 0x377e5:$a: NanoCore 0x37825:$a: NanoCore 0x5f5ad:$a: NanoCore 0x5f5bd:$a: NanoCore 0x5f7f1:$a: NanoCore 0x5f805:$a: NanoCore 0x5f845:$a: NanoCore 0x375ec:$b: ClientPlugin 0x377ee:$b: ClientPlugin 0x3782e:$b: ClientPlugin 0x5f60c:$b: ClientPlugin 0x5f80e:$b: ClientPlugin 0x5f84e:$b: ClientPlugin 0x37713:$c: ProjectData 0x5f733:$c: ProjectData 0x3811a:$d: DESCrypto 0x6013a:$d: DESCrypto 0x3fae6:$e: KeepAlive
00000000.00000002.361584928.0000000004390000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x37825:$a1: NanoCore.ClientPluginHost 0x5f845:$a1: NanoCore.ClientPluginHost 0x377e5:$a2: NanoCore.ClientPlugin 0x5f805:$a2: NanoCore.ClientPlugin 0x3973e:$b1: get_BuilderSettings 0x6175e:$b1: get_BuilderSettings 0x37641:$b2: ClientLoaderForm.resources 0x5f661:$b2: ClientLoaderForm.resources 0x38e5e:$b3: PluginCommand 0x60e7e:$b3: PluginCommand 0x37816:$b4: IClientAppHost 0x5f836:$b4: IClientAppHost 0x41c96:$b5: GetBlockHash 0x69cb6:$b5: GetBlockHash 0x39d96:$b6: AddHostEntry 0x61db6:$b6: AddHostEntry 0x3da89:$b7: LogClientException 0x65aa9:$b7: LogClientException 0x39d03:$b8: PipeExists 0x61d23:$b8: PipeExists 0x3784f:$b9: IClientLoggingHost
00000003.00000002.563508459.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000003.00000002.563508459.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000002.563508459.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000003.00000002.563508459.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xff8d:$a1: NanoCore.ClientPluginHost 0xff4d:$a2: NanoCore.ClientPlugin 0x11ea6:$b1: get_BuilderSettings 0xfda9:$b2: ClientLoaderForm.resources 0x115c6:$b3: PluginCommand 0xff7e:$b4: IClientAppHost 0x1a3fe:$b5: GetBlockHash 0x124fe:$b6: AddHostEntry 0x161f1:$b7: LogClientException 0x1246b:$b8: PipeExists 0xffb7:$b9: IClientLoggingHost
00000003.00000002.579396651.0000000006DA0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
00000003.00000002.579396651.0000000006DA0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
00000003.00000002.579396651.0000000006DA0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x34e2:$x2: NanoCore.ClientPlugin 0x350b:$x3: NanoCore.ClientPluginHost 0x34d3:$i3: IClientNetwork 0x34f8:$i6: IClientLoggingHost 0x3525:$i7: IClientNetworkHost 0x334e:$s1: ClientPlugin 0x34eb:$s1: ClientPlugin
00000003.00000002.579396651.0000000006DA0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x350b:$a1: NanoCore.ClientPluginHost 0x34e2:$a2: NanoCore.ClientPlugin 0x5854:$b7: LogClientException 0x34f8:$b9: IClientLoggingHost
00000000.00000002.361584928.000000000442F000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x10865:$x1: NanoCore.ClientPluginHost 0x108a2:$x2: IClientNetworkHost 0x143d5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.361584928.000000000442F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.361584928.000000000442F000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x105cd:$a: NanoCore 0x105dd:$a: NanoCore 0x10811:$a: NanoCore 0x10825:$a: NanoCore 0x10865:$a: NanoCore 0x1062c:$b: ClientPlugin 0x1082e:$b: ClientPlugin 0x1086e:$b: ClientPlugin 0x10753:$c: ProjectData 0x1115a:$d: DESCrypto 0x18b26:$e: KeepAlive 0x16b14:$g: LogClientMessage 0x12d0f:$i: get_Connected 0x11490:$j: #=q 0x114c0:$j: #=q 0x114dc:$j: #=q 0x1150c:$j: #=q 0x11528:$j: #=q 0x11544:$j: #=q 0x11574:$j: #=q 0x11590:$j: #=q
00000000.00000002.361584928.000000000442F000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x10865:$a1: NanoCore.ClientPluginHost 0x10825:$a2: NanoCore.ClientPlugin 0x1277e:$b1: get_BuilderSettings 0x10681:$b2: ClientLoaderForm.resources 0x11e9e:$b3: PluginCommand 0x10856:$b4: IClientAppHost 0x1acd6:$b5: GetBlockHash 0x12dd6:$b6: AddHostEntry 0x16ac9:$b7: LogClientException 0x12d43:$b8: PipeExists 0x1088f:$b9: IClientLoggingHost
00000003.00000002.567097554.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000002.567097554.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x32cc7:$a: NanoCore 0x32d20:$a: NanoCore 0x32d5d:$a: NanoCore 0x32dd6:$a: NanoCore 0x46096:$a: NanoCore 0x460bb:$a: NanoCore 0x46114:$a: NanoCore 0x32d29:$b: ClientPlugin 0x32d66:$b: ClientPlugin 0x33664:$b: ClientPlugin 0x33671:$b: ClientPlugin 0x45e8d:$b: ClientPlugin 0x45e9e:$b: ClientPlugin 0x45ece:$b: ClientPlugin 0x4609f:$b: ClientPlugin 0x460c4:$b: ClientPlugin 0x45fd0:$c: ProjectData 0x331b1:$g: LogClientMessage 0x33131:$i: get_Connected 0x466da:$j: #=q 0x466f6:$j: #=q
00000003.00000002.567097554.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x32d5d:$a1: NanoCore.ClientPluginHost 0x460bb:$a1: NanoCore.ClientPluginHost 0x32d20:$a2: NanoCore.ClientPlugin 0x46096:$a2: NanoCore.ClientPlugin 0x330f4:$b1: get_BuilderSettings 0x49a58:$b1: get_BuilderSettings 0x32dab:$b4: IClientAppHost 0x460ac:$b4: IClientAppHost 0x33165:$b6: AddHostEntry 0x331d4:$b7: LogClientException 0x33149:$b8: PipeExists 0x32d98:$b9: IClientLoggingHost
Process Memory Space: WmtuqNHPM2.exe PID: 4748	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x81286:$x1: NanoCore.ClientPluginHost 0x8bd9d:$x1: NanoCore.ClientPluginHost 0x11da0f:$x1: NanoCore.ClientPluginHost 0x812c3:$x2: IClientNetworkHost 0x8bdda:$x2: IClientNetworkHost 0x11da4c:$x2: IClientNetworkHost 0x84da0:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x88b7b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x8f8cb:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x9a951:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x12153d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x12c5c3:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1379ff:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: WmtuqNHPM2.exe PID: 4748	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: WmtuqNHPM2.exe PID: 4748	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: WmtuqNHPM2.exe PID: 4748	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x80f5c:$a: NanoCore 0x80f6c:$a: NanoCore 0x81022:$a: NanoCore 0x81031:$a: NanoCore 0x81232:$a: NanoCore 0x81246:$a: NanoCore 0x81286:$a: NanoCore 0x851e5:$a: NanoCore 0x851f7:$a: NanoCore 0x85233:$a: NanoCore 0x8ba6a:$a: NanoCore 0x8ba7a:$a: NanoCore 0x8bb39:$a: NanoCore 0x8bb48:$a: NanoCore 0x8bd49:$a: NanoCore 0x8bd5d:$a: NanoCore 0x8bd9d:$a: NanoCore 0x96fbb:$a: NanoCore 0x96fcd:$a: NanoCore 0x97009:$a: NanoCore 0x11d6dc:$a: NanoCore
Process Memory Space: WmtuqNHPM2.exe PID: 4748	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x81286:$a1: NanoCore.ClientPluginHost 0x8bd9d:$a1: NanoCore.ClientPluginHost 0x11da0f:$a1: NanoCore.ClientPluginHost 0x81246:$a2: NanoCore.ClientPlugin 0x8bd5d:$a2: NanoCore.ClientPlugin 0x11d9cf:$a2: NanoCore.ClientPlugin 0x83150:$b1: get_BuilderSettings 0x8dc74:$b1: get_BuilderSettings 0x11f8e6:$b1: get_BuilderSettings 0x81007:$b2: ClientLoaderForm.resources 0x8bb1e:$b2: ClientLoaderForm.resources 0x11d790:$b2: ClientLoaderForm.resources 0x82870:$b3: PluginCommand 0x8d394:$b3: PluginCommand 0x11f006:$b3: PluginCommand 0x81277:$b4: IClientAppHost 0x8bd8e:$b4: IClientAppHost 0x11da00:$b4: IClientAppHost 0x961c7:$b5: GetBlockHash 0x127e39:$b5: GetBlockHash 0x837a1:$b6: AddHostEntry
Process Memory Space: WmtuqNHPM2.exe PID: 1804	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x23835:$x1: NanoCore.ClientPluginHost 0x3d836:$x1: NanoCore.ClientPluginHost 0x79417:$x1: NanoCore.ClientPluginHost 0x82e6a:$x1: NanoCore.ClientPluginHost 0x9e3e8:$x1: NanoCore.ClientPluginHost 0xd1f7b:$x1: NanoCore.ClientPluginHost 0xee476:$x1: NanoCore.ClientPluginHost 0xff745:$x1: NanoCore.ClientPluginHost 0x123f2c:$x1: NanoCore.ClientPluginHost 0x145720:$x1: NanoCore.ClientPluginHost 0x163e22:$x1: NanoCore.ClientPluginHost 0x16ab0d:$x1: NanoCore.ClientPluginHost 0x183e32:$x1: NanoCore.ClientPluginHost 0x19b8ab:$x1: NanoCore.ClientPluginHost 0x1c6ad6:$x1: NanoCore.ClientPluginHost 0x2384f:$x2: IClientNetworkHost 0x3d98e:$x2: IClientNetworkHost 0x82ea7:$x2: IClientNetworkHost 0x9e415:$x2: IClientNetworkHost 0xee490:$x2: IClientNetworkHost 0xff77e:$x2: IClientNetworkHost
Process Memory Space: WmtuqNHPM2.exe PID: 1804	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: WmtuqNHPM2.exe PID: 1804	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x237f4:$a: NanoCore 0x2380c:$a: NanoCore 0x23835:$a: NanoCore 0x2862d:$a: NanoCore 0x28643:$a: NanoCore 0x2866a:$a: NanoCore 0x3d836:$a: NanoCore 0x3d920:$a: NanoCore 0x3e752:$a: NanoCore 0x3f8fb:$a: NanoCore 0x3f9d6:$a: NanoCore 0x40748:$a: NanoCore 0x41f3a:$a: NanoCore 0x4227a:$a: NanoCore 0x422c0:$a: NanoCore 0x42487:$a: NanoCore 0x42f1d:$a: NanoCore 0x42f35:$a: NanoCore 0x42f67:$a: NanoCore 0x42f99:$a: NanoCore 0x43636:$a: NanoCore
Process Memory Space: WmtuqNHPM2.exe PID: 1804	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x23835:$a1: NanoCore.ClientPluginHost 0x3d836:$a1: NanoCore.ClientPluginHost 0x79417:$a1: NanoCore.ClientPluginHost 0x82e6a:$a1: NanoCore.ClientPluginHost 0x9e3e8:$a1: NanoCore.ClientPluginHost 0xd1f7b:$a1: NanoCore.ClientPluginHost 0xee476:$a1: NanoCore.ClientPluginHost 0xff745:$a1: NanoCore.ClientPluginHost 0x123f2c:$a1: NanoCore.ClientPluginHost 0x145720:$a1: NanoCore.ClientPluginHost 0x163e22:$a1: NanoCore.ClientPluginHost 0x16ab0d:$a1: NanoCore.ClientPluginHost 0x183e32:$a1: NanoCore.ClientPluginHost 0x19b8ab:$a1: NanoCore.ClientPluginHost 0x1c6ad6:$a1: NanoCore.ClientPluginHost 0x2380c:$a2: NanoCore.ClientPlugin 0x3d920:$a2: NanoCore.ClientPlugin 0x79461:$a2: NanoCore.ClientPlugin 0x82e45:$a2: NanoCore.ClientPlugin 0x9e3c2:$a2: NanoCore.ClientPlugin 0xd1fc5:$a2: NanoCore.ClientPlugin
Click to see the 100 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.WmtuqNHPM2.exe.6d80000.29.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.6d80000.29.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.6d80000.29.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b70:$x2: NanoCore.ClientPlugin 0x5b99:$x3: NanoCore.ClientPluginHost 0x5b61:$i3: IClientNetwork 0x5b86:$i6: IClientLoggingHost 0x5bb3:$i7: IClientNetworkHost 0x59d4:$s1: ClientPlugin 0x5b79:$s1: ClientPlugin 0x5e84:$s2: EndPoint 0x5e8d:$s3: IPAddress 0x5e97:$s4: IPEndPoint
3.2.WmtuqNHPM2.exe.6d80000.29.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b99:$a1: NanoCore.ClientPluginHost 0x5b70:$a2: NanoCore.ClientPlugin 0x5b86:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.5640000.24.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x605:$x1: NanoCore.ClientPluginHost 0x63e:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.5640000.24.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x605:$x2: NanoCore.ClientPluginHost 0x720:$s4: PipeCreated 0x61f:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.5640000.24.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x67f:$x2: NanoCore.ClientPlugin 0x605:$x3: NanoCore.ClientPluginHost 0x695:$i3: IClientNetwork 0x61f:$i6: IClientLoggingHost 0x63e:$i7: IClientNetworkHost 0x688:$s1: ClientPlugin
3.2.WmtuqNHPM2.exe.5640000.24.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x605:$a1: NanoCore.ClientPluginHost 0x67f:$a2: NanoCore.ClientPlugin 0xda0:$b7: LogClientException 0x61f:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.6d50000.26.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x3deb:$x1: NanoCore.ClientPluginHost 0x3f48:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.6d50000.26.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x3deb:$x2: NanoCore.ClientPluginHost 0x4d41:$s3: PipeExists 0x3fe1:$s4: PipeCreated 0x3e05:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.6d50000.26.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3ed5:$x2: NanoCore.ClientPlugin 0x3deb:$x3: NanoCore.ClientPluginHost 0x3eeb:$i3: IClientNetwork 0x3e24:$i5: IClientDataHost 0x3e05:$i6: IClientLoggingHost 0x3f48:$i7: IClientNetworkHost 0x3e43:$i8: IClientUIHost 0x4d55:$i9: IClientNameObjectCollection 0x38fc:$s1: ClientPlugin 0x3ede:$s1: ClientPlugin 0x4d71:$s6: get_ClientSettings
3.2.WmtuqNHPM2.exe.6d50000.26.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3deb:$a1: NanoCore.ClientPluginHost 0x3ed5:$a2: NanoCore.ClientPlugin 0x572e:$b7: LogClientException 0x4d41:$b8: PipeExists 0x3e05:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.6d70000.28.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.6d70000.28.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.6d70000.28.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1e8b:$x2: NanoCore.ClientPlugin 0x1deb:$x3: NanoCore.ClientPluginHost 0x1ea1:$i3: IClientNetwork 0x1e43:$i5: IClientDataHost 0x1e05:$i6: IClientLoggingHost 0x1e24:$i7: IClientNetworkHost 0x266c:$i9: IClientNameObjectCollection 0x1b41:$s1: ClientPlugin 0x1e94:$s1: ClientPlugin 0x2a80:$s2: EndPoint 0x2771:$s3: IPAddress 0x2083:$s4: IPEndPoint 0x27a3:$s7: get_Connected
3.2.WmtuqNHPM2.exe.6d70000.28.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1deb:$a1: NanoCore.ClientPluginHost 0x1e8b:$a2: NanoCore.ClientPlugin 0x2be1:$b7: LogClientException 0x1e05:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.6d70000.28.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.6d70000.28.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.6d70000.28.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3a8b:$x2: NanoCore.ClientPlugin 0x39eb:$x3: NanoCore.ClientPluginHost 0x3aa1:$i3: IClientNetwork 0x3a43:$i5: IClientDataHost 0x3a05:$i6: IClientLoggingHost 0x3a24:$i7: IClientNetworkHost 0x426c:$i9: IClientNameObjectCollection 0x3741:$s1: ClientPlugin 0x3a94:$s1: ClientPlugin 0x4680:$s2: EndPoint 0x4371:$s3: IPAddress 0x3c83:$s4: IPEndPoint 0x43a3:$s7: get_Connected
3.2.WmtuqNHPM2.exe.6d70000.28.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x39eb:$a1: NanoCore.ClientPluginHost 0x3a8b:$a2: NanoCore.ClientPlugin 0x47e1:$b7: LogClientException 0x3a05:$b9: IClientLoggingHost
0.2.WmtuqNHPM2.exe.442f6d8.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.WmtuqNHPM2.exe.442f6d8.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.WmtuqNHPM2.exe.442f6d8.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.WmtuqNHPM2.exe.442f6d8.6.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.WmtuqNHPM2.exe.442f6d8.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.WmtuqNHPM2.exe.442f6d8.6.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.5630000.23.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x3f0b:$x1: NanoCore.ClientPluginHost 0x3f44:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.5630000.23.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x3f0b:$x2: NanoCore.ClientPluginHost 0x400f:$s4: PipeCreated 0x3f25:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.5630000.23.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3f87:$x2: NanoCore.ClientPlugin 0x3f0b:$x3: NanoCore.ClientPluginHost 0x3f9d:$i3: IClientNetwork 0x3f25:$i6: IClientLoggingHost 0x3f44:$i7: IClientNetworkHost 0x3bfb:$s1: ClientPlugin 0x3f90:$s1: ClientPlugin 0x50f4:$s3: IPAddress
3.2.WmtuqNHPM2.exe.5630000.23.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3f0b:$a1: NanoCore.ClientPluginHost 0x3f87:$a2: NanoCore.ClientPlugin 0x4b10:$b7: LogClientException 0x3f25:$b9: IClientLoggingHost
0.2.WmtuqNHPM2.exe.43b7698.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.WmtuqNHPM2.exe.43b7698.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.WmtuqNHPM2.exe.43b7698.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.WmtuqNHPM2.exe.43b7698.3.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.WmtuqNHPM2.exe.43b7698.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.WmtuqNHPM2.exe.43b7698.3.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.6dce8a4.31.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.6dce8a4.31.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x10937:$x2: NanoCore.ClientPluginHost 0x13c74:$s4: PipeCreated 0x10924:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.6dce8a4.31.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1090e:$x2: NanoCore.ClientPlugin 0x10937:$x3: NanoCore.ClientPluginHost 0x108ff:$i3: IClientNetwork 0x10924:$i6: IClientLoggingHost 0x10951:$i7: IClientNetworkHost 0x10964:$i8: IClientUIHost 0x1066e:$s1: ClientPlugin 0x10917:$s1: ClientPlugin
3.2.WmtuqNHPM2.exe.6dce8a4.31.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x10937:$a1: NanoCore.ClientPluginHost 0x1090e:$a2: NanoCore.ClientPlugin 0x15962:$b7: LogClientException 0x10924:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.6da0000.30.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.6da0000.30.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.6da0000.30.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x16e2:$x2: NanoCore.ClientPlugin 0x170b:$x3: NanoCore.ClientPluginHost 0x16d3:$i3: IClientNetwork 0x16f8:$i6: IClientLoggingHost 0x1725:$i7: IClientNetworkHost 0x154e:$s1: ClientPlugin 0x16eb:$s1: ClientPlugin
3.2.WmtuqNHPM2.exe.6da0000.30.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x170b:$a1: NanoCore.ClientPluginHost 0x16e2:$a2: NanoCore.ClientPlugin 0x3a54:$b7: LogClientException 0x16f8:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.6dc4c9f.32.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.6dc4c9f.32.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x1a53c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.6dc4c9f.32.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1a513:$x2: NanoCore.ClientPlugin 0x1a53c:$x3: NanoCore.ClientPluginHost 0x1a504:$i3: IClientNetwork 0x1a529:$i6: IClientLoggingHost 0x1a556:$i7: IClientNetworkHost 0x1a569:$i8: IClientUIHost 0x1a273:$s1: ClientPlugin 0x1a51c:$s1: ClientPlugin
3.2.WmtuqNHPM2.exe.6dc4c9f.32.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1a53c:$a1: NanoCore.ClientPluginHost 0x1a513:$a2: NanoCore.ClientPlugin 0x1f567:$b7: LogClientException 0x1a529:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.3f37e0c.14.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.3f37e0c.14.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.3f37e0c.14.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1e8b:$x2: NanoCore.ClientPlugin 0x1deb:$x3: NanoCore.ClientPluginHost 0x1ea1:$i3: IClientNetwork 0x1e43:$i5: IClientDataHost 0x1e05:$i6: IClientLoggingHost 0x1e24:$i7: IClientNetworkHost 0x266c:$i9: IClientNameObjectCollection 0x1b41:$s1: ClientPlugin 0x1e94:$s1: ClientPlugin 0x2a80:$s2: EndPoint 0x2771:$s3: IPAddress 0x2083:$s4: IPEndPoint 0x27a3:$s7: get_Connected
3.2.WmtuqNHPM2.exe.3f37e0c.14.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1deb:$a1: NanoCore.ClientPluginHost 0x1e8b:$a2: NanoCore.ClientPlugin 0x2be1:$b7: LogClientException 0x1e05:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.3c4d051.13.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.3c4d051.13.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.3c4d051.13.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.WmtuqNHPM2.exe.3c4d051.13.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0xb165:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin 0xb158:$s1: ClientPlugin 0x10179:$s6: get_ClientSettings
3.2.WmtuqNHPM2.exe.3c4d051.13.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.6d40000.25.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x13a8:$x1: NanoCore.ClientPluginHost
3.2.WmtuqNHPM2.exe.6d40000.25.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.6d40000.25.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x13f2:$x2: NanoCore.ClientPlugin 0x13a8:$x3: NanoCore.ClientPluginHost 0x1408:$i3: IClientNetwork 0x13c2:$i6: IClientLoggingHost 0x1185:$s1: ClientPlugin 0x13fb:$s1: ClientPlugin
3.2.WmtuqNHPM2.exe.6d40000.25.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x13a8:$a1: NanoCore.ClientPluginHost 0x13f2:$a2: NanoCore.ClientPlugin 0x13c2:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.6dc0000.33.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.6dc0000.33.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.6dc0000.33.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1f1b2:$x2: NanoCore.ClientPlugin 0x1f1db:$x3: NanoCore.ClientPluginHost 0x1f1a3:$i3: IClientNetwork 0x1f1c8:$i6: IClientLoggingHost 0x1f1f5:$i7: IClientNetworkHost 0x1f208:$i8: IClientUIHost 0x1ef12:$s1: ClientPlugin 0x1f1bb:$s1: ClientPlugin
3.2.WmtuqNHPM2.exe.6dc0000.33.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1f1db:$a1: NanoCore.ClientPluginHost 0x1f1b2:$a2: NanoCore.ClientPlugin 0x24206:$b7: LogClientException 0x1f1c8:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.3be9930.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.3be9930.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.3be9930.10.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1f1b2:$x2: NanoCore.ClientPlugin 0x1f1db:$x3: NanoCore.ClientPluginHost 0x1f1a3:$i3: IClientNetwork 0x1f1c8:$i6: IClientLoggingHost 0x1f1f5:$i7: IClientNetworkHost 0x1f208:$i8: IClientUIHost 0x1ef12:$s1: ClientPlugin 0x1f1bb:$s1: ClientPlugin
3.2.WmtuqNHPM2.exe.3be9930.10.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1f1db:$a1: NanoCore.ClientPluginHost 0x1f1b2:$a2: NanoCore.ClientPlugin 0x24206:$b7: LogClientException 0x1f1c8:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.3f40c3b.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x3d99:$x1: NanoCore.ClientPluginHost 0xcd3b:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost 0xcd55:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.3f40c3b.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x3d99:$x2: NanoCore.ClientPluginHost 0xcd3b:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost 0xcd28:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.3f40c3b.9.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3d70:$x2: NanoCore.ClientPlugin 0xcd12:$x2: NanoCore.ClientPlugin 0x3d99:$x3: NanoCore.ClientPluginHost 0xcd3b:$x3: NanoCore.ClientPluginHost 0x3d61:$i3: IClientNetwork 0xcd03:$i3: IClientNetwork 0x3d86:$i6: IClientLoggingHost 0xcd28:$i6: IClientLoggingHost 0x3db3:$i7: IClientNetworkHost 0xcd55:$i7: IClientNetworkHost 0x3bd4:$s1: ClientPlugin 0x3d79:$s1: ClientPlugin 0xcb7e:$s1: ClientPlugin 0xcd1b:$s1: ClientPlugin 0x4084:$s2: EndPoint 0x408d:$s3: IPAddress 0x4097:$s4: IPEndPoint
3.2.WmtuqNHPM2.exe.3f40c3b.9.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3d99:$a1: NanoCore.ClientPluginHost 0xcd3b:$a1: NanoCore.ClientPluginHost 0x3d70:$a2: NanoCore.ClientPlugin 0xcd12:$a2: NanoCore.ClientPlugin 0x3d86:$b9: IClientLoggingHost 0xcd28:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.6d50000.26.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.6d50000.26.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.6d50000.26.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5ad5:$x2: NanoCore.ClientPlugin 0x59eb:$x3: NanoCore.ClientPluginHost 0x5aeb:$i3: IClientNetwork 0x5a24:$i5: IClientDataHost 0x5a05:$i6: IClientLoggingHost 0x5b48:$i7: IClientNetworkHost 0x5a43:$i8: IClientUIHost 0x6955:$i9: IClientNameObjectCollection 0x54fc:$s1: ClientPlugin 0x5ade:$s1: ClientPlugin 0x6971:$s6: get_ClientSettings
3.2.WmtuqNHPM2.exe.6d50000.26.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x59eb:$a1: NanoCore.ClientPluginHost 0x5ad5:$a2: NanoCore.ClientPlugin 0x732e:$b7: LogClientException 0x6941:$b8: PipeExists 0x5a05:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.3bf81d4.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.3bf81d4.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x10937:$x2: NanoCore.ClientPluginHost 0x13c74:$s4: PipeCreated 0x10924:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.3bf81d4.7.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1090e:$x2: NanoCore.ClientPlugin 0x10937:$x3: NanoCore.ClientPluginHost 0x108ff:$i3: IClientNetwork 0x10924:$i6: IClientLoggingHost 0x10951:$i7: IClientNetworkHost 0x10964:$i8: IClientUIHost 0x1066e:$s1: ClientPlugin 0x10917:$s1: ClientPlugin
3.2.WmtuqNHPM2.exe.3bf81d4.7.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x10937:$a1: NanoCore.ClientPluginHost 0x1090e:$a2: NanoCore.ClientPlugin 0x15962:$b7: LogClientException 0x10924:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.53b0000.19.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.53b0000.19.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.53b0000.19.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.WmtuqNHPM2.exe.53b0000.19.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
3.2.WmtuqNHPM2.exe.53b0000.19.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
0.2.WmtuqNHPM2.exe.5690000.8.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
3.2.WmtuqNHPM2.exe.2c70968.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.2c70968.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.2c70968.2.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x6d7f:$x2: NanoCore.ClientPlugin 0x6da5:$x3: NanoCore.ClientPluginHost 0x6d70:$i3: IClientNetwork 0x6d95:$i5: IClientDataHost 0x6dbf:$i6: IClientLoggingHost 0x6dd2:$i7: IClientNetworkHost 0x6de5:$i9: IClientNameObjectCollection 0x6b02:$s1: ClientPlugin 0x6d88:$s1: ClientPlugin
3.2.WmtuqNHPM2.exe.2c70968.2.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6da5:$a1: NanoCore.ClientPluginHost 0x6d7f:$a2: NanoCore.ClientPlugin 0x6dbf:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.6d60000.27.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1646:$x1: NanoCore.ClientPluginHost
3.2.WmtuqNHPM2.exe.6d60000.27.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x1646:$x2: NanoCore.ClientPluginHost 0x1724:$s4: PipeCreated 0x1660:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.6d60000.27.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1690:$x2: NanoCore.ClientPlugin 0x1646:$x3: NanoCore.ClientPluginHost 0x16a6:$i3: IClientNetwork 0x1660:$i6: IClientLoggingHost 0x13df:$s1: ClientPlugin 0x1699:$s1: ClientPlugin
3.2.WmtuqNHPM2.exe.6d60000.27.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1646:$a1: NanoCore.ClientPluginHost 0x1690:$a2: NanoCore.ClientPlugin 0x1660:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.2.WmtuqNHPM2.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.WmtuqNHPM2.exe.400000.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
3.2.WmtuqNHPM2.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
3.2.WmtuqNHPM2.exe.400000.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
0.2.WmtuqNHPM2.exe.3325394.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.WmtuqNHPM2.exe.3325394.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0xe3b7:$s5: IClientLoggingHost
0.2.WmtuqNHPM2.exe.3325394.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.WmtuqNHPM2.exe.3325394.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q 0xf0fc:$j: #=q 0xf118:$j: #=q
0.2.WmtuqNHPM2.exe.3325394.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x108fe:$b6: AddHostEntry 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
0.2.WmtuqNHPM2.exe.43b7698.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x381ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x381ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3bd1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.WmtuqNHPM2.exe.43b7698.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x37f25:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x381ad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x397e6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x397da:$s2: FileCommand 0x1266b:$s3: PipeExists 0x3a68b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x40442:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x381d7:$s5: IClientLoggingHost
0.2.WmtuqNHPM2.exe.43b7698.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.WmtuqNHPM2.exe.43b7698.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x37f15:$x1: NanoCore Client 0x37f25:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x3816d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x381ad:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x38162:$i1: IClientApp 0x10163:$i2: IClientData 0x38183:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x3818f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x3819e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x381c7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x381d7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost
0.2.WmtuqNHPM2.exe.43b7698.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x37f15:$a: NanoCore 0x37f25:$a: NanoCore 0x38159:$a: NanoCore 0x3816d:$a: NanoCore 0x381ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x37f74:$b: ClientPlugin 0x38176:$b: ClientPlugin 0x381b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x3809b:$c: ProjectData 0x10a82:$d: DESCrypto 0x38aa2:$d: DESCrypto 0x1844e:$e: KeepAlive
0.2.WmtuqNHPM2.exe.43b7698.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x381ad:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x3816d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x3a0c6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x37fc9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x397e6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x3819e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x4261e:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x3a71e:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x3e411:$b7: LogClientException 0x1266b:$b8: PipeExists 0x3a68b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.3c3458d.12.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x1: NanoCore.ClientPluginHost 0x23c48:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c75:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.3c3458d.12.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x2: NanoCore.ClientPluginHost 0x23c48:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x24d23:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x23c62:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.3c3458d.12.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.WmtuqNHPM2.exe.3c3458d.12.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0x23c13:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0x23c48:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0x23c07:$i2: IClientData 0xb165:$i3: IClientNetwork 0x23c29:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0x23c38:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0x23c62:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0x23c75:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0x23c88:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0x23c96:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0x23cb2:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin
3.2.WmtuqNHPM2.exe.3c3458d.12.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0x23c48:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x23c13:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x28b8e:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0x28afd:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost 0x23c62:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.5370000.17.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.5370000.17.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
3.2.WmtuqNHPM2.exe.5370000.17.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x4b87:$i3: IClientNetwork 0x4bac:$i4: IClientAppHost 0x4bd5:$i5: IClientDataHost 0x4be5:$i7: IClientNetworkHost 0x4bf8:$i9: IClientNameObjectCollection 0x4c1d:$i10: IClientReadOnlyNameObjectCollection 0x49ce:$s1: ClientPlugin 0x4b9f:$s1: ClientPlugin
3.2.WmtuqNHPM2.exe.5370000.17.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x4b96:$a2: NanoCore.ClientPlugin 0x8558:$b1: get_BuilderSettings 0x4bac:$b4: IClientAppHost
3.2.WmtuqNHPM2.exe.51e0000.16.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.51e0000.16.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.51e0000.16.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
3.2.WmtuqNHPM2.exe.51e0000.16.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.3f37e0c.14.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x39eb:$x1: NanoCore.ClientPluginHost 0xe9c8:$x1: NanoCore.ClientPluginHost 0x1a76a:$x1: NanoCore.ClientPluginHost 0x3f66e:$x1: NanoCore.ClientPluginHost 0x4eaae:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost 0xe9e2:$x2: IClientNetworkHost 0x1a784:$x2: IClientNetworkHost 0x3f688:$x2: IClientNetworkHost 0x4eaeb:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.3f37e0c.14.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x39eb:$x2: NanoCore.ClientPluginHost 0xe9c8:$x2: NanoCore.ClientPluginHost 0x1a76a:$x2: NanoCore.ClientPluginHost 0x3f66e:$x2: NanoCore.ClientPluginHost 0x4eaae:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0xf9fd:$s4: PipeCreated 0x1c515:$s4: PipeCreated 0x429ab:$s4: PipeCreated 0x51f01:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost 0xe9b5:$s5: IClientLoggingHost 0x1a757:$s5: IClientLoggingHost 0x3f65b:$s5: IClientLoggingHost 0x4ead8:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.3f37e0c.14.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3a8b:$x2: NanoCore.ClientPlugin 0xe99f:$x2: NanoCore.ClientPlugin 0x1a741:$x2: NanoCore.ClientPlugin 0x3f645:$x2: NanoCore.ClientPlugin 0x4ea89:$x2: NanoCore.ClientPlugin 0x39eb:$x3: NanoCore.ClientPluginHost 0xe9c8:$x3: NanoCore.ClientPluginHost 0x1a76a:$x3: NanoCore.ClientPluginHost 0x3f66e:$x3: NanoCore.ClientPluginHost 0x4eaae:$x3: NanoCore.ClientPluginHost 0x3aa1:$i3: IClientNetwork 0xe990:$i3: IClientNetwork 0x1a732:$i3: IClientNetwork 0x3f636:$i3: IClientNetwork 0x4ea7a:$i3: IClientNetwork 0x4ea9f:$i4: IClientAppHost 0x3a43:$i5: IClientDataHost 0x4eac8:$i5: IClientDataHost 0x3a05:$i6: IClientLoggingHost 0xe9b5:$i6: IClientLoggingHost 0x1a757:$i6: IClientLoggingHost
3.2.WmtuqNHPM2.exe.3f37e0c.14.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x36cb:$a: NanoCore 0x372c:$a: NanoCore 0x376f:$a: NanoCore 0x37af:$a: NanoCore 0x39eb:$a: NanoCore 0x3a8b:$a: NanoCore 0x4263:$a: NanoCore 0x4856:$a: NanoCore 0x49a7:$a: NanoCore 0x5801:$a: NanoCore 0x5a68:$a: NanoCore 0x5a7d:$a: NanoCore 0x5a9c:$a: NanoCore 0xe99f:$a: NanoCore 0xe9c8:$a: NanoCore 0x1a741:$a: NanoCore 0x1a76a:$a: NanoCore 0x3f62d:$a: NanoCore 0x3f645:$a: NanoCore 0x3f66e:$a: NanoCore 0x4ea71:$a: NanoCore
3.2.WmtuqNHPM2.exe.3f37e0c.14.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x39eb:$a1: NanoCore.ClientPluginHost 0xe9c8:$a1: NanoCore.ClientPluginHost 0x1a76a:$a1: NanoCore.ClientPluginHost 0x3f66e:$a1: NanoCore.ClientPluginHost 0x4eaae:$a1: NanoCore.ClientPluginHost 0x3a8b:$a2: NanoCore.ClientPlugin 0xe99f:$a2: NanoCore.ClientPlugin 0x1a741:$a2: NanoCore.ClientPlugin 0x3f645:$a2: NanoCore.ClientPlugin 0x4ea89:$a2: NanoCore.ClientPlugin 0x4ea9f:$b4: IClientAppHost 0x47e1:$b7: LogClientException 0x1cab3:$b7: LogClientException 0x44699:$b7: LogClientException 0x52f8e:$b7: LogClientException 0x3a05:$b9: IClientLoggingHost 0xe9b5:$b9: IClientLoggingHost 0x1a757:$b9: IClientLoggingHost 0x3f65b:$b9: IClientLoggingHost 0x4ead8:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.2c22500.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.2c22500.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
3.2.WmtuqNHPM2.exe.2c22500.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x4b87:$i3: IClientNetwork 0x4bac:$i4: IClientAppHost 0x4bd5:$i5: IClientDataHost 0x4be5:$i7: IClientNetworkHost 0x4bf8:$i9: IClientNameObjectCollection 0x4c1d:$i10: IClientReadOnlyNameObjectCollection 0x49ce:$s1: ClientPlugin 0x4b9f:$s1: ClientPlugin
3.2.WmtuqNHPM2.exe.2c22500.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x4b96:$a2: NanoCore.ClientPlugin 0x8558:$b1: get_BuilderSettings 0x4bac:$b4: IClientAppHost
0.2.WmtuqNHPM2.exe.43df6b8.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.WmtuqNHPM2.exe.43df6b8.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.WmtuqNHPM2.exe.43df6b8.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.WmtuqNHPM2.exe.43df6b8.7.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.WmtuqNHPM2.exe.43df6b8.7.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.WmtuqNHPM2.exe.43df6b8.7.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.6df0000.34.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.6df0000.34.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.6df0000.34.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5fc9:$x2: NanoCore.ClientPlugin 0x5fee:$x3: NanoCore.ClientPluginHost 0x5fba:$i3: IClientNetwork 0x5fdf:$i4: IClientAppHost 0x6008:$i5: IClientDataHost 0x6018:$i6: IClientLoggingHost 0x602b:$i7: IClientNetworkHost 0x603e:$i8: IClientUIHost 0x604c:$i9: IClientNameObjectCollection 0x5d70:$s1: ClientPlugin 0x5fd2:$s1: ClientPlugin
3.2.WmtuqNHPM2.exe.6df0000.34.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5fee:$a1: NanoCore.ClientPluginHost 0x5fc9:$a2: NanoCore.ClientPlugin 0x5fdf:$b4: IClientAppHost 0xa4ce:$b7: LogClientException 0x6018:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.6dc0000.33.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.6dc0000.33.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.6dc0000.33.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1d3b2:$x2: NanoCore.ClientPlugin 0x1d3db:$x3: NanoCore.ClientPluginHost 0x1d3a3:$i3: IClientNetwork 0x1d3c8:$i6: IClientLoggingHost 0x1d3f5:$i7: IClientNetworkHost 0x1d408:$i8: IClientUIHost 0x1d112:$s1: ClientPlugin 0x1d3bb:$s1: ClientPlugin
3.2.WmtuqNHPM2.exe.6dc0000.33.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1d3db:$a1: NanoCore.ClientPluginHost 0x1d3b2:$a2: NanoCore.ClientPlugin 0x22406:$b7: LogClientException 0x1d3c8:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.3ec24cc.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.3ec24cc.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.3ec24cc.6.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3a8b:$x2: NanoCore.ClientPlugin 0x39eb:$x3: NanoCore.ClientPluginHost 0x3aa1:$i3: IClientNetwork 0x3a43:$i5: IClientDataHost 0x3a05:$i6: IClientLoggingHost 0x3a24:$i7: IClientNetworkHost 0x426c:$i9: IClientNameObjectCollection 0x3741:$s1: ClientPlugin 0x3a94:$s1: ClientPlugin 0x4680:$s2: EndPoint 0x4371:$s3: IPAddress 0x3c83:$s4: IPEndPoint 0x43a3:$s7: get_Connected
3.2.WmtuqNHPM2.exe.3ec24cc.6.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x39eb:$a1: NanoCore.ClientPluginHost 0x3a8b:$a2: NanoCore.ClientPlugin 0x47e1:$b7: LogClientException 0x3a05:$b9: IClientLoggingHost
0.2.WmtuqNHPM2.exe.3325394.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.WmtuqNHPM2.exe.3325394.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x101b7:$s5: IClientLoggingHost
0.2.WmtuqNHPM2.exe.3325394.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
0.2.WmtuqNHPM2.exe.3325394.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q 0x10efc:$j: #=q 0x10f18:$j: #=q
0.2.WmtuqNHPM2.exe.3325394.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x126fe:$b6: AddHostEntry 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.2c8a9dc.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x3f0b:$x1: NanoCore.ClientPluginHost 0xa041:$x1: NanoCore.ClientPluginHost 0x3f44:$x2: IClientNetworkHost 0xa07a:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.2c8a9dc.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x3f0b:$x2: NanoCore.ClientPluginHost 0xa041:$x2: NanoCore.ClientPluginHost 0x400f:$s4: PipeCreated 0xa15c:$s4: PipeCreated 0x3f25:$s5: IClientLoggingHost 0xa05b:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.2c8a9dc.4.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3f87:$x2: NanoCore.ClientPlugin 0xa0bb:$x2: NanoCore.ClientPlugin 0x3f0b:$x3: NanoCore.ClientPluginHost 0xa041:$x3: NanoCore.ClientPluginHost 0x3f9d:$i3: IClientNetwork 0xa0d1:$i3: IClientNetwork 0x3f25:$i6: IClientLoggingHost 0xa05b:$i6: IClientLoggingHost 0x3f44:$i7: IClientNetworkHost 0xa07a:$i7: IClientNetworkHost 0x3bfb:$s1: ClientPlugin 0x3f90:$s1: ClientPlugin 0x9ddb:$s1: ClientPlugin 0xa0c4:$s1: ClientPlugin 0x50f4:$s3: IPAddress
3.2.WmtuqNHPM2.exe.2c8a9dc.4.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3f0b:$a1: NanoCore.ClientPluginHost 0xa041:$a1: NanoCore.ClientPluginHost 0x3f87:$a2: NanoCore.ClientPlugin 0xa0bb:$a2: NanoCore.ClientPlugin 0x4b10:$b7: LogClientException 0xa7dc:$b7: LogClientException 0x3f25:$b9: IClientLoggingHost 0xa05b:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.5640000.24.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.5640000.24.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.5640000.24.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x227f:$x2: NanoCore.ClientPlugin 0x2205:$x3: NanoCore.ClientPluginHost 0x2295:$i3: IClientNetwork 0x221f:$i6: IClientLoggingHost 0x223e:$i7: IClientNetworkHost 0x1f9f:$s1: ClientPlugin 0x2288:$s1: ClientPlugin
3.2.WmtuqNHPM2.exe.5640000.24.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2205:$a1: NanoCore.ClientPluginHost 0x227f:$a2: NanoCore.ClientPlugin 0x29a0:$b7: LogClientException 0x221f:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.3f323e1.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1646:$x1: NanoCore.ClientPluginHost 0x9416:$x1: NanoCore.ClientPluginHost 0x143f3:$x1: NanoCore.ClientPluginHost 0x20195:$x1: NanoCore.ClientPluginHost 0x45099:$x1: NanoCore.ClientPluginHost 0x544d9:$x1: NanoCore.ClientPluginHost 0x944f:$x2: IClientNetworkHost 0x1440d:$x2: IClientNetworkHost 0x201af:$x2: IClientNetworkHost 0x450b3:$x2: IClientNetworkHost 0x54516:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.3f323e1.11.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x1646:$x2: NanoCore.ClientPluginHost 0x9416:$x2: NanoCore.ClientPluginHost 0x143f3:$x2: NanoCore.ClientPluginHost 0x20195:$x2: NanoCore.ClientPluginHost 0x45099:$x2: NanoCore.ClientPluginHost 0x544d9:$x2: NanoCore.ClientPluginHost 0x1724:$s4: PipeCreated 0x9561:$s4: PipeCreated 0x15428:$s4: PipeCreated 0x21f40:$s4: PipeCreated 0x483d6:$s4: PipeCreated 0x5792c:$s4: PipeCreated 0x1660:$s5: IClientLoggingHost 0x9430:$s5: IClientLoggingHost 0x143e0:$s5: IClientLoggingHost 0x20182:$s5: IClientLoggingHost 0x45086:$s5: IClientLoggingHost 0x54503:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.3f323e1.11.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1690:$x2: NanoCore.ClientPlugin 0x94b6:$x2: NanoCore.ClientPlugin 0x143ca:$x2: NanoCore.ClientPlugin 0x2016c:$x2: NanoCore.ClientPlugin 0x45070:$x2: NanoCore.ClientPlugin 0x544b4:$x2: NanoCore.ClientPlugin 0x1646:$x3: NanoCore.ClientPluginHost 0x9416:$x3: NanoCore.ClientPluginHost 0x143f3:$x3: NanoCore.ClientPluginHost 0x20195:$x3: NanoCore.ClientPluginHost 0x45099:$x3: NanoCore.ClientPluginHost 0x544d9:$x3: NanoCore.ClientPluginHost 0x16a6:$i3: IClientNetwork 0x94cc:$i3: IClientNetwork 0x143bb:$i3: IClientNetwork 0x2015d:$i3: IClientNetwork 0x45061:$i3: IClientNetwork 0x544a5:$i3: IClientNetwork 0x544ca:$i4: IClientAppHost 0x946e:$i5: IClientDataHost 0x544f3:$i5: IClientDataHost
3.2.WmtuqNHPM2.exe.3f323e1.11.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1646:$a: NanoCore 0x1690:$a: NanoCore 0x187a:$a: NanoCore 0x90f6:$a: NanoCore 0x9157:$a: NanoCore 0x919a:$a: NanoCore 0x91da:$a: NanoCore 0x9416:$a: NanoCore 0x94b6:$a: NanoCore 0x9c8e:$a: NanoCore 0xa281:$a: NanoCore 0xa3d2:$a: NanoCore 0xb22c:$a: NanoCore 0xb493:$a: NanoCore 0xb4a8:$a: NanoCore 0xb4c7:$a: NanoCore 0x143ca:$a: NanoCore 0x143f3:$a: NanoCore 0x2016c:$a: NanoCore 0x20195:$a: NanoCore 0x45058:$a: NanoCore
3.2.WmtuqNHPM2.exe.3f323e1.11.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1646:$a1: NanoCore.ClientPluginHost 0x9416:$a1: NanoCore.ClientPluginHost 0x143f3:$a1: NanoCore.ClientPluginHost 0x20195:$a1: NanoCore.ClientPluginHost 0x45099:$a1: NanoCore.ClientPluginHost 0x544d9:$a1: NanoCore.ClientPluginHost 0x1690:$a2: NanoCore.ClientPlugin 0x94b6:$a2: NanoCore.ClientPlugin 0x143ca:$a2: NanoCore.ClientPlugin 0x2016c:$a2: NanoCore.ClientPlugin 0x45070:$a2: NanoCore.ClientPlugin 0x544b4:$a2: NanoCore.ClientPlugin 0x544ca:$b4: IClientAppHost 0xa20c:$b7: LogClientException 0x224de:$b7: LogClientException 0x4a0c4:$b7: LogClientException 0x589b9:$b7: LogClientException 0x1660:$b9: IClientLoggingHost 0x9430:$b9: IClientLoggingHost 0x143e0:$b9: IClientLoggingHost 0x20182:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.53b0000.19.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.53b0000.19.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.53b0000.19.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.WmtuqNHPM2.exe.2c22500.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.2c22500.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
3.2.WmtuqNHPM2.exe.53b0000.19.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
3.2.WmtuqNHPM2.exe.53b0000.19.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.6d80000.29.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x3d99:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.6d80000.29.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x3d99:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.2c22500.3.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2d96:$x2: NanoCore.ClientPlugin 0x2dbb:$x3: NanoCore.ClientPluginHost 0x2d87:$i3: IClientNetwork 0x2dac:$i4: IClientAppHost 0x2dd5:$i5: IClientDataHost 0x2de5:$i7: IClientNetworkHost 0x2df8:$i9: IClientNameObjectCollection 0x2e1d:$i10: IClientReadOnlyNameObjectCollection 0x2bce:$s1: ClientPlugin 0x2d9f:$s1: ClientPlugin
3.2.WmtuqNHPM2.exe.2c22500.3.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2dbb:$a1: NanoCore.ClientPluginHost 0x2d96:$a2: NanoCore.ClientPlugin 0x6758:$b1: get_BuilderSettings 0x2dac:$b4: IClientAppHost
3.2.WmtuqNHPM2.exe.6d80000.29.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3d70:$x2: NanoCore.ClientPlugin 0x3d99:$x3: NanoCore.ClientPluginHost 0x3d61:$i3: IClientNetwork 0x3d86:$i6: IClientLoggingHost 0x3db3:$i7: IClientNetworkHost 0x3bd4:$s1: ClientPlugin 0x3d79:$s1: ClientPlugin 0x4084:$s2: EndPoint 0x408d:$s3: IPAddress 0x4097:$s4: IPEndPoint
3.2.WmtuqNHPM2.exe.6d80000.29.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3d99:$a1: NanoCore.ClientPluginHost 0x3d70:$a2: NanoCore.ClientPlugin 0x3d86:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.3c48a28.15.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.3c48a28.15.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.3c48a28.15.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.WmtuqNHPM2.exe.3c48a28.15.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
3.2.WmtuqNHPM2.exe.3c48a28.15.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.3ec24cc.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.3ec24cc.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.3ec24cc.6.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1e8b:$x2: NanoCore.ClientPlugin 0x1deb:$x3: NanoCore.ClientPluginHost 0x1ea1:$i3: IClientNetwork 0x1e43:$i5: IClientDataHost 0x1e05:$i6: IClientLoggingHost 0x1e24:$i7: IClientNetworkHost 0x266c:$i9: IClientNameObjectCollection 0x1b41:$s1: ClientPlugin 0x1e94:$s1: ClientPlugin 0x2a80:$s2: EndPoint 0x2771:$s3: IPAddress 0x2083:$s4: IPEndPoint 0x27a3:$s7: get_Connected
3.2.WmtuqNHPM2.exe.3ec24cc.6.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1deb:$a1: NanoCore.ClientPluginHost 0x1e8b:$a2: NanoCore.ClientPlugin 0x2be1:$b7: LogClientException 0x1e05:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.5380000.18.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.5380000.18.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.5380000.18.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x6d7f:$x2: NanoCore.ClientPlugin 0x6da5:$x3: NanoCore.ClientPluginHost 0x6d70:$i3: IClientNetwork 0x6d95:$i5: IClientDataHost 0x6dbf:$i6: IClientLoggingHost 0x6dd2:$i7: IClientNetworkHost 0x6de5:$i9: IClientNameObjectCollection 0x6b02:$s1: ClientPlugin 0x6d88:$s1: ClientPlugin
3.2.WmtuqNHPM2.exe.5380000.18.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6da5:$a1: NanoCore.ClientPluginHost 0x6d7f:$a2: NanoCore.ClientPlugin 0x6dbf:$b9: IClientLoggingHost
0.2.WmtuqNHPM2.exe.43df6b8.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.WmtuqNHPM2.exe.43df6b8.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.2.WmtuqNHPM2.exe.43df6b8.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.WmtuqNHPM2.exe.43df6b8.7.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
0.2.WmtuqNHPM2.exe.43df6b8.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.WmtuqNHPM2.exe.43df6b8.7.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.53b4629.20.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.53b4629.20.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.53b4629.20.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.WmtuqNHPM2.exe.53b4629.20.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0xb165:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin 0xb158:$s1: ClientPlugin 0x10179:$s6: get_ClientSettings
3.2.WmtuqNHPM2.exe.53b4629.20.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.6da0000.30.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.6da0000.30.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.6da0000.30.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x34e2:$x2: NanoCore.ClientPlugin 0x350b:$x3: NanoCore.ClientPluginHost 0x34d3:$i3: IClientNetwork 0x34f8:$i6: IClientLoggingHost 0x3525:$i7: IClientNetworkHost 0x334e:$s1: ClientPlugin 0x34eb:$s1: ClientPlugin
3.2.WmtuqNHPM2.exe.6da0000.30.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x350b:$a1: NanoCore.ClientPluginHost 0x34e2:$a2: NanoCore.ClientPlugin 0x5854:$b7: LogClientException 0x34f8:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.3bee5cf.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.3bee5cf.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x1a53c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.3bee5cf.8.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1a513:$x2: NanoCore.ClientPlugin 0x1a53c:$x3: NanoCore.ClientPluginHost 0x1a504:$i3: IClientNetwork 0x1a529:$i6: IClientLoggingHost 0x1a556:$i7: IClientNetworkHost 0x1a569:$i8: IClientUIHost 0x1a273:$s1: ClientPlugin 0x1a51c:$s1: ClientPlugin
3.2.WmtuqNHPM2.exe.3bee5cf.8.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1a53c:$a1: NanoCore.ClientPluginHost 0x1a513:$a2: NanoCore.ClientPlugin 0x1f567:$b7: LogClientException 0x1a529:$b9: IClientLoggingHost
0.2.WmtuqNHPM2.exe.4824760.1.raw.unpack	HKTL_NET_NAME_DotNetInject	Detects .NET red/black-team tools via name	Arnim Rupp	0x1a7393:$name: DotNetInject 0x19444e:$compile: AssemblyTitle
3.2.WmtuqNHPM2.exe.5620000.22.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.5620000.22.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.5620000.22.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0x1775:$i3: IClientNetwork 0x16fd:$i6: IClientLoggingHost 0x171c:$i7: IClientNetworkHost 0x1491:$s1: ClientPlugin 0x1768:$s1: ClientPlugin
3.2.WmtuqNHPM2.exe.5620000.22.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x16e3:$a1: NanoCore.ClientPluginHost 0x175f:$a2: NanoCore.ClientPlugin 0x16fd:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.3c48a28.15.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.3c48a28.15.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.3c48a28.15.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.WmtuqNHPM2.exe.3c48a28.15.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
3.2.WmtuqNHPM2.exe.3c48a28.15.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.2c70968.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d1f:$x1: NanoCore.ClientPluginHost 0x1fb7f:$x1: NanoCore.ClientPluginHost 0x27ab5:$x1: NanoCore.ClientPluginHost 0x2da98:$x1: NanoCore.ClientPluginHost 0x37513:$x1: NanoCore.ClientPluginHost 0x3f5ce:$x1: NanoCore.ClientPluginHost 0x473af:$x1: NanoCore.ClientPluginHost 0x523a1:$x1: NanoCore.ClientPluginHost 0x5e157:$x1: NanoCore.ClientPluginHost 0x69eae:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d58:$x2: IClientNetworkHost 0x1fbb8:$x2: IClientNetworkHost 0x27aee:$x2: IClientNetworkHost 0x37670:$x2: IClientNetworkHost 0x473e8:$x2: IClientNetworkHost 0x523bb:$x2: IClientNetworkHost 0x5e171:$x2: IClientNetworkHost 0x69eeb:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.2c70968.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x15d9b:$x2: NanoCore.ClientPlugin 0x1fbfb:$x2: NanoCore.ClientPlugin 0x27b2f:$x2: NanoCore.ClientPlugin 0x2dae2:$x2: NanoCore.ClientPlugin 0x375fd:$x2: NanoCore.ClientPlugin 0x3f618:$x2: NanoCore.ClientPlugin 0x4744f:$x2: NanoCore.ClientPlugin 0x52378:$x2: NanoCore.ClientPlugin 0x5e12e:$x2: NanoCore.ClientPlugin 0x69e89:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x15d1f:$x3: NanoCore.ClientPluginHost 0x1fb7f:$x3: NanoCore.ClientPluginHost 0x27ab5:$x3: NanoCore.ClientPluginHost 0x2da98:$x3: NanoCore.ClientPluginHost 0x37513:$x3: NanoCore.ClientPluginHost 0x3f5ce:$x3: NanoCore.ClientPluginHost 0x473af:$x3: NanoCore.ClientPluginHost 0x523a1:$x3: NanoCore.ClientPluginHost 0x5e157:$x3: NanoCore.ClientPluginHost
3.2.WmtuqNHPM2.exe.2c70968.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a67:$a: NanoCore 0x15ac0:$a: NanoCore 0x15af3:$a: NanoCore 0x15d1f:$a: NanoCore 0x15d9b:$a: NanoCore 0x163b4:$a: NanoCore 0x164fd:$a: NanoCore 0x169d1:$a: NanoCore 0x16cb8:$a: NanoCore 0x16ccf:$a: NanoCore 0x1fb7f:$a: NanoCore 0x1fbfb:$a: NanoCore 0x224de:$a: NanoCore 0x27ab5:$a: NanoCore 0x27b2f:$a: NanoCore 0x2da98:$a: NanoCore 0x2dae2:$a: NanoCore 0x2e73c:$a: NanoCore
3.2.WmtuqNHPM2.exe.2c70968.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x15d1f:$a1: NanoCore.ClientPluginHost 0x1fb7f:$a1: NanoCore.ClientPluginHost 0x27ab5:$a1: NanoCore.ClientPluginHost 0x2da98:$a1: NanoCore.ClientPluginHost 0x37513:$a1: NanoCore.ClientPluginHost 0x3f5ce:$a1: NanoCore.ClientPluginHost 0x473af:$a1: NanoCore.ClientPluginHost 0x523a1:$a1: NanoCore.ClientPluginHost 0x5e157:$a1: NanoCore.ClientPluginHost 0x69eae:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x15d9b:$a2: NanoCore.ClientPlugin 0x1fbfb:$a2: NanoCore.ClientPlugin 0x27b2f:$a2: NanoCore.ClientPlugin 0x2dae2:$a2: NanoCore.ClientPlugin 0x375fd:$a2: NanoCore.ClientPlugin 0x3f618:$a2: NanoCore.ClientPlugin 0x4744f:$a2: NanoCore.ClientPlugin 0x52378:$a2: NanoCore.ClientPlugin 0x5e12e:$a2: NanoCore.ClientPlugin
3.2.WmtuqNHPM2.exe.5380000.18.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.5380000.18.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.5380000.18.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork 0x8b95:$i5: IClientDataHost 0x8bbf:$i6: IClientLoggingHost 0x8bd2:$i7: IClientNetworkHost 0x8be5:$i9: IClientNameObjectCollection 0x8902:$s1: ClientPlugin 0x8b88:$s1: ClientPlugin
3.2.WmtuqNHPM2.exe.5380000.18.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x8bbf:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.6df0000.34.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x41ee:$x1: NanoCore.ClientPluginHost 0x422b:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.6df0000.34.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x41ee:$x2: NanoCore.ClientPluginHost 0x7641:$s4: PipeCreated 0x4218:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.6df0000.34.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x41c9:$x2: NanoCore.ClientPlugin 0x41ee:$x3: NanoCore.ClientPluginHost 0x41ba:$i3: IClientNetwork 0x41df:$i4: IClientAppHost 0x4208:$i5: IClientDataHost 0x4218:$i6: IClientLoggingHost 0x422b:$i7: IClientNetworkHost 0x423e:$i8: IClientUIHost 0x424c:$i9: IClientNameObjectCollection 0x3f70:$s1: ClientPlugin 0x41d2:$s1: ClientPlugin
3.2.WmtuqNHPM2.exe.6df0000.34.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x41ee:$a1: NanoCore.ClientPluginHost 0x41c9:$a2: NanoCore.ClientPlugin 0x41df:$b4: IClientAppHost 0x86ce:$b7: LogClientException 0x4218:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.5630000.23.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.5630000.23.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.5630000.23.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b87:$x2: NanoCore.ClientPlugin 0x5b0b:$x3: NanoCore.ClientPluginHost 0x5b9d:$i3: IClientNetwork 0x5b25:$i6: IClientLoggingHost 0x5b44:$i7: IClientNetworkHost 0x57fb:$s1: ClientPlugin 0x5b90:$s1: ClientPlugin 0x6cf4:$s3: IPAddress
3.2.WmtuqNHPM2.exe.5630000.23.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b0b:$a1: NanoCore.ClientPluginHost 0x5b87:$a2: NanoCore.ClientPlugin 0x6710:$b7: LogClientException 0x5b25:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.2c8a9dc.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x5b0b:$x1: NanoCore.ClientPluginHost 0xda41:$x1: NanoCore.ClientPluginHost 0x13a24:$x1: NanoCore.ClientPluginHost 0x1d49f:$x1: NanoCore.ClientPluginHost 0x2555a:$x1: NanoCore.ClientPluginHost 0x2d33b:$x1: NanoCore.ClientPluginHost 0x3832d:$x1: NanoCore.ClientPluginHost 0x440e3:$x1: NanoCore.ClientPluginHost 0x4fe3a:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost 0xda7a:$x2: IClientNetworkHost 0x1d5fc:$x2: IClientNetworkHost 0x2d374:$x2: IClientNetworkHost 0x38347:$x2: IClientNetworkHost 0x440fd:$x2: IClientNetworkHost 0x4fe77:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.2c8a9dc.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b87:$x2: NanoCore.ClientPlugin 0xdabb:$x2: NanoCore.ClientPlugin 0x13a6e:$x2: NanoCore.ClientPlugin 0x1d589:$x2: NanoCore.ClientPlugin 0x255a4:$x2: NanoCore.ClientPlugin 0x2d3db:$x2: NanoCore.ClientPlugin 0x38304:$x2: NanoCore.ClientPlugin 0x440ba:$x2: NanoCore.ClientPlugin 0x4fe15:$x2: NanoCore.ClientPlugin 0x5b0b:$x3: NanoCore.ClientPluginHost 0xda41:$x3: NanoCore.ClientPluginHost 0x13a24:$x3: NanoCore.ClientPluginHost 0x1d49f:$x3: NanoCore.ClientPluginHost 0x2555a:$x3: NanoCore.ClientPluginHost 0x2d33b:$x3: NanoCore.ClientPluginHost 0x3832d:$x3: NanoCore.ClientPluginHost 0x440e3:$x3: NanoCore.ClientPluginHost 0x4fe3a:$x3: NanoCore.ClientPluginHost 0x5b9d:$i3: IClientNetwork 0xdad1:$i3: IClientNetwork 0x13a84:$i3: IClientNetwork
3.2.WmtuqNHPM2.exe.2c8a9dc.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x5b0b:$a: NanoCore 0x5b87:$a: NanoCore 0x846a:$a: NanoCore 0xda41:$a: NanoCore 0xdabb:$a: NanoCore 0x13a24:$a: NanoCore 0x13a6e:$a: NanoCore 0x146c8:$a: NanoCore 0x1d49f:$a: NanoCore 0x1d589:$a: NanoCore 0x1e400:$a: NanoCore 0x2555a:$a: NanoCore 0x255a4:$a: NanoCore 0x2578e:$a: NanoCore 0x2d01b:$a: NanoCore 0x2d07c:$a: NanoCore 0x2d0bf:$a: NanoCore 0x2d0ff:$a: NanoCore 0x2d33b:$a: NanoCore 0x2d3db:$a: NanoCore 0x2dbb3:$a: NanoCore
3.2.WmtuqNHPM2.exe.2c8a9dc.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b0b:$a1: NanoCore.ClientPluginHost 0xda41:$a1: NanoCore.ClientPluginHost 0x13a24:$a1: NanoCore.ClientPluginHost 0x1d49f:$a1: NanoCore.ClientPluginHost 0x2555a:$a1: NanoCore.ClientPluginHost 0x2d33b:$a1: NanoCore.ClientPluginHost 0x3832d:$a1: NanoCore.ClientPluginHost 0x440e3:$a1: NanoCore.ClientPluginHost 0x4fe3a:$a1: NanoCore.ClientPluginHost 0x5b87:$a2: NanoCore.ClientPlugin 0xdabb:$a2: NanoCore.ClientPlugin 0x13a6e:$a2: NanoCore.ClientPlugin 0x1d589:$a2: NanoCore.ClientPlugin 0x255a4:$a2: NanoCore.ClientPlugin 0x2d3db:$a2: NanoCore.ClientPlugin 0x38304:$a2: NanoCore.ClientPlugin 0x440ba:$a2: NanoCore.ClientPlugin 0x4fe15:$a2: NanoCore.ClientPlugin 0x4fe2b:$b4: IClientAppHost 0x6710:$b7: LogClientException 0xe1dc:$b7: LogClientException
3.2.WmtuqNHPM2.exe.3be9930.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.3be9930.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.3be9930.10.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1d3b2:$x2: NanoCore.ClientPlugin 0x1d3db:$x3: NanoCore.ClientPluginHost 0x1d3a3:$i3: IClientNetwork 0x1d3c8:$i6: IClientLoggingHost 0x1d3f5:$i7: IClientNetworkHost 0x1d408:$i8: IClientUIHost 0x1d112:$s1: ClientPlugin 0x1d3bb:$s1: ClientPlugin
3.2.WmtuqNHPM2.exe.3be9930.10.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1d3db:$a1: NanoCore.ClientPluginHost 0x1d3b2:$a2: NanoCore.ClientPlugin 0x22406:$b7: LogClientException 0x1d3c8:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.5370000.17.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.5370000.17.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
3.2.WmtuqNHPM2.exe.5370000.17.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2d96:$x2: NanoCore.ClientPlugin 0x2dbb:$x3: NanoCore.ClientPluginHost 0x2d87:$i3: IClientNetwork 0x2dac:$i4: IClientAppHost 0x2dd5:$i5: IClientDataHost 0x2de5:$i7: IClientNetworkHost 0x2df8:$i9: IClientNameObjectCollection 0x2e1d:$i10: IClientReadOnlyNameObjectCollection 0x2bce:$s1: ClientPlugin 0x2d9f:$s1: ClientPlugin
3.2.WmtuqNHPM2.exe.5370000.17.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2dbb:$a1: NanoCore.ClientPluginHost 0x2d96:$a2: NanoCore.ClientPlugin 0x6758:$b1: get_BuilderSettings 0x2dac:$b4: IClientAppHost
3.2.WmtuqNHPM2.exe.2c12ee8.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0x141d3:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x141fd:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.2c12ee8.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x141d3:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x16083:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
3.2.WmtuqNHPM2.exe.2c12ee8.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x141ae:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x141d3:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0x1419f:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0x141c4:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0x141ed:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0x141fd:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0x14210:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0x14235:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin
3.2.WmtuqNHPM2.exe.2c12ee8.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x141ae:$a: NanoCore 0x141d3:$a: NanoCore 0x1422c:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x13fa5:$b: ClientPlugin 0x13fb6:$b: ClientPlugin 0x13fe6:$b: ClientPlugin 0x141b7:$b: ClientPlugin 0x141dc:$b: ClientPlugin 0x140e8:$c: ProjectData 0x12c9:$g: LogClientMessage 0x1249:$i: get_Connected 0x147f2:$j: #=q 0x1480e:$j: #=q
3.2.WmtuqNHPM2.exe.2c12ee8.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0x141d3:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x141ae:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0x17b70:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x141c4:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.3f40c3b.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x5b99:$x1: NanoCore.ClientPluginHost 0x1193b:$x1: NanoCore.ClientPluginHost 0x3683f:$x1: NanoCore.ClientPluginHost 0x45c7f:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost 0x11955:$x2: IClientNetworkHost 0x36859:$x2: IClientNetworkHost 0x45cbc:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.3f40c3b.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x5b99:$x2: NanoCore.ClientPluginHost 0x1193b:$x2: NanoCore.ClientPluginHost 0x3683f:$x2: NanoCore.ClientPluginHost 0x45c7f:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x136e6:$s4: PipeCreated 0x39b7c:$s4: PipeCreated 0x490d2:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost 0x11928:$s5: IClientLoggingHost 0x3682c:$s5: IClientLoggingHost 0x45ca9:$s5: IClientLoggingHost
0.2.WmtuqNHPM2.exe.442f6d8.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.WmtuqNHPM2.exe.442f6d8.6.raw.unpack	HKTL_NET_NAME_DotNetInject	Detects .NET red/black-team tools via name	Arnim Rupp	0x31c3fb:$name: DotNetInject 0x107e8:$compile: AssemblyTitle 0x3094b6:$compile: AssemblyTitle
0.2.WmtuqNHPM2.exe.442f6d8.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.WmtuqNHPM2.exe.3f40c3b.9.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b70:$x2: NanoCore.ClientPlugin 0x11912:$x2: NanoCore.ClientPlugin 0x36816:$x2: NanoCore.ClientPlugin 0x45c5a:$x2: NanoCore.ClientPlugin 0x5b99:$x3: NanoCore.ClientPluginHost 0x1193b:$x3: NanoCore.ClientPluginHost 0x3683f:$x3: NanoCore.ClientPluginHost 0x45c7f:$x3: NanoCore.ClientPluginHost 0x5b61:$i3: IClientNetwork 0x11903:$i3: IClientNetwork 0x36807:$i3: IClientNetwork 0x45c4b:$i3: IClientNetwork 0x45c70:$i4: IClientAppHost 0x45c99:$i5: IClientDataHost 0x5b86:$i6: IClientLoggingHost 0x11928:$i6: IClientLoggingHost 0x3682c:$i6: IClientLoggingHost 0x45ca9:$i6: IClientLoggingHost 0x5bb3:$i7: IClientNetworkHost 0x11955:$i7: IClientNetworkHost 0x36859:$i7: IClientNetworkHost
0.2.WmtuqNHPM2.exe.442f6d8.6.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
0.2.WmtuqNHPM2.exe.442f6d8.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.WmtuqNHPM2.exe.442f6d8.6.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
3.2.WmtuqNHPM2.exe.3f40c3b.9.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b99:$a1: NanoCore.ClientPluginHost 0x1193b:$a1: NanoCore.ClientPluginHost 0x3683f:$a1: NanoCore.ClientPluginHost 0x45c7f:$a1: NanoCore.ClientPluginHost 0x5b70:$a2: NanoCore.ClientPlugin 0x11912:$a2: NanoCore.ClientPlugin 0x36816:$a2: NanoCore.ClientPlugin 0x45c5a:$a2: NanoCore.ClientPlugin 0x45c70:$b4: IClientAppHost 0x13c84:$b7: LogClientException 0x3b86a:$b7: LogClientException 0x4a15f:$b7: LogClientException 0x5b86:$b9: IClientLoggingHost 0x11928:$b9: IClientLoggingHost 0x3682c:$b9: IClientLoggingHost 0x45ca9:$b9: IClientLoggingHost
0.2.WmtuqNHPM2.exe.426f0f0.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xbfb5d:$x1: NanoCore.ClientPluginHost 0xbfb9a:$x2: IClientNetworkHost 0xc36cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.WmtuqNHPM2.exe.426f0f0.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.WmtuqNHPM2.exe.426f0f0.5.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.WmtuqNHPM2.exe.426f0f0.5.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xbf8c5:$x1: NanoCore Client 0xbf8d5:$x1: NanoCore Client 0xbfb1d:$x2: NanoCore.ClientPlugin 0xbfb5d:$x3: NanoCore.ClientPluginHost 0xbfb12:$i1: IClientApp 0xbfb33:$i2: IClientData 0xbfb3f:$i3: IClientNetwork 0xbfb4e:$i4: IClientAppHost 0xbfb77:$i5: IClientDataHost 0xbfb87:$i6: IClientLoggingHost 0xbfb9a:$i7: IClientNetworkHost 0xbfbad:$i8: IClientUIHost 0xbfbbb:$i9: IClientNameObjectCollection 0xbfbd7:$i10: IClientReadOnlyNameObjectCollection 0xbf924:$s1: ClientPlugin 0xbfb26:$s1: ClientPlugin 0xc001a:$s2: EndPoint 0xc0023:$s3: IPAddress 0xc002d:$s4: IPEndPoint 0xc1a63:$s6: get_ClientSettings 0xc2007:$s7: get_Connected
0.2.WmtuqNHPM2.exe.426f0f0.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xbf8c5:$a: NanoCore 0xbf8d5:$a: NanoCore 0xbfb09:$a: NanoCore 0xbfb1d:$a: NanoCore 0xbfb5d:$a: NanoCore 0xbf924:$b: ClientPlugin 0xbfb26:$b: ClientPlugin 0xbfb66:$b: ClientPlugin 0xbfa4b:$c: ProjectData 0xc0452:$d: DESCrypto 0xc7e1e:$e: KeepAlive 0xc5e0c:$g: LogClientMessage 0xc2007:$i: get_Connected 0xc0788:$j: #=q 0xc07b8:$j: #=q 0xc07d4:$j: #=q 0xc0804:$j: #=q 0xc0820:$j: #=q 0xc083c:$j: #=q 0xc086c:$j: #=q 0xc0888:$j: #=q
0.2.WmtuqNHPM2.exe.426f0f0.5.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xbfb5d:$a1: NanoCore.ClientPluginHost 0xbfb1d:$a2: NanoCore.ClientPlugin 0xc1a76:$b1: get_BuilderSettings 0xbf979:$b2: ClientLoaderForm.resources 0xc1196:$b3: PluginCommand 0xbfb4e:$b4: IClientAppHost 0xc9fce:$b5: GetBlockHash 0xc20ce:$b6: AddHostEntry 0xc5dc1:$b7: LogClientException 0xc203b:$b8: PipeExists 0xbfb87:$b9: IClientLoggingHost
0.2.WmtuqNHPM2.exe.4824760.1.unpack	HKTL_NET_NAME_DotNetInject	Detects .NET red/black-team tools via name	Arnim Rupp	0x1a5593:$name: DotNetInject 0x19264e:$compile: AssemblyTitle
3.2.WmtuqNHPM2.exe.2c84fa4.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x16e3:$x1: NanoCore.ClientPluginHost 0xb543:$x1: NanoCore.ClientPluginHost 0x13479:$x1: NanoCore.ClientPluginHost 0x1945c:$x1: NanoCore.ClientPluginHost 0x22ed7:$x1: NanoCore.ClientPluginHost 0x2af92:$x1: NanoCore.ClientPluginHost 0x32d73:$x1: NanoCore.ClientPluginHost 0x3dd65:$x1: NanoCore.ClientPluginHost 0x49b1b:$x1: NanoCore.ClientPluginHost 0x55872:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost 0xb57c:$x2: IClientNetworkHost 0x134b2:$x2: IClientNetworkHost 0x23034:$x2: IClientNetworkHost 0x32dac:$x2: IClientNetworkHost 0x3dd7f:$x2: IClientNetworkHost 0x49b35:$x2: IClientNetworkHost 0x558af:$x2: IClientNetworkHost
3.2.WmtuqNHPM2.exe.2c84fa4.5.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0xb5bf:$x2: NanoCore.ClientPlugin 0x134f3:$x2: NanoCore.ClientPlugin 0x194a6:$x2: NanoCore.ClientPlugin 0x22fc1:$x2: NanoCore.ClientPlugin 0x2afdc:$x2: NanoCore.ClientPlugin 0x32e13:$x2: NanoCore.ClientPlugin 0x3dd3c:$x2: NanoCore.ClientPlugin 0x49af2:$x2: NanoCore.ClientPlugin 0x5584d:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0xb543:$x3: NanoCore.ClientPluginHost 0x13479:$x3: NanoCore.ClientPluginHost 0x1945c:$x3: NanoCore.ClientPluginHost 0x22ed7:$x3: NanoCore.ClientPluginHost 0x2af92:$x3: NanoCore.ClientPluginHost 0x32d73:$x3: NanoCore.ClientPluginHost 0x3dd65:$x3: NanoCore.ClientPluginHost 0x49b1b:$x3: NanoCore.ClientPluginHost 0x55872:$x3: NanoCore.ClientPluginHost 0x1775:$i3: IClientNetwork
3.2.WmtuqNHPM2.exe.2c84fa4.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0xb543:$a: NanoCore 0xb5bf:$a: NanoCore 0xdea2:$a: NanoCore 0x13479:$a: NanoCore 0x134f3:$a: NanoCore 0x1945c:$a: NanoCore 0x194a6:$a: NanoCore 0x1a100:$a: NanoCore 0x22ed7:$a: NanoCore 0x22fc1:$a: NanoCore 0x23e38:$a: NanoCore
3.2.WmtuqNHPM2.exe.2c84fa4.5.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x16e3:$a1: NanoCore.ClientPluginHost 0xb543:$a1: NanoCore.ClientPluginHost 0x13479:$a1: NanoCore.ClientPluginHost 0x1945c:$a1: NanoCore.ClientPluginHost 0x22ed7:$a1: NanoCore.ClientPluginHost 0x2af92:$a1: NanoCore.ClientPluginHost 0x32d73:$a1: NanoCore.ClientPluginHost 0x3dd65:$a1: NanoCore.ClientPluginHost 0x49b1b:$a1: NanoCore.ClientPluginHost 0x55872:$a1: NanoCore.ClientPluginHost 0x175f:$a2: NanoCore.ClientPlugin 0xb5bf:$a2: NanoCore.ClientPlugin 0x134f3:$a2: NanoCore.ClientPlugin 0x194a6:$a2: NanoCore.ClientPlugin 0x22fc1:$a2: NanoCore.ClientPlugin 0x2afdc:$a2: NanoCore.ClientPlugin 0x32e13:$a2: NanoCore.ClientPlugin 0x3dd3c:$a2: NanoCore.ClientPlugin 0x49af2:$a2: NanoCore.ClientPlugin 0x5584d:$a2: NanoCore.ClientPlugin 0x55863:$b4: IClientAppHost
0.2.WmtuqNHPM2.exe.5800000.9.raw.unpack	HKTL_NET_NAME_DotNetInject	Detects .NET red/black-team tools via name	Arnim Rupp	0x1a7393:$name: DotNetInject 0x19444e:$compile: AssemblyTitle
0.2.WmtuqNHPM2.exe.45a4740.4.raw.unpack	HKTL_NET_NAME_DotNetInject	Detects .NET red/black-team tools via name	Arnim Rupp	0x1a7393:$name: DotNetInject 0x19444e:$compile: AssemblyTitle
0.2.WmtuqNHPM2.exe.5800000.9.unpack	HKTL_NET_NAME_DotNetInject	Detects .NET red/black-team tools via name	Arnim Rupp	0x1a5593:$name: DotNetInject 0x19264e:$compile: AssemblyTitle
0.2.WmtuqNHPM2.exe.45a4740.4.unpack	HKTL_NET_NAME_DotNetInject	Detects .NET red/black-team tools via name	Arnim Rupp	0x1a5593:$name: DotNetInject 0x19264e:$compile: AssemblyTitle
0.2.WmtuqNHPM2.exe.4464720.2.raw.unpack	HKTL_NET_NAME_DotNetInject	Detects .NET red/black-team tools via name	Arnim Rupp	0x2e73b3:$name: DotNetInject 0x2d446e:$compile: AssemblyTitle
Click to see the 279 entries

Sigma Signatures

AV Detection

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\WmtuqNHPM2.exe, ProcessId: 1804, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\WmtuqNHPM2.exe, ProcessId: 1804, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\WmtuqNHPM2.exe, ProcessId: 1804, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\WmtuqNHPM2.exe, ProcessId: 1804, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Snort Signatures

ETPRO TROJAN Observed DNS Query to Abused DDNS (ddnsgeek .com) - Source IP: 192.168.2.4 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.48.8.8.858565532834936 02/05/23-22:13:01.009276
SID:	2834936
Source Port:	58565
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 185.81.157.236

Timestamp:	192.168.2.4185.81.157.2364969650802025019 02/05/23-22:12:42.607812
SID:	2025019
Source Port:	49696
Destination Port:	5080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 185.81.157.236

Timestamp:	192.168.2.4185.81.157.2364969850802816766 02/05/23-22:12:55.969019
SID:	2816766
Source Port:	49698
Destination Port:	5080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Observed DNS Query to Abused DDNS (ddnsgeek .com) - Source IP: 192.168.2.4 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.48.8.8.852239532834936 02/05/23-22:13:07.004800
SID:	2834936
Source Port:	52239
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Observed DNS Query to Abused DDNS (ddnsgeek .com) - Source IP: 192.168.2.4 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.48.8.8.859683532834936 02/05/23-22:12:48.706302
SID:	2834936
Source Port:	59683
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 185.81.157.236

Timestamp:	192.168.2.4185.81.157.2364970250802816766 02/05/23-22:13:21.381361
SID:	2816766
Source Port:	49702
Destination Port:	5080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Observed DNS Query to Abused DDNS (ddnsgeek .com) - Source IP: 192.168.2.4 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.48.8.8.855570532834936 02/05/23-22:13:46.917410
SID:	2834936
Source Port:	55570
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 185.81.157.236

Timestamp:	192.168.2.4185.81.157.2364970350802025019 02/05/23-22:13:26.785835
SID:	2025019
Source Port:	49703
Destination Port:	5080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 185.81.157.236

Timestamp:	192.168.2.4185.81.157.2364970750802025019 02/05/23-22:13:53.371030
SID:	2025019
Source Port:	49707
Destination Port:	5080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 185.81.157.236

Timestamp:	192.168.2.4185.81.157.2364970850802816766 02/05/23-22:14:01.617464
SID:	2816766
Source Port:	49708
Destination Port:	5080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 185.81.157.236

Timestamp:	192.168.2.4185.81.157.2364969550802816766 02/05/23-22:12:36.467761
SID:	2816766
Source Port:	49695
Destination Port:	5080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Observed DNS Query to Abused DDNS (ddnsgeek .com) - Source IP: 192.168.2.4 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.48.8.8.856807532834936 02/05/23-22:13:13.564883
SID:	2834936
Source Port:	56807
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Observed DNS Query to Abused DDNS (ddnsgeek .com) - Source IP: 192.168.2.4 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.48.8.8.859446532834936 02/05/23-22:14:00.808827
SID:	2834936
Source Port:	59446
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 185.81.157.236

Timestamp:	192.168.2.4185.81.157.2364970850802025019 02/05/23-22:14:01.155093
SID:	2025019
Source Port:	49708
Destination Port:	5080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Observed DNS Query to Abused DDNS (ddnsgeek .com) - Source IP: 192.168.2.4 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.48.8.8.860686532834936 02/05/23-22:13:26.675466
SID:	2834936
Source Port:	60686
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 185.81.157.236

Timestamp:	192.168.2.4185.81.157.2364970150802025019 02/05/23-22:13:13.802670
SID:	2025019
Source Port:	49701
Destination Port:	5080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 185.81.157.236

Timestamp:	192.168.2.4185.81.157.2364969550802025019 02/05/23-22:12:34.327373
SID:	2025019
Source Port:	49695
Destination Port:	5080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 185.81.157.236

Timestamp:	192.168.2.4185.81.157.2364969950802025019 02/05/23-22:13:01.066179
SID:	2025019
Source Port:	49699
Destination Port:	5080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keepalive Response 1 - Source IP: 185.81.157.236 - Destination IP: 192.168.2.4

Timestamp:	185.81.157.236192.168.2.45080496982810290 02/05/23-22:12:55.383837
SID:	2810290
Source Port:	5080
Destination Port:	49698
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Observed DNS Query to Abused DDNS (ddnsgeek .com) - Source IP: 192.168.2.4 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.48.8.8.861124532834936 02/05/23-22:13:33.702804
SID:	2834936
Source Port:	61124
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 185.81.157.236

Timestamp:	192.168.2.4185.81.157.2364970050802025019 02/05/23-22:13:07.182076
SID:	2025019
Source Port:	49700
Destination Port:	5080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 185.81.157.236

Timestamp:	192.168.2.4185.81.157.2364970350802816766 02/05/23-22:13:28.533812
SID:	2816766
Source Port:	49703
Destination Port:	5080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon - Source IP: 192.168.2.4 - Destination IP: 185.81.157.236

Timestamp:	192.168.2.4185.81.157.2364970150802816718 02/05/23-22:13:14.238501
SID:	2816718
Source Port:	49701
Destination Port:	5080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 185.81.157.236

Timestamp:	192.168.2.4185.81.157.2364970450802025019 02/05/23-22:13:33.759288
SID:	2025019
Source Port:	49704
Destination Port:	5080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 185.81.157.236

Timestamp:	192.168.2.4185.81.157.2364970750802816766 02/05/23-22:13:55.082898
SID:	2816766
Source Port:	49707
Destination Port:	5080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 185.81.157.236

Timestamp:	192.168.2.4185.81.157.2364970250802025019 02/05/23-22:13:20.465789
SID:	2025019
Source Port:	49702
Destination Port:	5080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 185.81.157.236

Timestamp:	192.168.2.4185.81.157.2364970050802816766 02/05/23-22:13:08.202184
SID:	2816766
Source Port:	49700
Destination Port:	5080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Observed DNS Query to Abused DDNS (ddnsgeek .com) - Source IP: 192.168.2.4 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.48.8.8.850911532834936 02/05/23-22:12:42.244175
SID:	2834936
Source Port:	50911
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 185.81.157.236

Timestamp:	192.168.2.4185.81.157.2364969850802025019 02/05/23-22:12:54.927420
SID:	2025019
Source Port:	49698
Destination Port:	5080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 185.81.157.236

Timestamp:	192.168.2.4185.81.157.2364969650802816766 02/05/23-22:12:43.716857
SID:	2816766
Source Port:	49696
Destination Port:	5080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Observed DNS Query to Abused DDNS (ddnsgeek .com) - Source IP: 192.168.2.4 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.48.8.8.856572532834936 02/05/23-22:12:33.158126
SID:	2834936
Source Port:	56572
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 185.81.157.236 - Destination IP: 192.168.2.4

Timestamp:	185.81.157.236192.168.2.45080496982841753 02/05/23-22:12:59.968145
SID:	2841753
Source Port:	5080
Destination Port:	49698
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 185.81.157.236

Timestamp:	192.168.2.4185.81.157.2364969950802816766 02/05/23-22:13:02.138518
SID:	2816766
Source Port:	49699
Destination Port:	5080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 185.81.157.236

Timestamp:	192.168.2.4185.81.157.2364970550802025019 02/05/23-22:13:40.652150
SID:	2025019
Source Port:	49705
Destination Port:	5080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 185.81.157.236

Timestamp:	192.168.2.4185.81.157.2364970450802816766 02/05/23-22:13:34.738607
SID:	2816766
Source Port:	49704
Destination Port:	5080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Observed DNS Query to Abused DDNS (ddnsgeek .com) - Source IP: 192.168.2.4 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.48.8.8.861007532834936 02/05/23-22:13:20.247193
SID:	2834936
Source Port:	61007
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 185.81.157.236

Timestamp:	192.168.2.4185.81.157.2364970650802816766 02/05/23-22:13:47.957729
SID:	2816766
Source Port:	49706
Destination Port:	5080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 185.81.157.236

Timestamp:	192.168.2.4185.81.157.2364970150802816766 02/05/23-22:13:15.190241
SID:	2816766
Source Port:	49701
Destination Port:	5080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 185.81.157.236

Timestamp:	192.168.2.4185.81.157.2364969750802816766 02/05/23-22:12:49.673877
SID:	2816766
Source Port:	49697
Destination Port:	5080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Observed DNS Query to Abused DDNS (ddnsgeek .com) - Source IP: 192.168.2.4 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.48.8.8.864906532834936 02/05/23-22:13:53.251157
SID:	2834936
Source Port:	64906
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 185.81.157.236

Timestamp:	192.168.2.4185.81.157.2364969750802025019 02/05/23-22:12:48.883083
SID:	2025019
Source Port:	49697
Destination Port:	5080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Observed DNS Query to Abused DDNS (ddnsgeek .com) - Source IP: 192.168.2.4 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.48.8.8.859444532834936 02/05/23-22:13:40.377957
SID:	2834936
Source Port:	59444
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 185.81.157.236

Timestamp:	192.168.2.4185.81.157.2364970550802816766 02/05/23-22:13:41.829847
SID:	2816766
Source Port:	49705
Destination Port:	5080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Observed DNS Query to Abused DDNS (ddnsgeek .com) - Source IP: 192.168.2.4 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.48.8.8.864167532834936 02/05/23-22:12:54.870549
SID:	2834936
Source Port:	64167
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 185.81.157.236

Timestamp:	192.168.2.4185.81.157.2364970650802025019 02/05/23-22:13:46.971431
SID:	2025019
Source Port:	49706
Destination Port:	5080
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: WmtuqNHPM2.exe	ReversingLabs: Detection: 36%
Source: WmtuqNHPM2.exe	Virustotal: Detection: 46%			Perma Link

Antivirus / Scanner detection for submitted sample

Source: WmtuqNHPM2.exe

Avira: detected

Antivirus detection for URL or domain

Source: rcontrol4sec.ddnsgeek.com

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Adobe\Flash Player.exe

Avira: detection malicious, Label: TR/Dropper.MSIL.Gen

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Adobe\Flash Player.exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Roaming\Adobe\Flash Player.exe	Virustotal: Detection: 46%			Perma Link

Yara detected Nanocore RAT

Source: Yara match	File source: 0.2.WmtuqNHPM2.exe.442f6d8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WmtuqNHPM2.exe.43b7698.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.WmtuqNHPM2.exe.3c4d051.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.WmtuqNHPM2.exe.53b0000.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.WmtuqNHPM2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WmtuqNHPM2.exe.43b7698.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.WmtuqNHPM2.exe.3c3458d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WmtuqNHPM2.exe.43df6b8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.WmtuqNHPM2.exe.53b0000.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.WmtuqNHPM2.exe.3c48a28.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WmtuqNHPM2.exe.43df6b8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.WmtuqNHPM2.exe.53b4629.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.WmtuqNHPM2.exe.3c48a28.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WmtuqNHPM2.exe.442f6d8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WmtuqNHPM2.exe.426f0f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.576971415.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.361584928.000000000420D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.573280284.0000000003C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.361584928.0000000004390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.563508459.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.361584928.000000000442F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.567097554.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: WmtuqNHPM2.exe PID: 4748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WmtuqNHPM2.exe PID: 1804, type: MEMORYSTR

Machine Learning detection for sample

Source: WmtuqNHPM2.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Adobe\Flash Player.exe

Joe Sandbox ML: detected

Source: 3.2.WmtuqNHPM2.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 0.0.WmtuqNHPM2.exe.d50000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen
Source: 3.2.WmtuqNHPM2.exe.53b0000.19.unpack	Avira: Label: TR/NanoCore.fadte

Source: 00000003.00000002.573280284.0000000003C31000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "19b525d2-02f6-47c5-b606-1d038212", "Group": "Set", "Domain1": "rcontrol4sec.ddnsgeek.com", "Domain2": "127.0.0.1", "Port": 5080, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Source: WmtuqNHPM2.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: WmtuqNHPM2.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: WmtuqNHPM2.exe, 00000003.00000002.573280284.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp, WmtuqNHPM2.exe, 00000003.00000002.567097554.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp, WmtuqNHPM2.exe, 00000003.00000002.579159635.0000000006D60000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: WmtuqNHPM2.exe, 00000003.00000002.567097554.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: WmtuqNHPM2.exe, 00000003.00000002.573280284.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp, WmtuqNHPM2.exe, 00000003.00000002.567097554.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp, WmtuqNHPM2.exe, 00000003.00000002.573280284.0000000003EBA000.00000004.00000800.00020000.00000000.sdmp, WmtuqNHPM2.exe, 00000003.00000002.579206321.0000000006D70000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: WmtuqNHPM2.exe, 00000003.00000002.579066865.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, WmtuqNHPM2.exe, 00000003.00000002.567097554.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: WmtuqNHPM2.exe, 00000003.00000002.567097554.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: WmtuqNHPM2.exe, 00000003.00000002.573280284.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp, WmtuqNHPM2.exe, 00000003.00000002.567097554.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp, WmtuqNHPM2.exe, 00000003.00000002.579100921.0000000006D50000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: WmtuqNHPM2.exe, 00000003.00000002.567097554.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\WmtuqNHPM2.exe

Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h

0_2_0189E5D8

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2834936 ETPRO TROJAN Observed DNS Query to Abused DDNS (ddnsgeek .com) 192.168.2.4:56572 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49695 -> 185.81.157.236:5080
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49695 -> 185.81.157.236:5080
Source: Traffic	Snort IDS: 2834936 ETPRO TROJAN Observed DNS Query to Abused DDNS (ddnsgeek .com) 192.168.2.4:50911 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49696 -> 185.81.157.236:5080
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49696 -> 185.81.157.236:5080
Source: Traffic	Snort IDS: 2834936 ETPRO TROJAN Observed DNS Query to Abused DDNS (ddnsgeek .com) 192.168.2.4:59683 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49697 -> 185.81.157.236:5080
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49697 -> 185.81.157.236:5080
Source: Traffic	Snort IDS: 2834936 ETPRO TROJAN Observed DNS Query to Abused DDNS (ddnsgeek .com) 192.168.2.4:64167 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49698 -> 185.81.157.236:5080
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49698 -> 185.81.157.236:5080
Source: Traffic	Snort IDS: 2810290 ETPRO TROJAN NanoCore RAT Keepalive Response 1 185.81.157.236:5080 -> 192.168.2.4:49698
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 185.81.157.236:5080 -> 192.168.2.4:49698
Source: Traffic	Snort IDS: 2834936 ETPRO TROJAN Observed DNS Query to Abused DDNS (ddnsgeek .com) 192.168.2.4:58565 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49699 -> 185.81.157.236:5080
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49699 -> 185.81.157.236:5080
Source: Traffic	Snort IDS: 2834936 ETPRO TROJAN Observed DNS Query to Abused DDNS (ddnsgeek .com) 192.168.2.4:52239 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49700 -> 185.81.157.236:5080
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49700 -> 185.81.157.236:5080
Source: Traffic	Snort IDS: 2834936 ETPRO TROJAN Observed DNS Query to Abused DDNS (ddnsgeek .com) 192.168.2.4:56807 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49701 -> 185.81.157.236:5080
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49701 -> 185.81.157.236:5080
Source: Traffic	Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.4:49701 -> 185.81.157.236:5080
Source: Traffic	Snort IDS: 2834936 ETPRO TROJAN Observed DNS Query to Abused DDNS (ddnsgeek .com) 192.168.2.4:61007 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49702 -> 185.81.157.236:5080
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49702 -> 185.81.157.236:5080
Source: Traffic	Snort IDS: 2834936 ETPRO TROJAN Observed DNS Query to Abused DDNS (ddnsgeek .com) 192.168.2.4:60686 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49703 -> 185.81.157.236:5080
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49703 -> 185.81.157.236:5080
Source: Traffic	Snort IDS: 2834936 ETPRO TROJAN Observed DNS Query to Abused DDNS (ddnsgeek .com) 192.168.2.4:61124 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49704 -> 185.81.157.236:5080
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49704 -> 185.81.157.236:5080
Source: Traffic	Snort IDS: 2834936 ETPRO TROJAN Observed DNS Query to Abused DDNS (ddnsgeek .com) 192.168.2.4:59444 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49705 -> 185.81.157.236:5080
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49705 -> 185.81.157.236:5080
Source: Traffic	Snort IDS: 2834936 ETPRO TROJAN Observed DNS Query to Abused DDNS (ddnsgeek .com) 192.168.2.4:55570 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49706 -> 185.81.157.236:5080
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49706 -> 185.81.157.236:5080
Source: Traffic	Snort IDS: 2834936 ETPRO TROJAN Observed DNS Query to Abused DDNS (ddnsgeek .com) 192.168.2.4:64906 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49707 -> 185.81.157.236:5080
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49707 -> 185.81.157.236:5080
Source: Traffic	Snort IDS: 2834936 ETPRO TROJAN Observed DNS Query to Abused DDNS (ddnsgeek .com) 192.168.2.4:59446 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49708 -> 185.81.157.236:5080
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49708 -> 185.81.157.236:5080

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: rcontrol4sec.ddnsgeek.com
Source: Malware configuration extractor	URLs: 127.0.0.1

Source: Joe Sandbox View

ASN Name: INU-ASFR INU-ASFR

Source: global traffic

TCP traffic: 192.168.2.4:49695 -> 185.81.157.236:5080

Source: WmtuqNHPM2.exe, 00000003.00000002.573280284.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp, WmtuqNHPM2.exe, 00000003.00000002.567097554.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp, WmtuqNHPM2.exe, 00000003.00000002.579100921.0000000006D50000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://google.com
Source: WmtuqNHPM2.exe, 00000000.00000002.360372340.0000000003223000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: WmtuqNHPM2.exe, 00000003.00000002.567097554.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WmtuqNHPM2.exe, 00000000.00000002.360372340.0000000003223000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: WmtuqNHPM2.exe, 00000000.00000002.373707879.0000000005800000.00000004.08000000.00040000.00000000.sdmp, WmtuqNHPM2.exe, 00000000.00000002.361584928.000000000442F000.00000004.00000800.00020000.00000000.sdmp, WmtuqNHPM2.exe, 00000000.00000002.361584928.0000000004824000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: WmtuqNHPM2.exe, 00000000.00000002.373707879.0000000005800000.00000004.08000000.00040000.00000000.sdmp, WmtuqNHPM2.exe, 00000000.00000002.361584928.000000000442F000.00000004.00000800.00020000.00000000.sdmp, WmtuqNHPM2.exe, 00000000.00000002.361584928.0000000004824000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: unknown

DNS traffic detected: queries for: rcontrol4sec.ddnsgeek.com

Source: WmtuqNHPM2.exe, 00000003.00000002.573280284.0000000003C31000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: 0.2.WmtuqNHPM2.exe.442f6d8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WmtuqNHPM2.exe.43b7698.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.WmtuqNHPM2.exe.3c4d051.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.WmtuqNHPM2.exe.53b0000.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.WmtuqNHPM2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WmtuqNHPM2.exe.43b7698.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.WmtuqNHPM2.exe.3c3458d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WmtuqNHPM2.exe.43df6b8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.WmtuqNHPM2.exe.53b0000.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.WmtuqNHPM2.exe.3c48a28.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WmtuqNHPM2.exe.43df6b8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.WmtuqNHPM2.exe.53b4629.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.WmtuqNHPM2.exe.3c48a28.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WmtuqNHPM2.exe.442f6d8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WmtuqNHPM2.exe.426f0f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.576971415.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.361584928.000000000420D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.573280284.0000000003C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.361584928.0000000004390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.563508459.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.361584928.000000000442F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.567097554.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: WmtuqNHPM2.exe PID: 4748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WmtuqNHPM2.exe PID: 1804, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.WmtuqNHPM2.exe.6d80000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.6d80000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.6d80000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.5640000.24.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.5640000.24.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.5640000.24.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.6d50000.26.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.6d50000.26.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.6d50000.26.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.6d70000.28.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.6d70000.28.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.6d70000.28.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.6d70000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.6d70000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.6d70000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.WmtuqNHPM2.exe.442f6d8.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.WmtuqNHPM2.exe.442f6d8.6.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.WmtuqNHPM2.exe.442f6d8.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.WmtuqNHPM2.exe.442f6d8.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.5630000.23.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.5630000.23.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.5630000.23.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.WmtuqNHPM2.exe.43b7698.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.WmtuqNHPM2.exe.43b7698.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.WmtuqNHPM2.exe.43b7698.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.WmtuqNHPM2.exe.43b7698.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.6dce8a4.31.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.6dce8a4.31.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.6dce8a4.31.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.6da0000.30.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.6da0000.30.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.6da0000.30.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.6dc4c9f.32.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.6dc4c9f.32.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.6dc4c9f.32.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.3f37e0c.14.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.3f37e0c.14.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.3f37e0c.14.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.3c4d051.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.3c4d051.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.3c4d051.13.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.6d40000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.6d40000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.6d40000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.6dc0000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.6dc0000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.6dc0000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.3be9930.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.3be9930.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.3be9930.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.3f40c3b.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.3f40c3b.9.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.3f40c3b.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.6d50000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.6d50000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.6d50000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.3bf81d4.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.3bf81d4.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.3bf81d4.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.53b0000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.53b0000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.53b0000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.2c70968.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.2c70968.2.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.2c70968.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.6d60000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.6d60000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.6d60000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.WmtuqNHPM2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.WmtuqNHPM2.exe.3325394.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.WmtuqNHPM2.exe.3325394.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.WmtuqNHPM2.exe.3325394.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.WmtuqNHPM2.exe.3325394.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.WmtuqNHPM2.exe.43b7698.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.WmtuqNHPM2.exe.43b7698.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.WmtuqNHPM2.exe.43b7698.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.WmtuqNHPM2.exe.43b7698.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.3c3458d.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.3c3458d.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.3c3458d.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.5370000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.5370000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.5370000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.51e0000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.51e0000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.51e0000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.3f37e0c.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.3f37e0c.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.3f37e0c.14.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.WmtuqNHPM2.exe.3f37e0c.14.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.2c22500.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.2c22500.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.2c22500.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.WmtuqNHPM2.exe.43df6b8.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.WmtuqNHPM2.exe.43df6b8.7.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.WmtuqNHPM2.exe.43df6b8.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.WmtuqNHPM2.exe.43df6b8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.6df0000.34.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.6df0000.34.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.6df0000.34.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.6dc0000.33.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.6dc0000.33.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.6dc0000.33.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.3ec24cc.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.3ec24cc.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.3ec24cc.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.WmtuqNHPM2.exe.3325394.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.WmtuqNHPM2.exe.3325394.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.WmtuqNHPM2.exe.3325394.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.WmtuqNHPM2.exe.3325394.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.2c8a9dc.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.2c8a9dc.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.2c8a9dc.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.5640000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.5640000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.5640000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.3f323e1.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.3f323e1.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.3f323e1.11.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.WmtuqNHPM2.exe.3f323e1.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.53b0000.19.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.2c22500.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.53b0000.19.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.53b0000.19.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.6d80000.29.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.2c22500.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.2c22500.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.6d80000.29.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.6d80000.29.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.3c48a28.15.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.3c48a28.15.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.3c48a28.15.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.3ec24cc.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.3ec24cc.6.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.3ec24cc.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.5380000.18.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.5380000.18.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.5380000.18.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.WmtuqNHPM2.exe.43df6b8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.WmtuqNHPM2.exe.43df6b8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.WmtuqNHPM2.exe.43df6b8.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.WmtuqNHPM2.exe.43df6b8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.53b4629.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.53b4629.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.53b4629.20.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.6da0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.6da0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.6da0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.3bee5cf.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.3bee5cf.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.3bee5cf.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.5620000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.5620000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.5620000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.3c48a28.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.3c48a28.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.3c48a28.15.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.2c70968.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.2c70968.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.2c70968.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.WmtuqNHPM2.exe.2c70968.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.5380000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.5380000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.5380000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.6df0000.34.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.6df0000.34.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.6df0000.34.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.5630000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.5630000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.5630000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.2c8a9dc.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.2c8a9dc.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.2c8a9dc.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.WmtuqNHPM2.exe.2c8a9dc.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.3be9930.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.3be9930.10.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.3be9930.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.5370000.17.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.5370000.17.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.5370000.17.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.2c12ee8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.2c12ee8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.2c12ee8.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.WmtuqNHPM2.exe.2c12ee8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.3f40c3b.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.WmtuqNHPM2.exe.442f6d8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.3f40c3b.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.WmtuqNHPM2.exe.442f6d8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.WmtuqNHPM2.exe.442f6d8.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.WmtuqNHPM2.exe.442f6d8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.3f40c3b.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.WmtuqNHPM2.exe.426f0f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.WmtuqNHPM2.exe.426f0f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.WmtuqNHPM2.exe.426f0f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.WmtuqNHPM2.exe.426f0f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.WmtuqNHPM2.exe.2c84fa4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.WmtuqNHPM2.exe.2c84fa4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.WmtuqNHPM2.exe.2c84fa4.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.WmtuqNHPM2.exe.2c84fa4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.573280284.0000000003BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.576770822.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000003.00000002.576770822.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.576770822.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.576971415.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000003.00000002.576971415.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.576971415.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.579066865.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000003.00000002.579066865.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.579066865.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.579753153.0000000006DF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000003.00000002.579753153.0000000006DF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.579753153.0000000006DF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.573280284.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.573280284.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.577664511.0000000005640000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000003.00000002.577664511.0000000005640000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.577664511.0000000005640000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.361584928.000000000420D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000002.361584928.000000000420D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.361584928.000000000420D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.579159635.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000003.00000002.579159635.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.579159635.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.579551612.0000000006DC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000003.00000002.579551612.0000000006DC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.579551612.0000000006DC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.573280284.0000000003EBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.573280284.0000000003EBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.360372340.0000000003223000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000002.360372340.0000000003223000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.360372340.0000000003223000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.577604617.0000000005630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000003.00000002.577604617.0000000005630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.577604617.0000000005630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.567097554.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.567097554.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.579206321.0000000006D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000003.00000002.579206321.0000000006D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.579206321.0000000006D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.573280284.0000000003C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.576714825.0000000005370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000003.00000002.576714825.0000000005370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.576714825.0000000005370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.579100921.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000003.00000002.579100921.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.579100921.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.576657661.00000000051E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000003.00000002.576657661.00000000051E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.576657661.00000000051E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.579257158.0000000006D80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000003.00000002.579257158.0000000006D80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.579257158.0000000006D80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.577562971.0000000005620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000003.00000002.577562971.0000000005620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.577562971.0000000005620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.361584928.0000000004390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000002.361584928.0000000004390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.361584928.0000000004390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.563508459.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000003.00000002.563508459.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.563508459.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.579396651.0000000006DA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000003.00000002.579396651.0000000006DA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.579396651.0000000006DA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.361584928.000000000442F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000002.361584928.000000000442F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.361584928.000000000442F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.567097554.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.567097554.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: WmtuqNHPM2.exe PID: 4748, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: WmtuqNHPM2.exe PID: 4748, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: WmtuqNHPM2.exe PID: 4748, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: WmtuqNHPM2.exe PID: 1804, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: WmtuqNHPM2.exe PID: 1804, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: WmtuqNHPM2.exe PID: 1804, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown

.NET source code contains very large array initializations

Source: WmtuqNHPM2.exe, WindowsFormsApp95/Fox.cs

Large array initialization: ToBuffers: array initializer size 1339758

Source: WmtuqNHPM2.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.2.WmtuqNHPM2.exe.6d80000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.6d80000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.6d80000.29.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.6d80000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.5640000.24.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.5640000.24.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.5640000.24.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.5640000.24.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.6d50000.26.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.6d50000.26.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.6d50000.26.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.6d50000.26.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.6d70000.28.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.6d70000.28.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.6d70000.28.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.6d70000.28.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.6d70000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.6d70000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.6d70000.28.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.6d70000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.WmtuqNHPM2.exe.442f6d8.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.WmtuqNHPM2.exe.442f6d8.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.WmtuqNHPM2.exe.442f6d8.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.WmtuqNHPM2.exe.442f6d8.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.WmtuqNHPM2.exe.442f6d8.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.5630000.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.5630000.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.5630000.23.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.5630000.23.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.WmtuqNHPM2.exe.43b7698.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.WmtuqNHPM2.exe.43b7698.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.WmtuqNHPM2.exe.43b7698.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.WmtuqNHPM2.exe.43b7698.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.WmtuqNHPM2.exe.43b7698.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.6dce8a4.31.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.6dce8a4.31.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.6dce8a4.31.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.6dce8a4.31.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.6da0000.30.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.6da0000.30.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.6da0000.30.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.6da0000.30.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.6dc4c9f.32.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.6dc4c9f.32.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.6dc4c9f.32.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.6dc4c9f.32.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.3f37e0c.14.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.3f37e0c.14.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.3f37e0c.14.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.3f37e0c.14.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.3c4d051.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.3c4d051.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.3c4d051.13.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.3c4d051.13.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.6d40000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.6d40000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.6d40000.25.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.6d40000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.6dc0000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.6dc0000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.6dc0000.33.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.6dc0000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.3be9930.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.3be9930.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.3be9930.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.3be9930.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.3f40c3b.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.3f40c3b.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.3f40c3b.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.3f40c3b.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.6d50000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.6d50000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.6d50000.26.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.6d50000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.3bf81d4.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.3bf81d4.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.3bf81d4.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.3bf81d4.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.53b0000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.53b0000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.53b0000.19.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.53b0000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.2c70968.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.2c70968.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.2c70968.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.2c70968.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.6d60000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.6d60000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.6d60000.27.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.6d60000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.WmtuqNHPM2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.WmtuqNHPM2.exe.3325394.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.WmtuqNHPM2.exe.3325394.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.WmtuqNHPM2.exe.3325394.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.WmtuqNHPM2.exe.3325394.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.WmtuqNHPM2.exe.3325394.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.WmtuqNHPM2.exe.43b7698.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.WmtuqNHPM2.exe.43b7698.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.WmtuqNHPM2.exe.43b7698.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.WmtuqNHPM2.exe.43b7698.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.WmtuqNHPM2.exe.43b7698.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.3c3458d.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.3c3458d.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.3c3458d.12.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.3c3458d.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.5370000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.5370000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.5370000.17.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.5370000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.51e0000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.51e0000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.51e0000.16.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.51e0000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.3f37e0c.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.3f37e0c.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.3f37e0c.14.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.3f37e0c.14.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.WmtuqNHPM2.exe.3f37e0c.14.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.2c22500.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.2c22500.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.2c22500.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.2c22500.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.WmtuqNHPM2.exe.43df6b8.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.WmtuqNHPM2.exe.43df6b8.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.WmtuqNHPM2.exe.43df6b8.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.WmtuqNHPM2.exe.43df6b8.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.WmtuqNHPM2.exe.43df6b8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.6df0000.34.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.6df0000.34.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.6df0000.34.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.6df0000.34.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.6dc0000.33.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.6dc0000.33.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.6dc0000.33.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.6dc0000.33.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.3ec24cc.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.3ec24cc.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.3ec24cc.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.3ec24cc.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.WmtuqNHPM2.exe.3325394.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.WmtuqNHPM2.exe.3325394.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.WmtuqNHPM2.exe.3325394.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.WmtuqNHPM2.exe.3325394.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.WmtuqNHPM2.exe.3325394.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.2c8a9dc.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.2c8a9dc.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.2c8a9dc.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.2c8a9dc.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.5640000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.5640000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.5640000.24.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.5640000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.3f323e1.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.3f323e1.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.3f323e1.11.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.3f323e1.11.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.WmtuqNHPM2.exe.3f323e1.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.53b0000.19.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.53b0000.19.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.2c22500.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.2c22500.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.53b0000.19.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.53b0000.19.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.6d80000.29.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.6d80000.29.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.2c22500.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.2c22500.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.6d80000.29.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.6d80000.29.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.3c48a28.15.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.3c48a28.15.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.3c48a28.15.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.3c48a28.15.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.3ec24cc.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.3ec24cc.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.3ec24cc.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.3ec24cc.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.5380000.18.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.5380000.18.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.5380000.18.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.5380000.18.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.WmtuqNHPM2.exe.43df6b8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.WmtuqNHPM2.exe.43df6b8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.WmtuqNHPM2.exe.43df6b8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.WmtuqNHPM2.exe.43df6b8.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.WmtuqNHPM2.exe.43df6b8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.53b4629.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.53b4629.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.53b4629.20.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.53b4629.20.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.6da0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.6da0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.6da0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.6da0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.3bee5cf.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.3bee5cf.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.3bee5cf.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.3bee5cf.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.WmtuqNHPM2.exe.4824760.1.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_NAME_DotNetInject date = 2021-01-22, author = Arnim Rupp, description = Detects .NET red/black-team tools via name, reference = https://github.com/dtrizna/DotNetInject, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-06-28
Source: 3.2.WmtuqNHPM2.exe.5620000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.5620000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.5620000.22.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.5620000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.3c48a28.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.3c48a28.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.3c48a28.15.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.3c48a28.15.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.2c70968.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.2c70968.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.2c70968.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.WmtuqNHPM2.exe.2c70968.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.5380000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.5380000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.5380000.18.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.5380000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.6df0000.34.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.6df0000.34.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.6df0000.34.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.6df0000.34.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.5630000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.5630000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.5630000.23.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.5630000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.2c8a9dc.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.2c8a9dc.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.2c8a9dc.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.WmtuqNHPM2.exe.2c8a9dc.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.3be9930.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.3be9930.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.3be9930.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.3be9930.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.5370000.17.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.5370000.17.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.5370000.17.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.5370000.17.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.2c12ee8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.2c12ee8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.2c12ee8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.2c12ee8.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.WmtuqNHPM2.exe.2c12ee8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.3f40c3b.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.3f40c3b.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.WmtuqNHPM2.exe.442f6d8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.WmtuqNHPM2.exe.442f6d8.6.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_NAME_DotNetInject date = 2021-01-22, author = Arnim Rupp, description = Detects .NET red/black-team tools via name, reference = https://github.com/dtrizna/DotNetInject, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-06-28
Source: 3.2.WmtuqNHPM2.exe.3f40c3b.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.WmtuqNHPM2.exe.442f6d8.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.WmtuqNHPM2.exe.442f6d8.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.WmtuqNHPM2.exe.442f6d8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.WmtuqNHPM2.exe.3f40c3b.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.WmtuqNHPM2.exe.426f0f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.WmtuqNHPM2.exe.426f0f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.WmtuqNHPM2.exe.426f0f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.WmtuqNHPM2.exe.426f0f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.WmtuqNHPM2.exe.4824760.1.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_NAME_DotNetInject date = 2021-01-22, author = Arnim Rupp, description = Detects .NET red/black-team tools via name, reference = https://github.com/dtrizna/DotNetInject, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-06-28
Source: 3.2.WmtuqNHPM2.exe.2c84fa4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.WmtuqNHPM2.exe.2c84fa4.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.WmtuqNHPM2.exe.2c84fa4.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.WmtuqNHPM2.exe.2c84fa4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.WmtuqNHPM2.exe.5800000.9.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_NAME_DotNetInject date = 2021-01-22, author = Arnim Rupp, description = Detects .NET red/black-team tools via name, reference = https://github.com/dtrizna/DotNetInject, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-06-28
Source: 0.2.WmtuqNHPM2.exe.45a4740.4.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_NAME_DotNetInject date = 2021-01-22, author = Arnim Rupp, description = Detects .NET red/black-team tools via name, reference = https://github.com/dtrizna/DotNetInject, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-06-28
Source: 0.2.WmtuqNHPM2.exe.5800000.9.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_NAME_DotNetInject date = 2021-01-22, author = Arnim Rupp, description = Detects .NET red/black-team tools via name, reference = https://github.com/dtrizna/DotNetInject, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-06-28
Source: 0.2.WmtuqNHPM2.exe.45a4740.4.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_NAME_DotNetInject date = 2021-01-22, author = Arnim Rupp, description = Detects .NET red/black-team tools via name, reference = https://github.com/dtrizna/DotNetInject, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-06-28
Source: 0.2.WmtuqNHPM2.exe.4464720.2.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_NAME_DotNetInject date = 2021-01-22, author = Arnim Rupp, description = Detects .NET red/black-team tools via name, reference = https://github.com/dtrizna/DotNetInject, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-06-28
Source: 00000003.00000002.573280284.0000000003BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.576770822.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.576770822.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.576770822.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.576770822.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.576971415.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.576971415.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.576971415.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.576971415.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.579066865.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.579066865.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.579066865.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.579066865.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.579753153.0000000006DF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.579753153.0000000006DF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.579753153.0000000006DF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.579753153.0000000006DF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.573280284.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.573280284.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.577664511.0000000005640000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.577664511.0000000005640000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.577664511.0000000005640000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.577664511.0000000005640000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.361584928.000000000420D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.361584928.000000000420D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.361584928.000000000420D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.579159635.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.579159635.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.579159635.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.579159635.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.579551612.0000000006DC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.579551612.0000000006DC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.579551612.0000000006DC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.579551612.0000000006DC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.573280284.0000000003EBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.573280284.0000000003EBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.373707879.0000000005800000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: HKTL_NET_NAME_DotNetInject date = 2021-01-22, author = Arnim Rupp, description = Detects .NET red/black-team tools via name, reference = https://github.com/dtrizna/DotNetInject, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-06-28
Source: 00000000.00000002.360372340.0000000003223000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.360372340.0000000003223000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.360372340.0000000003223000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.577604617.0000000005630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.577604617.0000000005630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.577604617.0000000005630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.577604617.0000000005630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.567097554.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.567097554.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.579206321.0000000006D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.579206321.0000000006D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.579206321.0000000006D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.579206321.0000000006D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.573280284.0000000003C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.576714825.0000000005370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.576714825.0000000005370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.576714825.0000000005370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.576714825.0000000005370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.579100921.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.579100921.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.579100921.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.579100921.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.576657661.00000000051E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.576657661.00000000051E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.576657661.00000000051E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.576657661.00000000051E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.579257158.0000000006D80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.579257158.0000000006D80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.579257158.0000000006D80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.579257158.0000000006D80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.577562971.0000000005620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.577562971.0000000005620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.577562971.0000000005620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.577562971.0000000005620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.361584928.0000000004390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.361584928.0000000004390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.361584928.0000000004390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.563508459.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.563508459.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.563508459.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.579396651.0000000006DA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.579396651.0000000006DA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.579396651.0000000006DA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.579396651.0000000006DA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.361584928.000000000442F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.361584928.000000000442F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.361584928.000000000442F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.567097554.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.567097554.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: WmtuqNHPM2.exe PID: 4748, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: WmtuqNHPM2.exe PID: 4748, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: WmtuqNHPM2.exe PID: 4748, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: WmtuqNHPM2.exe PID: 1804, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: WmtuqNHPM2.exe PID: 1804, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: WmtuqNHPM2.exe PID: 1804, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Code function: 0_2_01891118	0_2_01891118
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Code function: 0_2_018913C1	0_2_018913C1
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Code function: 0_2_018913D0	0_2_018913D0
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Code function: 0_2_0575236C	0_2_0575236C
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Code function: 0_2_057CE6D3	0_2_057CE6D3
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Code function: 0_2_057C1278	0_2_057C1278
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Code function: 0_2_057C9200	0_2_057C9200
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Code function: 0_2_057C2BE8	0_2_057C2BE8
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Code function: 0_2_057CC589	0_2_057CC589
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Code function: 0_2_057CE749	0_2_057CE749
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Code function: 0_2_057C91F1	0_2_057C91F1
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Code function: 0_2_057C935D	0_2_057C935D
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Code function: 0_2_05A94780	0_2_05A94780
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Code function: 0_2_05A9A840	0_2_05A9A840
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Code function: 0_2_05A9A4CD	0_2_05A9A4CD
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Code function: 0_2_05A94757	0_2_05A94757
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Code function: 0_2_05A94DB5	0_2_05A94DB5
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Code function: 0_2_05A9A830	0_2_05A9A830
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Code function: 3_2_06E03970	3_2_06E03970
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Code function: 3_2_06DF46D3	3_2_06DF46D3
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Code function: 3_2_06DF42EB	3_2_06DF42EB
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Code function: 3_2_06DF3324	3_2_06DF3324
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Code function: 3_2_02B6E480	3_2_02B6E480
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Code function: 3_2_02B6E471	3_2_02B6E471
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Code function: 3_2_02B6BBD4	3_2_02B6BBD4
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Code function: 3_2_0512F5F8	3_2_0512F5F8
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Code function: 3_2_05129788	3_2_05129788
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Code function: 3_2_0512A5D0	3_2_0512A5D0
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Code function: 3_2_0512A5E3	3_2_0512A5E3

Source: WmtuqNHPM2.exe, 00000000.00000000.295986420.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDS Signee.exe" vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000000.00000002.373707879.0000000005800000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDrwkpobwonymr.dll" vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000000.00000002.361584928.000000000442F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDrwkpobwonymr.dll" vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000000.00000002.377491458.000000000666C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDS Signee.exe" vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000000.00000002.361584928.0000000004824000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDrwkpobwonymr.dll" vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000000.00000002.360372340.0000000003201000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000003.00000002.573280284.0000000003BE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000003.00000002.573280284.0000000003BE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000003.00000002.573280284.0000000003BE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000003.00000002.573280284.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000003.00000002.573280284.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000003.00000002.573280284.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000003.00000002.573280284.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000003.00000002.573280284.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000003.00000002.573280284.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000003.00000002.573280284.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000003.00000002.573280284.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000003.00000002.573280284.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000003.00000002.579551612.0000000006DE8000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000003.00000002.579066865.0000000006D40000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000003.00000002.567097554.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000003.00000002.567097554.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000003.00000002.567097554.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000003.00000002.567097554.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000003.00000002.567097554.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000003.00000002.567097554.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000003.00000002.567097554.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000003.00000002.567097554.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000003.00000002.567097554.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000003.00000002.567097554.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000003.00000002.567097554.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000003.00000002.579159635.0000000006D60000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000003.00000002.579551612.0000000006DC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000003.00000002.579551612.0000000006DC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000003.00000002.573280284.0000000003EBA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000003.00000002.573280284.0000000003EBA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000003.00000002.579396651.0000000006DA8000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000003.00000002.573280284.0000000003C31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000003.00000002.573280284.0000000003C31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000003.00000002.579206321.0000000006D70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000003.00000003.372540102.0000000000DD5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000003.00000002.579753153.0000000006DFE000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000003.00000002.579100921.0000000006D50000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000003.00000002.579257158.0000000006D80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000003.00000002.567097554.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe, 00000003.00000002.567097554.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs WmtuqNHPM2.exe
Source: WmtuqNHPM2.exe	Binary or memory string: OriginalFilenameDS Signee.exe" vs WmtuqNHPM2.exe

Source: WmtuqNHPM2.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Flash Player.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: WmtuqNHPM2.exe	ReversingLabs: Detection: 36%
Source: WmtuqNHPM2.exe	Virustotal: Detection: 46%

Source: C:\Users\user\Desktop\WmtuqNHPM2.exe

File read: C:\Users\user\Desktop\WmtuqNHPM2.exe

Jump to behavior

Source: WmtuqNHPM2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\WmtuqNHPM2.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\WmtuqNHPM2.exe C:\Users\user\Desktop\WmtuqNHPM2.exe
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process created: C:\Users\user\Desktop\WmtuqNHPM2.exe C:\Users\user\Desktop\WmtuqNHPM2.exe
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process created: C:\Users\user\Desktop\WmtuqNHPM2.exe C:\Users\user\Desktop\WmtuqNHPM2.exe	Jump to behavior

Source: C:\Users\user\Desktop\WmtuqNHPM2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\WmtuqNHPM2.exe

File created: C:\Users\user\AppData\Roaming\Adobe\Flash Player.exe

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mwewao31.inp.ps1

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/11@14/1

Source: C:\Users\user\Desktop\WmtuqNHPM2.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: WmtuqNHPM2.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{19b525d2-02f6-47c5-b606-1d038212d191}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1312:120:WilError_01

Source: 3.2.WmtuqNHPM2.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.2.WmtuqNHPM2.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.WmtuqNHPM2.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: WmtuqNHPM2.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: WmtuqNHPM2.exe

Static file information: File size 1346560 > 1048576

Source: WmtuqNHPM2.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: WmtuqNHPM2.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x148200

Source: WmtuqNHPM2.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: WmtuqNHPM2.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: WmtuqNHPM2.exe, 00000003.00000002.573280284.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp, WmtuqNHPM2.exe, 00000003.00000002.567097554.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp, WmtuqNHPM2.exe, 00000003.00000002.579159635.0000000006D60000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: WmtuqNHPM2.exe, 00000003.00000002.567097554.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: WmtuqNHPM2.exe, 00000003.00000002.573280284.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp, WmtuqNHPM2.exe, 00000003.00000002.567097554.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp, WmtuqNHPM2.exe, 00000003.00000002.573280284.0000000003EBA000.00000004.00000800.00020000.00000000.sdmp, WmtuqNHPM2.exe, 00000003.00000002.579206321.0000000006D70000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: WmtuqNHPM2.exe, 00000003.00000002.579066865.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, WmtuqNHPM2.exe, 00000003.00000002.567097554.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: WmtuqNHPM2.exe, 00000003.00000002.567097554.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: WmtuqNHPM2.exe, 00000003.00000002.573280284.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp, WmtuqNHPM2.exe, 00000003.00000002.567097554.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp, WmtuqNHPM2.exe, 00000003.00000002.579100921.0000000006D50000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: WmtuqNHPM2.exe, 00000003.00000002.567097554.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.WmtuqNHPM2.exe.5690000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WmtuqNHPM2.exe.426f0f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.361584928.000000000420D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.373170392.0000000005690000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.360372340.0000000003223000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: WmtuqNHPM2.exe PID: 4748, type: MEMORYSTR

.NET source code contains potential unpacker

Source: 3.2.WmtuqNHPM2.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.WmtuqNHPM2.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Code function: 0_2_01895261 push cs; ret	0_2_01895262
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Code function: 0_2_057C4B3E push eax; iretd	0_2_057C4B3F
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Code function: 0_2_05A9AFC8 pushad ; ret	0_2_05A9AFC9
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Code function: 0_2_05A9AFCB push esp; ret	0_2_05A9AFD1
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Code function: 3_2_05120331 push ecx; retf	3_2_05120333
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Code function: 3_2_051269F8 pushad ; retf	3_2_051269F9

Source: WmtuqNHPM2.exe

Static PE information: 0xB1B15392 [Fri Jun 20 11:54:58 2064 UTC]

Source: initial sample	Static PE information: section name: .text entropy: 7.998830102245729
Source: initial sample	Static PE information: section name: .text entropy: 7.998830102245729

Source: 3.2.WmtuqNHPM2.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 3.2.WmtuqNHPM2.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\WmtuqNHPM2.exe

File written: C:\Users\user\AppData\Roaming\Adobe\Flash Player.exe

Jump to behavior

Source: C:\Users\user\Desktop\WmtuqNHPM2.exe

File created: C:\Users\user\AppData\Roaming\Adobe\Flash Player.exe

Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\WmtuqNHPM2.exe

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon Shell

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\WmtuqNHPM2.exe

File opened: C:\Users\user\Desktop\WmtuqNHPM2.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: WmtuqNHPM2.exe, 00000000.00000002.360372340.0000000003223000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\WmtuqNHPM2.exe TID: 2788	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2040	Thread sleep time: -15679732462653109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe TID: 4768	Thread sleep time: -12912720851596678s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9405	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Window / User API: threadDelayed 9526	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Window / User API: foregroundWindowGot 657	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Window / User API: foregroundWindowGot 745	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: WmtuqNHPM2.exe, 00000000.00000002.360372340.0000000003223000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: WmtuqNHPM2.exe, 00000000.00000002.360372340.0000000003223000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual?hal9th@johndoe

Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\WmtuqNHPM2.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Encrypted powershell cmdline option found

Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process created: Base64 decoded start-sleep -seconds 20
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process created: Base64 decoded start-sleep -seconds 20			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\WmtuqNHPM2.exe

Memory written: C:\Users\user\Desktop\WmtuqNHPM2.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==			Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Process created: C:\Users\user\Desktop\WmtuqNHPM2.exe C:\Users\user\Desktop\WmtuqNHPM2.exe			Jump to behavior

Source: WmtuqNHPM2.exe, 00000003.00000002.567097554.00000000031D4000.00000004.00000800.00020000.00000000.sdmp, WmtuqNHPM2.exe, 00000003.00000002.567097554.00000000031F4000.00000004.00000800.00020000.00000000.sdmp, WmtuqNHPM2.exe, 00000003.00000002.580165209.000000000739C000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: WmtuqNHPM2.exe, 00000003.00000002.567097554.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerD$
Source: WmtuqNHPM2.exe, 00000003.00000002.580540079.0000000007B1B000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Managerram Manager
Source: WmtuqNHPM2.exe, 00000003.00000002.567097554.000000000300E000.00000004.00000800.00020000.00000000.sdmp, WmtuqNHPM2.exe, 00000003.00000002.567097554.000000000313B000.00000004.00000800.00020000.00000000.sdmp, WmtuqNHPM2.exe, 00000003.00000002.567097554.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerp
Source: WmtuqNHPM2.exe, 00000003.00000002.567097554.00000000031E2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager,$*
Source: WmtuqNHPM2.exe, 00000003.00000002.567097554.00000000031D4000.00000004.00000800.00020000.00000000.sdmp, WmtuqNHPM2.exe, 00000003.00000002.567097554.000000000300E000.00000004.00000800.00020000.00000000.sdmp, WmtuqNHPM2.exe, 00000003.00000002.567097554.00000000031F6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerX
Source: WmtuqNHPM2.exe, 00000003.00000002.580659397.0000000007E5E000.00000004.00000010.00020000.00000000.sdmp, WmtuqNHPM2.exe, 00000003.00000002.580592628.0000000007C5C000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Manager 4L0s

Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Queries volume information: C:\Users\user\Desktop\WmtuqNHPM2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Queries volume information: C:\Users\user\Desktop\WmtuqNHPM2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\WmtuqNHPM2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\WmtuqNHPM2.exe

Code function: 3_2_06E03180 GetSystemTimes,

3_2_06E03180

Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\WmtuqNHPM2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Nanocore RAT

Source: Yara match	File source: 0.2.WmtuqNHPM2.exe.442f6d8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WmtuqNHPM2.exe.43b7698.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.WmtuqNHPM2.exe.3c4d051.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.WmtuqNHPM2.exe.53b0000.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.WmtuqNHPM2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WmtuqNHPM2.exe.43b7698.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.WmtuqNHPM2.exe.3c3458d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WmtuqNHPM2.exe.43df6b8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.WmtuqNHPM2.exe.53b0000.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.WmtuqNHPM2.exe.3c48a28.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WmtuqNHPM2.exe.43df6b8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.WmtuqNHPM2.exe.53b4629.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.WmtuqNHPM2.exe.3c48a28.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WmtuqNHPM2.exe.442f6d8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WmtuqNHPM2.exe.426f0f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.576971415.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.361584928.000000000420D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.573280284.0000000003C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.361584928.0000000004390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.563508459.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.361584928.000000000442F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.567097554.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: WmtuqNHPM2.exe PID: 4748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WmtuqNHPM2.exe PID: 1804, type: MEMORYSTR

Remote Access Functionality

Detected Nanocore Rat

Source: WmtuqNHPM2.exe, 00000000.00000002.360372340.0000000003223000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: WmtuqNHPM2.exe, 00000000.00000002.361584928.000000000442F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: WmtuqNHPM2.exe, 00000000.00000002.361584928.0000000004390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: WmtuqNHPM2.exe	String found in binary or memory: NanoCore.ClientPluginHost
Source: WmtuqNHPM2.exe, 00000003.00000002.573280284.0000000003BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: WmtuqNHPM2.exe, 00000003.00000002.573280284.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: WmtuqNHPM2.exe, 00000003.00000002.573280284.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: WmtuqNHPM2.exe, 00000003.00000002.573280284.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: WmtuqNHPM2.exe, 00000003.00000002.579066865.0000000006D40000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: WmtuqNHPM2.exe, 00000003.00000002.579066865.0000000006D40000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: WmtuqNHPM2.exe, 00000003.00000002.579753153.0000000006DF0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: WmtuqNHPM2.exe, 00000003.00000002.567097554.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: WmtuqNHPM2.exe, 00000003.00000002.567097554.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: WmtuqNHPM2.exe, 00000003.00000002.567097554.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: WmtuqNHPM2.exe, 00000003.00000002.567097554.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: WmtuqNHPM2.exe, 00000003.00000002.567097554.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: WmtuqNHPM2.exe, 00000003.00000002.567097554.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: WmtuqNHPM2.exe, 00000003.00000002.579159635.0000000006D60000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: WmtuqNHPM2.exe, 00000003.00000002.579159635.0000000006D60000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: WmtuqNHPM2.exe, 00000003.00000002.579551612.0000000006DC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: WmtuqNHPM2.exe, 00000003.00000002.573280284.0000000003EBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: WmtuqNHPM2.exe, 00000003.00000002.573280284.0000000003EBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: WmtuqNHPM2.exe, 00000003.00000002.573280284.0000000003C31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: WmtuqNHPM2.exe, 00000003.00000002.579206321.0000000006D70000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: WmtuqNHPM2.exe, 00000003.00000002.579206321.0000000006D70000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: WmtuqNHPM2.exe, 00000003.00000002.579100921.0000000006D50000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: WmtuqNHPM2.exe, 00000003.00000002.563508459.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: WmtuqNHPM2.exe, 00000003.00000002.579257158.0000000006D80000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: WmtuqNHPM2.exe, 00000003.00000002.567097554.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: WmtuqNHPM2.exe, 00000003.00000002.567097554.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: WmtuqNHPM2.exe, 00000003.00000002.579396651.0000000006DA0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Source: Yara match	File source: 0.2.WmtuqNHPM2.exe.442f6d8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WmtuqNHPM2.exe.43b7698.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.WmtuqNHPM2.exe.3c4d051.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.WmtuqNHPM2.exe.53b0000.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.WmtuqNHPM2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WmtuqNHPM2.exe.43b7698.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.WmtuqNHPM2.exe.3c3458d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WmtuqNHPM2.exe.43df6b8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.WmtuqNHPM2.exe.53b0000.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.WmtuqNHPM2.exe.3c48a28.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WmtuqNHPM2.exe.43df6b8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.WmtuqNHPM2.exe.53b4629.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.WmtuqNHPM2.exe.3c48a28.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WmtuqNHPM2.exe.442f6d8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WmtuqNHPM2.exe.426f0f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.576971415.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.361584928.000000000420D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.573280284.0000000003C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.361584928.0000000004390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.563508459.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.361584928.000000000442F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.567097554.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: WmtuqNHPM2.exe PID: 4748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WmtuqNHPM2.exe PID: 1804, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	112 Process Injection	1 Disable or Modify Tools	11 Input Capture	1 System Time Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	11 Input Capture	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Remote Access Software	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	13 Software Packing	NTDS	211 Security Software Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	2 Process Discovery	SSH	Keylogging	Data Transfer Size Limits	11 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	11 Masquerading	Cached Domain Credentials	21 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	21 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	112 Process Injection	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Hidden Files and Directories	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
WmtuqNHPM2.exe	37%	ReversingLabs	ByteCode-MSIL.Trojan.Heracles
WmtuqNHPM2.exe	46%	Virustotal		Browse
WmtuqNHPM2.exe	100%	Avira	TR/Dropper.MSIL.Gen
WmtuqNHPM2.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Adobe\Flash Player.exe	100%	Avira	TR/Dropper.MSIL.Gen
C:\Users\user\AppData\Roaming\Adobe\Flash Player.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Adobe\Flash Player.exe	45%	ReversingLabs	ByteCode-MSIL.Trojan.Heracles
C:\Users\user\AppData\Roaming\Adobe\Flash Player.exe	46%	Virustotal		Browse

Unpacked PE Files

Source	Detection	Scanner	Label	Download
3.2.WmtuqNHPM2.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
0.0.WmtuqNHPM2.exe.d50000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen	Download File
3.2.WmtuqNHPM2.exe.53b0000.19.unpack	100%	Avira	TR/NanoCore.fadte	Download File

Domains

Source	Detection	Scanner	Label	Link
rcontrol4sec.ddnsgeek.com	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://james.newtonking.com/projects/json	0%	URL Reputation	safe
127.0.0.1	0%	Avira URL Cloud	safe
rcontrol4sec.ddnsgeek.com	100%	Avira URL Cloud	malware
rcontrol4sec.ddnsgeek.com	2%	Virustotal		Browse
127.0.0.1	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
rcontrol4sec.ddnsgeek.com	185.81.157.236	true	true	2%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
rcontrol4sec.ddnsgeek.com	true	2%, Virustotal, Browse Avira URL Cloud: malware	unknown
127.0.0.1	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.nuget.org/packages/Newtonsoft.Json.Bson	WmtuqNHPM2.exe, 00000000.00000002.373707879.0000000005800000.00000004.08000000.00040000.00000000.sdmp, WmtuqNHPM2.exe, 00000000.00000002.361584928.000000000442F000.00000004.00000800.00020000.00000000.sdmp, WmtuqNHPM2.exe, 00000000.00000002.361584928.0000000004824000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	WmtuqNHPM2.exe, 00000000.00000002.360372340.0000000003223000.00000004.00000800.00020000.00000000.sdmp	false		high
http://google.com	WmtuqNHPM2.exe, 00000003.00000002.573280284.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp, WmtuqNHPM2.exe, 00000003.00000002.567097554.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp, WmtuqNHPM2.exe, 00000003.00000002.579100921.0000000006D50000.00000004.08000000.00040000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	WmtuqNHPM2.exe, 00000003.00000002.567097554.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://james.newtonking.com/projects/json	WmtuqNHPM2.exe, 00000000.00000002.360372340.0000000003223000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.newtonsoft.com/jsonschema	WmtuqNHPM2.exe, 00000000.00000002.373707879.0000000005800000.00000004.08000000.00040000.00000000.sdmp, WmtuqNHPM2.exe, 00000000.00000002.361584928.000000000442F000.00000004.00000800.00020000.00000000.sdmp, WmtuqNHPM2.exe, 00000000.00000002.361584928.0000000004824000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.81.157.236	rcontrol4sec.ddnsgeek.com	France		198375	INU-ASFR	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	798888
Start date and time:	2023-02-05 22:11:09 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	WmtuqNHPM2.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/11@14/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 92% Number of executed functions: 301 Number of non-executed functions: 9
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
22:12:08	API Interceptor	45x Sleep call for process: powershell.exe modified
22:12:31	API Interceptor	780x Sleep call for process: WmtuqNHPM2.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
INU-ASFR	document.vbs	Get hash	malicious	Browse	185.81.157.186
	file.exe	Get hash	malicious	Browse	185.81.157.202
	Package-Amazon.wsf	Get hash	malicious	Browse	185.81.157.71
	S99TFoVa0v.elf	Get hash	malicious	Browse	91.234.104.231
	infected.ps1	Get hash	malicious	Browse	185.81.157.14
	1.ps1	Get hash	malicious	Browse	185.81.157.59
	Info-Relev#U00e9-fiscal.vbs	Get hash	malicious	Browse	185.81.157.213
	Info-Releve-fiscal.vbs	Get hash	malicious	Browse	185.81.157.213
	ReleveID0021558606.vbs	Get hash	malicious	Browse	185.81.157.33
	InfoReleveID0012551586503.vbs	Get hash	malicious	Browse	185.81.157.136
	Info_Releve_ID00215002501.vbs	Get hash	malicious	Browse	185.81.157.136
	InfoReleveID00215002504.vbs	Get hash	malicious	Browse	185.81.157.136
	InfoReleveID002155207.vbs	Get hash	malicious	Browse	185.81.157.210
	Info_Relev#U00e9_fiscal.vbs	Get hash	malicious	Browse	185.81.157.59
	Info_Releve_ID21002502.vbs	Get hash	malicious	Browse	185.81.157.65
	Info_Releve_ID0021558010.vbs	Get hash	malicious	Browse	185.81.157.117
	Info_Releve_ID002155802.vbs	Get hash	malicious	Browse	185.81.157.117
	Info_Relev#U00e9_fiscal.vbs	Get hash	malicious	Browse	185.81.157.59
	Info_Relev#U00e9_fiscal.vbs	Get hash	malicious	Browse	185.81.157.59
	Info_Releve_ID00215001.vbs	Get hash	malicious	Browse	185.81.157.136

Process:	C:\Users\user\Desktop\WmtuqNHPM2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1039
Entropy (8bit):	5.3436815157474165
Encrypted:	false
SSDEEP:	24:ML9E4Ks2EAE4Kzr7RKDE4KhK3VZ9pKhyE4KdE4KBLWE4Ks:MxHKXEAHKzvRYHKhQnoyHKdHKBqHKs
MD5:	20799406D8EAB97C5485A916A278ED0D
SHA1:	8547571BD0A17ED48FBECDE6D5E4749A66933D53
SHA-256:	BDDBB29FA099BDEB1C409FE844BDA2820D0550E0C97F7A64E01A0EAE4DBDF067
SHA-512:	CA887D0283B3B65BDFA91C90FAAD4C485B3861EEE54C1E6C3A7563DA77DD0D59AC20207259084E2A85E8FC25A48EB805E86904DA60B4C165B03B4A7D758C7506
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"System.Numerics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\34957343ad5d84daee97a1affda91665\System.Runtime.Serialization.ni.dll",0..2,"System.Data, Version=4.0.0.0, Culture=neutra

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	5829
Entropy (8bit):	4.902247628650607
Encrypted:	false
SSDEEP:	96:3CJ2Woe5F2k6Lm5emmXIGegyg12jDs+un/iQLEYFjDaeWJ6KGcmXs9smEFRLcU6j:Wxoe5FVsm5emdzgkjDt4iWN3yBGHc9s8
MD5:	F948233D40FE29A0FFB67F9BB2F050B5
SHA1:	9A815D3F218A9374788F3ECF6BE3445F14B414D8
SHA-256:	C18202AA4EF262432135AFF5139D0981281F528918A2EEA3858B064DFB66BE4F
SHA-512:	FD86A2C713FFA10FC083A34B60D7447DCB0622E83CC5992BBDAB8B3C7FEB7150999A68A8A9B055F263423478C0879ED462B7669FDE7067BC829D79DD3974787C
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.............Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script................T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	16592
Entropy (8bit):	5.542066179027588
Encrypted:	false
SSDEEP:	384:gte/Y7sH/gBEZJQlTz+pkLSBxnHgjuVtiJ9gGSJ3uzi13Yv:lfga6L4xHgSVBGcu1v
MD5:	65DBB4F037A4303ADEFFF74F62BC61BB
SHA1:	61ADB67BDE41C4008BD1BF79C5D786CD7777A917
SHA-256:	31B9A26860543E3DD81BB61D069FE78697026BFF2DDBC9E416405018D80C8720
SHA-512:	9E3A4F3F3578F8A318BD1EC8DA983CDE6941EC9E5F4DB0A5A3D47A82D58B70AD13CF1E3C1389BA4B58DB26A85869CB245AF5A64E97CA8D0B3DF45B1D21FCC57D
Malicious:	false
Reputation:	low
Preview:	@...e...........................2...:................@..........H...............<@.^.L."My...:'..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.............System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mwewao31.inp.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n31va3q2.xzf.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\Adobe\Flash Player.exe

Download File

Process:	C:\Users\user\Desktop\WmtuqNHPM2.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1346560
Entropy (8bit):	7.9984379769425455
Encrypted:	true
SSDEEP:	24576:8ixNAopnJcU4TgHosbIY95AcS1h9VOzYJ0Natxb:8iFpnx4TUosbIYEcSGQ06
MD5:	BBE4BA566D229A405DA3AF72193D297F
SHA1:	FFB73821D698BC2E32F1A32C7ADF95E66520C7A8
SHA-256:	AEB8E080B996A75F85BB82E2E7A42D0302735713F34FB95FFF1BFB97A030E107
SHA-512:	A3BA9225B2719F482F807FE91217CDCCBB9C415D54A8CD4531960BF20456868BA7FB1BE2E473C26F306C33B74615A6F5192F0C852DCA25C66E6D63A4CBB25529
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 45% Antivirus: Virustotal, Detection: 46%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....S................0............../... ........@.. ....................................`................................../..O.......l...........................x/............................................... ............... ..H............text...\.... ...................... ..`.rsrc...l...........................@..@.reloc..............................@..B................./......H........#..p............................................................(......(......0..~.........+q. nq.......%.....(......s.....s.......s....s.........o........,...o......o.......%.,..o......,..o.....&........X...2.......4....6..@........(..V........".>`..........ej..........(......0..........r...p.....(......"...%......(.....%......(.....%..$...(.....%..$...(..........(....s......o......~....o.....~ ....'...(....r...pr...p.(!....."...%......(.....("....o#....~$...o

C:\Users\user\AppData\Roaming\Adobe\Flash Player.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\WmtuqNHPM2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat

Download File

Process:	C:\Users\user\Desktop\WmtuqNHPM2.exe
File Type:	data
Category:	dropped
Size (bytes):	248
Entropy (8bit):	7.094528505897445
Encrypted:	false
SSDEEP:	6:X4LDAnybgCFcpJSQwP4d7r3l3TmKEt5mT1DhFtMhXvvHOxHB3GDq:X4LEnybgCFCtvd7bl3ThE4T19FtMhXvs
MD5:	061E700FE27D852034A5A44BF5985CCF
SHA1:	15B072DE6D6FDD92AE36F074345FA41985833E8D
SHA-256:	4BBB88AF530693EB4A710B0591D4BAF585837242C5690F5A821BF2FC9CC587CD
SHA-512:	CF6C5458AB50C859740490985D1E7E887D1116F3FA947FF2EC49AF9997A42F3402C63EF42B93498544195D9859FBB19CCC295966564B30F5ADB4A36D4E8886C6
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL....f.Z#.\|...@HkG....G..O*V..........pz...."....r...w&&\|..c..3}~.....~...os..f.......4..1.gJ.'.d".L...A.t...F.{....C.\|&.w

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Download File

Process:	C:\Users\user\Desktop\WmtuqNHPM2.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:v6:y
MD5:	964A446FF1715498B235D5D011A2109D
SHA1:	B1D766A26CFFE4C9893B99A117416019832808CE
SHA-256:	802FDDABB05B022050C084069665F1055AF2516F320B85D3429DA1A2727EF48E
SHA-512:	F87AF7D409E0FCADD24AA454F013707381A4AE0A71770944CA3DF734C8E573E4055685C0005030B60D796E05915D08216AD93B500C7AB102923567A6178DB9D7
Malicious:	true
Preview:	.......H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin

Download File

Process:	C:\Users\user\Desktop\WmtuqNHPM2.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	5.153055907333276
Encrypted:	false
SSDEEP:	3:9bzY6oRDT6P2bfVn1:RzWDT621
MD5:	4E5E92E2369688041CC82EF9650EDED2
SHA1:	15E44F2F3194EE232B44E9684163B6F66472C862
SHA-256:	F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
SHA-512:	1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
Malicious:	false
Preview:	9iH...}Z.4..f.~a........~.~.......3.U.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat

Download File

Process:	C:\Users\user\Desktop\WmtuqNHPM2.exe
File Type:	data
Category:	dropped
Size (bytes):	329840
Entropy (8bit):	7.999431858086539
Encrypted:	true
SSDEEP:	6144:2JUYKN0AL336OXchpvDZhPsrBmnKF/CMnFWxayceW6wElU16sY8:SxKN0S6OshPKrBTF/C9cycepwE3b8
MD5:	9288D88823EFAAD00763F5F9128459FF
SHA1:	78BDD07D4B419E49DCCC3924A41AD92E3B397B23
SHA-256:	5A7678C34A7502234C3151E49D68917F3C68CB83087A5ED9EA8829183D51FBAD
SHA-512:	2A7204479E453A4857A10870A450783C548CD784AB3EA29516B8FF4816EF30841346C4CE3B2ABCD3C24410AFE71903B3C632C408B05FF4F5A2DBCD78A167C35D
Malicious:	false
Preview:	.A.<.-.K......59.. b.FDn..J.y...#.;).x#.4...$..h.a.N.2m....uG..]7........JTv..1..'.Ke.R..z...%!.1.Wo%.%....u..xdCy!d+....\|Y..k.(....XL.../Z..W'......1o._40.......f.ii6[..g.j@m+..{:&).N...+l{.hQ+.......(FF._.Y.u.....l...U..J..EA.5k...(.......L...qB#e.[.2P:B.W.r..;...KV)Yj....{..N...........R.z.t/.K..A....G.wkZ..&(....r.)..zt..?kK.$3&B!f.=.4..^..3...~..u.+%....n.RV.n....[.&......n.......v..,...]).<a.D)....>%./...O0...C...b.Ul.>....h..8......I..Fm.G5K....4H......,.3....0zf......[.../....."..c...-.7F).bXq..$7...C...OT.M.u........,3..,......v..-..G.....N....wf0!............ ."..:..(..,?.S...<F$.]..2.....n..IV[....k...x)E._.../x...'6.f...Z\....:.X..}...t..R.m...I. .s........T.q......"t<.!....s.9..V..:......1.b/..x.A....7.>..j~...e...wT.U$O.Y` .R..C...&.-v.8...:....8..<&R...X...B...w...........c.>...=m.......C.<...K....A....{........Xdx.X..O2.~.3X..'x.~B..}LD`.@cC.Do.F..P......!dp...W.....U3..V..w..^...\)...:.M...I.K.!.s;.,^.v...c......

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.9984379769425455
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	WmtuqNHPM2.exe
File size:	1346560
MD5:	bbe4ba566d229a405da3af72193d297f
SHA1:	ffb73821d698bc2e32f1a32c7adf95e66520c7a8
SHA256:	aeb8e080b996a75f85bb82e2e7a42d0302735713f34fb95fff1bfb97a030e107
SHA512:	a3ba9225b2719f482f807fe91217cdccbb9c415d54a8cd4531960bf20456868ba7fb1be2e473c26f306c33b74615a6f5192f0c852dca25c66e6d63a4cbb25529
SSDEEP:	24576:8ixNAopnJcU4TgHosbIY95AcS1h9VOzYJ0Natxb:8iFpnx4TUosbIYEcSGQ06
TLSH:	7455332539A0AD74E234847C892BF74C2561F101F984A88FE49FD7EBCD8A78457B392D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....S................0............../... ........@.. ....................................`................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x402fe6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xB1B15392 [Fri Jun 20 11:54:58 2064 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
pop ds
mov ecx, dword ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
fdiv st(5), st(0)
pop es
jl 00007F60551507B6h
lds edi, edi
aas
mov gs, di
out dx, al
pop ebp
test dword ptr [eax], edx
mov dl, 49h
dec eax
inc edx
jmp far EB05h : 00F394A2h
fiadd word ptr [ecx+161B0580h]
push esp
aam 60h
and eax, 12091748h
inc eax
movsb
lodsb
pop eax
mov cl, 00h
bound edx, dword ptr [edi+44h]
inc esp
adc al, 15h
inc ebp
inc eax
inc ecx
lds eax, fword ptr [esi+11h]
mov al, 8Bh
fcomp dword ptr [ebx]
mov cl, F7h
div byte ptr [esi-068D2D60h]
int F3h
xor eax, 9BB33BBBh
mov ebp, CFDF2C10h
push ecx
out C1h, eax
in eax, E6h
cmpsw
mov esp, 79AF35E6h
mov ebp, BD7AF35Eh
out B8h, al
shl dword ptr [edi+2Bh], cl
and dword ptr [ebp+51h], eax
retn D3ECh
shl byte ptr [eax-01EAD4D8h], 1
scasd
mov bh, B2h
jmp 00007F6055150821h
rcr eax, cl
daa
cmpsd
test eax, E645651Ch
imul ebp, dword ptr [ebp+57h], AAh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2f94	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14c000	0x56c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x14e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2f78	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x14815c	0x148200	False	0.9945498511904762	data	7.998830102245729	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x14c000	0x56c	0x600	False	0.4010416666666667	data	3.94255191885509	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x14e000	0xc	0x200	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x14c090	0x2dc	data
RT_MANIFEST	0x14c37c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.48.8.8.858565532834936 02/05/23-22:13:01.009276	UDP	2834936	ETPRO TROJAN Observed DNS Query to Abused DDNS (ddnsgeek .com)	58565	53	192.168.2.4	8.8.8.8
192.168.2.4185.81.157.2364969650802025019 02/05/23-22:12:42.607812	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49696	5080	192.168.2.4	185.81.157.236
192.168.2.4185.81.157.2364969850802816766 02/05/23-22:12:55.969019	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49698	5080	192.168.2.4	185.81.157.236
192.168.2.48.8.8.852239532834936 02/05/23-22:13:07.004800	UDP	2834936	ETPRO TROJAN Observed DNS Query to Abused DDNS (ddnsgeek .com)	52239	53	192.168.2.4	8.8.8.8
192.168.2.48.8.8.859683532834936 02/05/23-22:12:48.706302	UDP	2834936	ETPRO TROJAN Observed DNS Query to Abused DDNS (ddnsgeek .com)	59683	53	192.168.2.4	8.8.8.8
192.168.2.4185.81.157.2364970250802816766 02/05/23-22:13:21.381361	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49702	5080	192.168.2.4	185.81.157.236
192.168.2.48.8.8.855570532834936 02/05/23-22:13:46.917410	UDP	2834936	ETPRO TROJAN Observed DNS Query to Abused DDNS (ddnsgeek .com)	55570	53	192.168.2.4	8.8.8.8
192.168.2.4185.81.157.2364970350802025019 02/05/23-22:13:26.785835	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49703	5080	192.168.2.4	185.81.157.236
192.168.2.4185.81.157.2364970750802025019 02/05/23-22:13:53.371030	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49707	5080	192.168.2.4	185.81.157.236
192.168.2.4185.81.157.2364970850802816766 02/05/23-22:14:01.617464	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49708	5080	192.168.2.4	185.81.157.236
192.168.2.4185.81.157.2364969550802816766 02/05/23-22:12:36.467761	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49695	5080	192.168.2.4	185.81.157.236
192.168.2.48.8.8.856807532834936 02/05/23-22:13:13.564883	UDP	2834936	ETPRO TROJAN Observed DNS Query to Abused DDNS (ddnsgeek .com)	56807	53	192.168.2.4	8.8.8.8
192.168.2.48.8.8.859446532834936 02/05/23-22:14:00.808827	UDP	2834936	ETPRO TROJAN Observed DNS Query to Abused DDNS (ddnsgeek .com)	59446	53	192.168.2.4	8.8.8.8
192.168.2.4185.81.157.2364970850802025019 02/05/23-22:14:01.155093	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49708	5080	192.168.2.4	185.81.157.236
192.168.2.48.8.8.860686532834936 02/05/23-22:13:26.675466	UDP	2834936	ETPRO TROJAN Observed DNS Query to Abused DDNS (ddnsgeek .com)	60686	53	192.168.2.4	8.8.8.8
192.168.2.4185.81.157.2364970150802025019 02/05/23-22:13:13.802670	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49701	5080	192.168.2.4	185.81.157.236
192.168.2.4185.81.157.2364969550802025019 02/05/23-22:12:34.327373	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49695	5080	192.168.2.4	185.81.157.236
192.168.2.4185.81.157.2364969950802025019 02/05/23-22:13:01.066179	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49699	5080	192.168.2.4	185.81.157.236
185.81.157.236192.168.2.45080496982810290 02/05/23-22:12:55.383837	TCP	2810290	ETPRO TROJAN NanoCore RAT Keepalive Response 1	5080	49698	185.81.157.236	192.168.2.4
192.168.2.48.8.8.861124532834936 02/05/23-22:13:33.702804	UDP	2834936	ETPRO TROJAN Observed DNS Query to Abused DDNS (ddnsgeek .com)	61124	53	192.168.2.4	8.8.8.8
192.168.2.4185.81.157.2364970050802025019 02/05/23-22:13:07.182076	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49700	5080	192.168.2.4	185.81.157.236
192.168.2.4185.81.157.2364970350802816766 02/05/23-22:13:28.533812	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49703	5080	192.168.2.4	185.81.157.236
192.168.2.4185.81.157.2364970150802816718 02/05/23-22:13:14.238501	TCP	2816718	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon	49701	5080	192.168.2.4	185.81.157.236
192.168.2.4185.81.157.2364970450802025019 02/05/23-22:13:33.759288	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49704	5080	192.168.2.4	185.81.157.236
192.168.2.4185.81.157.2364970750802816766 02/05/23-22:13:55.082898	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49707	5080	192.168.2.4	185.81.157.236
192.168.2.4185.81.157.2364970250802025019 02/05/23-22:13:20.465789	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49702	5080	192.168.2.4	185.81.157.236
192.168.2.4185.81.157.2364970050802816766 02/05/23-22:13:08.202184	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49700	5080	192.168.2.4	185.81.157.236
192.168.2.48.8.8.850911532834936 02/05/23-22:12:42.244175	UDP	2834936	ETPRO TROJAN Observed DNS Query to Abused DDNS (ddnsgeek .com)	50911	53	192.168.2.4	8.8.8.8
192.168.2.4185.81.157.2364969850802025019 02/05/23-22:12:54.927420	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49698	5080	192.168.2.4	185.81.157.236
192.168.2.4185.81.157.2364969650802816766 02/05/23-22:12:43.716857	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49696	5080	192.168.2.4	185.81.157.236
192.168.2.48.8.8.856572532834936 02/05/23-22:12:33.158126	UDP	2834936	ETPRO TROJAN Observed DNS Query to Abused DDNS (ddnsgeek .com)	56572	53	192.168.2.4	8.8.8.8
185.81.157.236192.168.2.45080496982841753 02/05/23-22:12:59.968145	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	5080	49698	185.81.157.236	192.168.2.4
192.168.2.4185.81.157.2364969950802816766 02/05/23-22:13:02.138518	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49699	5080	192.168.2.4	185.81.157.236
192.168.2.4185.81.157.2364970550802025019 02/05/23-22:13:40.652150	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49705	5080	192.168.2.4	185.81.157.236
192.168.2.4185.81.157.2364970450802816766 02/05/23-22:13:34.738607	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49704	5080	192.168.2.4	185.81.157.236
192.168.2.48.8.8.861007532834936 02/05/23-22:13:20.247193	UDP	2834936	ETPRO TROJAN Observed DNS Query to Abused DDNS (ddnsgeek .com)	61007	53	192.168.2.4	8.8.8.8
192.168.2.4185.81.157.2364970650802816766 02/05/23-22:13:47.957729	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49706	5080	192.168.2.4	185.81.157.236
192.168.2.4185.81.157.2364970150802816766 02/05/23-22:13:15.190241	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49701	5080	192.168.2.4	185.81.157.236
192.168.2.4185.81.157.2364969750802816766 02/05/23-22:12:49.673877	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49697	5080	192.168.2.4	185.81.157.236
192.168.2.48.8.8.864906532834936 02/05/23-22:13:53.251157	UDP	2834936	ETPRO TROJAN Observed DNS Query to Abused DDNS (ddnsgeek .com)	64906	53	192.168.2.4	8.8.8.8
192.168.2.4185.81.157.2364969750802025019 02/05/23-22:12:48.883083	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49697	5080	192.168.2.4	185.81.157.236
192.168.2.48.8.8.859444532834936 02/05/23-22:13:40.377957	UDP	2834936	ETPRO TROJAN Observed DNS Query to Abused DDNS (ddnsgeek .com)	59444	53	192.168.2.4	8.8.8.8
192.168.2.4185.81.157.2364970550802816766 02/05/23-22:13:41.829847	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49705	5080	192.168.2.4	185.81.157.236
192.168.2.48.8.8.864167532834936 02/05/23-22:12:54.870549	UDP	2834936	ETPRO TROJAN Observed DNS Query to Abused DDNS (ddnsgeek .com)	64167	53	192.168.2.4	8.8.8.8
192.168.2.4185.81.157.2364970650802025019 02/05/23-22:13:46.971431	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49706	5080	192.168.2.4	185.81.157.236

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 5, 2023 22:12:33.382641077 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:33.415704966 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:33.415920019 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:34.327373028 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:34.364419937 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:34.364609003 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:34.457401037 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:34.476407051 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:34.509838104 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:34.560023069 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.393512964 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.468734980 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.470374107 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.549987078 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.570312977 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.570358992 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.570386887 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.570415020 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.570554018 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.603595972 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.603631973 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.603657961 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.603682041 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.603708029 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.603729010 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.603734970 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.603729010 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.603763103 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.603791952 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.603792906 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.603843927 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.637763977 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.637797117 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.637823105 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.637846947 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.637871027 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.637896061 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.637922049 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.637923002 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.637923002 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.637947083 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.637972116 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.637994051 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.637994051 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.637996912 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.638024092 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.638046980 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.638050079 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.638072968 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.638096094 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.638117075 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.638124943 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.638143063 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.638154030 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.638192892 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.671045065 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.671080112 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.671106100 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.671139956 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.671165943 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.671189070 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.671216011 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.671215057 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.671215057 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.671241999 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.671278000 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.671289921 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.671289921 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.671320915 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.671346903 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.671370029 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.671370983 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.671399117 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.671413898 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.671423912 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.671448946 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.671466112 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.671473980 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.671500921 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.671534061 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.671544075 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.671571016 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.671590090 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.671595097 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.671622038 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.671638012 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.671653986 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.671679974 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.671695948 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.671706915 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.671734095 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.671749115 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.671758890 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.671783924 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.671802998 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.671809912 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.671837091 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.671866894 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.671880960 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.671907902 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.671924114 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.671933889 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.671983957 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.704895020 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.704933882 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.704957962 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.704982996 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.705018997 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.705046892 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.705059052 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.705059052 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.705074072 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.705099106 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.705121994 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.705125093 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.705142975 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.705152988 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.705178976 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.705197096 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.705204964 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.705231905 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.705245972 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.705257893 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.705284119 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.705300093 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.705312014 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.705337048 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.705360889 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.705367088 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.705387115 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.705401897 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.705414057 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.705440998 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.705466032 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.705496073 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.705543041 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.705555916 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.705591917 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.705616951 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.705632925 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.705641985 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.705673933 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.705696106 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.705698967 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.705724955 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.705739021 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.705749989 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.705775976 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.705790997 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.705801010 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.705825090 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.705840111 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.705848932 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.705876112 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.705888033 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.705902100 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.705925941 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.705941916 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.705951929 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.705979109 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.705991030 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.706005096 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.706031084 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.706046104 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.706056118 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.706080914 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.706104040 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.706104040 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.706130028 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.706145048 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.706154108 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.706178904 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.706196070 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.706203938 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.706229925 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.706267118 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.706280947 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.706326962 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.738945961 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.739025116 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.739059925 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.739085913 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.739109993 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.739137888 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.739141941 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.739137888 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.739167929 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.739197016 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.739197969 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.739223957 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.739248037 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.739248991 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.739275932 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.739291906 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.739303112 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.739327908 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.739341974 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.739353895 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.739379883 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.739392996 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.739408016 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.739433050 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.739448071 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.739459038 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.739485979 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.739500999 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.739511013 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.739537001 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.739550114 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.739562988 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.739588976 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.739599943 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.739614964 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.739639997 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.739671946 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.739694118 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.739728928 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.739737034 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.739756107 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.739783049 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.739794016 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.739818096 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.739845991 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.739865065 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.739876032 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.739902020 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.739918947 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.739926100 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.739949942 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.739964962 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.739974976 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.740001917 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.740015984 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.740031004 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.740056038 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.740071058 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.740081072 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.740108013 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.740123987 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.740144014 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.740170002 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.740184069 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.740196943 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.740233898 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.740257025 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.740257978 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.740283012 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.740299940 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.740309000 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.740334034 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.740351915 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.740360975 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.740403891 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.773341894 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.773394108 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.773417950 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.773443937 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.773472071 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.773498058 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.773525000 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.773534060 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.773534060 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.773534060 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.773550987 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.773578882 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.773606062 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.773607016 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.773637056 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.773648024 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.773664951 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.773691893 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.773705959 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.773718119 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.773756027 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.773767948 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.773785114 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.773813963 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.773828030 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.773840904 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.773868084 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.773881912 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.773894072 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.773921013 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.773932934 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.773947954 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.773974895 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.773999929 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.774027109 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.774065018 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.774077892 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.774091005 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.774127007 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.774135113 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.774153948 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.774180889 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.774195910 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.774207115 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.774235010 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.774247885 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.774260044 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.774286032 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.774301052 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.774312019 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.774338961 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.774353981 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.774363995 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.774390936 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.774405003 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.774416924 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.774444103 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.774467945 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.774471045 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.774497032 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.774513006 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.774523973 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.774550915 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.774564028 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.774576902 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.774605036 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.774621010 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.774633884 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.774679899 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.774705887 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.774744987 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.774771929 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.774790049 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.774804115 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.774852991 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.807732105 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.807768106 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.807792902 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.807816982 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.807841063 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.807866096 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.807889938 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.807888031 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.807888031 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.807914972 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.807943106 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.807956934 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.807956934 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.807967901 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.807995081 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.808037996 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.808052063 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.808087111 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.808098078 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.808111906 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.808156013 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.808176041 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.808201075 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.808243990 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.808263063 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.808281898 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.808307886 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.808321953 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.808332920 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.808357954 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.808372974 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.808382988 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.808408022 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.808420897 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.808433056 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.808459044 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.808474064 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.808485031 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.808511972 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.808526039 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.808537006 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.808562994 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.808578968 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.808588982 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.808618069 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.808631897 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.808665991 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.808698893 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.808710098 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.808726072 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.808751106 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.808769941 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.808784008 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.808811903 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.808837891 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.808845997 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.808866024 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.808881044 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.808892965 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.808919907 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.808933020 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.808943987 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.808970928 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.808988094 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.809015989 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.809045076 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.809060097 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.809077024 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.809103966 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.809127092 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.809149981 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.809181929 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.809205055 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.809206963 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.809235096 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.809267998 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.809290886 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.809319019 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.809339046 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.809350014 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.809380054 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.809395075 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.809406042 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.809433937 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.809447050 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.809467077 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.809492111 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.809513092 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.809518099 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.809545994 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.809561968 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.809571981 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.809600115 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.809613943 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.809626102 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.809652090 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.809669018 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.809678078 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.809704065 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.809720993 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.809730053 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.809756041 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.809772968 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.809782982 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.809812069 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.809823990 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.809837103 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.809863091 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.809880018 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.809890032 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.809911966 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:35.809935093 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:35.856981993 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:36.467761040 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:36.555270910 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:37.156367064 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:37.243690968 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:37.316512108 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:37.450824976 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:37.483881950 CET	5080	49695	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:37.504720926 CET	49695	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:42.572110891 CET	49696	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:42.605088949 CET	5080	49696	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:42.605268002 CET	49696	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:42.607811928 CET	49696	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:42.646173954 CET	5080	49696	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:42.647952080 CET	49696	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:42.681041956 CET	5080	49696	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:42.707570076 CET	49696	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:42.798422098 CET	5080	49696	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:42.859947920 CET	5080	49696	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:42.864592075 CET	49696	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:42.897524118 CET	5080	49696	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:42.927321911 CET	49696	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:42.960539103 CET	5080	49696	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:42.960766077 CET	49696	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:42.994153976 CET	5080	49696	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:43.045073986 CET	49696	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:43.276485920 CET	49696	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:43.370824099 CET	5080	49696	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:43.370951891 CET	49696	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:43.450834036 CET	5080	49696	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:43.716856956 CET	49696	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:43.815443039 CET	5080	49696	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:44.550232887 CET	49696	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:44.629807949 CET	5080	49696	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:44.655561924 CET	49696	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:48.849288940 CET	49697	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:48.882442951 CET	5080	49697	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:48.882559061 CET	49697	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:48.883083105 CET	49697	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:48.921649933 CET	5080	49697	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:48.921953917 CET	49697	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:48.955208063 CET	5080	49697	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:48.963589907 CET	49697	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:49.052500963 CET	5080	49697	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:49.126878023 CET	5080	49697	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:49.127686024 CET	49697	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:49.160753965 CET	5080	49697	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:49.161895037 CET	49697	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:49.195107937 CET	5080	49697	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:49.195215940 CET	49697	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:49.228461981 CET	5080	49697	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:49.279930115 CET	49697	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:49.673877001 CET	49697	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:49.760862112 CET	5080	49697	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:50.824850082 CET	49697	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:54.891769886 CET	49698	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:54.924448013 CET	5080	49698	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:54.926917076 CET	49698	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:54.927419901 CET	49698	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:54.967257023 CET	5080	49698	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:54.969041109 CET	49698	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:55.001918077 CET	5080	49698	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:55.002201080 CET	49698	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:55.103447914 CET	5080	49698	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:55.103579044 CET	49698	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:55.203318119 CET	5080	49698	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:55.244081974 CET	5080	49698	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:55.284116983 CET	49698	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:55.316962957 CET	5080	49698	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:55.317847967 CET	49698	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:55.350879908 CET	5080	49698	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:55.351093054 CET	49698	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:55.383836985 CET	5080	49698	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:55.514967918 CET	49698	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:55.969018936 CET	49698	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:56.055821896 CET	5080	49698	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:56.968462944 CET	49698	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:12:59.968144894 CET	5080	49698	185.81.157.236	192.168.2.4
Feb 5, 2023 22:12:59.968274117 CET	49698	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:01.031160116 CET	49699	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:01.064424038 CET	5080	49699	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:01.065469980 CET	49699	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:01.066179037 CET	49699	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:01.104737043 CET	5080	49699	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:01.115374088 CET	49699	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:01.149880886 CET	5080	49699	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:01.202846050 CET	49699	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:01.280864954 CET	49699	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:01.357812881 CET	5080	49699	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:01.448510885 CET	5080	49699	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:01.454072952 CET	49699	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:01.487360001 CET	5080	49699	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:01.489830017 CET	49699	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:01.523441076 CET	5080	49699	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:01.523566008 CET	49699	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:01.557029009 CET	5080	49699	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:01.609194040 CET	49699	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:02.138518095 CET	49699	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:02.231971025 CET	5080	49699	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:02.533210993 CET	5080	49699	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:02.578049898 CET	49699	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:02.977060080 CET	49699	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:07.148288965 CET	49700	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:07.181394100 CET	5080	49700	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:07.181499004 CET	49700	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:07.182075977 CET	49700	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:07.220442057 CET	5080	49700	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:07.221782923 CET	49700	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:07.255911112 CET	5080	49700	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:07.265765905 CET	49700	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:07.349011898 CET	5080	49700	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:07.419994116 CET	5080	49700	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:07.421005964 CET	49700	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:07.455277920 CET	5080	49700	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:07.456147909 CET	49700	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:07.489711046 CET	5080	49700	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:07.489841938 CET	49700	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:07.523161888 CET	5080	49700	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:07.578344107 CET	49700	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:08.202183962 CET	49700	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:08.288276911 CET	5080	49700	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:09.536371946 CET	49700	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:13.765964031 CET	49701	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:13.798835993 CET	5080	49701	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:13.802145004 CET	49701	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:13.802670002 CET	49701	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:13.840825081 CET	5080	49701	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:13.842699051 CET	49701	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:13.875579119 CET	5080	49701	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:13.888735056 CET	49701	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:13.964051962 CET	5080	49701	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:14.045680046 CET	5080	49701	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:14.047278881 CET	49701	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:14.079709053 CET	5080	49701	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:14.081732035 CET	49701	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:14.114471912 CET	5080	49701	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:14.116936922 CET	49701	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:14.149602890 CET	5080	49701	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:14.152987003 CET	49701	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:14.237390041 CET	5080	49701	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:14.238501072 CET	49701	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:14.317420959 CET	5080	49701	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:15.190241098 CET	49701	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:15.289038897 CET	5080	49701	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:16.189913988 CET	49701	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:20.426532984 CET	49702	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:20.460441113 CET	5080	49702	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:20.463074923 CET	49702	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:20.465789080 CET	49702	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:20.504157066 CET	5080	49702	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:20.507392883 CET	49702	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:20.540591002 CET	5080	49702	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:20.550985098 CET	49702	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:20.635417938 CET	5080	49702	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:20.710206985 CET	5080	49702	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:20.751302958 CET	49702	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:20.760224104 CET	49702	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:20.784410954 CET	5080	49702	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:20.829489946 CET	49702	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:20.859173059 CET	5080	49702	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:20.859260082 CET	49702	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:20.892425060 CET	5080	49702	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:20.938817978 CET	49702	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:20.971827030 CET	5080	49702	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:21.016974926 CET	49702	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:21.278027058 CET	49702	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:21.365154028 CET	5080	49702	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:21.381361008 CET	49702	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:21.467243910 CET	5080	49702	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:22.653599977 CET	49702	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:26.697273016 CET	49703	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:26.731620073 CET	5080	49703	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:26.732153893 CET	49703	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:26.785835028 CET	49703	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:26.824615955 CET	5080	49703	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:26.827075958 CET	49703	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:26.859966993 CET	5080	49703	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:26.908078909 CET	49703	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:26.915710926 CET	49703	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:26.991786003 CET	5080	49703	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:27.073147058 CET	5080	49703	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:27.078341007 CET	49703	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:27.112935066 CET	5080	49703	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:27.117264032 CET	49703	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:27.152654886 CET	5080	49703	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:27.155699015 CET	49703	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:27.190320969 CET	5080	49703	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:27.236262083 CET	49703	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:27.540205002 CET	49703	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:27.626666069 CET	5080	49703	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:28.533812046 CET	49703	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:28.614098072 CET	5080	49703	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:29.561822891 CET	49703	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:33.725107908 CET	49704	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:33.758358002 CET	5080	49704	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:33.758553982 CET	49704	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:33.759288073 CET	49704	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:33.799480915 CET	5080	49704	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:33.799746037 CET	49704	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:33.833126068 CET	5080	49704	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:33.842880011 CET	49704	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:33.924288034 CET	5080	49704	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:34.025516987 CET	5080	49704	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:34.026376009 CET	49704	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:34.061079979 CET	5080	49704	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:34.075555086 CET	49704	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:34.111661911 CET	5080	49704	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:34.111804962 CET	49704	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:34.147957087 CET	5080	49704	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:34.189956903 CET	49704	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:34.653119087 CET	5080	49704	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:34.705687046 CET	49704	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:34.738606930 CET	49704	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:34.823585987 CET	5080	49704	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:35.722256899 CET	49704	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:40.594877005 CET	49705	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:40.628144979 CET	5080	49705	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:40.628271103 CET	49705	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:40.652149916 CET	49705	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:40.690810919 CET	5080	49705	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:40.691131115 CET	49705	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:40.724350929 CET	5080	49705	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:40.738033056 CET	49705	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:40.824398041 CET	5080	49705	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:40.827621937 CET	49705	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:40.894556046 CET	5080	49705	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:40.895436049 CET	49705	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:40.928275108 CET	5080	49705	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:40.929043055 CET	49705	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:40.962373972 CET	5080	49705	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:40.962513924 CET	49705	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:40.995579958 CET	5080	49705	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:41.049906969 CET	49705	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:41.829847097 CET	49705	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:41.918634892 CET	5080	49705	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:42.703579903 CET	5080	49705	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:42.753209114 CET	49705	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:42.891860962 CET	49705	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:46.937424898 CET	49706	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:46.970738888 CET	5080	49706	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:46.970993042 CET	49706	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:46.971431017 CET	49706	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:47.010767937 CET	5080	49706	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:47.011148930 CET	49706	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:47.044526100 CET	5080	49706	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:47.052253962 CET	49706	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:47.132530928 CET	5080	49706	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:47.223341942 CET	5080	49706	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:47.224592924 CET	49706	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:47.257715940 CET	5080	49706	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:47.258765936 CET	49706	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:47.292031050 CET	5080	49706	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:47.292161942 CET	49706	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:47.327442884 CET	5080	49706	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:47.378513098 CET	49706	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:47.957729101 CET	49706	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:48.050895929 CET	5080	49706	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:49.037152052 CET	49706	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:53.335163116 CET	49707	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:53.367995024 CET	5080	49707	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:53.368109941 CET	49707	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:53.371030092 CET	49707	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:53.408638000 CET	5080	49707	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:53.428280115 CET	49707	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:53.461266994 CET	5080	49707	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:53.504019022 CET	49707	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:53.552114010 CET	49707	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:53.638508081 CET	5080	49707	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:53.710020065 CET	5080	49707	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:53.754041910 CET	49707	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:53.779504061 CET	49707	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:53.786926985 CET	5080	49707	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:53.832393885 CET	49707	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:53.858500957 CET	5080	49707	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:53.858598948 CET	49707	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:53.891694069 CET	5080	49707	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:53.941540003 CET	49707	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:53.974332094 CET	5080	49707	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:54.019726038 CET	49707	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:54.067627907 CET	49707	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:54.153403044 CET	5080	49707	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:55.082897902 CET	49707	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:13:55.161259890 CET	5080	49707	185.81.157.236	192.168.2.4
Feb 5, 2023 22:13:56.145503044 CET	49707	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:14:01.028206110 CET	49708	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:14:01.061233044 CET	5080	49708	185.81.157.236	192.168.2.4
Feb 5, 2023 22:14:01.065242052 CET	49708	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:14:01.155092955 CET	49708	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:14:01.194160938 CET	5080	49708	185.81.157.236	192.168.2.4
Feb 5, 2023 22:14:01.237660885 CET	49708	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:14:01.242541075 CET	49708	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:14:01.275535107 CET	5080	49708	185.81.157.236	192.168.2.4
Feb 5, 2023 22:14:01.315820932 CET	49708	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:14:01.529416084 CET	49708	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:14:01.617338896 CET	5080	49708	185.81.157.236	192.168.2.4
Feb 5, 2023 22:14:01.617464066 CET	49708	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:14:01.697112083 CET	5080	49708	185.81.157.236	192.168.2.4
Feb 5, 2023 22:14:01.704050064 CET	5080	49708	185.81.157.236	192.168.2.4
Feb 5, 2023 22:14:01.817284107 CET	49708	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:14:01.850191116 CET	5080	49708	185.81.157.236	192.168.2.4
Feb 5, 2023 22:14:01.857019901 CET	49708	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:14:01.940085888 CET	5080	49708	185.81.157.236	192.168.2.4
Feb 5, 2023 22:14:03.050784111 CET	49708	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:14:03.083966970 CET	5080	49708	185.81.157.236	192.168.2.4
Feb 5, 2023 22:14:03.137468100 CET	49708	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:14:04.540910006 CET	49708	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:14:04.542819977 CET	49708	5080	192.168.2.4	185.81.157.236
Feb 5, 2023 22:14:04.574131012 CET	5080	49708	185.81.157.236	192.168.2.4
Feb 5, 2023 22:14:04.593862057 CET	49708	5080	192.168.2.4	185.81.157.236

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 5, 2023 22:12:33.158126116 CET	56572	53	192.168.2.4	8.8.8.8
Feb 5, 2023 22:12:33.335684061 CET	53	56572	8.8.8.8	192.168.2.4
Feb 5, 2023 22:12:42.244174957 CET	50911	53	192.168.2.4	8.8.8.8
Feb 5, 2023 22:12:42.421756983 CET	53	50911	8.8.8.8	192.168.2.4
Feb 5, 2023 22:12:48.706301928 CET	59683	53	192.168.2.4	8.8.8.8
Feb 5, 2023 22:12:48.843491077 CET	53	59683	8.8.8.8	192.168.2.4
Feb 5, 2023 22:12:54.870548964 CET	64167	53	192.168.2.4	8.8.8.8
Feb 5, 2023 22:12:54.890508890 CET	53	64167	8.8.8.8	192.168.2.4
Feb 5, 2023 22:13:01.009275913 CET	58565	53	192.168.2.4	8.8.8.8
Feb 5, 2023 22:13:01.029556036 CET	53	58565	8.8.8.8	192.168.2.4
Feb 5, 2023 22:13:07.004800081 CET	52239	53	192.168.2.4	8.8.8.8
Feb 5, 2023 22:13:07.146991968 CET	53	52239	8.8.8.8	192.168.2.4
Feb 5, 2023 22:13:13.564882994 CET	56807	53	192.168.2.4	8.8.8.8
Feb 5, 2023 22:13:13.739322901 CET	53	56807	8.8.8.8	192.168.2.4
Feb 5, 2023 22:13:20.247193098 CET	61007	53	192.168.2.4	8.8.8.8
Feb 5, 2023 22:13:20.418184996 CET	53	61007	8.8.8.8	192.168.2.4
Feb 5, 2023 22:13:26.675466061 CET	60686	53	192.168.2.4	8.8.8.8
Feb 5, 2023 22:13:26.695624113 CET	53	60686	8.8.8.8	192.168.2.4
Feb 5, 2023 22:13:33.702804089 CET	61124	53	192.168.2.4	8.8.8.8
Feb 5, 2023 22:13:33.723865032 CET	53	61124	8.8.8.8	192.168.2.4
Feb 5, 2023 22:13:40.377957106 CET	59444	53	192.168.2.4	8.8.8.8
Feb 5, 2023 22:13:40.521933079 CET	53	59444	8.8.8.8	192.168.2.4
Feb 5, 2023 22:13:46.917409897 CET	55570	53	192.168.2.4	8.8.8.8
Feb 5, 2023 22:13:46.935590982 CET	53	55570	8.8.8.8	192.168.2.4
Feb 5, 2023 22:13:53.251157045 CET	64906	53	192.168.2.4	8.8.8.8
Feb 5, 2023 22:13:53.271231890 CET	53	64906	8.8.8.8	192.168.2.4
Feb 5, 2023 22:14:00.808826923 CET	59446	53	192.168.2.4	8.8.8.8
Feb 5, 2023 22:14:00.829329014 CET	53	59446	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 5, 2023 22:12:33.158126116 CET	192.168.2.4	8.8.8.8	0x6f9c	Standard query (0)	rcontrol4sec.ddnsgeek.com	A (IP address)	IN (0x0001)	false
Feb 5, 2023 22:12:42.244174957 CET	192.168.2.4	8.8.8.8	0x455b	Standard query (0)	rcontrol4sec.ddnsgeek.com	A (IP address)	IN (0x0001)	false
Feb 5, 2023 22:12:48.706301928 CET	192.168.2.4	8.8.8.8	0xcff3	Standard query (0)	rcontrol4sec.ddnsgeek.com	A (IP address)	IN (0x0001)	false
Feb 5, 2023 22:12:54.870548964 CET	192.168.2.4	8.8.8.8	0x2599	Standard query (0)	rcontrol4sec.ddnsgeek.com	A (IP address)	IN (0x0001)	false
Feb 5, 2023 22:13:01.009275913 CET	192.168.2.4	8.8.8.8	0xe949	Standard query (0)	rcontrol4sec.ddnsgeek.com	A (IP address)	IN (0x0001)	false
Feb 5, 2023 22:13:07.004800081 CET	192.168.2.4	8.8.8.8	0x3ddb	Standard query (0)	rcontrol4sec.ddnsgeek.com	A (IP address)	IN (0x0001)	false
Feb 5, 2023 22:13:13.564882994 CET	192.168.2.4	8.8.8.8	0xd97b	Standard query (0)	rcontrol4sec.ddnsgeek.com	A (IP address)	IN (0x0001)	false
Feb 5, 2023 22:13:20.247193098 CET	192.168.2.4	8.8.8.8	0x37e1	Standard query (0)	rcontrol4sec.ddnsgeek.com	A (IP address)	IN (0x0001)	false
Feb 5, 2023 22:13:26.675466061 CET	192.168.2.4	8.8.8.8	0x161c	Standard query (0)	rcontrol4sec.ddnsgeek.com	A (IP address)	IN (0x0001)	false
Feb 5, 2023 22:13:33.702804089 CET	192.168.2.4	8.8.8.8	0x611c	Standard query (0)	rcontrol4sec.ddnsgeek.com	A (IP address)	IN (0x0001)	false
Feb 5, 2023 22:13:40.377957106 CET	192.168.2.4	8.8.8.8	0x53ac	Standard query (0)	rcontrol4sec.ddnsgeek.com	A (IP address)	IN (0x0001)	false
Feb 5, 2023 22:13:46.917409897 CET	192.168.2.4	8.8.8.8	0x5b7a	Standard query (0)	rcontrol4sec.ddnsgeek.com	A (IP address)	IN (0x0001)	false
Feb 5, 2023 22:13:53.251157045 CET	192.168.2.4	8.8.8.8	0xc6f	Standard query (0)	rcontrol4sec.ddnsgeek.com	A (IP address)	IN (0x0001)	false
Feb 5, 2023 22:14:00.808826923 CET	192.168.2.4	8.8.8.8	0xf7db	Standard query (0)	rcontrol4sec.ddnsgeek.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Feb 5, 2023 22:12:33.335684061 CET	8.8.8.8	192.168.2.4	0x6f9c	No error (0)	rcontrol4sec.ddnsgeek.com	185.81.157.236	A (IP address)	IN (0x0001)	false
Feb 5, 2023 22:12:42.421756983 CET	8.8.8.8	192.168.2.4	0x455b	No error (0)	rcontrol4sec.ddnsgeek.com	185.81.157.236	A (IP address)	IN (0x0001)	false
Feb 5, 2023 22:12:48.843491077 CET	8.8.8.8	192.168.2.4	0xcff3	No error (0)	rcontrol4sec.ddnsgeek.com	185.81.157.236	A (IP address)	IN (0x0001)	false
Feb 5, 2023 22:12:54.890508890 CET	8.8.8.8	192.168.2.4	0x2599	No error (0)	rcontrol4sec.ddnsgeek.com	185.81.157.236	A (IP address)	IN (0x0001)	false
Feb 5, 2023 22:13:01.029556036 CET	8.8.8.8	192.168.2.4	0xe949	No error (0)	rcontrol4sec.ddnsgeek.com	185.81.157.236	A (IP address)	IN (0x0001)	false
Feb 5, 2023 22:13:07.146991968 CET	8.8.8.8	192.168.2.4	0x3ddb	No error (0)	rcontrol4sec.ddnsgeek.com	185.81.157.236	A (IP address)	IN (0x0001)	false
Feb 5, 2023 22:13:13.739322901 CET	8.8.8.8	192.168.2.4	0xd97b	No error (0)	rcontrol4sec.ddnsgeek.com	185.81.157.236	A (IP address)	IN (0x0001)	false
Feb 5, 2023 22:13:20.418184996 CET	8.8.8.8	192.168.2.4	0x37e1	No error (0)	rcontrol4sec.ddnsgeek.com	185.81.157.236	A (IP address)	IN (0x0001)	false
Feb 5, 2023 22:13:26.695624113 CET	8.8.8.8	192.168.2.4	0x161c	No error (0)	rcontrol4sec.ddnsgeek.com	185.81.157.236	A (IP address)	IN (0x0001)	false
Feb 5, 2023 22:13:33.723865032 CET	8.8.8.8	192.168.2.4	0x611c	No error (0)	rcontrol4sec.ddnsgeek.com	185.81.157.236	A (IP address)	IN (0x0001)	false
Feb 5, 2023 22:13:40.521933079 CET	8.8.8.8	192.168.2.4	0x53ac	No error (0)	rcontrol4sec.ddnsgeek.com	185.81.157.236	A (IP address)	IN (0x0001)	false
Feb 5, 2023 22:13:46.935590982 CET	8.8.8.8	192.168.2.4	0x5b7a	No error (0)	rcontrol4sec.ddnsgeek.com	185.81.157.236	A (IP address)	IN (0x0001)	false
Feb 5, 2023 22:13:53.271231890 CET	8.8.8.8	192.168.2.4	0xc6f	No error (0)	rcontrol4sec.ddnsgeek.com	185.81.157.236	A (IP address)	IN (0x0001)	false
Feb 5, 2023 22:14:00.829329014 CET	8.8.8.8	192.168.2.4	0xf7db	No error (0)	rcontrol4sec.ddnsgeek.com	185.81.157.236	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	22:12:00
Start date:	05/02/2023
Path:	C:\Users\user\Desktop\WmtuqNHPM2.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\WmtuqNHPM2.exe
Imagebase:	0xd50000
File size:	1346560 bytes
MD5 hash:	BBE4BA566D229A405DA3AF72193D297F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.361584928.000000000420D000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.361584928.000000000420D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.361584928.000000000420D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.361584928.000000000420D000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.361584928.000000000420D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.373170392.0000000005690000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: HKTL_NET_NAME_DotNetInject, Description: Detects .NET red/black-team tools via name, Source: 00000000.00000002.373707879.0000000005800000.00000004.08000000.00040000.00000000.sdmp, Author: Arnim Rupp Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.360372340.0000000003223000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.360372340.0000000003223000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.360372340.0000000003223000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.360372340.0000000003223000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.361584928.0000000004390000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.361584928.0000000004390000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.361584928.0000000004390000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.361584928.0000000004390000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.361584928.000000000442F000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.361584928.000000000442F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.361584928.000000000442F000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.361584928.000000000442F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	22:12:06
Start date:	05/02/2023
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Imagebase:	0xbd0000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Target ID:	2
Start time:	22:12:06
Start date:	05/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	3
Start time:	22:12:29
Start date:	05/02/2023
Path:	C:\Users\user\Desktop\WmtuqNHPM2.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\WmtuqNHPM2.exe
Imagebase:	0x760000
File size:	1346560 bytes
MD5 hash:	BBE4BA566D229A405DA3AF72193D297F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.573280284.0000000003BE1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.576770822.0000000005380000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.576770822.0000000005380000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.576770822.0000000005380000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.576770822.0000000005380000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.576971415.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.576971415.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.576971415.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.576971415.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.576971415.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.579066865.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.579066865.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.579066865.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.579066865.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.579753153.0000000006DF0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.579753153.0000000006DF0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.579753153.0000000006DF0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.579753153.0000000006DF0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000003.00000002.573280284.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.573280284.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.577664511.0000000005640000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.577664511.0000000005640000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.577664511.0000000005640000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.577664511.0000000005640000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.579159635.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.579159635.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.579159635.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.579159635.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.579551612.0000000006DC0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.579551612.0000000006DC0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.579551612.0000000006DC0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.579551612.0000000006DC0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000003.00000002.573280284.0000000003EBA000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.573280284.0000000003EBA000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.577604617.0000000005630000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.577604617.0000000005630000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.577604617.0000000005630000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.577604617.0000000005630000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000003.00000002.567097554.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.567097554.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.579206321.0000000006D70000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.579206321.0000000006D70000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.579206321.0000000006D70000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.579206321.0000000006D70000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.573280284.0000000003C31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.573280284.0000000003C31000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.576714825.0000000005370000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.576714825.0000000005370000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.576714825.0000000005370000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.576714825.0000000005370000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.579100921.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.579100921.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.579100921.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.579100921.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.576657661.00000000051E0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.576657661.00000000051E0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.576657661.00000000051E0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.576657661.00000000051E0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.579257158.0000000006D80000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.579257158.0000000006D80000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.579257158.0000000006D80000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.579257158.0000000006D80000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.577562971.0000000005620000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.577562971.0000000005620000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.577562971.0000000005620000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.577562971.0000000005620000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.563508459.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.563508459.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000003.00000002.563508459.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.563508459.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.579396651.0000000006DA0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.579396651.0000000006DA0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.579396651.0000000006DA0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.579396651.0000000006DA0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.567097554.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000003.00000002.567097554.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.567097554.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	12.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	102
Total number of Limit Nodes:	8

Executed Functions

Function 057C1278 Relevance: 2.6, Strings: 1, Instructions: 1339
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2, xrefs: 057C2263

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID: 2
API String ID: 0-450215437
Opcode ID: 3584b32be89c4b10f11377174dc0bae6aad4ff24567edbcde4e38e1c59e3cbf7
Instruction ID: 1690fa9bd6a834192286b0b981920b5f26b48482a8dbed59f930e7a8c1880bed
Opcode Fuzzy Hash: 3584b32be89c4b10f11377174dc0bae6aad4ff24567edbcde4e38e1c59e3cbf7
Instruction Fuzzy Hash: 01E2D678A006698FCB64DF68D9947AEBBB6FB8C301F1081E9D909A7355DB305E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 057C9200 Relevance: 1.7, Strings: 1, Instructions: 460
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

UUUU, xrefs: 057C957D

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID: UUUU
API String ID: 0-1798160573
Opcode ID: 3b035b9be18f3426c52f5a87757a8c4eb9e128273589b84abbe3c1aa70b3ecba
Instruction ID: 222315e926cce15888dfc133efc68ddcf652a72d4b0f7f8ad91b112d852d5c69
Opcode Fuzzy Hash: 3b035b9be18f3426c52f5a87757a8c4eb9e128273589b84abbe3c1aa70b3ecba
Instruction Fuzzy Hash: 7B12C271E046598FDB54CFAAC980A9DFBF2BF88304F28C169D518EB219D730A946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0575236C Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

=T*l, xrefs: 057528C2

Memory Dump Source

Source File: 00000000.00000002.373443329.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5750000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID: =T*l
API String ID: 0-1675597911
Opcode ID: 6cba726e2dd4e0617b72467d9f0430b970b4923b7ac3f8a8e3e097159dc8c0ff
Instruction ID: 60434d1dbe3a2369278c4691078f93631d6769e3fc988b395f57df7be92e2e24
Opcode Fuzzy Hash: 6cba726e2dd4e0617b72467d9f0430b970b4923b7ac3f8a8e3e097159dc8c0ff
Instruction Fuzzy Hash: 06312A74A011089FC744DF69E495AAD77F6FB99300F9490A9E41AEB351EF34AD41CF00

Uniqueness

Uniqueness Score: -1.00%

Function 057C2BE8 Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e12add332a5f9518fe40e727be7405642270d92bcf5ae348005a06cdb6b9b5d
Instruction ID: 07e50dba008a32be4b160d01ea94ce4fcaa5d3b063c6f86181a16f03869fe745
Opcode Fuzzy Hash: 9e12add332a5f9518fe40e727be7405642270d92bcf5ae348005a06cdb6b9b5d
Instruction Fuzzy Hash: E452B574A046298FCB64DF28C984BAABBB6FB48301F1085D9D90DA7355DB31AE81CF54

Uniqueness

Uniqueness Score: -1.00%

Function 05A94780 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bbb586136e64a21dbf487bf6a77fa23e6df1bca78d1e7d6e9c9f895f3af0f99
Instruction ID: 5013b4f030e05b20e59063cd3fd189df0f10eb7b2180eb81813ddf0cbb91b936
Opcode Fuzzy Hash: 9bbb586136e64a21dbf487bf6a77fa23e6df1bca78d1e7d6e9c9f895f3af0f99
Instruction Fuzzy Hash: 88E1E674A052588FDF58DFA8D854BAEBBF6FB89304F10906AE509A7394CB345D82CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05A94757 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6184d2254eee7415e9bae887f2d79229b0902e49d0d6f051b62bde54bafa2190
Instruction ID: 34d11586fe7c6801b0d980d6fca50a8be36aca09e07e96b3b61661860422f130
Opcode Fuzzy Hash: 6184d2254eee7415e9bae887f2d79229b0902e49d0d6f051b62bde54bafa2190
Instruction Fuzzy Hash: A7D12974A052588FDF54DFA8D854BAEBBF6FB89300F10806AE509AB395CB345D82CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05A94DB5 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9ea8cf9771adee78253816300fec6a76369192098bb78853b111bfd2e9912be
Instruction ID: cb9119a7c1f78788491980ffc6685797379e701d2a1f435aaf444b7fee768e9b
Opcode Fuzzy Hash: f9ea8cf9771adee78253816300fec6a76369192098bb78853b111bfd2e9912be
Instruction Fuzzy Hash: FEC1E774A052588FDF54DFA8D854BAEBBF6FB49304F1090A9E509A7394CB345D82CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05A9A4CD Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91b747d781ba809b5447eda8733cb214538e509163cdb49295231e75f71c967a
Instruction ID: 51e630b5d85bff815e098c3602151ed0719c10f632c5958cb8f8254cc38917c1
Opcode Fuzzy Hash: 91b747d781ba809b5447eda8733cb214538e509163cdb49295231e75f71c967a
Instruction Fuzzy Hash: 4781D978A05218CFDB48DFA8D554AFEBBF6FB88300F10902AD509AB355DB74AD42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05A9A840 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9045b5d7948f8e6da1e241566a06300d0d702dcb38323eb468885c86d5368f7c
Instruction ID: d08c8d1164cef7c09b83ae8ed98d59defbf3ca0299965ab38bbc11fe4b81daf6
Opcode Fuzzy Hash: 9045b5d7948f8e6da1e241566a06300d0d702dcb38323eb468885c86d5368f7c
Instruction Fuzzy Hash: FE711874E04228DFDB18DFA5D854AAEBBF6FF89300F10806AD419AB355CB745986CF41

Uniqueness

Uniqueness Score: -1.00%

Function 057CE6D3 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56a0d900fad564bb4752012c46ad2ce64495685a2ac3e7960f82d2e0e6019b8e
Instruction ID: 4a10d8cb7bca7f753a8151ac26c28461c6f15543f3607639cd469861ec1e350b
Opcode Fuzzy Hash: 56a0d900fad564bb4752012c46ad2ce64495685a2ac3e7960f82d2e0e6019b8e
Instruction Fuzzy Hash: 4F712474E05209CFDB09CFA9D144AEEBBFAFF88304F15A0A9D804AB251D774A945CF61

Uniqueness

Uniqueness Score: -1.00%

Function 05A9A830 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 656d3db427a1150d7fbe5408a9a71ef84ac4d7f231e9c748ac6ddfddbef59c2a
Instruction ID: 95f9e135d3d7e449f1feaff43e6d862afeb2cc668cb5c5feeda1493905899f3b
Opcode Fuzzy Hash: 656d3db427a1150d7fbe5408a9a71ef84ac4d7f231e9c748ac6ddfddbef59c2a
Instruction Fuzzy Hash: F8510374E05228DFDF18CFAAD954AAEBBF2BF89300F10C06AD459AB254DB741946CF41

Uniqueness

Uniqueness Score: -1.00%

Function 057CE749 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 067dc807c01d3a015c79666ad236bbd787afb30d5acc726275d0dd6e0939e15f
Instruction ID: e81995ca10fbb1e80aa6a8ba92ea32659eb2dcad7311ddb6fe0d897b45995372
Opcode Fuzzy Hash: 067dc807c01d3a015c79666ad236bbd787afb30d5acc726275d0dd6e0939e15f
Instruction Fuzzy Hash: 6351E174E092098FDB05CFA9C144AEEBBF6FF8C304F15A0A9D804AB265D774A945CF51

Uniqueness

Uniqueness Score: -1.00%

Function 057C91F1 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bec5135e798be833bcede48f530ec71293cc46b1bf4882838af01a0aa30fe311
Instruction ID: 0e2e67a8e1db13d9fb2a241075fc7cd03021d40117d78ab1b76e8026bfc47024
Opcode Fuzzy Hash: bec5135e798be833bcede48f530ec71293cc46b1bf4882838af01a0aa30fe311
Instruction Fuzzy Hash: ED4168B5E016199BDB18CFABC94469EFBF3BFC8300F14C07AD918AB264EB3459458B54

Uniqueness

Uniqueness Score: -1.00%

Function 057543F8 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDecodePointer.NTDLL ref: 0575445F
RtlDecodePointer.NTDLL ref: 057544A4
RtlEncodePointer.NTDLL(00000000), ref: 0575450F
RtlDecodePointer.NTDLL(-000000FC), ref: 05754559
RtlEncodePointer.NTDLL(00000000), ref: 05754599
RtlDecodePointer.NTDLL ref: 057545DF
RtlDecodePointer.NTDLL ref: 05754623

Memory Dump Source

Source File: 00000000.00000002.373443329.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5750000_WmtuqNHPM2.jbxd

Similarity

API ID: Pointer$Decode$Encode
String ID:
API String ID: 1638560559-0
Opcode ID: 3b8b34f47d8d1b584aef20c38d7f620d47a2057e0af6ac3cc01a15997d8f759e
Instruction ID: 418752ce24ef3e916ac563a2f2a1e4fa2e6d536967aee139581d60ff1ba6caf2
Opcode Fuzzy Hash: 3b8b34f47d8d1b584aef20c38d7f620d47a2057e0af6ac3cc01a15997d8f759e
Instruction Fuzzy Hash: A78115B5C05258DFCF21CFA9E18879CBFF6AB08324F24804AE809B7291D7B55984DF61

Uniqueness

Uniqueness Score: -1.00%

Function 057543EA Relevance: 10.7, APIs: 7, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDecodePointer.NTDLL ref: 0575445F
RtlDecodePointer.NTDLL ref: 057544A4
RtlEncodePointer.NTDLL(00000000), ref: 0575450F
RtlDecodePointer.NTDLL(-000000FC), ref: 05754559
RtlEncodePointer.NTDLL(00000000), ref: 05754599
RtlDecodePointer.NTDLL ref: 057545DF
RtlDecodePointer.NTDLL ref: 05754623

Memory Dump Source

Source File: 00000000.00000002.373443329.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5750000_WmtuqNHPM2.jbxd

Similarity

API ID: Pointer$Decode$Encode
String ID:
API String ID: 1638560559-0
Opcode ID: ca98ccc94622e053570a6c86ba5d42a9db07f36083b2cdd38044807d4cdf71df
Instruction ID: 7519e3f6e7837ed7611e1537f03a17d0d27683c3b6b5d3cca018aa8656f5ac65
Opcode Fuzzy Hash: ca98ccc94622e053570a6c86ba5d42a9db07f36083b2cdd38044807d4cdf71df
Instruction Fuzzy Hash: 747106B4C05258DFCB21CFA9E18879CBFF6AB18324F24814AE809B7391D7B55984DF61

Uniqueness

Uniqueness Score: -1.00%

Function 05753746 Relevance: 1.8, APIs: 1, Instructions: 323
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05753A17

Memory Dump Source

Source File: 00000000.00000002.373443329.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5750000_WmtuqNHPM2.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 489e40389cc25e124b9c16aa5707301f2dabcacdb04a5b7759e455adf15be9b5
Instruction ID: 40bdff1538350c53440dad98d2ce47333fcca91d5a0d13fab08d6a06e14c20aa
Opcode Fuzzy Hash: 489e40389cc25e124b9c16aa5707301f2dabcacdb04a5b7759e455adf15be9b5
Instruction Fuzzy Hash: 3DC159B1D0025D8FDB24CFA8C844BEDBBB1BF44314F0095A9E859B7250DBB49A85DF94

Uniqueness

Uniqueness Score: -1.00%

Function 05753750 Relevance: 1.8, APIs: 1, Instructions: 321
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05753A17

Memory Dump Source

Source File: 00000000.00000002.373443329.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5750000_WmtuqNHPM2.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 77fa34a9b484039c25951925cb5286b047fb5fbf55d51024b46c7c340b3d3161
Instruction ID: 1e4607d8ca8d7bc5d212a47f9cb3743104829f5e585b5788cf5dad1900ca749a
Opcode Fuzzy Hash: 77fa34a9b484039c25951925cb5286b047fb5fbf55d51024b46c7c340b3d3161
Instruction Fuzzy Hash: D6C159B1D0025D8FDB24CFA8C844BEDBBB1BF08314F0095A9E859B7250DBB49A85DF94

Uniqueness

Uniqueness Score: -1.00%

Function 05A98790 Relevance: 1.7, Strings: 1, Instructions: 433
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 05A989E3

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: a8600517a753d41ee9a042303ca9b389bdd20d7303264176a2a5225ad17cf043
Instruction ID: be8303de2338bb4686f1bd1268aceaa3567bcea5cc6d46e3d13590fab9b62e8f
Opcode Fuzzy Hash: a8600517a753d41ee9a042303ca9b389bdd20d7303264176a2a5225ad17cf043
Instruction Fuzzy Hash: 2AF18A346006168FCB18CF29C484D6ABBF2FF89310B15C669D46A9B766DB34FC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05753118 Relevance: 1.6, APIs: 1, Instructions: 131
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,?), ref: 0575320F

Memory Dump Source

Source File: 00000000.00000002.373443329.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5750000_WmtuqNHPM2.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 421511246281baa401dbbb23f7ebbfaff251b8e16ec8d286b4d9360cc096e8f8
Instruction ID: 34d183f71e92aaa9144f56b754a88a721feb5a331fd42cab962460855a1b99a8
Opcode Fuzzy Hash: 421511246281baa401dbbb23f7ebbfaff251b8e16ec8d286b4d9360cc096e8f8
Instruction Fuzzy Hash: CE4153B5C042889FCB10CFA9D984AEEBFB0FF09364F14846AE804BB251D7789946CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05753442 Relevance: 1.6, APIs: 1, Instructions: 121
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0575355B

Memory Dump Source

Source File: 00000000.00000002.373443329.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5750000_WmtuqNHPM2.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 1ecde675442980c1494f80e26cb3b3d84355d0a8eb6058e80eea6e90034e9f80
Instruction ID: e0d12ea86d8a640ca1b744d69f9d131bec4f99bbf79b53406bedee06c9c6f933
Opcode Fuzzy Hash: 1ecde675442980c1494f80e26cb3b3d84355d0a8eb6058e80eea6e90034e9f80
Instruction Fuzzy Hash: F84110B5D042488FCF01CFA9D884AEEBBF1BF49310F14A42AE815B7250D778AA45DF64

Uniqueness

Uniqueness Score: -1.00%

Function 05753480 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0575355B

Memory Dump Source

Source File: 00000000.00000002.373443329.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5750000_WmtuqNHPM2.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 6156882074046294acf3e71619aecda0cb2dfb4519f80e78ab2c9694556d8d11
Instruction ID: afca36a59bd38ad2fad7c5c23275c182c1b3a17c9f0c0c6ddaa72d70553ae052
Opcode Fuzzy Hash: 6156882074046294acf3e71619aecda0cb2dfb4519f80e78ab2c9694556d8d11
Instruction Fuzzy Hash: 1D419AB5D012589FCF00CFA9D984AEEFBF1BB09314F14942AE819B7250D778AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 05753488 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0575355B

Memory Dump Source

Source File: 00000000.00000002.373443329.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5750000_WmtuqNHPM2.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: dd55d1efa15d4c9eecedc9f956e7103f94a3039bde76f8cb8df97406dff04047
Instruction ID: c87799680b2b8d231c09a65e19826c9055833c8d11291be58c9ef02e0241422f
Opcode Fuzzy Hash: dd55d1efa15d4c9eecedc9f956e7103f94a3039bde76f8cb8df97406dff04047
Instruction Fuzzy Hash: E1419CB5D012589FCF00CFAAD984ADEFBF1BB49314F14942AE819B7210D774AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 05753330 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 057533DA

Memory Dump Source

Source File: 00000000.00000002.373443329.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5750000_WmtuqNHPM2.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 041e0376124d59c060008d53ee8f7954e2e3a372fbda15b77845686230e1e1c1
Instruction ID: 3d5db38bc0adc95747c7fef1dfcf17abf880ea0832fe80e5092c56c8d5e75d46
Opcode Fuzzy Hash: 041e0376124d59c060008d53ee8f7954e2e3a372fbda15b77845686230e1e1c1
Instruction Fuzzy Hash: 3C3188B5D002589FCF10CFA9D980ADEBBB5FB59320F10942AE815B7210D775A946CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0575332A Relevance: 1.6, APIs: 1, Instructions: 100
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 057533DA

Memory Dump Source

Source File: 00000000.00000002.373443329.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5750000_WmtuqNHPM2.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e1c7241b22f8e9608e6d5751f343caee27ed262028c88ca07573026833074350
Instruction ID: e81773831c0896dadefee496b5c71c1000be1762d7d4457736dc80988b6e671c
Opcode Fuzzy Hash: e1c7241b22f8e9608e6d5751f343caee27ed262028c88ca07573026833074350
Instruction Fuzzy Hash: C7318AB9D002589FCF10CFA9D980AEEBBB5BB19320F10942AE815B7210D775A945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0189EA18 Relevance: 1.6, APIs: 1, Instructions: 96
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0189EABC

Memory Dump Source

Source File: 00000000.00000002.360136077.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1890000_WmtuqNHPM2.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: d65fb0b572d0d9b7ca78289ac70e173094b577164c708af2905d2d678f6538b7
Instruction ID: 4845197cb88d7aebb54dbf7b614ff53dfd6855eea8d6d865707599f640e4b93f
Opcode Fuzzy Hash: d65fb0b572d0d9b7ca78289ac70e173094b577164c708af2905d2d678f6538b7
Instruction Fuzzy Hash: C931A7B4D002589FCF10CFAAD884AEEFBB5FB59310F14902AE815B7210D738A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05753160 Relevance: 1.6, APIs: 1, Instructions: 94
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,?), ref: 0575320F

Memory Dump Source

Source File: 00000000.00000002.373443329.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5750000_WmtuqNHPM2.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 0933cf424564cd0b8fe164ceb85ccb5088f13c741de5d2f5d586bbd745c847e5
Instruction ID: 926e8c4870b4936c433bec48f649c7ec172a9d01c4aae0746fa4667a6ef49e0e
Opcode Fuzzy Hash: 0933cf424564cd0b8fe164ceb85ccb5088f13c741de5d2f5d586bbd745c847e5
Instruction Fuzzy Hash: 3F31BCB4D012589FCB10CFAAD884AEEBBF1FF49324F14842AE815B7250D778A945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0189ECD8 Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0189ED56

Memory Dump Source

Source File: 00000000.00000002.360136077.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1890000_WmtuqNHPM2.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 91ec29b54e15740933b2ec66e25fd75f21302176d67fe4dca72f42a0bb6a8f17
Instruction ID: 439a51d33ef01e5dffa07faa22211f8aa227dea83249c5febf0597e1f329fa31
Opcode Fuzzy Hash: 91ec29b54e15740933b2ec66e25fd75f21302176d67fe4dca72f42a0bb6a8f17
Instruction Fuzzy Hash: FA31ABB4D012589FCF14CFAAD884ADEFBB5AF49314F14942AE815B7310D734A941CF94

Uniqueness

Uniqueness Score: -1.00%

Function 057CB839 Relevance: 1.5, Strings: 1, Instructions: 218COMMON

Download Yara Rule

Strings

}, xrefs: 057CB840

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID: }
API String ID: 0-4239843852
Opcode ID: 050a430b43466e6a4e2a11a60159409dbb65610985a96af781b4e4e991ce7b40
Instruction ID: 249201fb91ce53729d366c579cd2caf5d754f429f7184970bc6b07048cecef3d
Opcode Fuzzy Hash: 050a430b43466e6a4e2a11a60159409dbb65610985a96af781b4e4e991ce7b40
Instruction Fuzzy Hash: 5D813474E05208CFDB14CFA8D899BADBBB6BB89300FA0906DE40DAB355DB749845DF40

Uniqueness

Uniqueness Score: -1.00%

Function 057CA4AE Relevance: 1.3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

(, xrefs: 057CB37A

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 8af873b61e23272e1947fd9cbbda9918e504c35752b01fbc571192d69c979949
Instruction ID: ef13ca2ca470a9b6e76e4fb5a4bc41906879841c8aee48f9c4ad10984a9b358f
Opcode Fuzzy Hash: 8af873b61e23272e1947fd9cbbda9918e504c35752b01fbc571192d69c979949
Instruction Fuzzy Hash: 4121E2789052688FDBA1CF68D558BF9BBB2FB99305F0050E9A80DA7385CB355E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 057CB4F8 Relevance: 1.3, Strings: 1, Instructions: 13COMMON

Download Yara Rule

Strings

/, xrefs: 057CB4FF

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 265d846d961e2757d883e0c54862aac67c3b348336e21951cc908ea2e49cf194
Instruction ID: 5c86382541817da908cd7a3c8da3f983cb0823e77e528b62e553f165b8a89b5d
Opcode Fuzzy Hash: 265d846d961e2757d883e0c54862aac67c3b348336e21951cc908ea2e49cf194
Instruction Fuzzy Hash: 45D05E3000425CCBEB00CB90D40CBB9BF72F7C5306F04802C94072B184CB790C44EB14

Uniqueness

Uniqueness Score: -1.00%

Function 031B90C0 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.360227865.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31b0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41c217ae8641475de5640c6046d1b63285950150bf8a39b7a21b89e9b2954279
Instruction ID: 7fa29daa1bb6d9e260cb3f219e656e041b7277adf344d85b190ad48ee6a7a30d
Opcode Fuzzy Hash: 41c217ae8641475de5640c6046d1b63285950150bf8a39b7a21b89e9b2954279
Instruction Fuzzy Hash: BDC1D270909384AFCB16CB78CC58BEE7FB5EF0A300F1940DAE544AB2A6C3785945CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05A9F160 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945abcac714e638c361d8ec073905b68cf2d51f8231108d4e2be3a90971736d3
Instruction ID: 782ebec614b16ba9d0ef53c8ce79dd645d3a998adeb3b9cb6edf56afc5b9ccc0
Opcode Fuzzy Hash: 945abcac714e638c361d8ec073905b68cf2d51f8231108d4e2be3a90971736d3
Instruction Fuzzy Hash: 05D1D378A04218CFDB54DFA8D954BAEBBF6FB88300F108169D909A7395DB346D81CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05A9F151 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e6ad69c91e4475602eb8680c33b55b68b873bda1ae2a397279dd3d44e41ff33
Instruction ID: bf1c1f289d107e7fbce48b9598576204c60e82a2f614dc48b768f4cdd0d92bf1
Opcode Fuzzy Hash: 0e6ad69c91e4475602eb8680c33b55b68b873bda1ae2a397279dd3d44e41ff33
Instruction Fuzzy Hash: D8D1E478A04218CFDB54DFA8D954BAEBBF6FB88300F108169D909A7395CB346D81CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05A9F1F4 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cbc5e07cae986fa631ce0ab7997d41732469a13becba9f038076ab27de7abc6
Instruction ID: 9071b7ce834d11c950be5bee2c10a7142f42cbd34b1413ead909dd2723499ef1
Opcode Fuzzy Hash: 3cbc5e07cae986fa631ce0ab7997d41732469a13becba9f038076ab27de7abc6
Instruction Fuzzy Hash: B6D1D578A04218CFDB54DFA8D554BAEBBF6FB88300F104169E909A7395CB74AD81CF81

Uniqueness

Uniqueness Score: -1.00%

Function 05A9F25D Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0950e53e18860fcdf32aab98ff82a1348c28520ca20dff89ecada2556b3bd5cd
Instruction ID: a5510f399005f46c73c295e724f477da9974fbecc476bfc81db1424a0f1bb9b2
Opcode Fuzzy Hash: 0950e53e18860fcdf32aab98ff82a1348c28520ca20dff89ecada2556b3bd5cd
Instruction Fuzzy Hash: 11D1D478A04218CFDB54DFA8D954BAEBBF6FB88300F108169D909A7395CB746D81CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05A9F1C6 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2431eb84b927e7eda4235a7df55d1880df0999200dddd09fc0acfca7882a68
Instruction ID: 503e4fff1b7c49c8ac2c495bb594f1cf3f35c53889153dfcbdc23dafcc9338ef
Opcode Fuzzy Hash: 5f2431eb84b927e7eda4235a7df55d1880df0999200dddd09fc0acfca7882a68
Instruction Fuzzy Hash: 19D1D478A04218CFDB54DFA8D554BAEBBF6FB88300F108169D909A7395CB746D81CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05A9295F Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 584af65884b058719b8c1bd5953ddc7f249ee9de76bcde73d85b1ea6695c35ba
Instruction ID: cc89be8b93e80339b9fa10988f4113c4e3e0fa778f98e4e8821d28cc09eab9a2
Opcode Fuzzy Hash: 584af65884b058719b8c1bd5953ddc7f249ee9de76bcde73d85b1ea6695c35ba
Instruction Fuzzy Hash: 6AC1D378E002189FDB54DFA8D994AADBBF6FF88300F508169E909AB355DB306D85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05A92988 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7f37e5e87350c79a6eefdd2a3993c9ba42a31c298c5899767bdf0ed6e5b3121
Instruction ID: e2e080739c06b650ab0d417d714f57b4ad4ea2b7e1d2b61900ee6e033b34d37d
Opcode Fuzzy Hash: c7f37e5e87350c79a6eefdd2a3993c9ba42a31c298c5899767bdf0ed6e5b3121
Instruction Fuzzy Hash: 7FB1D378E002189FDB54DFA8D994AADBBF6FF88300F508169E909AB355DB306D85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 057CB848 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0915c85337740c9e45a17c362e43afaae07db8f049d89975e2befb65f3d0d574
Instruction ID: a5561d2223bc8b473b6e269195bc42657dcbce52a398430940a6da624fd49e62
Opcode Fuzzy Hash: 0915c85337740c9e45a17c362e43afaae07db8f049d89975e2befb65f3d0d574
Instruction Fuzzy Hash: 54812574E05208CFDB14CFA9D499BADBBB6BB89300FA0906DE80DAB355DB745845DF40

Uniqueness

Uniqueness Score: -1.00%

Function 057CBBC1 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0809b1ea7b4540a0563709462557913059b22293ff7682c3c925f06a58710d5
Instruction ID: 30bbf9093499016b27a3b15c3a1ed13d0fa58d285bb87f10078d3ee8c5d11fdf
Opcode Fuzzy Hash: e0809b1ea7b4540a0563709462557913059b22293ff7682c3c925f06a58710d5
Instruction Fuzzy Hash: 9F811474A09208CFCB10CFA8D499BADBBB6FB49300FA091ADE409AB355DB749D45DF40

Uniqueness

Uniqueness Score: -1.00%

Function 05A98E68 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ce94b911cb46d3ab0a18687a082b4d1e223ef3da3a659f981d4adf96f10efe7
Instruction ID: 548950147b3cfdc1fd357c5e78992524164ec2db3879345079168ab16f5165ef
Opcode Fuzzy Hash: 2ce94b911cb46d3ab0a18687a082b4d1e223ef3da3a659f981d4adf96f10efe7
Instruction Fuzzy Hash: 82810474E04219CFDB04DFA8D954AEEBBF6FB89300F104029D905A7394DB74AD86CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05A904DD Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a2d35e90eaf3228be326f5849e42e2d8fb04b7d4331b0543c90a31e10f85710
Instruction ID: 73e4a326d3f7a5bfd98d8b5f13d45ff8049f93389e21e478fe70aaa225a41d07
Opcode Fuzzy Hash: 8a2d35e90eaf3228be326f5849e42e2d8fb04b7d4331b0543c90a31e10f85710
Instruction Fuzzy Hash: A481C474A00109DFCB49EFA4E498AADBBB2FF89340F508429D51AAB354CF756D06CF54

Uniqueness

Uniqueness Score: -1.00%

Function 05A9D518 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e8dfbf9e0d5e76e1302763fbd5a36e65d709efaf5cded101507093358cb377d
Instruction ID: 7c78b87a33f912127fb9256e3c1e0e75b4040aa8d8ad4c93040073960a0da034
Opcode Fuzzy Hash: 0e8dfbf9e0d5e76e1302763fbd5a36e65d709efaf5cded101507093358cb377d
Instruction Fuzzy Hash: D5811874A10259CFDB04DFA8D554AEEBBF2FF88304F509129E415A73A8DB746885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05A95D50 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41973d8a2dd0b35e73fec3c995377cbbc28353b13278146e8ce01179c85e24f6
Instruction ID: 0b02ee2dcabfd8f6b7d62b547a1461ccf9a8d0f52a6424b1fc2242fc32692d43
Opcode Fuzzy Hash: 41973d8a2dd0b35e73fec3c995377cbbc28353b13278146e8ce01179c85e24f6
Instruction Fuzzy Hash: 5D810678E05258CFDB55DFA8C958BAEBBB6FF88300F1080A9D40AAB354DB345985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05A90438 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2ab51ae18cfa59e87bd00eb2b8de4b31484d7ec8680a1391895e8a00c795a03
Instruction ID: 711643626605a4be2152e8b524a6dd61dca01681b011104207d37fbcf3b55d1e
Opcode Fuzzy Hash: c2ab51ae18cfa59e87bd00eb2b8de4b31484d7ec8680a1391895e8a00c795a03
Instruction Fuzzy Hash: 14611974E00109EFCB49EBA8E498AADBBB3FF99340F508468D51AA7254CF752D01CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05A9D50B Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c26e9f00623d1f173d0504ac8818ac46f9ba4d74510cafd338606158976eab4c
Instruction ID: e71b2b5656f71fba69d7f4ceb64f50a70df1414d5c5bf37667eaf1df1a9cdd31
Opcode Fuzzy Hash: c26e9f00623d1f173d0504ac8818ac46f9ba4d74510cafd338606158976eab4c
Instruction Fuzzy Hash: 06612A74A10159CFDB04DFA8D959AEEBBF2FF88304F408129E415A7398DB346886CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05A99D40 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 505fd472ff2ea2c90af4e2f3b57ecd744281f49f4f3f9436ea06ee3e713b1d6e
Instruction ID: edef09d357088615a021abedd0c7019e5c580715c9140d0ae38b17d3ea6538aa
Opcode Fuzzy Hash: 505fd472ff2ea2c90af4e2f3b57ecd744281f49f4f3f9436ea06ee3e713b1d6e
Instruction Fuzzy Hash: E861B375E002299FDF04DFA9D584AEEFBF2FB88311F14802AE915A7354D734A945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 05A9A477 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ae3f2857e0d9088786a8ded20afcf2668fb7cb34446ce05d23caaad8f5ae240
Instruction ID: a5b6dac57fde4214191672a7712ce0e79eb3e024b23d96c5d26abd7e041d6e8c
Opcode Fuzzy Hash: 4ae3f2857e0d9088786a8ded20afcf2668fb7cb34446ce05d23caaad8f5ae240
Instruction Fuzzy Hash: F461F778A05219CFDB44DFA8D595AEEBBF6FB88300F119026E509AB354DB34AD42CB40

Uniqueness

Uniqueness Score: -1.00%

Function 05A90448 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8308c288b809a13988f0af2d49ee2b5a6698f282bd1321ab16f764b5975d1380
Instruction ID: fed6bd1025793a8c7dbd68d63c5f42ddcd4f2f9e6f019aa61e9798a84723b4c9
Opcode Fuzzy Hash: 8308c288b809a13988f0af2d49ee2b5a6698f282bd1321ab16f764b5975d1380
Instruction Fuzzy Hash: 4151D774E10109EFCB49EBA4E498AADBBB3FF89340F508428E51AA7254CF752D01CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05A98E58 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbee056ebfd279f362b6ecfedafe1765d3c143f0755b7a462e08a322222b4b32
Instruction ID: 07308dd5cb0f8b21fff5e92c9e50af327cb1951a6c83f4f87acfcd6cc6e599ba
Opcode Fuzzy Hash: cbee056ebfd279f362b6ecfedafe1765d3c143f0755b7a462e08a322222b4b32
Instruction Fuzzy Hash: 71511679E00259CFDF04DFA8D954AEEBBB6FB88311F10402AD906AB394DB746D46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05A95E65 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 680944eea7af9a515a5469381894a2f87130e64644db314b5905a3e9121f44a8
Instruction ID: 5a3c05f8fd1952da797b40737d9487e52076f5d885f6e5db7bcde1b495c6d777
Opcode Fuzzy Hash: 680944eea7af9a515a5469381894a2f87130e64644db314b5905a3e9121f44a8
Instruction Fuzzy Hash: D061F878A05258CFDB54DF98D598BADBBB6FF8D300F1040A9D50AAB254CB346D85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 057C4249 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be44d4334a721dd269f4214f77433c7aff965828db1529248b681e86025ef785
Instruction ID: 109054f8740e58627056ff5c293f91385cd66a400d2a4cc9e06e3c5709e5b1af
Opcode Fuzzy Hash: be44d4334a721dd269f4214f77433c7aff965828db1529248b681e86025ef785
Instruction Fuzzy Hash: 1851C778E00249DFCB44DFA8D454AAEBBB2FF8C301F208069D805AB398DB356D85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 057C4258 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cbd7cb6204493704c6b733bfbadc339532ca58f824ae1d0721fdf5d08ff1f7a
Instruction ID: 79998f9c32d096ace2debecdbcc4f42baa2994801a02b88934a5f9c8609d3c9c
Opcode Fuzzy Hash: 3cbd7cb6204493704c6b733bfbadc339532ca58f824ae1d0721fdf5d08ff1f7a
Instruction Fuzzy Hash: 3D51B778E00248DFDB44DFA8D5549AEBBB6FF8C311F208029D805AB398DB356D85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 057C42A5 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce70f5d8876ebf4f4dc9389df5da16c1073fec5e35c9486c7636035f943784e2
Instruction ID: d341cf77af9e89fa8be784fc873ce9abfed09499c4b64f4f810943175299f18f
Opcode Fuzzy Hash: ce70f5d8876ebf4f4dc9389df5da16c1073fec5e35c9486c7636035f943784e2
Instruction Fuzzy Hash: 9D519778E002499FDB44DFE8D5589AEBBB6FF9C301F108029D815A7398DB356D85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05A95D41 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5c1f2e1db6db9bf6cac8b7e1bf1ea0318539162a916043e55ee3232abea1005
Instruction ID: 6e472beb366a853b5bc5b2820319fefe82e02711fd39c500c76c914415dc3d26
Opcode Fuzzy Hash: a5c1f2e1db6db9bf6cac8b7e1bf1ea0318539162a916043e55ee3232abea1005
Instruction Fuzzy Hash: 89511E78E05258CFDB55DF98D858BAEBBB6FF88300F1081A9D50AAB354CB345985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05A9190B Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 853a5e1428b9dff2d68eb4b6a425c35e777a826946a6ecac269dd21ccb9b229c
Instruction ID: 83a2f6d88fd5e6e27a0ddfad914f1870b0ef3513bcff33defa95a6563e66be3c
Opcode Fuzzy Hash: 853a5e1428b9dff2d68eb4b6a425c35e777a826946a6ecac269dd21ccb9b229c
Instruction Fuzzy Hash: FD511A74E0421ADFCF48EFA9D488AFDBBF6FB89300F408469D519A7254DB746A41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05A9AC31 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd6a31ac76c4e344fdb0ea9098d31ee7574bc7649e5c6cf177740c010fb010c4
Instruction ID: 378c584353e4474fce16a2bed2784e045584b71b181ebddbd85a54a867edc471
Opcode Fuzzy Hash: bd6a31ac76c4e344fdb0ea9098d31ee7574bc7649e5c6cf177740c010fb010c4
Instruction Fuzzy Hash: 67510278E04228CFDF14DFA5D458BAEBBF2FB89300F10906AD41AAB644CB745982CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05A9F9C0 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae50cd8409924c983ec031691752ec3465dea62e22f189e77f14d7986e2df7f8
Instruction ID: 9bb36446c3a4df74d6042d4cd105d2036a770d406aa320673885544cb4a6058d
Opcode Fuzzy Hash: ae50cd8409924c983ec031691752ec3465dea62e22f189e77f14d7986e2df7f8
Instruction Fuzzy Hash: 6941EE74E05228DFCF09DFA9E594AEEBBF2FB88310F248029D405A7254DB35AD42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05A98780 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa8773dc5d9188bbb4a3669118e1823a250205cb9f620661d0474351b28c177e
Instruction ID: bdcc53a50dbef80cadbb09c461af743365e9a5b902c29de3f2cfd167523497dc
Opcode Fuzzy Hash: aa8773dc5d9188bbb4a3669118e1823a250205cb9f620661d0474351b28c177e
Instruction Fuzzy Hash: B0414A35B006168FDB18CF69C484DAAFBF2FF89310B15C569D469AB751DB34E802CB94

Uniqueness

Uniqueness Score: -1.00%

Function 05A99A80 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38ace856c4de2155418e943d8d3a5215688ddc8846cf1793c7c77fa2e23f55a6
Instruction ID: 45407ca7703663a912e5fdd1b54f4b872e0bb9430aae2cee75ebd3785cea0aa2
Opcode Fuzzy Hash: 38ace856c4de2155418e943d8d3a5215688ddc8846cf1793c7c77fa2e23f55a6
Instruction Fuzzy Hash: CE41F374A00229DFCF08DBA9E584EAEBBF6FB88310F108469D405AB750DB38A941CB51

Uniqueness

Uniqueness Score: -1.00%

Function 057C8BB4 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c99844519dccbf7d10bb14ec264f3798b3db909ab558f3d028e06ebd214fa4c2
Instruction ID: 525cd9cd4341f38ad7880b7c35d40e1a2021145c4a66fb20a2e1c71cdfef0040
Opcode Fuzzy Hash: c99844519dccbf7d10bb14ec264f3798b3db909ab558f3d028e06ebd214fa4c2
Instruction Fuzzy Hash: F441F674E05219CFDB04DFA9C4886EEFBB2FB89301F1480AEC406AB294D7345982DF52

Uniqueness

Uniqueness Score: -1.00%

Function 05A95EC0 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 825bda72055d88e4de3f5cc6c72560f93ac69ba9d993fdf6224c44c9d0618ab3
Instruction ID: 68898a25241b10513da02efa7cdac04baa47e1302e95bc55a6ca35e91cdbd109
Opcode Fuzzy Hash: 825bda72055d88e4de3f5cc6c72560f93ac69ba9d993fdf6224c44c9d0618ab3
Instruction Fuzzy Hash: 2E51E778A05258CFDB54DF98D958BADBBB6FF88310F1080A9D50AAB254CB346D85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05A9B438 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6f7e82048d0f76aadb3846addeb3162b3f961d8dd3b6592d78bbb79edc6bfd0
Instruction ID: 84c3737686750f5c57002eb743ac774dfcd42e34486b2303dc12da725743ee46
Opcode Fuzzy Hash: e6f7e82048d0f76aadb3846addeb3162b3f961d8dd3b6592d78bbb79edc6bfd0
Instruction Fuzzy Hash: 2C516F79E04218DFCF04DF99D494AADBBF1FB88360F14806AE915AB354DB34A941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05A9F9B1 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4730526de6c1e9980a5c601ee9c776544a107ce62d57990fa96a4ebf5ebcc6b4
Instruction ID: bfae2d4d3b63e90a1b93de3a917fde79d6d74ba80a830f90f1c6ff76b194144b
Opcode Fuzzy Hash: 4730526de6c1e9980a5c601ee9c776544a107ce62d57990fa96a4ebf5ebcc6b4
Instruction Fuzzy Hash: 3841E074E05228DFDB09CFA9E594AEDBBF2FB88300F248029D805A7354DB75AD42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05A9A8C7 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b8181a63cc104ca9d5f02834a69880e97d2c34526187a18494a248ac12e0eef
Instruction ID: 8764da8430e02d5f6ec44d69f0e357ab00fd8d1de9f0f3b1c2a88fb0c7cf1871
Opcode Fuzzy Hash: 1b8181a63cc104ca9d5f02834a69880e97d2c34526187a18494a248ac12e0eef
Instruction Fuzzy Hash: 2C414374E0422CDFDF18CBA9D458BEEBBB2BB99300F10906AD4566B645CB741986CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05A9A90C Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c62728c8780c998409b3be93d4d8e92570b9313e9280bb3be0612adbd36b0564
Instruction ID: 00f740417b059c6ace93426dde107c5f7e42f82868670298b375e4ab55edeb45
Opcode Fuzzy Hash: c62728c8780c998409b3be93d4d8e92570b9313e9280bb3be0612adbd36b0564
Instruction Fuzzy Hash: ED410174E0422CDFDF18CBA5D458BEEBBF2BB89301F10946AD41AA7244CB745986CF81

Uniqueness

Uniqueness Score: -1.00%

Function 05A9ADA8 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2acee734883d80a7f667fd5a0fa7c7e41ca0533bf316f77b48350042854723a1
Instruction ID: 7a8939676a0c7d1b2eb62b0c072baffdebb43d858b70d908fcece63ab1fde71c
Opcode Fuzzy Hash: 2acee734883d80a7f667fd5a0fa7c7e41ca0533bf316f77b48350042854723a1
Instruction Fuzzy Hash: A9414174E0522CDFCF18CBA5D858BAEBBB2FB99300F00905AD4566B245CB741986CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05A9AD6F Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae83f21dc7e0c97a5957edd786bd0e04c8aa6f63cf7bfffbf637101cfc306301
Instruction ID: 8075ced2427a8a88861362cba32391498ddb7024b0d05177015b1a853a8d2087
Opcode Fuzzy Hash: ae83f21dc7e0c97a5957edd786bd0e04c8aa6f63cf7bfffbf637101cfc306301
Instruction Fuzzy Hash: F7412274E0422CDFDF14CFA5D898BEEBBB2BB89300F00905AE4156B644CBB41986CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05A9AB20 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e15129d07040b5966ab743fba711d6d003614c983a818354ee9949b41dd014b
Instruction ID: beb8bf43489354c9d58ec4e64a3daabef2e8bee57b919f727d04073baa48f855
Opcode Fuzzy Hash: 1e15129d07040b5966ab743fba711d6d003614c983a818354ee9949b41dd014b
Instruction Fuzzy Hash: D3415478E0422CDFCF18CFA5D454BEEBBB2BB99300F10945AD45667245CB741986CF81

Uniqueness

Uniqueness Score: -1.00%

Function 057CA2DF Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33f128f5c61180b1de1e4f3f45d7965dce2067deaab3a354aa526f7795c37892
Instruction ID: 380f6194e737f0f4c9045e406dc2af5b9f7de6cef7b27b888e5f308270275a72
Opcode Fuzzy Hash: 33f128f5c61180b1de1e4f3f45d7965dce2067deaab3a354aa526f7795c37892
Instruction Fuzzy Hash: B751E878A011588FDBA1DF28D9547FABBB2FB98300F1091E9990DA7394CB355D81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05A964EB Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0602010f45c936e16f8219d8d31ceacbfd342c95b2da7820c38b260a406cbd8d
Instruction ID: 478edb686b5ef7d7b3fe3af4d1827600d083a4155860ac60609c2b95dacbfb08
Opcode Fuzzy Hash: 0602010f45c936e16f8219d8d31ceacbfd342c95b2da7820c38b260a406cbd8d
Instruction Fuzzy Hash: F3411678E05258CFDB54DF98D498BADBBB6FF88300F1080A9D50AAB294CB346D85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05A99C18 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a7ee7537800cf0bed8aac3d60c2b3da6d613716339eb49e2d6d6471caae02ab
Instruction ID: 2a60cab067889f98884e277fc3055b6cfec49acecb359132ad696d483236156b
Opcode Fuzzy Hash: 7a7ee7537800cf0bed8aac3d60c2b3da6d613716339eb49e2d6d6471caae02ab
Instruction Fuzzy Hash: D2419375E102299FCF04DBA9D484AEEBBF1FB88311F14802AE915A7354DB349945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05A91918 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa70a02a4c6bce4b3462370eba2f93702381847396d3a6c5ba3f3e74ca5385d6
Instruction ID: 6dc28d57185c6786af6f568ca076f6e490fc87453f99dd428544bf80ec0c0177
Opcode Fuzzy Hash: fa70a02a4c6bce4b3462370eba2f93702381847396d3a6c5ba3f3e74ca5385d6
Instruction Fuzzy Hash: D3313874E0021ADFCF48EFA9D488ABDBBF6FB89304F408468D519B7254CB786A45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 057CA943 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f338b88e6e46674000c35039de5cb270e7e462c085728373f5d3e9f3ce0f22b
Instruction ID: 0c31e2a19d9201b1dcf6a46908cee0b62ac95b40851e73b090d853bb900ab8cf
Opcode Fuzzy Hash: 9f338b88e6e46674000c35039de5cb270e7e462c085728373f5d3e9f3ce0f22b
Instruction Fuzzy Hash: A9412678904258CFDB60DF68D8587ADBBB2FB99301F1090ADE909A7395DB385E81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 057CC328 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bad809fe749f858d6c2d88766bea3cc9c99f28da5dc454c448b36d3e5299c19b
Instruction ID: 3f6a3e2d1fb950dc06a5528534a0596b7947a109908e0de159d02638e91e0a15
Opcode Fuzzy Hash: bad809fe749f858d6c2d88766bea3cc9c99f28da5dc454c448b36d3e5299c19b
Instruction Fuzzy Hash: 1531CFB5D0D3C48FCB02DBB8D8646EE7FB5AF1B314F0440EAC89597296E6344904CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 057CEC08 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7657f11b300c8b33bfd355cf00c9d1077a1ef4c4adeecd64a3bb574a0eb850dc
Instruction ID: c56367fc2815d73a744e03fcd96816cb456468a45cc6a6c7cc97a617d34ea73b
Opcode Fuzzy Hash: 7657f11b300c8b33bfd355cf00c9d1077a1ef4c4adeecd64a3bb574a0eb850dc
Instruction Fuzzy Hash: B0315A70E052498BCB16DBA8D548AFEBBFAFB89300F5040ADD805A7250DB756D41DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05A9B350 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07ce351023933a7b52ff99e62a619362310602ed8cc73257263f5e29de9945ed
Instruction ID: a3e3243c5100dc270cda76ca7322b5018127d1f9e1e3a4cb2032ee459cebe04c
Opcode Fuzzy Hash: 07ce351023933a7b52ff99e62a619362310602ed8cc73257263f5e29de9945ed
Instruction Fuzzy Hash: 8A31B475E042299FCF04DF99D484AEEBBF1FB88321F049026E914A7344D734A985CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05A91B00 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d036f65f4030e581bf3faff6e5448fe5ba1703960bd970501c34b5a691305c09
Instruction ID: d766c35fed8d6869a289d33cfc8f70deb1540f6d8ed581d5f3297abd7b578130
Opcode Fuzzy Hash: d036f65f4030e581bf3faff6e5448fe5ba1703960bd970501c34b5a691305c09
Instruction Fuzzy Hash: 9C215CB4E0121ADFCF08EFA9D588ABDBBF6FB89300F408469D105A7254DF786946CB40

Uniqueness

Uniqueness Score: -1.00%

Function 05A9B433 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09300a45769efa008650866c6c3d25a707098284e0c2225bf8e065bd2c4dd64b
Instruction ID: bdf5122745e9e2b4d2b320843ecffa0de76c90b99190675d51074d1829dc9da4
Opcode Fuzzy Hash: 09300a45769efa008650866c6c3d25a707098284e0c2225bf8e065bd2c4dd64b
Instruction Fuzzy Hash: C231C274E04219DFCB18DF99D494AADBBF5FF88310F14802AE915A7360DB34A941DF90

Uniqueness

Uniqueness Score: -1.00%

Function 057CE0D7 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 913e1bd5dc2a4f209257ceda17fe2ae985dfb3f39cf3b793ac37d8da960bcfe4
Instruction ID: 3c267bf743ac8956bdf1d0f5adda47ec16022e4c1857ea90ffad5ed139180ae9
Opcode Fuzzy Hash: 913e1bd5dc2a4f209257ceda17fe2ae985dfb3f39cf3b793ac37d8da960bcfe4
Instruction Fuzzy Hash: CD31F4B4D15209DFDB41DFA8D4446AEBFF6FB88300F1080AED808A7654DB345A95DB40

Uniqueness

Uniqueness Score: -1.00%

Function 057CD922 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c763a26d002111b4ecbd928c18f3f945989f71ce21e292b8f998185e44754a5c
Instruction ID: 4632de1aa656550edbe20ab16a2551eccc5404fa59b9e4e398640d6afa0c8a27
Opcode Fuzzy Hash: c763a26d002111b4ecbd928c18f3f945989f71ce21e292b8f998185e44754a5c
Instruction Fuzzy Hash: 8F216BB8E00248CFDB14DF99D448AFDBBB6FB88304F109069D80AAB344DB349846DF40

Uniqueness

Uniqueness Score: -1.00%

Function 057CD9E5 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7939fa31bea8048d2751eebd553161987e7d7915fec5136f64754620e5878e95
Instruction ID: f19ff8bdec8a119e5ee6da3a72e11055889019618cc2c343999eef9d4f979a1f
Opcode Fuzzy Hash: 7939fa31bea8048d2751eebd553161987e7d7915fec5136f64754620e5878e95
Instruction Fuzzy Hash: 7631F878E00248CFDB14DFA8D498AEDBBB6FB89304F109069D80AAB344DB346846CF54

Uniqueness

Uniqueness Score: -1.00%

Function 057CF51A Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98437d7107d12448dc61e88df9ad8679cd87fb5472f3fdbf1f8a8a541eb2ecce
Instruction ID: f196f7dc22ade324e2bfc97b6f54fb1562c32191b74a3ff99b85a105483c240a
Opcode Fuzzy Hash: 98437d7107d12448dc61e88df9ad8679cd87fb5472f3fdbf1f8a8a541eb2ecce
Instruction Fuzzy Hash: 90310974E00209DFCB45EFA8D4949AEBBB1FF49300F10859AD815AB361DB34AE41DB81

Uniqueness

Uniqueness Score: -1.00%

Function 05A9B5D8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cf38a2322fa4e8e0f165c0486d6ec2116b658a645ea43a45e30e4a010bee6e7
Instruction ID: 475bdf236b900c1cc9157bea4d36e06ff823d3b67d2c1ca863360bc243187904
Opcode Fuzzy Hash: 9cf38a2322fa4e8e0f165c0486d6ec2116b658a645ea43a45e30e4a010bee6e7
Instruction Fuzzy Hash: 13218639E0421CEFCF44DFA8D580BADBBF0EB48320F1480A6E815A7254D731AA02CB50

Uniqueness

Uniqueness Score: -1.00%

Function 057CE0E8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9afbb2fb195a7ab73d8514957bd1bb5afe817dc628fe12f372ee2d7ec984048b
Instruction ID: 04dc926ea69bb86376914b4568fadbc6e107efd2ef4ea52ca292250d50e50aae
Opcode Fuzzy Hash: 9afbb2fb195a7ab73d8514957bd1bb5afe817dc628fe12f372ee2d7ec984048b
Instruction Fuzzy Hash: 9D31F4B4D14209DFCB41CFA9D4446BEBFFAFB88300F1090ADD808A7244DB345A91CB40

Uniqueness

Uniqueness Score: -1.00%

Function 057CDD50 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cc234c5c313f792f47f3b230e0a9a0462ad7cd22b8542f00e0650f98fe6361b
Instruction ID: 7b45801c8d358591e34ea56ace9e8e5d76c00b447a1372b712eedd0528336943
Opcode Fuzzy Hash: 4cc234c5c313f792f47f3b230e0a9a0462ad7cd22b8542f00e0650f98fe6361b
Instruction Fuzzy Hash: 5F31CEB4D05259DFCB54DFA9D4446BEBFF6EB88300F1080AA9918A7254EB745A818B81

Uniqueness

Uniqueness Score: -1.00%

Function 057CDD43 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1e03108aa20dad2a8e1c88a1f1ef6b57c61818d0ace1599f9ff0e3b87b68c2f
Instruction ID: f358a88e8775c69341f216cb1bb24d9e3b15d6c9c075d7b3662a4517e332f0dd
Opcode Fuzzy Hash: b1e03108aa20dad2a8e1c88a1f1ef6b57c61818d0ace1599f9ff0e3b87b68c2f
Instruction Fuzzy Hash: 0531E0B4E01249DFDB54DFA9D5847BEBFF6FB88300F1080AAD518A7254EB745A81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 05A90E48 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7cb98f3db928cc18c5a7f3c27af6c02bda100d64b1a0fd3ac30b31e353f06a8
Instruction ID: 9fc1008019364ea3c646069d82c012dbd020f61f915aa2d54da64b4aed70a18f
Opcode Fuzzy Hash: b7cb98f3db928cc18c5a7f3c27af6c02bda100d64b1a0fd3ac30b31e353f06a8
Instruction Fuzzy Hash: FA216474E00209DFCB44EFA8D4959AEBBF1FF49300F5085A9D815AB364DB34AE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05A90E43 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e554908c431e6941bc92299f0af08fe8de846a0802c8ea2b0dda03aee3e8c9c0
Instruction ID: 9e8589ec98d2140881c8ed8086e5160b120662ce11684db85a6ade7cbec0071f
Opcode Fuzzy Hash: e554908c431e6941bc92299f0af08fe8de846a0802c8ea2b0dda03aee3e8c9c0
Instruction Fuzzy Hash: 25217574E00209DFCB44EFA8D495AAEBBF1FF49300F5095AAD415AB365DB34AE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 057CF530 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ef7f97a702a87a8771bf5316561e18422981aaffc24fb6361cc9743edd4ee22
Instruction ID: e287463cd256d4f9b81ad7d0d451947216368378aa33918560cbe738b4abeba0
Opcode Fuzzy Hash: 7ef7f97a702a87a8771bf5316561e18422981aaffc24fb6361cc9743edd4ee22
Instruction Fuzzy Hash: BB318374E00209DFCB44EFA8D4949AEBBB2FB49300F5085A9D815AB364DB34AE41DF90

Uniqueness

Uniqueness Score: -1.00%

Function 05A968A1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6632a06bc383d23a84d7d3ed6bb37275076d864c33ad70bda26274e2b053b4f6
Instruction ID: a69da9d0dd22fca62475e2a338a816257026ce850e21e886dc3711d86b2329ea
Opcode Fuzzy Hash: 6632a06bc383d23a84d7d3ed6bb37275076d864c33ad70bda26274e2b053b4f6
Instruction Fuzzy Hash: 93115C34E041199BCF08DF9AC404BEEBBFAEF88300F04C06AD515A7250DB349A45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05A968B0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b02db2e1bad00887e31fb17d758c4705aeb2693b8cb137430599894d0b71fb66
Instruction ID: 4d024e4786847758b9c7e9b222c822317a507969ba3ba06f4b9f61a1de6de6b2
Opcode Fuzzy Hash: b02db2e1bad00887e31fb17d758c4705aeb2693b8cb137430599894d0b71fb66
Instruction Fuzzy Hash: EF112935E04129CBCF08DFAAD404AEEBBFAEF88311F04C0AAD515A3254DB349A55CF90

Uniqueness

Uniqueness Score: -1.00%

Function 057CEB20 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0f77083287064920c798c0f50a4ae24b3790c5d02e5344fd93586e3b18902f0
Instruction ID: 63ab9c872f8d1ee29598d49477048f40c430d767828e0744d04fbff53721df03
Opcode Fuzzy Hash: c0f77083287064920c798c0f50a4ae24b3790c5d02e5344fd93586e3b18902f0
Instruction Fuzzy Hash: 2621AE34905609CFCB01DF98E848ABEBFBAFF89300F0054ADD80AA7255DB742E49DB50

Uniqueness

Uniqueness Score: -1.00%

Function 057CC9E1 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe88a7e93bc7c5ff44bfbdffa4f67ffc77cb4fc0c29b62c76c2ffb77081eb66d
Instruction ID: 4461e487d2bb6bbf44c35cdd084023a559381dcd02bbaeef40e854dea7ee500a
Opcode Fuzzy Hash: fe88a7e93bc7c5ff44bfbdffa4f67ffc77cb4fc0c29b62c76c2ffb77081eb66d
Instruction Fuzzy Hash: 7E21A374D15209DFCB45DF98D498AAEBBF5FF48300F108099E855A7360DB34AA80DF90

Uniqueness

Uniqueness Score: -1.00%

Function 057CEB30 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aceb239c7c5de38fdc5e653f17e151f5bd6f6b8ec34ce06123ce1a01bf92b78
Instruction ID: 6459b6f0110a743f7d388170e20d53bf78f176350aa054e10a32c8c4c5a182e0
Opcode Fuzzy Hash: 3aceb239c7c5de38fdc5e653f17e151f5bd6f6b8ec34ce06123ce1a01bf92b78
Instruction Fuzzy Hash: 02116A30905609CFCB05EF98E848FBEBBBAFB89300F0054ACD90AA7255DB742D49DB40

Uniqueness

Uniqueness Score: -1.00%

Function 057CC9F0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 838c695c0a6e0faef7fdbd9342e4943d17f53fc4fab66a26d1f0376a22e9d419
Instruction ID: 9d56ee2937db982ddf7fb7e346872442fa49da433751ef3f59a24f99b17bd910
Opcode Fuzzy Hash: 838c695c0a6e0faef7fdbd9342e4943d17f53fc4fab66a26d1f0376a22e9d419
Instruction Fuzzy Hash: 81216EB4A14209DFCB45DF98D498AAEBBB5FB48310F1080A9E915A7350DB35AA81DF90

Uniqueness

Uniqueness Score: -1.00%

Function 05A9FD58 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bc542e9dc175a3543e09b7e7fb2782f871e584f866ef8926fb1c68538d01abe
Instruction ID: 7ef69916de12cab80cf64faffd6bf510ad63c41228bba53cd3e79c4878d9a8f3
Opcode Fuzzy Hash: 1bc542e9dc175a3543e09b7e7fb2782f871e584f866ef8926fb1c68538d01abe
Instruction Fuzzy Hash: FF21C374E04219DFCB49DFA9D945ABEBBF1FB88304F10816AD819E3254DB345A41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05A9CBBD Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0160a7088b7eff000911ca80f1724c4eeb44aac7b080d3903e1fc2fd3885c73b
Instruction ID: bbc5cf45f5e91b0226a2a9ac4a9863edd99ba239297020ebbf0da3411d081adf
Opcode Fuzzy Hash: 0160a7088b7eff000911ca80f1724c4eeb44aac7b080d3903e1fc2fd3885c73b
Instruction Fuzzy Hash: E0210978A042588FDB54DFA8D858BAEBBB6FB9C300F104069A409A7395CF346D81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 031B0000 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.360227865.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31b0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8068e941fc92e2b63164cf82a30a8353295ce93b1f04dd6e66afc09cfdd51f93
Instruction ID: c6e1700a04a5f9f0db20385d85e0f345dff89b1edde823b4c590046c1ea34dca
Opcode Fuzzy Hash: 8068e941fc92e2b63164cf82a30a8353295ce93b1f04dd6e66afc09cfdd51f93
Instruction Fuzzy Hash: C311F83124E3D45FC7578B248CA5A553FB1AF4B610B1A40DBD985CF2B3C629AD09CB62

Uniqueness

Uniqueness Score: -1.00%

Function 057C64FF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9d12d92dc19cbab69909f83c9ff6f76a2e7fb28779ae6842730460cd09155d2
Instruction ID: 3cfdeec6116e0bd91fd6220783ddf81530b5cee9dae0d9d0f9113961219c0a42
Opcode Fuzzy Hash: b9d12d92dc19cbab69909f83c9ff6f76a2e7fb28779ae6842730460cd09155d2
Instruction Fuzzy Hash: 5F1107B1D01208DFDB44DFAAE5856AEBBF6EB88300F2085A9D419A2248E7745A419B91

Uniqueness

Uniqueness Score: -1.00%

Function 05A99C08 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12e556550d0bda02678158b0f4f5f04b53844a78834ff3d9f7ecc9af7ae8df4b
Instruction ID: 804652f2aef05b840035461c475707e845bafe397b347c709f72e3d0e245e653
Opcode Fuzzy Hash: 12e556550d0bda02678158b0f4f5f04b53844a78834ff3d9f7ecc9af7ae8df4b
Instruction Fuzzy Hash: 8E11C675E10228AFDB08DBAAD845AEEBBF5FB88310F04C02AD925B7354DB345445CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 057C6510 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a09b7b0aa7854063948ecefacde3f50525f1d3b9fdbe6953ecb0b185dc3503f8
Instruction ID: 83addf028af8332683bf2d3507321d5ea4ce1b160bdc9ac150d47a570e897860
Opcode Fuzzy Hash: a09b7b0aa7854063948ecefacde3f50525f1d3b9fdbe6953ecb0b185dc3503f8
Instruction Fuzzy Hash: 4F11E974D05208DFCB44DFAEE4846BEBFF6EB88300F6084ADD419A3248E7745A419B90

Uniqueness

Uniqueness Score: -1.00%

Function 05A9A7D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fbc1e4266fd0acf9cafe2788d9905f677a36dc79d9cb19c99e2264a7b6168fa
Instruction ID: 6cada9db40b236b2189ad2977e99b58a6a2fd3da214b259be58ad3d1c509c92f
Opcode Fuzzy Hash: 0fbc1e4266fd0acf9cafe2788d9905f677a36dc79d9cb19c99e2264a7b6168fa
Instruction Fuzzy Hash: 9801AD76D05218FFCB04EFA8D845B9DBBF9EB54310F04C0AAE804D3254DA319A50DB91

Uniqueness

Uniqueness Score: -1.00%

Function 05A9C123 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 647071a34da40b46247ce8f018a58f6a813e1cbb591cbea918974a2398f38604
Instruction ID: 8b7de2093b4ea4a7cee516f96b64a44e1458e77ed95026c24736f16eb181241e
Opcode Fuzzy Hash: 647071a34da40b46247ce8f018a58f6a813e1cbb591cbea918974a2398f38604
Instruction Fuzzy Hash: 53219578A042688FDB64CF58D984BEABBB2FB49300F1040D5E90DA7365CB35AE81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 057C4581 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62f3dc3ba3ffaf6094ecb1666e89372c9fcd17b87b31fc75077e1e306ec3af5d
Instruction ID: 8994049910ad29f0bce8e0867b909ba88f318b65344a6f5c891df52fb78dfaab
Opcode Fuzzy Hash: 62f3dc3ba3ffaf6094ecb1666e89372c9fcd17b87b31fc75077e1e306ec3af5d
Instruction Fuzzy Hash: 23019E7180120CFFCB11EFA8D844A9DBFB5EB49301F6480EAD905D7214EB329A50EB41

Uniqueness

Uniqueness Score: -1.00%

Function 057CC390 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2630a7097f761f669292fd48a8f3ad7e838bc67134972b7bb40ad8296902a89a
Instruction ID: b000449b9261111e801a03ffe1d0c373ef805f3d5cb435c2bd79830da2e77de1
Opcode Fuzzy Hash: 2630a7097f761f669292fd48a8f3ad7e838bc67134972b7bb40ad8296902a89a
Instruction Fuzzy Hash: 72115B74E14209DFCB41EFA8D4496BEBFFAFB49300F1090AD9819A3344DB305A40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 057CDEF8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8781c7996ae0ccced5744de7c895d6cc862c361bbe49d3a52f748a194a5ef646
Instruction ID: 5b626811681f673a56ae21c09fa92ec66bf2a3679d0eb3c16aa79202ba20d71b
Opcode Fuzzy Hash: 8781c7996ae0ccced5744de7c895d6cc862c361bbe49d3a52f748a194a5ef646
Instruction Fuzzy Hash: 881139B4E0024ADFCB00DFA8C4586BEBFB6FB88314F1080B9D915A3394DB316A45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05A9FE98 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ddd0240ebdd4539e195b4d3343bce4ba23de192a4916d9ab521ac22fefb1412
Instruction ID: 7f1e7cca0c15d1b4d4acfa79008348989cb4037b230923af5c2df606f58ab63a
Opcode Fuzzy Hash: 1ddd0240ebdd4539e195b4d3343bce4ba23de192a4916d9ab521ac22fefb1412
Instruction Fuzzy Hash: 75018074A012099FC745EFA8D8157BE7BF5FB48300F1481AAE814E7345DB30A901CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05A9BED3 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df9a6278a0105b2c34b8a81a17133cf39f67f44c7ab758f084bc7bb862a2e5d1
Instruction ID: 89ac0fde6e8b9bbce4977a89e179b1b3aea8648fe38dce13f0b90460c3bada54
Opcode Fuzzy Hash: df9a6278a0105b2c34b8a81a17133cf39f67f44c7ab758f084bc7bb862a2e5d1
Instruction Fuzzy Hash: D6110971D052688BEB68DF2ADC44B9DBAB6ABC8300F04C0EAD40DB7254DE3059858F50

Uniqueness

Uniqueness Score: -1.00%

Function 057CD94E Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6810e73be8e847107d3041dc70ec5257396ff60ee0aca277f9a5434dd23cf6
Instruction ID: e5d23d4e5935485f6d1693e47411658418643c271aec9103512cb4dc46f733f4
Opcode Fuzzy Hash: 9c6810e73be8e847107d3041dc70ec5257396ff60ee0aca277f9a5434dd23cf6
Instruction Fuzzy Hash: 8E01D778A05289DBDB24DF98D598ABDBFFBFB88300F20506DD80AAB254DB745941DB40

Uniqueness

Uniqueness Score: -1.00%

Function 057CAAC5 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a2f8664172bd0f0daac50823e7b2ee6a01394555b0059005e5387bf32dd2140
Instruction ID: 6f7ce6ef1ad8db3b7d95eb772c6dbc6cfdcde59a8564cbecabd72b0c684fa4c3
Opcode Fuzzy Hash: 7a2f8664172bd0f0daac50823e7b2ee6a01394555b0059005e5387bf32dd2140
Instruction Fuzzy Hash: B1110774A0015E8FC794DF58D954BFABBB2FB98304F0080A5D90AA7798DF345E859F90

Uniqueness

Uniqueness Score: -1.00%

Function 05A95181 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8701777414c717336842f90e5c89847cd01c1e750a28b9573642a291acb2ebba
Instruction ID: 047fccf03f7721fea46d1ae3ddb63de89b9958ca9e965ad25bfd2681338ff515
Opcode Fuzzy Hash: 8701777414c717336842f90e5c89847cd01c1e750a28b9573642a291acb2ebba
Instruction Fuzzy Hash: 9711AC34A08249DFCB05DFA8D458AADBFF1EF49310F6441AAD419A7355CB306D41CF40

Uniqueness

Uniqueness Score: -1.00%

Function 05A9D88A Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9588a2c5f4cfbd06c8297488b96e2f7e34c88a83e03a627b2f92b6bbeebb6d35
Instruction ID: 97b8421a6f178df6502c041acb07bb50a4418848de428e54456c39d1c52839c9
Opcode Fuzzy Hash: 9588a2c5f4cfbd06c8297488b96e2f7e34c88a83e03a627b2f92b6bbeebb6d35
Instruction Fuzzy Hash: 7211E578A052099FCB44CFA8D884DADBBF2FF48300F118155E915AB366CB34AC46CF80

Uniqueness

Uniqueness Score: -1.00%

Function 057CF658 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eab78ed22d01e8f3143c8f7da520ce834aae77cfa29b8b912cc7956f5a5d86f
Instruction ID: 02e2c1d806b0ee36a62c6592be97eb71d4629fdce3c02ce4f7910dfa3011a829
Opcode Fuzzy Hash: 2eab78ed22d01e8f3143c8f7da520ce834aae77cfa29b8b912cc7956f5a5d86f
Instruction Fuzzy Hash: 5FF0DC317043009FC7208B6CC808EA57FE7EF8D300B2580EEE585DB362DA21EC02AB90

Uniqueness

Uniqueness Score: -1.00%

Function 057CE640 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19ead50c5ef4095a355dc504beda1f4a9fa24b5235d29feb0d1796220142784d
Instruction ID: f32c44366ae7bbd4e1b7d888268a33c4e42bbc0d922194284259dd569ddd5c61
Opcode Fuzzy Hash: 19ead50c5ef4095a355dc504beda1f4a9fa24b5235d29feb0d1796220142784d
Instruction Fuzzy Hash: 5E01BC30922248EFCB42EFA8D9586ACBFB4EB45300F6080EEDC08E3340DA319A45DB11

Uniqueness

Uniqueness Score: -1.00%

Function 057CDEF3 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14b4a3dcab7525d13302014816844d40ad9b4d177c551cf35c634cdd95a2fce1
Instruction ID: de701e4cffa824d17945d8039e89a64e1af333873783ae99a19deb4a7207db40
Opcode Fuzzy Hash: 14b4a3dcab7525d13302014816844d40ad9b4d177c551cf35c634cdd95a2fce1
Instruction Fuzzy Hash: ED014CB4E0424EDBCB00EFA8D4596BFBFB6FB88315F108079D915A3254DB305A45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 057C6B64 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f731c55f36d220acd6b8614fd2c1c8b9ebb0d204869d423f1f833910d8b2d7ca
Instruction ID: ab33026414c634fad1fa8ae68140d69b3daddffaa48423ad02beecd3cd995b32
Opcode Fuzzy Hash: f731c55f36d220acd6b8614fd2c1c8b9ebb0d204869d423f1f833910d8b2d7ca
Instruction Fuzzy Hash: 83011E74A05188CFCB14DF59D584AADBFBAEB4D300F10D89DD40AA7215CB30A942DF51

Uniqueness

Uniqueness Score: -1.00%

Function 05A95190 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c092f8e8ba8ff1fd480f65123f2f0a10fda0a518ebb0ebb8af65eeb95f923a6
Instruction ID: ff5e4f9e7e2eea8048090d07ff550bf22289914d34bf49ab3875d4866276ca84
Opcode Fuzzy Hash: 4c092f8e8ba8ff1fd480f65123f2f0a10fda0a518ebb0ebb8af65eeb95f923a6
Instruction Fuzzy Hash: C101B374E05218DFCB45EFA8D445AAEBBF5FB48300F5085AA9819A3354EB34AA41CB40

Uniqueness

Uniqueness Score: -1.00%

Function 05A9BEE0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf48de6b3fba0479c8b0aaa18425a9ae38771143fc44e66f14730ba4425d4cd7
Instruction ID: 79f13ac02b54e49b1f2337958f8ee6b73da91e72893685c4ce07d418c2051c62
Opcode Fuzzy Hash: cf48de6b3fba0479c8b0aaa18425a9ae38771143fc44e66f14730ba4425d4cd7
Instruction Fuzzy Hash: 1D01D370D056688BEB68DF6ADC44B9DBAB7BBC8300F04C5EAC40DB7254DA705A858F60

Uniqueness

Uniqueness Score: -1.00%

Function 057CB4D5 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cdbe0743f375c50c8e15068bf0c8d4d8dac9a576515547dfc6b179859378ead
Instruction ID: 343e6ffe18f6b64ffc6fe53f492ed5b1ced0d565ced8ec4f6af7c33ccdf15b87
Opcode Fuzzy Hash: 7cdbe0743f375c50c8e15068bf0c8d4d8dac9a576515547dfc6b179859378ead
Instruction Fuzzy Hash: 15012974A0525CCBC754DF58E448BB97BB6FB89312F5050ACE40A9B294CF749C85EB01

Uniqueness

Uniqueness Score: -1.00%

Function 057CC970 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c8fd36dd6f2b2a210d2e1e163584e377e850399157b0326f6ccb603e28ffd97
Instruction ID: dc7e46f67af684f407730c9eb0d19255cf5bf5d7ec2d1bc5c4f4d32b1b31e603
Opcode Fuzzy Hash: 9c8fd36dd6f2b2a210d2e1e163584e377e850399157b0326f6ccb603e28ffd97
Instruction Fuzzy Hash: 5C0128B4D06248AFCB05DBA8C588AADBFF5BF49310F1480DED458EB345D6309A45DB62

Uniqueness

Uniqueness Score: -1.00%

Function 05A94F70 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f44f7ad1e308a55de9e24ee1275e35eece214eb82c0af5bf969a3ed829a4841b
Instruction ID: 80e2ffc11aa2bc5677f28683fca67b3ac990483c9889ce7f2e1fde9b3af35eca
Opcode Fuzzy Hash: f44f7ad1e308a55de9e24ee1275e35eece214eb82c0af5bf969a3ed829a4841b
Instruction Fuzzy Hash: 4A018C74E05219DFCF48EFA8D808ABEBBFAFB4C300F0085A9981993344DB705951CB81

Uniqueness

Uniqueness Score: -1.00%

Function 057CBD20 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba9f2630c9c8d01f0443221ddcd6862ac5f8744a96a1e392a0ca336edc7aceaa
Instruction ID: dfb5698fd5acc185b68ff7a672657c24a473b8d50f3033b5a82d25c77cffadaf
Opcode Fuzzy Hash: ba9f2630c9c8d01f0443221ddcd6862ac5f8744a96a1e392a0ca336edc7aceaa
Instruction Fuzzy Hash: 76016934E05248EFCB41DFA8D58596DBFB1EB49300F50C0DEA808A7341CA36AE02DB41

Uniqueness

Uniqueness Score: -1.00%

Function 05A9FEA8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3102f62143134a2b567576c553b2d83e71f08e9af0902da8bbb059109ad3d4
Instruction ID: 96621e08e338b190fc9ea848f93eec1480d87c12e6f2d82c4928b0e5055143ec
Opcode Fuzzy Hash: 1c3102f62143134a2b567576c553b2d83e71f08e9af0902da8bbb059109ad3d4
Instruction Fuzzy Hash: 9D014F74E012199FCB44EFA8D4546BEBBF5FB48300F1441A9E814E7354DB349E01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05A99998 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7ca3083ab921276e4a48ac4efeea180b254b29bc015f56a826d10d5e9b702ac
Instruction ID: 97b0b509e57de0c3dcdb97443c8693994566f17f18dedc0524e1388a0cf7237d
Opcode Fuzzy Hash: d7ca3083ab921276e4a48ac4efeea180b254b29bc015f56a826d10d5e9b702ac
Instruction Fuzzy Hash: DF014BB4D05319AFCB05EFA8C885AAEFFF0FB48300F14809AD849A3355E7309A41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 057C6630 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8bd43309755af8d87bdf58ba601d455ee8ed9f8257523d56976606de9a6e9e2
Instruction ID: 99566866d14df1ea0cfb2dac779b8d444eaf52c453f4439a19063fdf63f6aa53
Opcode Fuzzy Hash: e8bd43309755af8d87bdf58ba601d455ee8ed9f8257523d56976606de9a6e9e2
Instruction Fuzzy Hash: 8CF0B43190110CEBCB04DF98D881A9CFF75EB51300F5081EDD80567364DB326A56FB95

Uniqueness

Uniqueness Score: -1.00%

Function 05A95078 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb6084132533de9d6720b266100eebe8e6207f7f3e69384f284957abd3ab5c8b
Instruction ID: a776af310893762b3cec564ae029730921eb15ca1e2c1b2f4002231a996923d6
Opcode Fuzzy Hash: eb6084132533de9d6720b266100eebe8e6207f7f3e69384f284957abd3ab5c8b
Instruction Fuzzy Hash: 12011974D04219AFCB40EFA8D849AAEBBF0FB08300F5481AAD818E7359D734A941CF91

Uniqueness

Uniqueness Score: -1.00%

Function 057CB7B8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ba8cccea67dbff7be3bc88d700ad3c7b1523469f9f0111d9ade0f048443fc11
Instruction ID: 4d69864c67f9b98b50d27406ab50af4b9353570402afe957d6eb8ae401fcda0e
Opcode Fuzzy Hash: 5ba8cccea67dbff7be3bc88d700ad3c7b1523469f9f0111d9ade0f048443fc11
Instruction Fuzzy Hash: 8BF06D30D04244AFCB51DBA899459ADBFF0AB06320B5481EFE818D7296D3319902AB81

Uniqueness

Uniqueness Score: -1.00%

Function 057CBDB0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3b5419e17d7f3f009d1409e4a1be3a51f3ce95eda50b2c5f471e2c0b5c2db66
Instruction ID: f805f44b212a195dd0c7de2c6261760a88a23fca25da4755380407fb8a757daf
Opcode Fuzzy Hash: b3b5419e17d7f3f009d1409e4a1be3a51f3ce95eda50b2c5f471e2c0b5c2db66
Instruction Fuzzy Hash: 93F0F070D04258AFCB11DBACC4095ACBFF0AB05310F9080DEE858D3385D2355903EB81

Uniqueness

Uniqueness Score: -1.00%

Function 05A999A8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcbe13c1fb2edb8225bfe9a38ced4be5a1cddcf0d5c510dded378279cb8bdd39
Instruction ID: 45bfc05eb806db5ec9fed1557771a63ed14778074c2ec77c0e98615c755502b3
Opcode Fuzzy Hash: fcbe13c1fb2edb8225bfe9a38ced4be5a1cddcf0d5c510dded378279cb8bdd39
Instruction Fuzzy Hash: 3C01B274D05219EFCB14EFA8C485AAEFBF0FB48310F5080AAD919A3354E730AA41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 057C02A1 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cbc9e04b1bf84e845f0190e053b89c2c41952f8054736f7f4ef11174674e4da
Instruction ID: 2ec6d37b2d3609ce7a323e1eb8f8e51bf31440d9a5f09b32bc507bbdb53c3955
Opcode Fuzzy Hash: 2cbc9e04b1bf84e845f0190e053b89c2c41952f8054736f7f4ef11174674e4da
Instruction Fuzzy Hash: 99F06771C08248EFCB41DFA8D848AADBFF5FB5A300F1481AAE819E3215D7305A94DB50

Uniqueness

Uniqueness Score: -1.00%

Function 057CFD10 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f201ca581108b216678f5a337cae5fd832f5f929323e469200757ce1b8fbbee4
Instruction ID: 4e22477d8a786e2cb83155dcae6f5c1f4c324d81a7d0e6902c0f669fdcfe1f13
Opcode Fuzzy Hash: f201ca581108b216678f5a337cae5fd832f5f929323e469200757ce1b8fbbee4
Instruction Fuzzy Hash: 7AF0F6749082DC5FC702CFACD8146FEBFB5EB0A311F5482DAE9A0962A7CA385541DF91

Uniqueness

Uniqueness Score: -1.00%

Function 05A99A08 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d0d16e74d498642ce44e7bef908942c4bbdd0233c9649946126bb1474eb4118
Instruction ID: 5b5c65b1ca1f41f4fa394dfc94152c0bf7c393ab2dd39b17243e3e5091c8d81d
Opcode Fuzzy Hash: 1d0d16e74d498642ce44e7bef908942c4bbdd0233c9649946126bb1474eb4118
Instruction Fuzzy Hash: B5F06D70D052499FCB18DFACD844AAEBFB0EF49314F6482ADD424A73A4D7355A42CB41

Uniqueness

Uniqueness Score: -1.00%

Function 057CFDC8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 744e1cc476a8ae7b7912aaa71148da3d5434356868001e823a447c3b01dbc23e
Instruction ID: faf33b5d08a6870bfcc04c5057e8e51e4abe2251c7db20e235004b5ea31cbd32
Opcode Fuzzy Hash: 744e1cc476a8ae7b7912aaa71148da3d5434356868001e823a447c3b01dbc23e
Instruction Fuzzy Hash: B8F08C35804258EFCB05DFA4D852BADBFB8EB48311F14C09AEC5492346C635AA62EB51

Uniqueness

Uniqueness Score: -1.00%

Function 057CC929 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc0978b033672ff4a06972812c6ef5dd7d25d6afa44e513e92346699c3fb5802
Instruction ID: 64edc4884cc4b7859dfabeafe2b52cedda9856506416419f2d148604de6a12f1
Opcode Fuzzy Hash: fc0978b033672ff4a06972812c6ef5dd7d25d6afa44e513e92346699c3fb5802
Instruction Fuzzy Hash: 3FF05870D05208AFCB41DFACD9486ACBFB8AB49300F1880DED818E7351E6319A42DB80

Uniqueness

Uniqueness Score: -1.00%

Function 057CAA36 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e242d2df3b63e6e7b08a7c396901fc6e92cfb65616d76520559216e8e2df22b
Instruction ID: 6b9f3277de9e64eb87e79a8e6f3cc840d560b0890b7e3a7e52a8f5f367cc9f9d
Opcode Fuzzy Hash: 9e242d2df3b63e6e7b08a7c396901fc6e92cfb65616d76520559216e8e2df22b
Instruction Fuzzy Hash: 0CF0F974A0525CCFCB50DF58E848BB97BB2FB89311F5051ACE40AAB284CF759CC5AB01

Uniqueness

Uniqueness Score: -1.00%

Function 05A92520 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0953ee2811ae5b1f4c48b049540a0876be1373cde226d9a2a694dac03f27b80d
Instruction ID: 0a8f2f00d07810545509179eb394c31cc798afe627d497f32fd59e03b06853be
Opcode Fuzzy Hash: 0953ee2811ae5b1f4c48b049540a0876be1373cde226d9a2a694dac03f27b80d
Instruction Fuzzy Hash: 67F0DA38D01208FBCB44DFA8D845B9CBBB5EB48310F14C0999814A7354D635AA56DF40

Uniqueness

Uniqueness Score: -1.00%

Function 05A95088 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0a324869cdb267ba37c06a945fdd3b1ba0bddffb9f315fca3e4325d1b41ff10
Instruction ID: 63fb9425fcc1a09e9f725e9de4c2df58ca5b9d2f398ae72d83a34e849a9e573e
Opcode Fuzzy Hash: a0a324869cdb267ba37c06a945fdd3b1ba0bddffb9f315fca3e4325d1b41ff10
Instruction Fuzzy Hash: 2EF0F974D042089FCB40EFACD445AAEBBF4FB48300F1081AAD818E3358D7309941CB80

Uniqueness

Uniqueness Score: -1.00%

Function 05A98D6B Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49f2f1837810cf918e0682439e4653814549c1a3eb3aca2ca25912e374130ee2
Instruction ID: 6d55abec70db444757b2c0e0821a9dcae209997e3c95eb87a1b101cf9b49d983
Opcode Fuzzy Hash: 49f2f1837810cf918e0682439e4653814549c1a3eb3aca2ca25912e374130ee2
Instruction Fuzzy Hash: 65F08274D02208AFC750EFA8D445BAD7BF4EB48700F1081A5980493344EA345A848B80

Uniqueness

Uniqueness Score: -1.00%

Function 05A94F10 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: febd8392520189919e25525ff54a3269b4e8dffacd6b2b02ccbbec7c57df85f7
Instruction ID: d201eb22a11e91bb99c16922a4ff8afb9c97f6d6544748b8701371ca0f7f513c
Opcode Fuzzy Hash: febd8392520189919e25525ff54a3269b4e8dffacd6b2b02ccbbec7c57df85f7
Instruction Fuzzy Hash: 92F0F834D04208ABCB44DFA8D845B9CBFB0EB48310F14C1AAD958D7345DA35AA52DF40

Uniqueness

Uniqueness Score: -1.00%

Function 05A9F8C0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad476ceea6eb2aee6f6548858f9b8a48d3dcc944e5ce9d7ddbe30231cd2d1413
Instruction ID: da5d0757b9823c93ea5f70bba0a9e039182a829d2884141b8f9a9e73aebc8a7c
Opcode Fuzzy Hash: ad476ceea6eb2aee6f6548858f9b8a48d3dcc944e5ce9d7ddbe30231cd2d1413
Instruction Fuzzy Hash: FDF06774D043189FDB40EFA8D8086ADBBF0FB48300F1080AAD818D3345EB342A41CF81

Uniqueness

Uniqueness Score: -1.00%

Function 057C00A1 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd44107787b847fc4ef1b888a862dea568782d4cff3e7107a6fd569925b0e6ec
Instruction ID: 4f4802de3d554f96a27b33d8d4a6f467083effd6434409d00b1e5ec5a3428e35
Opcode Fuzzy Hash: cd44107787b847fc4ef1b888a862dea568782d4cff3e7107a6fd569925b0e6ec
Instruction Fuzzy Hash: 58F09A34D04288EFCB42DFA8C844A9DBFB1EB4A300F04C0EAEC59DB312C2318A51DB41

Uniqueness

Uniqueness Score: -1.00%

Function 057CFD20 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b86b5bac3f1693573af1cb578b004038ca2c866dcbcf3e47f594ff0bbe60616
Instruction ID: a1156835330fe6541b16dacad231dbf64d99080f9bb1d649c13f41065ffa146d
Opcode Fuzzy Hash: 0b86b5bac3f1693573af1cb578b004038ca2c866dcbcf3e47f594ff0bbe60616
Instruction Fuzzy Hash: 2BF03AB4D0425CAFC741EFA8D955ABEBFF8EB48301F1081AAE915D3244DA349A40DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05A92428 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2719c7fd2181ca7b1359854c27fbe4c926b7da448c021923f243087c75acc79
Instruction ID: d76214fd406ba3cafe1a7c9e193a6283559e8e726421a94ff36462eda76d99ff
Opcode Fuzzy Hash: a2719c7fd2181ca7b1359854c27fbe4c926b7da448c021923f243087c75acc79
Instruction Fuzzy Hash: C6F0D479D00208AFCB45EFA8D885B9CBBB1EB49310F14C1A9A858A7354D631AA56DB50

Uniqueness

Uniqueness Score: -1.00%

Function 05A9FF71 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5021ab02aeea81f9f156d5bf7e3850e516eaad3a4bcde4d04a66b85e5977ca7b
Instruction ID: f5494f27a1c5cdde2d8266a2065452c04e0c08b4f7c0f9c5071b4dcee42a4cb3
Opcode Fuzzy Hash: 5021ab02aeea81f9f156d5bf7e3850e516eaad3a4bcde4d04a66b85e5977ca7b
Instruction Fuzzy Hash: 45F0A038801148AFCB45DFA8D841BACBFF8EB48311F14C199EC5493341C631AA62EB90

Uniqueness

Uniqueness Score: -1.00%

Function 057CF6E0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c31533645d9b78d90b333da1f0222d7f3977a7fa1ab5f30d425db815b5db21aa
Instruction ID: 42b1e60ec8b73c472d0b0fe3c7b05d64d85ea08d55dcc404bd60ff9bfd2604ab
Opcode Fuzzy Hash: c31533645d9b78d90b333da1f0222d7f3977a7fa1ab5f30d425db815b5db21aa
Instruction Fuzzy Hash: 9BF03034D083489FCB00DFA8D55459DBFF1EF45308F1185E9E845E7791EA355A05CB81

Uniqueness

Uniqueness Score: -1.00%

Function 057CFCC8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ab5b5d86d98567e80cbb799c45ac16c2e2a28985ee61e27abe47f3e38dc3c04
Instruction ID: c535309803ebadaae4ffa1ef4cd9797eff13e596d581d48dbba2f75d537c52e6
Opcode Fuzzy Hash: 8ab5b5d86d98567e80cbb799c45ac16c2e2a28985ee61e27abe47f3e38dc3c04
Instruction Fuzzy Hash: B4F0A034E142849FCB20EBA8C995668BFB0AB06614F6440DECC08D3341E6319E41C781

Uniqueness

Uniqueness Score: -1.00%

Function 05A94318 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde3fb8a9d6a84c0aec5dbfe7c3e58e93435a0b9f0598dd784653130f9bba2bb
Instruction ID: d5fa6eadc5b5fbb2ee17165952f24e1dac6ba73eda2c72d63644b77255fe562d
Opcode Fuzzy Hash: dde3fb8a9d6a84c0aec5dbfe7c3e58e93435a0b9f0598dd784653130f9bba2bb
Instruction Fuzzy Hash: AEF03034904249AFCB55CFA8C849EE9FFB1FF09310F1881DAE86897291C6319652EB51

Uniqueness

Uniqueness Score: -1.00%

Function 05A92DC1 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 506f1d597fb75270eb8a198a4759bdac9e486ba67bdceb5c41d7fe9f85f9576c
Instruction ID: bfd35fa18e393309a11d9dd998612059d19ebaf168ce032b309af9f5754b5f2d
Opcode Fuzzy Hash: 506f1d597fb75270eb8a198a4759bdac9e486ba67bdceb5c41d7fe9f85f9576c
Instruction Fuzzy Hash: 16F0D43610524AEFCF0ADF94DD10EA9BF72FF59314F188199ED1816266C6329A72EB40

Uniqueness

Uniqueness Score: -1.00%

Function 05A9FCF8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a48b5f76f5e07c58bc85c698a28fd3e91f16f5d0db4bd9ed92a07cac5c89e71
Instruction ID: 0455cf9f48929a6ef4b81921e06262459e1802d6ffe93ad6b25f594775d11df1
Opcode Fuzzy Hash: 5a48b5f76f5e07c58bc85c698a28fd3e91f16f5d0db4bd9ed92a07cac5c89e71
Instruction Fuzzy Hash: A1F01C74D00208EFCB55EFA8D445B9CBBF4EB48300F14C1A99C1893305D631AA55DF84

Uniqueness

Uniqueness Score: -1.00%

Function 05A98E11 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eadf3b3e16d743b3c9f4733e691dd6a74ffcfd41fc5b2e56d36f72800712ca6
Instruction ID: ee9167828de9d5d9e86cf1d5078b999f819c7eb5a88f4b423e9d30a85e15e2a4
Opcode Fuzzy Hash: 0eadf3b3e16d743b3c9f4733e691dd6a74ffcfd41fc5b2e56d36f72800712ca6
Instruction Fuzzy Hash: 99F03034D01208FFCB04DF98D481B9CBFB1EB88300F14C1A9DD0493344DA32AA52DB44

Uniqueness

Uniqueness Score: -1.00%

Function 05A9F968 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f79138ce412fe5edc7e8d46abb90b1c6c9c1607e0ab5512648186c3274fbabe
Instruction ID: 57d903ec40e29568633274a6442064269859041d9fd96f1d0cd545be2a931766
Opcode Fuzzy Hash: 1f79138ce412fe5edc7e8d46abb90b1c6c9c1607e0ab5512648186c3274fbabe
Instruction Fuzzy Hash: 46F03074D01208AFDB54DFA8D946B9DBBF4EB48314F54C0A9D818D3345EA31AA46CF81

Uniqueness

Uniqueness Score: -1.00%

Function 05A9F870 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d08dbc0940362a2426628aaf294a1f5071dccf166456d279230b1dcafd3661
Instruction ID: 3332f03d9d9bb2f37fa29370880cff5af3f5db075bd3a3618bd0f07cebd4b9f6
Opcode Fuzzy Hash: 67d08dbc0940362a2426628aaf294a1f5071dccf166456d279230b1dcafd3661
Instruction Fuzzy Hash: 01F0F874D04208AFCB55DFACD445B9CBFF4EB48310F64C1A9985893345D635AA56DB80

Uniqueness

Uniqueness Score: -1.00%

Function 031B0048 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.360227865.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31b0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7acadf228f24a7541df9fdb7617174a2fcb3a37cdb7f6c0c6644e4527953b581
Instruction ID: 88705c7d761ac47896b6cb1c104b91a9194efd69849892310312f0c2b5bf1d42
Opcode Fuzzy Hash: 7acadf228f24a7541df9fdb7617174a2fcb3a37cdb7f6c0c6644e4527953b581
Instruction Fuzzy Hash: F6E0C9353402149FD758DA39D845F5A7BA5EF89620F5180A5F5098B3A1DA71EC018B90

Uniqueness

Uniqueness Score: -1.00%

Function 057C02B0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c545a3443b9fd2d7a6c42b621933005c0eef3b8f09d5e60d8fb9b4bf24180dc5
Instruction ID: 4ca5eb865e123bf2b62fbf147dda6309cd07aae86351665d6f848e4109f10c3c
Opcode Fuzzy Hash: c545a3443b9fd2d7a6c42b621933005c0eef3b8f09d5e60d8fb9b4bf24180dc5
Instruction Fuzzy Hash: 1CF0F875D0420DEFCB44EFA8D948AADBFF9FB48300F1081AAD819A3214D7305A94DB90

Uniqueness

Uniqueness Score: -1.00%

Function 057CDEA0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d0ff1fdf69fd4c93a29f66a915f26ee4f8f7eec7d73104fc3397a9a3d20cf56
Instruction ID: 257d8f99a2d42f2807e8b50b58acd6faa3e18be89e4f57989b1fe8a31ed7037b
Opcode Fuzzy Hash: 5d0ff1fdf69fd4c93a29f66a915f26ee4f8f7eec7d73104fc3397a9a3d20cf56
Instruction Fuzzy Hash: 18F0A034914388AFC711EB6CD854658BFF0AB45200F5480EEC848D7341E7319E01DB41

Uniqueness

Uniqueness Score: -1.00%

Function 057C48A1 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74b27eed6329dcf7335fc38422cb9db5317264466680fe3bd526fb91bb7c4259
Instruction ID: a58f38469a3a3302c0ab96ae9b6d65956dc1c8f09bce234d7a1d236971a62444
Opcode Fuzzy Hash: 74b27eed6329dcf7335fc38422cb9db5317264466680fe3bd526fb91bb7c4259
Instruction Fuzzy Hash: D7F05870D01208EFCB54DFA8D881A9CBFB1EB58300F10C1EADC1493354D6365A11CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05A9247B Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae545e10c5051c22e5e4826fc1484882eecd6e1dd2903c2ad0547400c4fa5b76
Instruction ID: 931a10dff801e3a573bff6351dc40887240dfaad2f792f70d9cded68755e2336
Opcode Fuzzy Hash: ae545e10c5051c22e5e4826fc1484882eecd6e1dd2903c2ad0547400c4fa5b76
Instruction Fuzzy Hash: 57F0A774D00249AFCB14DF98D805BBDFFB1FB58320F608199E914A7394CB355691DB54

Uniqueness

Uniqueness Score: -1.00%

Function 05A95028 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae7aa188cbdf5c702cd409ce4719e75c35cfffadd9bc4e8818d7958151e17e01
Instruction ID: e19a84cd52cff6d1cbcec8683385f5dc745f089e9f40444c76577ee9c48b6efb
Opcode Fuzzy Hash: ae7aa188cbdf5c702cd409ce4719e75c35cfffadd9bc4e8818d7958151e17e01
Instruction Fuzzy Hash: 55F05874D08248AFCB15DFA8D844A9CBFB0EB49300F10C0EADC48A3351E6359A15DF81

Uniqueness

Uniqueness Score: -1.00%

Function 05A95228 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2498008865d0d42b8e3d4507a4b0472132b8e88806358cdd94ed77c429b8354
Instruction ID: 9979aa45e1438bb420c5dcd18a5e91fd3e888007f40c7119dba9d40b4fa9dd2d
Opcode Fuzzy Hash: d2498008865d0d42b8e3d4507a4b0472132b8e88806358cdd94ed77c429b8354
Instruction Fuzzy Hash: 29F07474D01219EFCB45EFA8D545AADBBF1FB08300F5085AAD818A7314D7719A51DF80

Uniqueness

Uniqueness Score: -1.00%

Function 05A99F28 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5989f4f53e67b141232ceeb2fd76be6d4c960292377d0097708957f04e8345e
Instruction ID: 32d4e5d2dc0089821e55947676ced9a5e971fd86d93d194c8fd2b606d31d5218
Opcode Fuzzy Hash: c5989f4f53e67b141232ceeb2fd76be6d4c960292377d0097708957f04e8345e
Instruction Fuzzy Hash: 08E0DFB281511DAFDB04FBA8D809B8B7BE9DF20310F6481E8D105C3214E9700B0082A2

Uniqueness

Uniqueness Score: -1.00%

Function 05A9DE09 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93578022f7806a56125e5c2fcfbe2f7a360d76a4ba1e17a9ce6b68721f8f9b59
Instruction ID: 460f5b62068746b3909c3079f71a3e182b001528d513553ccfa36d269f4a3b56
Opcode Fuzzy Hash: 93578022f7806a56125e5c2fcfbe2f7a360d76a4ba1e17a9ce6b68721f8f9b59
Instruction Fuzzy Hash: 54E01A78904208BBCB14DFA8DC46B69BFB4EB94310F64C0ADED4463354CA31EA56DA98

Uniqueness

Uniqueness Score: -1.00%

Function 057CA6C3 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fd829f8dba36c2e75865572391242f305dfb44ef128fbfca363f2da0ec03e55
Instruction ID: 40151aa1cc57bcdb00632ab42ad5224e0a4b91e154dd11082ab761ad0450868d
Opcode Fuzzy Hash: 0fd829f8dba36c2e75865572391242f305dfb44ef128fbfca363f2da0ec03e55
Instruction Fuzzy Hash: E7F0B770A0422CCFDB54CF59D859BA9BBB6FB89301F4081ADE40AAB254D7755C81DB11

Uniqueness

Uniqueness Score: -1.00%

Function 057CD308 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cc386bb69ace73a379c8d0177a2ae367abcdb31ab0e51a147d63a5bff4b8acd
Instruction ID: f4c66a610a983303149dc3fb892100ead853e095f532c963390b749639921a68
Opcode Fuzzy Hash: 0cc386bb69ace73a379c8d0177a2ae367abcdb31ab0e51a147d63a5bff4b8acd
Instruction Fuzzy Hash: B0F0D434D05208FFCB55EFA8D944A9DBBB0EB48310F14C4AEE848A3244D631AA56DF81

Uniqueness

Uniqueness Score: -1.00%

Function 057CBC09 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bda88e71c800377459ed1775fdf639c7913ce85848b6587b6122200d1919991
Instruction ID: 7c5204c407e978d32db35b26df833eb2896176e7b4687c776378259f180523f9
Opcode Fuzzy Hash: 2bda88e71c800377459ed1775fdf639c7913ce85848b6587b6122200d1919991
Instruction Fuzzy Hash: 8AF0EC355482849FC712DF54D95556CBF30EB86300F58C0DDD8845B396D6319956E750

Uniqueness

Uniqueness Score: -1.00%

Function 057CDCC1 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d8ecd716893f9c3b06f865c291805d0b6a725d9b3a6561b163ae3b9a73b359c
Instruction ID: 6aebbf208c892a45270c88293620cd9defae35ccfa2eca44c121961caa5a6167
Opcode Fuzzy Hash: 8d8ecd716893f9c3b06f865c291805d0b6a725d9b3a6561b163ae3b9a73b359c
Instruction Fuzzy Hash: 7AF03070D05348AFC750DFA8D84569DBBF0EB88310F24C0EAD81893344E6319E42DF81

Uniqueness

Uniqueness Score: -1.00%

Function 057C5A30 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88128f221d9a05544855e02c51f8586f2a4d83a194796ed1daa709a9a5b4d8fb
Instruction ID: 065ea0e557aa211a3e75809f0c328166af8511af963f289ee555cfe0bda0d486
Opcode Fuzzy Hash: 88128f221d9a05544855e02c51f8586f2a4d83a194796ed1daa709a9a5b4d8fb
Instruction Fuzzy Hash: CCF01575D00608EFCB44EFA8D885B9DBFF1EB58300F14C0A99818A3345E736AA51DB40

Uniqueness

Uniqueness Score: -1.00%

Function 057CCAB8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32448e1e0cdf83f987cd94bbb55090feef30b7454a30a295f341b5de925af368
Instruction ID: 6342073a3ddff7c6025dbd3290dde613b98b740cf5afadc305c3c8bf64939520
Opcode Fuzzy Hash: 32448e1e0cdf83f987cd94bbb55090feef30b7454a30a295f341b5de925af368
Instruction Fuzzy Hash: D8E09A3190620CEFCB41EBBCE848A5A7FF8EB09780F0000DAD409E3224EA301E54AB52

Uniqueness

Uniqueness Score: -1.00%

Function 05A92488 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b839816064a88a6ca0bd625c052d3e7b5ec8a79c09fca069e896b093c0d7315
Instruction ID: 1eea17167c48aa69aff60c73f2915ac1b98bdc93f98bc717ff0ea39de2dc71f6
Opcode Fuzzy Hash: 3b839816064a88a6ca0bd625c052d3e7b5ec8a79c09fca069e896b093c0d7315
Instruction Fuzzy Hash: 9AF01C74E0120CAFCB54EFA8D444AADBBB5EB88310F5080A9A904A3344DA345A50CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05A9C471 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2806a49bae815f68289ff0ae7a0a4ad7f156b4a5089a6d2b8eb902058f84dbc
Instruction ID: 1f26fe596d227bcaa5265a1795e99036ac3262f74fe3fc8e9357e8535095a82f
Opcode Fuzzy Hash: f2806a49bae815f68289ff0ae7a0a4ad7f156b4a5089a6d2b8eb902058f84dbc
Instruction Fuzzy Hash: 86F0A478A042189FC791DB58D894BAAB7F6FB8C300F1080D4E80DA3355DB34AE858F90

Uniqueness

Uniqueness Score: -1.00%

Function 05A94FE3 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec7dfbc99ddce4bb9cac3caf31b634b2bb07e32a020429de6e7a8ee6f7b3aff0
Instruction ID: 23f03437ff2633ac77e59e98f9d69523b7a94a962217bb15548f43c6f32c5893
Opcode Fuzzy Hash: ec7dfbc99ddce4bb9cac3caf31b634b2bb07e32a020429de6e7a8ee6f7b3aff0
Instruction Fuzzy Hash: 40E04F3280510AFACB09FBB8C846B5E7BF8DB18640F4440A5960AD3214DD7556549692

Uniqueness

Uniqueness Score: -1.00%

Function 05A9FE51 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a355e98332463879ca3135260e014cb071dc7cac3e813af220615e45699c2e28
Instruction ID: 9d245888fdc20b494cdae39428b7cd7936ad4396a1631ba5d6ec03ddde7565b3
Opcode Fuzzy Hash: a355e98332463879ca3135260e014cb071dc7cac3e813af220615e45699c2e28
Instruction Fuzzy Hash: CDE06D74915298AFCB05CFA8C900AACBFB1EB5A310F14C2DAD86893351C6359A12DF51

Uniqueness

Uniqueness Score: -1.00%

Function 05A9F8D0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0921f750fda59f9b5322d605c02330221976c9cffa52abb4a3ced8a48d873411
Instruction ID: 93f87cedd7daf937fd5dc4e9d3fc6c8e303684fb760201c279e7eaaa038d5143
Opcode Fuzzy Hash: 0921f750fda59f9b5322d605c02330221976c9cffa52abb4a3ced8a48d873411
Instruction Fuzzy Hash: 76F0F274D042289FDB84EFA8D8456AEBBF4FB48300F5081AAD818A3358DB756A41CF81

Uniqueness

Uniqueness Score: -1.00%

Function 05A96858 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 615a31e85d9852c957d866708893d49645b79ff9d27604e90e1d495ee75903bc
Instruction ID: a421ae2a31437a0ccdb7e6ac46572b0130347033f562d68a46edd2171b1e7e95
Opcode Fuzzy Hash: 615a31e85d9852c957d866708893d49645b79ff9d27604e90e1d495ee75903bc
Instruction Fuzzy Hash: 57E06D34C09248BFCB54EBA8D851BACFFB4EB49310F58C0EAD85457344C635AA42DB91

Uniqueness

Uniqueness Score: -1.00%

Function 057CF6B8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5655714db338ced73415a9e1aea161e2094d1cfd7268bad1575d7bb410906a06
Instruction ID: da95611011b8ce29c4c37617676873a4dcb3a1a9910334abd8b3b65ae4862989
Opcode Fuzzy Hash: 5655714db338ced73415a9e1aea161e2094d1cfd7268bad1575d7bb410906a06
Instruction Fuzzy Hash: 66E0CD73D051449FC714AAD5F8063787E16D746361F4404DAE909E7730D52AD4105392

Uniqueness

Uniqueness Score: -1.00%

Function 05A9A7E8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 526e42d0427f8be678b0d235892047f39b9859e71e6c1bc31a69359892e04b26
Instruction ID: 70c1ac291b76cd5cdd7705401d464f0e06d1a219e6f7b37aedaf658d19b14d24
Opcode Fuzzy Hash: 526e42d0427f8be678b0d235892047f39b9859e71e6c1bc31a69359892e04b26
Instruction Fuzzy Hash: 23F0C974E04218EFCB94EFA8D844AADBFF4EB48310F14C0AAE858D3344D635AA51DF50

Uniqueness

Uniqueness Score: -1.00%

Function 05A9A3C1 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24118be5a1c68a46d7468d11e4884bf7cfc00f6245ab394974a06fbe230e3696
Instruction ID: 63139bc8dfe869c1193cfde47b5448f9a84c39d8cfe963083674fd4bc166ea81
Opcode Fuzzy Hash: 24118be5a1c68a46d7468d11e4884bf7cfc00f6245ab394974a06fbe230e3696
Instruction Fuzzy Hash: 7AE09275D11208DFCB08FFA8E88579CBBB5EB04214F6045A9D804D3344E6359A40C740

Uniqueness

Uniqueness Score: -1.00%

Function 05A98D78 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bad6f8449cf3d2c08f09b05aab27fc99312de50597a7dcc23973aeb97bda6528
Instruction ID: 4fa3ec1c4ceae06397fb2557b1f53e3aa61a169b3ef755ccb120b8b8c8c5f7f7
Opcode Fuzzy Hash: bad6f8449cf3d2c08f09b05aab27fc99312de50597a7dcc23973aeb97bda6528
Instruction Fuzzy Hash: 17F06574E11308EFC740EFA8D4446ADBFF5EB48300F1081A9D80593344EB355A80CB90

Uniqueness

Uniqueness Score: -1.00%

Function 057C7940 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e3f5f52c1a6c694f374d57473587b6fb4faa8d6d203e2c659280077f434fa69
Instruction ID: 6fb3bf46a1ce5a238f73ef714e72bacd5b63d7fb9f6a975e0a04fc7e179210e3
Opcode Fuzzy Hash: 2e3f5f52c1a6c694f374d57473587b6fb4faa8d6d203e2c659280077f434fa69
Instruction Fuzzy Hash: 0FE0DF75D04208EBCB08EF94D849B5CFF70EB50310F54C0ADD808A3346CA31AA52DF81

Uniqueness

Uniqueness Score: -1.00%

Function 057C5ACA Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f5ae30c4249c4537a2eb110462d8409573769d7dae563cba5e73413c091d2a8
Instruction ID: 703271ffff5b64c2ced65ed2d1a17d96da7dac061d837765efa15c0b8a239466
Opcode Fuzzy Hash: 3f5ae30c4249c4537a2eb110462d8409573769d7dae563cba5e73413c091d2a8
Instruction Fuzzy Hash: 55E0C934D04208AFCB54DFA8D98579CBBF5EB48300F54C1AA9808A3344D636AA45CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05A92438 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 594c438930bf5b5c5d7a1ccc5a91c5983bb2625b3939b2b8f2b670e96b4359e8
Instruction ID: 6c21770390cd2dd6a59ddf158f50e70ea94db287cf84ae1716ccd3c8031f615c
Opcode Fuzzy Hash: 594c438930bf5b5c5d7a1ccc5a91c5983bb2625b3939b2b8f2b670e96b4359e8
Instruction Fuzzy Hash: DDF0A578D00208EFCB54EFA8D844A9CBBB1EB48310F10C0AAA81893354D631AA51DF40

Uniqueness

Uniqueness Score: -1.00%

Function 05A9B683 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e165d264ebe2c405e4de00e0c78f4d23d8e1c717a2fe7d27ac23952e3c16044
Instruction ID: a24cb88e4014de8fd33533ceb251cb4f138e0492e9a7cbe7c7fc266c62f9c005
Opcode Fuzzy Hash: 3e165d264ebe2c405e4de00e0c78f4d23d8e1c717a2fe7d27ac23952e3c16044
Instruction Fuzzy Hash: A0E0ED74E04208EFCB54EFA8D845AADFBF0EB48310F14C0A9D918E3344D631AA51DF50

Uniqueness

Uniqueness Score: -1.00%

Function 05A961FE Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acfeeae8682b99a03c0f6be13496c5eabe0e5c9a28c1c8937b6cd3c755ccb1f4
Instruction ID: 24f6978ecd84e892bf4ff54f1c6639ed1e8448e1b79370d946890cb3a09dd986
Opcode Fuzzy Hash: acfeeae8682b99a03c0f6be13496c5eabe0e5c9a28c1c8937b6cd3c755ccb1f4
Instruction Fuzzy Hash: 24F08C38E0C2998FCB41CB58D894AE87FF2FF49200F0540FAD14CAB662CA3059668B02

Uniqueness

Uniqueness Score: -1.00%

Function 05A95131 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02a2600b8071e0b7b666ade513a2dfe45bf0fc5657b76cd5d375ed607675b3a3
Instruction ID: 44ae8b31c4d84b6c393223b37c4bbbfa68a0424d85de9329c583b326e41f1dd3
Opcode Fuzzy Hash: 02a2600b8071e0b7b666ade513a2dfe45bf0fc5657b76cd5d375ed607675b3a3
Instruction Fuzzy Hash: 02F01C74900249AFCB55DFA8C845BA9FBF0FB45320F2482EAD86857396C6315692DB44

Uniqueness

Uniqueness Score: -1.00%

Function 05A993D0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b7f8465598dd33bd17fc13a45b26027e6fdda63920946395c1e96bbd19a0ba4
Instruction ID: c7083fca6cf7feefc5542b666397bdb475c9d83d76aa4315915c084c5d28aad4
Opcode Fuzzy Hash: 7b7f8465598dd33bd17fc13a45b26027e6fdda63920946395c1e96bbd19a0ba4
Instruction Fuzzy Hash: 6FE0DF3280A108EFCB12EBF8C645AAE7BF0EB16700F4440AAC105C3124DA304A08CB42

Uniqueness

Uniqueness Score: -1.00%

Function 05A9A379 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8280d9d8710cffbb4fd4c715dc4ec879defc8c5eddd1b49e71b859abccc30076
Instruction ID: c47b9ea356a24bbe0b9fa411cc1eea3eaf1d129b181504ecf03e09d321d7d1ff
Opcode Fuzzy Hash: 8280d9d8710cffbb4fd4c715dc4ec879defc8c5eddd1b49e71b859abccc30076
Instruction Fuzzy Hash: 2EE0E574D002449FC704DBA8D840758FFF1EB05314F2482CDC85897395C6329A43CB40

Uniqueness

Uniqueness Score: -1.00%

Function 057CE688 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa9b9f631a3da0f698e67445906f5f1fcee67cca0fd5cdd3c5c80147da64acd7
Instruction ID: c96358cfbc69a963d0567b204ff1439b7226023092d18bd22625e386ef749c17
Opcode Fuzzy Hash: aa9b9f631a3da0f698e67445906f5f1fcee67cca0fd5cdd3c5c80147da64acd7
Instruction Fuzzy Hash: 21E06D7091A288EFCB02EBA8E95966DBFB4EB05200B1440DAD905AB251DA711E44D751

Uniqueness

Uniqueness Score: -1.00%

Function 057C00B0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9fa7dc0663173f5473e45e02b524986dd0c231f68c6d144664e4c7c8c142890
Instruction ID: 46c96672ad32dc7666dbb1944068dea2ee33dfbc194243ee90f68ddde796b574
Opcode Fuzzy Hash: e9fa7dc0663173f5473e45e02b524986dd0c231f68c6d144664e4c7c8c142890
Instruction Fuzzy Hash: 9BF0C934D01208EFCB54EFA8D844A9CFBB1FB48310F10C1AAEC1893354D631AA51DF81

Uniqueness

Uniqueness Score: -1.00%

Function 057C49C0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d91465dc72d75dbae7cf1ff11aadd0aa342fce42621173e7ee8882fa4e794b2
Instruction ID: f774f28b34ce44ba5a09ab9574805799fe6ce3c19eeec6d8ac33a7cbc8946730
Opcode Fuzzy Hash: 9d91465dc72d75dbae7cf1ff11aadd0aa342fce42621173e7ee8882fa4e794b2
Instruction Fuzzy Hash: 22E09A34905108ABCB20DAA8D89ABACBF70EB45300F2481A9C80867348DB326A02CA81

Uniqueness

Uniqueness Score: -1.00%

Function 05A9B688 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40c8b12cc01b913cb8edc15ec2373ad0e0692f0a66bf64ceaf594b76a61031c4
Instruction ID: 4610d669f44bd2f6c5477b59f0c295bc3eda1c229c1cf840e7b3a533c6c33dfb
Opcode Fuzzy Hash: 40c8b12cc01b913cb8edc15ec2373ad0e0692f0a66bf64ceaf594b76a61031c4
Instruction Fuzzy Hash: F6E0ED74D04208EFCB54DFA8D444A9CFBF0EB48310F10C0A9D81893344D631AA51DF40

Uniqueness

Uniqueness Score: -1.00%

Function 05A9BFF4 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50b339e2ff429584d47e961c58e0e4526d5934b173ad799f12f52c0d44a0d658
Instruction ID: 8a2ca9730dab30cf8ffb0ea6f6bdcd0ed1f2200bb142f9a4460e3f856670e465
Opcode Fuzzy Hash: 50b339e2ff429584d47e961c58e0e4526d5934b173ad799f12f52c0d44a0d658
Instruction Fuzzy Hash: CAF01C7890821DCFDB54CF88E494B7EBBB6FB48300F104058D519A7245CB78DD868F90

Uniqueness

Uniqueness Score: -1.00%

Function 05A9A8C0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe46e805b04c9da1ecbf0d97d22b700e0391e8303738dcb7b4a116a7ebf3b58f
Instruction ID: 2fe40b758af17d1f8eb206e27bcc9090f766bb2dccf22a281960aaae565b6621
Opcode Fuzzy Hash: fe46e805b04c9da1ecbf0d97d22b700e0391e8303738dcb7b4a116a7ebf3b58f
Instruction Fuzzy Hash: C1E0ED75E001699FCB90CB98D840AEDBBF5FB88351F1080A6E54DD7354CA3069958F51

Uniqueness

Uniqueness Score: -1.00%

Function 05A9485D Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8095a57ddc1deb543c51038a22c1d70c089d02f3001cdf6a6e334ec941ce9f38
Instruction ID: 84b6adf7a0849564c8ce6b4db10c377290316691592692c83de3c74229a578a1
Opcode Fuzzy Hash: 8095a57ddc1deb543c51038a22c1d70c089d02f3001cdf6a6e334ec941ce9f38
Instruction Fuzzy Hash: FCE0ED749092A88BCF28DB24C084BBD7AFABB4D245F149455940A67241CA704982CB40

Uniqueness

Uniqueness Score: -1.00%

Function 057C64C0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f935bbd9a5e6609dc62a84eab5458a29b07348993cd6086df58e5346df26d23f
Instruction ID: cc534d96da30834c874de5d8bbe9dc8a9934973e990f80cfbd6a59cbc7683671
Opcode Fuzzy Hash: f935bbd9a5e6609dc62a84eab5458a29b07348993cd6086df58e5346df26d23f
Instruction Fuzzy Hash: 37E04F39904208ABC704DBA8D99579DBB75EB45314F6480DDD80863344C6329B42CB81

Uniqueness

Uniqueness Score: -1.00%

Function 057CE09B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 195e7e2cfaa3c75f711c84f5cd79244efca9e611cf0af9e2816ae2dd809b881e
Instruction ID: f30717ea6a8d3075461f426a7aa4eeb19aead3d7db0850400689aae579896f3d
Opcode Fuzzy Hash: 195e7e2cfaa3c75f711c84f5cd79244efca9e611cf0af9e2816ae2dd809b881e
Instruction Fuzzy Hash: 28E0ED74D04208EFCB44EFA8D94565CBBF4EB48304F54C0E9981893344D6359A41CF81

Uniqueness

Uniqueness Score: -1.00%

Function 057CAF1D Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30475012cdd0dcaef598b787c2ef169c2d522173f8946877b3dd9094e2a83fce
Instruction ID: 06ae703978bbdc8bd494e2c5825d8bd21366a75a4b8daf97e5fdd6e574f0c2b2
Opcode Fuzzy Hash: 30475012cdd0dcaef598b787c2ef169c2d522173f8946877b3dd9094e2a83fce
Instruction Fuzzy Hash: D3F0D474901228CFCB90CF68D848BACBBB2FB48311F4042A9E00AAB251DB759CC5DF01

Uniqueness

Uniqueness Score: -1.00%

Function 057C48B0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13ec4e95391e02faa889a88fe53aad849e0eb90d47b7a8b0ab9267a2a38f7d2b
Instruction ID: 81d38a9b07c485c0c4d96b218468ce11368d7984cbee41c1c385061b8d72fe14
Opcode Fuzzy Hash: 13ec4e95391e02faa889a88fe53aad849e0eb90d47b7a8b0ab9267a2a38f7d2b
Instruction Fuzzy Hash: EBE0E574E00208EFCB54EFA8D844A9CFBF1EB48310F10C1AAD818A3344D631AA51DF80

Uniqueness

Uniqueness Score: -1.00%

Function 057C5A40 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13ec4e95391e02faa889a88fe53aad849e0eb90d47b7a8b0ab9267a2a38f7d2b
Instruction ID: dc494a030d2eb5637e3cc0d960b518303a538a35df50f01c1a6c9e1c48c31725
Opcode Fuzzy Hash: 13ec4e95391e02faa889a88fe53aad849e0eb90d47b7a8b0ab9267a2a38f7d2b
Instruction Fuzzy Hash: 86E0E574E00208EFCB54EFA8D884A9CFFF0EB48310F10C0AAD818A3344D632AA51DF80

Uniqueness

Uniqueness Score: -1.00%

Function 05A9A388 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27163907227e134c86cdecc9a1ad48b26a16ad140e0b6bca6edccbb93facfb6e
Instruction ID: 43a41aa07baf2737cd6e3f1cc184cbfe3e2a91e599e2da6bcda7768a6c8a0505
Opcode Fuzzy Hash: 27163907227e134c86cdecc9a1ad48b26a16ad140e0b6bca6edccbb93facfb6e
Instruction Fuzzy Hash: 7BE0E534E00208EFCB44EFA8D484A9DBBF0EB48300F20C0AA981893344D632AA42CF80

Uniqueness

Uniqueness Score: -1.00%

Function 05A9ED08 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 350325acdb77494b5120d721352a6c70fe952bfbe583fe089045dc06152ebfc8
Instruction ID: 07e40c58690ff58d3480f06e96f6dcfd351279701c7cb5a592adcc7744bcfb43
Opcode Fuzzy Hash: 350325acdb77494b5120d721352a6c70fe952bfbe583fe089045dc06152ebfc8
Instruction Fuzzy Hash: B7E06D71D09284DFCB05DFA4D848A59BF70EB96300F14C1EEDC441B255CA315A55C755

Uniqueness

Uniqueness Score: -1.00%

Function 05A93F60 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27163907227e134c86cdecc9a1ad48b26a16ad140e0b6bca6edccbb93facfb6e
Instruction ID: c92708e9a00234ab54d24f3fc9f6263d066dce38e27d34e830865d786b167acb
Opcode Fuzzy Hash: 27163907227e134c86cdecc9a1ad48b26a16ad140e0b6bca6edccbb93facfb6e
Instruction Fuzzy Hash: 99E01A34E00208EFCB44EFA8D444AACFBF0EB48300F10C0EAD81893344D632AA42CF80

Uniqueness

Uniqueness Score: -1.00%

Function 057C573A Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: becf0faff567724f6a20b61d18e88b508bbe769b70a0368d10f4b3acd315e8fb
Instruction ID: c8ec851565b27579a168f5db85bea83adc9a977e9f409fd6cd9e42676937f93b
Opcode Fuzzy Hash: becf0faff567724f6a20b61d18e88b508bbe769b70a0368d10f4b3acd315e8fb
Instruction Fuzzy Hash: DDE0C27280120DFFCB10FBB8C848A5EBFB8DB20740F8840E9D101D3554EE711B50A7A2

Uniqueness

Uniqueness Score: -1.00%

Function 057CB7C8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe82bd91b48d8cd8c3f226cfc9a574ea1f1fa33fc946252658da2d285aa66dab
Instruction ID: 0da8c491eb1d2dc417e7b5edadacbfc34a6fc51e45949adae7cfb82ca4702ed8
Opcode Fuzzy Hash: fe82bd91b48d8cd8c3f226cfc9a574ea1f1fa33fc946252658da2d285aa66dab
Instruction Fuzzy Hash: 15E0E534E00208EFCB44EFA8D84569CBBF0EB48300F50C0EA980893344D635AA42CF80

Uniqueness

Uniqueness Score: -1.00%

Function 057CBDC0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe82bd91b48d8cd8c3f226cfc9a574ea1f1fa33fc946252658da2d285aa66dab
Instruction ID: 98874092bdce07816cac1daa61d9e1a7f9769264654efd557053a2e71442d1e4
Opcode Fuzzy Hash: fe82bd91b48d8cd8c3f226cfc9a574ea1f1fa33fc946252658da2d285aa66dab
Instruction Fuzzy Hash: A3E0E534E00208EFCB44EFA8D44569CBBF0EB48300F50C0EA9818A3344D635AA42CF81

Uniqueness

Uniqueness Score: -1.00%

Function 057CDCD0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe82bd91b48d8cd8c3f226cfc9a574ea1f1fa33fc946252658da2d285aa66dab
Instruction ID: 06a9e0027c62a28acd37c4fdf575f1059369d78b527415b84693a85a7553b534
Opcode Fuzzy Hash: fe82bd91b48d8cd8c3f226cfc9a574ea1f1fa33fc946252658da2d285aa66dab
Instruction Fuzzy Hash: ABE0E574E00208EFCB54EFA8D44469CBBF0EB48300F50C0EA981893344D631AA42DF80

Uniqueness

Uniqueness Score: -1.00%

Function 057C3E09 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0084d6f6785c32849d69bb1c77751efd6b9e83966d05133f7bcbd525c738e543
Instruction ID: bc68222716f974ffca10ad000dc64d5f87a6bd67577eb0a00d44e2380d00b407
Opcode Fuzzy Hash: 0084d6f6785c32849d69bb1c77751efd6b9e83966d05133f7bcbd525c738e543
Instruction Fuzzy Hash: 90E02B72C00108EBC300EA88D851BA6BB78D706310F54C0DDD90493780DB33AE02C7C1

Uniqueness

Uniqueness Score: -1.00%

Function 057CC938 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe82bd91b48d8cd8c3f226cfc9a574ea1f1fa33fc946252658da2d285aa66dab
Instruction ID: 3907b25de64849d3ed25fd5e6a04ca0d520968626b77c206aecbd7bc48b06066
Opcode Fuzzy Hash: fe82bd91b48d8cd8c3f226cfc9a574ea1f1fa33fc946252658da2d285aa66dab
Instruction Fuzzy Hash: 09E0E534E00208EFCB44EFA8D44469CBBF4EB48300F10C1EA981893344D631AA42DF80

Uniqueness

Uniqueness Score: -1.00%

Function 057C5AD8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe82bd91b48d8cd8c3f226cfc9a574ea1f1fa33fc946252658da2d285aa66dab
Instruction ID: 5af87ac4c1f38206631d8266b254f4c4e259ae3a63e10fad866f296bffbb7938
Opcode Fuzzy Hash: fe82bd91b48d8cd8c3f226cfc9a574ea1f1fa33fc946252658da2d285aa66dab
Instruction Fuzzy Hash: 55E0E534E00208EFCB44EFA8D48469CBBF0EB48300F10C1EA980893344D632AA42CF80

Uniqueness

Uniqueness Score: -1.00%

Function 057C8ABB Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3251004ff35b9b58dd4f903b579e082f6ce84a08f1c06129b57ba6116514250
Instruction ID: bad6d01070adf06268442fbd68f1628206e6968f16cd9675937fcfcbb52ee790
Opcode Fuzzy Hash: f3251004ff35b9b58dd4f903b579e082f6ce84a08f1c06129b57ba6116514250
Instruction Fuzzy Hash: 43E0E534D04208EFCB18EF98D945AADFFB0EB58310F14C0AAE844A3385C631AA51EB95

Uniqueness

Uniqueness Score: -1.00%

Function 05A993E0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b60b3b449ac7a4931316fae241d5eb37d420ad19fc02675231b445ff81208f9
Instruction ID: 36769b5b65412d9fcf4f05985b8f864b0c580f18c98d12d3d8ee75ea3b9801e8
Opcode Fuzzy Hash: 4b60b3b449ac7a4931316fae241d5eb37d420ad19fc02675231b445ff81208f9
Instruction Fuzzy Hash: 93E0823280620DEACB11EBA88848A9E7BE8EB04A10F8440A9C10283124EEB00A549A92

Uniqueness

Uniqueness Score: -1.00%

Function 05A9627D Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49bc1c1c9c456b098c916fc03969332bd000f5b0a82a48d0e71a8e1ff45e4894
Instruction ID: fecc5cadbecc9a6e62e8bf1b88d4e397d391ec6f2201634dcee94e99ae92f1fe
Opcode Fuzzy Hash: 49bc1c1c9c456b098c916fc03969332bd000f5b0a82a48d0e71a8e1ff45e4894
Instruction Fuzzy Hash: 1DE01A39A112199FDB50CF48DD44ADCBBB1FF88311F1401E1E60DA7214CB306E948F80

Uniqueness

Uniqueness Score: -1.00%

Function 05A94FF0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1cb20b5911b62d9d460d6626e9b3563d318490d427da47ce07b6173d7e2116f
Instruction ID: f8657192448ff67592b81aef148490941faebab41c30fa07d8fe4a0c1d308770
Opcode Fuzzy Hash: b1cb20b5911b62d9d460d6626e9b3563d318490d427da47ce07b6173d7e2116f
Instruction Fuzzy Hash: 07E0C23180220DEFCB15FBB8C405A5E7BF8EB00700F4440A5C106C3114DE710B10D793

Uniqueness

Uniqueness Score: -1.00%

Function 05A99F38 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e35fd3659436e3513f3bbc8e5000f471274edb78491740bbe311e4e072cfabea
Instruction ID: 93c46f74a64ea7434695cdb9aa014b278ee77364f6eb73fbd51462d5c774925a
Opcode Fuzzy Hash: e35fd3659436e3513f3bbc8e5000f471274edb78491740bbe311e4e072cfabea
Instruction Fuzzy Hash: 38E08C3280520DEACB10EBA8C408A9E7BA8DB00600F5040E5810583114DE700A109792

Uniqueness

Uniqueness Score: -1.00%

Function 057C4590 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14a4c782346fe5856bf7794b296f15f9e994909917d723d7d1d4fde1cfa94156
Instruction ID: 9c4fdfd62ec9425cdb599bb1607207002c0fdf47b662a3b0ad7da181d164e821
Opcode Fuzzy Hash: 14a4c782346fe5856bf7794b296f15f9e994909917d723d7d1d4fde1cfa94156
Instruction Fuzzy Hash: 78E0C27280120DFBCB10FBB9D404A5E7FA8DB00700F1440E9D501D3114DE710B109792

Uniqueness

Uniqueness Score: -1.00%

Function 057C5740 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ee51eb994dc1126b057ac3d2773ed6e0dae52f804ea4fd14f45601099d30deb
Instruction ID: 410a5c1b199d947dc67d2b4822efba840583ddd15bc7f2f1e9389170e80fa449
Opcode Fuzzy Hash: 9ee51eb994dc1126b057ac3d2773ed6e0dae52f804ea4fd14f45601099d30deb
Instruction Fuzzy Hash: D2E0C23180120DEFCB10FBB8C848A5E7FB8DB10740F8040E9C101C3154EE711B50A792

Uniqueness

Uniqueness Score: -1.00%

Function 057CF6F0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32aa49c63eb5817c818c4a30af2134e6396cfb5ce506073b96d1868e75d524c9
Instruction ID: d6d428d2662a46c973bf3d24c84e68b795f4c3f821ed01e2e44f3176d45e0047
Opcode Fuzzy Hash: 32aa49c63eb5817c818c4a30af2134e6396cfb5ce506073b96d1868e75d524c9
Instruction Fuzzy Hash: 3DE0B674E0420CAFCB44EFA8E44549DBFF5EB89304F0085E9E809E7390EA396A458F81

Uniqueness

Uniqueness Score: -1.00%

Function 057CCAC8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9317b4634f7ca5d46f29a4fe3bf574c869b4ae26488c198cca226b35fc5396b7
Instruction ID: eca5ab1136db80907b4d9faa2a39d20637196300cd7f48d65077e6e9a342d8b5
Opcode Fuzzy Hash: 9317b4634f7ca5d46f29a4fe3bf574c869b4ae26488c198cca226b35fc5396b7
Instruction Fuzzy Hash: 22E0C27180220DEBCB11FBB8D808A5E7FB8EB04700F4040E9C505E3214DE700F149792

Uniqueness

Uniqueness Score: -1.00%

Function 057C8AC0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 722ad089826628862fe3d4839de6b6abad40166c733f75b2f2175ee7b31e1f15
Instruction ID: 09987e27d7cfe3f618b9d37c034922329bf689a1a91353a41fb21f2cb43fe9bc
Opcode Fuzzy Hash: 722ad089826628862fe3d4839de6b6abad40166c733f75b2f2175ee7b31e1f15
Instruction Fuzzy Hash: D2E01A34D04208EFCB14DF98D444AACFFB0EB48310F14C0EADC4463344C631AA51DB85

Uniqueness

Uniqueness Score: -1.00%

Function 05A9A3D0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1f83951f8cbdeeddd03ab18dd0b4df1320d8a3fc3ac9ec07c74a70d12bfe44b
Instruction ID: 6b1fde356b0aa02898da90509c0b5e87686e19a517b44647d66abf66a8bbd06a
Opcode Fuzzy Hash: a1f83951f8cbdeeddd03ab18dd0b4df1320d8a3fc3ac9ec07c74a70d12bfe44b
Instruction Fuzzy Hash: 92E01D34D11358DFCB55EFB8E55565DBBF5EB44301F6041E9C80493344DB319A51CB81

Uniqueness

Uniqueness Score: -1.00%

Function 05A9ED18 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62c4365ac8f6c69b8587dcf5603ca28f85bb00a975db74822418d8f5a2e61a60
Instruction ID: 63e959779f2b783f2425413a9010bbbcd09ba9b78a527e47cc000f0522b51359
Opcode Fuzzy Hash: 62c4365ac8f6c69b8587dcf5603ca28f85bb00a975db74822418d8f5a2e61a60
Instruction Fuzzy Hash: F3E08C34904208EBCB08EF98E844A6CBFB4EB85310F20C0A9DC0423344CA32AA52DB94

Uniqueness

Uniqueness Score: -1.00%

Function 05A95F3A Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88274fa8ab007d3cd3f2fcc96aab4869697951ded04aaa47ac1ed812a428b0bc
Instruction ID: 9ab3fd46843b68eda02ea17a5b8c1b4cc41a442f5c67e376ea688640d463bbd7
Opcode Fuzzy Hash: 88274fa8ab007d3cd3f2fcc96aab4869697951ded04aaa47ac1ed812a428b0bc
Instruction Fuzzy Hash: 2EE01A74A001298FCB50DB88D884AEDBBB6FB88314F0041A2D509E7244CB306D558B40

Uniqueness

Uniqueness Score: -1.00%

Function 05A9DE18 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62c4365ac8f6c69b8587dcf5603ca28f85bb00a975db74822418d8f5a2e61a60
Instruction ID: 00ead5f9e107ff911376ba607fac5966bc7b6ac87e6d143e7f80ee8b8b900bed
Opcode Fuzzy Hash: 62c4365ac8f6c69b8587dcf5603ca28f85bb00a975db74822418d8f5a2e61a60
Instruction Fuzzy Hash: 14E08C34904208EBCB08EF98E844A6CFFB4EB54310F24C0ADDC4423344CB32AA92DB84

Uniqueness

Uniqueness Score: -1.00%

Function 05A969B0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 506a3890925215c29f06bf0bd6bdc6fc2d00de67591c908a80137127f88c9390
Instruction ID: 6148fa4fc6cc29ffba2d6b15dfb2aed2909171008436394a178f132577a52ac1
Opcode Fuzzy Hash: 506a3890925215c29f06bf0bd6bdc6fc2d00de67591c908a80137127f88c9390
Instruction Fuzzy Hash: 88E0BF34D05208EFCB04EF98D555A5CFBB4EB44314F54C1EAD81857344D6316A56CB81

Uniqueness

Uniqueness Score: -1.00%

Function 05A9C829 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b8cb130b07434b26f1b6fb03ee2bbb9eb8c382e164defa3a61e7771e007b0b9
Instruction ID: 4a32be7fa4c824bb750fbfb9cd1514e4c88d914c77377cb018b15d1811c63c00
Opcode Fuzzy Hash: 9b8cb130b07434b26f1b6fb03ee2bbb9eb8c382e164defa3a61e7771e007b0b9
Instruction Fuzzy Hash: B8F0C978A04168CFDB90CF58D884BAABBF1FB48300F004095D409A7354DB349D858F61

Uniqueness

Uniqueness Score: -1.00%

Function 05A9C823 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5fe1bf9ef62ce42b20f4897fa2e5575ed1210f894ad233940394602c7702da9
Instruction ID: 4a32be7fa4c824bb750fbfb9cd1514e4c88d914c77377cb018b15d1811c63c00
Opcode Fuzzy Hash: b5fe1bf9ef62ce42b20f4897fa2e5575ed1210f894ad233940394602c7702da9
Instruction Fuzzy Hash: B8F0C978A04168CFDB90CF58D884BAABBF1FB48300F004095D409A7354DB349D858F61

Uniqueness

Uniqueness Score: -1.00%

Function 057CFCD8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c82f329f1f0cb7e08c22acb221ac1ab9d2a7dd27e22cd01a9701e63686f08a3
Instruction ID: 6a287861ec6321f139d06bff228692458a27211b280f543d16e8066e1e746696
Opcode Fuzzy Hash: 1c82f329f1f0cb7e08c22acb221ac1ab9d2a7dd27e22cd01a9701e63686f08a3
Instruction Fuzzy Hash: 8CE0BF34911208EFC754EFA8D55565CBBF4EB44214F6480EDDC0893344D6319A51CB41

Uniqueness

Uniqueness Score: -1.00%

Function 057CAE54 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7436821c728409c971e8bbe30741f92b13f081573f5eba21f859c9dcd706646
Instruction ID: 99bea06610c6ed53799a60655b291287ab17f37550ebbd3a0769de6534384372
Opcode Fuzzy Hash: a7436821c728409c971e8bbe30741f92b13f081573f5eba21f859c9dcd706646
Instruction Fuzzy Hash: 15E0127490122CCFCB00CF54D548BB97BB3FB85301F4000ADE10A97284CB759C95DB00

Uniqueness

Uniqueness Score: -1.00%

Function 057C7950 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef48172b6eef0c17fe171eefcf954fe313daae1e7b08d5c03772a947600fc9f6
Instruction ID: f92e95096648440193d040536b8e1e2d8725153fa2ad4c203d7fb127ef784762
Opcode Fuzzy Hash: ef48172b6eef0c17fe171eefcf954fe313daae1e7b08d5c03772a947600fc9f6
Instruction Fuzzy Hash: A8E08C34904208EBCB08EF98E844A6CFF70FB44310F20C1ADDC0427344CA32AA52DB84

Uniqueness

Uniqueness Score: -1.00%

Function 05A9C4E3 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 840cd258d67c76a0cfcc5898eb428ffa20f6ab4b934b08d37295bae1a75bfccf
Instruction ID: 518b298457ff932cede6063c6f038027dd92ab1df1f13f108db44cc75e001173
Opcode Fuzzy Hash: 840cd258d67c76a0cfcc5898eb428ffa20f6ab4b934b08d37295bae1a75bfccf
Instruction Fuzzy Hash: A9E09A3091861DCFCB00DF68C904BE9BBB2FB89300F0041D9C0486B219EF34AE898F90

Uniqueness

Uniqueness Score: -1.00%

Function 05A9CCB2 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9422624bfeda04b21ae3bf7950c871e5e24569738af4a488c30d30d57378d3a
Instruction ID: c11da54ba1547d9e688f754d351f4a1b4c81d175dc49b9c1b2ead8eb6e464aa5
Opcode Fuzzy Hash: f9422624bfeda04b21ae3bf7950c871e5e24569738af4a488c30d30d57378d3a
Instruction Fuzzy Hash: F6E04E78A052688FDBA0CF58D958BA9BBF5FB58304F0080D5E409A7354DB74AE898F60

Uniqueness

Uniqueness Score: -1.00%

Function 057C64D0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9579fef93b5fe1f4153510d22c67aa37f1c343579708430e093d47d33b353c8d
Instruction ID: b8353608ca52882a9ce834bb0ef4244aadaf357260ea6b11eff6d29e02b59122
Opcode Fuzzy Hash: 9579fef93b5fe1f4153510d22c67aa37f1c343579708430e093d47d33b353c8d
Instruction Fuzzy Hash: 40E01234905208EBC714EF98E99596DFF74EB45314F64C1DDD80517344CA32AE52DB81

Uniqueness

Uniqueness Score: -1.00%

Function 057CE698 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e430ad1451807aab650cef952fb1ce9d1733caebd47024d2f5aeb4372a01076a
Instruction ID: 31c29b621a84818d106ea366a0981f24e4a04c54c2f54f531aab1cbde443dfef
Opcode Fuzzy Hash: e430ad1451807aab650cef952fb1ce9d1733caebd47024d2f5aeb4372a01076a
Instruction Fuzzy Hash: 16E0C230912208FBCB01EFA8E809A6DBBF9EB04300F5044A9D80993304DA311E40DB51

Uniqueness

Uniqueness Score: -1.00%

Function 057CBC17 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bf925df4e7dfd292ae56d91c8aba4b219f2fd0a0ef189dfc11da803a73ceecd
Instruction ID: 3a7739130e992c7c6c8fd7a8942d6c9f115058a9bc5406e7651f34bb0fed3f69
Opcode Fuzzy Hash: 6bf925df4e7dfd292ae56d91c8aba4b219f2fd0a0ef189dfc11da803a73ceecd
Instruction Fuzzy Hash: 1FE02B34514148EBC719DB94D541A6CBF71EB55314F64C0CCDC0807355CA33AD53C640

Uniqueness

Uniqueness Score: -1.00%

Function 057CBCA8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9579fef93b5fe1f4153510d22c67aa37f1c343579708430e093d47d33b353c8d
Instruction ID: 77b3c6776022116f14d01cd09297b136357cfee87fd870ce9195eadc1085749a
Opcode Fuzzy Hash: 9579fef93b5fe1f4153510d22c67aa37f1c343579708430e093d47d33b353c8d
Instruction Fuzzy Hash: 50E01234905208EBC714EF98E95596DBF74EB45314F64C1EDD80817344CA326E52DB81

Uniqueness

Uniqueness Score: -1.00%

Function 057C49D0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9579fef93b5fe1f4153510d22c67aa37f1c343579708430e093d47d33b353c8d
Instruction ID: 269a5465915901f5d86deffb660adf74cd8172603fa59f6774a622f2b9a678c2
Opcode Fuzzy Hash: 9579fef93b5fe1f4153510d22c67aa37f1c343579708430e093d47d33b353c8d
Instruction Fuzzy Hash: B6E0C234904208EBCB04EF98E855A6CFF70EB41300F60C0DDCC0817344CA326E42CB80

Uniqueness

Uniqueness Score: -1.00%

Function 057C3E18 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3878882c65b8a89271a79b502937953ea88c9c23959972c2d63b8a1b433ac362
Instruction ID: 7095b69847837f9aa007d154b929f41ef8f1139e4c7ab3650b36c03bf20e81e1
Opcode Fuzzy Hash: 3878882c65b8a89271a79b502937953ea88c9c23959972c2d63b8a1b433ac362
Instruction Fuzzy Hash: 3FD0A930905208EBC704EB98E854E2ABBA8EB42314F64C0DDD80843344CB33AE02CB80

Uniqueness

Uniqueness Score: -1.00%

Function 05A95FAB Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17dc321fa29a5d1c8bfa6c84925d88d9cfcba5247c98a08fca65802b3c6090a7
Instruction ID: 6989466fb73115f83da64d68aa866c5e175e7a3187424ac2c5b9080c552c1373
Opcode Fuzzy Hash: 17dc321fa29a5d1c8bfa6c84925d88d9cfcba5247c98a08fca65802b3c6090a7
Instruction Fuzzy Hash: 84D0C574E09309CFDF54DFA9D099AACBFF6AF49210F6080199419AB246D6345485CF11

Uniqueness

Uniqueness Score: -1.00%

Function 057CB514 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84375945e76a27e90e439fc643025ec2ebd6784f84dd1f3c6256460a1f10398b
Instruction ID: 1da8b22722cf47a077c45d94d0284b70ee715fc10aac65d194cfc9f77e17f3ed
Opcode Fuzzy Hash: 84375945e76a27e90e439fc643025ec2ebd6784f84dd1f3c6256460a1f10398b
Instruction Fuzzy Hash: C3D0C931105118CFE7059F34E81DA68BF36FF84306F109164A0076B165CB741C40DB54

Uniqueness

Uniqueness Score: -1.00%

Function 057CF6C8 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a93b42dbe489ad30971bf9fed8bfb6d56f7a7ffb7f960b15ba96182d18630a27
Instruction ID: ecf305c335a7d9c1f65fbd6523a282d1ab5c28dc03cccb4ae6ed1c1cda62f27b
Opcode Fuzzy Hash: a93b42dbe489ad30971bf9fed8bfb6d56f7a7ffb7f960b15ba96182d18630a27
Instruction Fuzzy Hash: F4B0927090530CAF8610DA99980181ABBACDA0A218F0006D9E90897710D93AA91056E2

Uniqueness

Uniqueness Score: -1.00%

Function 05A98760 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375958304.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a90000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17bdb59076d3426a177797a23512b944ac57e49905870aed60a5c99387972b3d
Instruction ID: cdb7e917bf69aff0c30c4d4ad0aeb4492ad694311654626f82f7ab7e3c357a63
Opcode Fuzzy Hash: 17bdb59076d3426a177797a23512b944ac57e49905870aed60a5c99387972b3d
Instruction Fuzzy Hash: 23C02B3160D2810FF7138620D8077123F3087A3340F0982DF6F82C82ABEA509419C273

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 057C935D Relevance: 1.5, Strings: 1, Instructions: 223COMMON

Download Yara Rule

Strings

UUUU, xrefs: 057C957D

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID: UUUU
API String ID: 0-1798160573
Opcode ID: a1c0af514cfbd7c91dd86d0b44f53f16e9839cdc072ca405038ceeef350933bc
Instruction ID: aebd05288fda5213e82faaa3b54b3541956ab3119769123a69408ff0fe0408ba
Opcode Fuzzy Hash: a1c0af514cfbd7c91dd86d0b44f53f16e9839cdc072ca405038ceeef350933bc
Instruction Fuzzy Hash: 16A17C71E046598FDB54CFE9C980A9DFBF2BF88304F248569D419EB209E734A946CF40

Uniqueness

Uniqueness Score: -1.00%

Function 018913D0 Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

], xrefs: 0189476C

Memory Dump Source

Source File: 00000000.00000002.360136077.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1890000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID: ]
API String ID: 0-3352871620
Opcode ID: ad4474c6b685ec9924816aef0c3175c96d507d7e21fdcd9bf90efe345c31bb32
Instruction ID: a29313c16281a4bb07fe6fbbd4cbaa94903f4066ef7cb69c4a65e2dbc5471742
Opcode Fuzzy Hash: ad4474c6b685ec9924816aef0c3175c96d507d7e21fdcd9bf90efe345c31bb32
Instruction Fuzzy Hash: A0515F71D056698BEB68CF1B8D4479AFAF7AFC8340F08C1FA940CA6654DB700A869F51

Uniqueness

Uniqueness Score: -1.00%

Function 057CC589 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373465880.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57c0000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 033416a0c74194f94de74f28cf50ca063afdebff9e781b447486dc683447350a
Instruction ID: ea6c383940fb3ba22bcd2a6e04e997bf6cd3139f639a5d1093ca1f5635862d43
Opcode Fuzzy Hash: 033416a0c74194f94de74f28cf50ca063afdebff9e781b447486dc683447350a
Instruction Fuzzy Hash: 46910774E052088FCB41DFA9E584AAEBBF6FB8C300F109569D418AB755DB74AD46CF80

Uniqueness

Uniqueness Score: -1.00%

Function 01891118 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.360136077.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1890000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fd24cfe76dc6f8dd3e0ce9c10024b0b4a2b5be55e0576654b2b34d3d3904880
Instruction ID: 99dfc8a0a5674142f23e3ffea5ccbdd302a58934142ecc36fb041c04609b0751
Opcode Fuzzy Hash: 0fd24cfe76dc6f8dd3e0ce9c10024b0b4a2b5be55e0576654b2b34d3d3904880
Instruction Fuzzy Hash: 32611F709016498BE748DFAAE8446A9BBF7FFCC304F05D429D4099B268EF7919468B60

Uniqueness

Uniqueness Score: -1.00%

Function 018913C1 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.360136077.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1890000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 823a9d4f7058c8f2c0f0909db07098f0c62b21ec594cc7b02ff6f4f36d1876fd
Instruction ID: 135762ba7589b513e6f59e5f60b0058e4c46ee0bfb9fa3a8eb144ba78cc7ba98
Opcode Fuzzy Hash: 823a9d4f7058c8f2c0f0909db07098f0c62b21ec594cc7b02ff6f4f36d1876fd
Instruction Fuzzy Hash: 3B515271D016598BEB6CCF2B8D44799FAF7AFC8340F04C1FA940DA6668DB741A829F50

Uniqueness

Uniqueness Score: -1.00%

Function 0189E5D8 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.360136077.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1890000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5bf80943b49ab4023502350de7f770ce9dfe366b5f19ab9e698d6225614e376
Instruction ID: 8c23f934fa59d2d74e00fadc583f5b86f333c692dd05476e53fbfa57e8a93816
Opcode Fuzzy Hash: f5bf80943b49ab4023502350de7f770ce9dfe366b5f19ab9e698d6225614e376
Instruction Fuzzy Hash: 8041CEB4D002489FDF15CFA9D984A9EBFF1BB49314F24902AE414BB350E7749985CF85

Uniqueness

Uniqueness Score: -1.00%

Function 057546A8 Relevance: 10.6, APIs: 7, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373443329.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5750000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a69c084b1ac5100b83ee516edadaf2e305362034fdca105cbdf3e51599248c3f
Instruction ID: 2e3dca8e0f6944a2c008dc387867b8361f2c2bb68e7fc5aa0a9de1427e1f395f
Opcode Fuzzy Hash: a69c084b1ac5100b83ee516edadaf2e305362034fdca105cbdf3e51599248c3f
Instruction Fuzzy Hash: 58619AB1808399CEDF21CFA9C44D39EBFF1BB19318F14850AD459A7281C3B86284DF62

Uniqueness

Uniqueness Score: -1.00%

Function 05754770 Relevance: 10.6, APIs: 7, Instructions: 146COMMON

Download Yara Rule

APIs

RtlDecodePointer.NTDLL ref: 057547CC
RtlDecodePointer.NTDLL ref: 0575480B
RtlEncodePointer.NTDLL(00000000), ref: 05754872
RtlDecodePointer.NTDLL(00000000), ref: 057548AE
RtlEncodePointer.NTDLL(00000000), ref: 057548E8
RtlDecodePointer.NTDLL ref: 05754928
RtlDecodePointer.NTDLL ref: 05754966

Memory Dump Source

Source File: 00000000.00000002.373443329.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5750000_WmtuqNHPM2.jbxd

Similarity

API ID: Pointer$Decode$Encode
String ID:
API String ID: 1638560559-0
Opcode ID: c6df1f9870a6b3cab853e88f6346b3d139c87eac11fc8cfed0c6d77ffbc19492
Instruction ID: 1b46d8509f3b62762ad2841d2633aba125ec61dea6dd7fcc2bb953a73e35172a
Opcode Fuzzy Hash: c6df1f9870a6b3cab853e88f6346b3d139c87eac11fc8cfed0c6d77ffbc19492
Instruction Fuzzy Hash: 9B6118B1C04359CEDF21CFAAC54939EBFF1BB18329F14851AD859A7680C7B82584DF61

Uniqueness

Uniqueness Score: -1.00%

Function 05754760 Relevance: 10.6, APIs: 7, Instructions: 145COMMON

Download Yara Rule

APIs

RtlDecodePointer.NTDLL ref: 057547CC
RtlDecodePointer.NTDLL ref: 0575480B
RtlEncodePointer.NTDLL(00000000), ref: 05754872
RtlDecodePointer.NTDLL(00000000), ref: 057548AE
RtlEncodePointer.NTDLL(00000000), ref: 057548E8
RtlDecodePointer.NTDLL ref: 05754928
RtlDecodePointer.NTDLL ref: 05754966

Memory Dump Source

Source File: 00000000.00000002.373443329.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5750000_WmtuqNHPM2.jbxd

Similarity

API ID: Pointer$Decode$Encode
String ID:
API String ID: 1638560559-0
Opcode ID: 8b8600279dd2117c1c59b57af94b06b97d4a5ee2ad95ef2d45ef1abb13894587
Instruction ID: 106e556dcaee0e872ffab5855788cacccc06280ec602b9dd5ded6d2b64eb5586
Opcode Fuzzy Hash: 8b8600279dd2117c1c59b57af94b06b97d4a5ee2ad95ef2d45ef1abb13894587
Instruction Fuzzy Hash: 126137B1C04399CEDF21CFAAC44939EBFF1BB18329F14851AD859A7680D3B82184DF61

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: WmtuqNHPM2.exePID: 1804, Parent PID: 4748COMMON

Execution Graph

Execution Coverage:	11.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0.6%
Total number of Nodes:	523
Total number of Limit Nodes:	36

Executed Functions

Function 0512F5F8 Relevance: 1.9, APIs: 1, Instructions: 396
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.576194993.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5120000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09ef247d920a1e4ab2609b024e566e1ce738fe0250c09f2fd06f63a3d835b567
Instruction ID: a571f05e218b05b777050847864986afac5a2167651f0d2421f24567ea689b75
Opcode Fuzzy Hash: 09ef247d920a1e4ab2609b024e566e1ce738fe0250c09f2fd06f63a3d835b567
Instruction Fuzzy Hash: 6EF17E34A00219CFDB14DFA9C995BADBBF2FF48304F158159E409AF2A5DB74A856CF80

Uniqueness

Uniqueness Score: -1.00%

Function 06E03180 Relevance: 1.6, APIs: 1, Instructions: 58timeCOMMON

Download Yara Rule

APIs

GetSystemTimes.KERNEL32(?,?,?), ref: 06E031FC

Memory Dump Source

Source File: 00000003.00000002.579833918.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: true

Associated: 00000003.00000002.579753153.0000000006DF0000.00000004.08000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.579753153.0000000006DFE000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6df0000_WmtuqNHPM2.jbxd

Yara matches

Similarity

API ID: SystemTimes
String ID:
API String ID: 375623090-0
Opcode ID: 6108ffabc1b26138ab0aa8ecdf9924b2cf93f159a4c9ceb69c06bb20a700733c
Instruction ID: 22098267997159bcc6417e491de97cf58261ba56df1a649e0e538c529dfe1662
Opcode Fuzzy Hash: 6108ffabc1b26138ab0aa8ecdf9924b2cf93f159a4c9ceb69c06bb20a700733c
Instruction Fuzzy Hash: 1221F5B5C012199FCB50CF99D5847DEFBF4EF48310F24806AE808A7241D3789944CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 02B6B6C0 Relevance: 6.1, APIs: 4, Instructions: 124
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02B6B730
GetCurrentThread.KERNEL32 ref: 02B6B76D
GetCurrentProcess.KERNEL32 ref: 02B6B7AA
GetCurrentThreadId.KERNEL32 ref: 02B6B803

Memory Dump Source

Source File: 00000003.00000002.566522438.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b60000_WmtuqNHPM2.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f46f14a50ec5b63fbefff5e8ba23d7c608273199dbf3143f57c4f4cdb5882182
Instruction ID: e86bbf220a3a45b9977f1bd57607f3980df12cc7619816433680b817528b2fce
Opcode Fuzzy Hash: f46f14a50ec5b63fbefff5e8ba23d7c608273199dbf3143f57c4f4cdb5882182
Instruction Fuzzy Hash: 735155B5D006498FDB10CFAAC6887EEBBF1BF48308F20859AE059B7650D7789845CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02B6B6D0 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02B6B730
GetCurrentThread.KERNEL32 ref: 02B6B76D
GetCurrentProcess.KERNEL32 ref: 02B6B7AA
GetCurrentThreadId.KERNEL32 ref: 02B6B803

Memory Dump Source

Source File: 00000003.00000002.566522438.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b60000_WmtuqNHPM2.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 61b411ea5f1523e1ad4722c341a53fff22ebedb7ae7a1bae9311431cef8ee937
Instruction ID: f852a61861dbe505872f0b16a0d0e941a6f5af536a6c243d6093898acbd2dd6a
Opcode Fuzzy Hash: 61b411ea5f1523e1ad4722c341a53fff22ebedb7ae7a1bae9311431cef8ee937
Instruction Fuzzy Hash: B15144B5D006498FDB10CFAAC648BEEBBF1BF48318F20859AE019B7650D7785884CF65

Uniqueness

Uniqueness Score: -1.00%

Function 051217E0 Relevance: 2.0, APIs: 1, Instructions: 517COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.576194993.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5120000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fbb8c5dc2f54119858f0d36e30e536920e2c18fc94e6c9f0d5303df3089de00
Instruction ID: a3a8217d3ec3877d08186aef144601dde8885c7b6a0a83f8071adce1aad63ebe
Opcode Fuzzy Hash: 6fbb8c5dc2f54119858f0d36e30e536920e2c18fc94e6c9f0d5303df3089de00
Instruction Fuzzy Hash: C522A278E04215DFCB24DF98D488ABEBBB2FF89310F658155D422A7355C734A8A1CF62

Uniqueness

Uniqueness Score: -1.00%

Function 0512E190 Relevance: 1.7, APIs: 1, Instructions: 218
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 0512E289

Memory Dump Source

Source File: 00000003.00000002.576194993.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5120000_WmtuqNHPM2.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 8576864a9d95c2fb1343b021f91c9200f7346a6acf13f5056a20d144dcf1bb54
Instruction ID: 0ed5dd07f07486caeb3c56c612803af78d4e26c99145de940bdf0e97ebc456b6
Opcode Fuzzy Hash: 8576864a9d95c2fb1343b021f91c9200f7346a6acf13f5056a20d144dcf1bb54
Instruction Fuzzy Hash: BB81AC71E002598FCB14DFA9C854AAEBFFAFF48300F24856AD416AB350DB749945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B693E8 Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 02B6962E

Memory Dump Source

Source File: 00000003.00000002.566522438.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b60000_WmtuqNHPM2.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4e20d04236fe54c769949272758a089375afd2cf41e0b3063a21eee70a9a3b47
Instruction ID: 21ae4d41367326784e2f47f7ac5935df881b5d8c14e1ac9ec81466ae85dc469f
Opcode Fuzzy Hash: 4e20d04236fe54c769949272758a089375afd2cf41e0b3063a21eee70a9a3b47
Instruction Fuzzy Hash: D3711370A00B058FD764DF2AD45476ABBF1FF88314F148A6AD48ADBA50D738E849CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02B6FB61 Relevance: 1.7, APIs: 1, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02B6FD0A

Memory Dump Source

Source File: 00000003.00000002.566522438.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b60000_WmtuqNHPM2.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c70ee23d773a3f5de9c466a6e50ec1d63133b018d2876344aae4486c64f264f0
Instruction ID: 5cbfe61d55f8b627bd93e211b72925a1422f396b717805a4e10afa4b8a9557e7
Opcode Fuzzy Hash: c70ee23d773a3f5de9c466a6e50ec1d63133b018d2876344aae4486c64f264f0
Instruction Fuzzy Hash: 476128B1C04249AFCF05CF99D884ADDBFB2FF48314F28819AE809AB221D7359854CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0512E179 Relevance: 1.6, APIs: 1, Instructions: 144
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 0512E289

Memory Dump Source

Source File: 00000003.00000002.576194993.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5120000_WmtuqNHPM2.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: b44c5345753df81194512eabd66e6e7af3104d0ae777436cc639523e2511b090
Instruction ID: 1c721a9bed47cfdb08cae9b9b8e1a5bf7f71296f31942e2d3c8b431d349e03c0
Opcode Fuzzy Hash: b44c5345753df81194512eabd66e6e7af3104d0ae777436cc639523e2511b090
Instruction Fuzzy Hash: C6519A71E002688FDF25DFA5C854AEEBBBABF44300F14866AE416AB250DB749855CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02B6FBF8 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02B6FD0A

Memory Dump Source

Source File: 00000003.00000002.566522438.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b60000_WmtuqNHPM2.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 75e743c7ff926ea284dc2e3d427b83991a496c7e28c63f474dbf2703e3e67ac0
Instruction ID: ab2e691d8944a48369ba6af669f0515731771214f80e3438b573536b979a89f2
Opcode Fuzzy Hash: 75e743c7ff926ea284dc2e3d427b83991a496c7e28c63f474dbf2703e3e67ac0
Instruction Fuzzy Hash: 5E41B2B1D003099FDF14CF99D884AEEBBB5FF48314F24816AE819AB210D774A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05123474 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 051246B1

Memory Dump Source

Source File: 00000003.00000002.576194993.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5120000_WmtuqNHPM2.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ad917e3f25bf9fec018c8355f00abb91174711eb8f127e7519405f6d4929a10b
Instruction ID: 2c200b57790a683a49407ff8210734bd52e5776e0d987b369ca8aa7bd7985ecb
Opcode Fuzzy Hash: ad917e3f25bf9fec018c8355f00abb91174711eb8f127e7519405f6d4929a10b
Instruction Fuzzy Hash: 7B41D171C00628CFDB24DFA9C884B9EBBF6BF49304F208099D409BB255DBB56985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 051245F4 Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 051246B1

Memory Dump Source

Source File: 00000003.00000002.576194993.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5120000_WmtuqNHPM2.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9d686f2cddcedab3619e6d2dc28e6c424b2861744953599bc3aea55bd59fa38b
Instruction ID: 19d9d370c774296b0f7bef724c48d35d5600c534d0db56c7031188528b5968a4
Opcode Fuzzy Hash: 9d686f2cddcedab3619e6d2dc28e6c424b2861744953599bc3aea55bd59fa38b
Instruction Fuzzy Hash: 8041F271C00628CFDB24DFA9C884BCEBBF6BF59304F208199D409AB255DBB55985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05122470 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05122531

Memory Dump Source

Source File: 00000003.00000002.576194993.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5120000_WmtuqNHPM2.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: e13b1b8a19cf5b3615e0534877c132071d7c073a60acd080a5a0ae176adb9e1e
Instruction ID: d515933cd74f418ec41acf438974f1a26c959275dede8fa5697edea54b1293fa
Opcode Fuzzy Hash: e13b1b8a19cf5b3615e0534877c132071d7c073a60acd080a5a0ae176adb9e1e
Instruction Fuzzy Hash: 85411CB9A003158FCB14CF99C448AAEBBF6FF88314F24C499D519A7321D774A941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0512B889 Relevance: 1.6, APIs: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 0512B957

Memory Dump Source

Source File: 00000003.00000002.576194993.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5120000_WmtuqNHPM2.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 85893b7a6d4e2d2802c4c49cfafea4ddc4d71946d188acad62f2b329fa7c6e30
Instruction ID: 49e6dc7ec160c45355f44a832909a411a95b53dc0f1d9934d5d6d5ac402f4f06
Opcode Fuzzy Hash: 85893b7a6d4e2d2802c4c49cfafea4ddc4d71946d188acad62f2b329fa7c6e30
Instruction Fuzzy Hash: 9E319EB2904359AFCB11CFA9D800AEEBFF8EF19310F18805AE554A7211C339A954DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B6BDC1 Relevance: 1.6, APIs: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02B6BD87

Memory Dump Source

Source File: 00000003.00000002.566522438.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b60000_WmtuqNHPM2.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 649ab2cd8ccf9c1f926a6420b4d50752bac2bf484455d759bf937ea376d89587
Instruction ID: 8549a56273a2acafc008096fdcb93cf7656093059bc68dfc55aadaa3fff95c78
Opcode Fuzzy Hash: 649ab2cd8ccf9c1f926a6420b4d50752bac2bf484455d759bf937ea376d89587
Instruction Fuzzy Hash: 4B315038E80A40EFE705AB78E5457A93BB9E788345F204A29E9159F7CACB741950CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0512E6B0 Relevance: 1.6, APIs: 1, Instructions: 65
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,02B353E8,00000000,?), ref: 0512E73D

Memory Dump Source

Source File: 00000003.00000002.576194993.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5120000_WmtuqNHPM2.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 28630efcf83c5af5dae2eee23424764f1165e87cae19c48e3f127bac71dbce95
Instruction ID: 8e932f882397a461f5dae0d0dc597c619675328823eecc70a3826ea9b46dc03d
Opcode Fuzzy Hash: 28630efcf83c5af5dae2eee23424764f1165e87cae19c48e3f127bac71dbce95
Instruction Fuzzy Hash: A8218CB68043498FDB10CF9AC8457DEBFF8EF18320F24845AD854A3601D378A949CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B6BCF9 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02B6BD87

Memory Dump Source

Source File: 00000003.00000002.566522438.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b60000_WmtuqNHPM2.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a516765c6f5cd9ea51f946cc0c8554a0e608b1209802906460c698f145558837
Instruction ID: 8887817c26705e07ec9d88b756a6aa91b11644286a36897a6f53f5d0bf28b39b
Opcode Fuzzy Hash: a516765c6f5cd9ea51f946cc0c8554a0e608b1209802906460c698f145558837
Instruction Fuzzy Hash: 7721E3B59002599FDB10CFAAD584AEEBFF4FF48324F14845AE954B7211C378A954CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02B6BD00 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02B6BD87

Memory Dump Source

Source File: 00000003.00000002.566522438.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b60000_WmtuqNHPM2.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4c2628447228eb1c3c6ad46e1a1bcb2b64b2423e3a0660dbb835c1b4fcab6370
Instruction ID: 7e2cd618e65b28737922cf079932d27724b6463c76179daca2d821fbdd790dc8
Opcode Fuzzy Hash: 4c2628447228eb1c3c6ad46e1a1bcb2b64b2423e3a0660dbb835c1b4fcab6370
Instruction Fuzzy Hash: C821E4B59002089FDB10CF9AD584ADEBFF8FB48324F14845AE954B7310D378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B68768 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,02B696A9,00000800,00000000,00000000), ref: 02B698BA

Memory Dump Source

Source File: 00000003.00000002.566522438.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b60000_WmtuqNHPM2.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0de076c2b7b72ceac58acf44e15108cca0802944fa12acda33c57a8235d25526
Instruction ID: d69ae08d0892f5c55720549044dd4b18d68b3de7231189650224b09b30019c76
Opcode Fuzzy Hash: 0de076c2b7b72ceac58acf44e15108cca0802944fa12acda33c57a8235d25526
Instruction Fuzzy Hash: DA1106B6D006098FCB10CF9AC444AEEBBF4EB48354F14846AD519B7600C378A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02B69849 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,02B696A9,00000800,00000000,00000000), ref: 02B698BA

Memory Dump Source

Source File: 00000003.00000002.566522438.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b60000_WmtuqNHPM2.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9dcc54a505017820a09d7ad677a42b0ae0f7a35eff62296d5e9c6b2f1f7a845e
Instruction ID: 723e281220ede1e0f281a67936de11c8d2b3ba5d8e17095166b428cfacb785b7
Opcode Fuzzy Hash: 9dcc54a505017820a09d7ad677a42b0ae0f7a35eff62296d5e9c6b2f1f7a845e
Instruction Fuzzy Hash: 381117B6D002098FCB10CF9AD484AEEFBF4EF58314F14845AD455B7600C378A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0512B8E8 Relevance: 1.6, APIs: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 0512B957

Memory Dump Source

Source File: 00000003.00000002.576194993.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5120000_WmtuqNHPM2.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: fb870624a5e5024661ac64b14deb5599e280c7a9b1a6ac78411aeb33da8c73fb
Instruction ID: 58a03cdbe9cbf431f12230dacc6d3bfd77b29aec8c7cda9258f745e910f4daa4
Opcode Fuzzy Hash: fb870624a5e5024661ac64b14deb5599e280c7a9b1a6ac78411aeb33da8c73fb
Instruction Fuzzy Hash: F01134B68002599FDB10CFAAD944BDEBFF8EF58320F14841AE554B3210C378A954DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 051232D8 Relevance: 1.6, APIs: 1, Instructions: 51windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,02B353E8,00000000,?), ref: 0512E73D

Memory Dump Source

Source File: 00000003.00000002.576194993.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5120000_WmtuqNHPM2.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b97d26e2a54c76eb9dc14f4b57417247c512fe307d01ee967a03844d98af1b74
Instruction ID: b4381cff21413293a9a256b2bbae3e77ecceaf59d493558425a03ec24edafba3
Opcode Fuzzy Hash: b97d26e2a54c76eb9dc14f4b57417247c512fe307d01ee967a03844d98af1b74
Instruction Fuzzy Hash: 25116AB58003199FDB20DF9AC585BEEBBF8FB08320F10845AE954B3200D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0512D238 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000018,00000001,?), ref: 0512D29D

Memory Dump Source

Source File: 00000003.00000002.576194993.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5120000_WmtuqNHPM2.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 435c341f9e7102bfffe50106becf235735369ed9ba52cb5d899f44c27f1cb7b3
Instruction ID: cb32f4f15a781c91ed6f0ec1146981fea82c74418286daa58fe5b8ed09f126c2
Opcode Fuzzy Hash: 435c341f9e7102bfffe50106becf235735369ed9ba52cb5d899f44c27f1cb7b3
Instruction Fuzzy Hash: F811F5B58003199FDB20DF9AD984BDEBBF8FB58324F208459E554B3640C378A554CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B695C8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 02B6962E

Memory Dump Source

Source File: 00000003.00000002.566522438.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b60000_WmtuqNHPM2.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 71927c92d7110b243d0c0889b770662d3046c278711087530063386c07a72c7c
Instruction ID: 838a508ec38be307444232942180b1bbc49470cc38933b42002e172b1d18bf99
Opcode Fuzzy Hash: 71927c92d7110b243d0c0889b770662d3046c278711087530063386c07a72c7c
Instruction Fuzzy Hash: 8611DFB6D007498FCB20CF9AD544ADEFBF8EF88224F14855AD419A7600D378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05121540 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,0000020A,?,00000000,?,?,?,?,0512226A,?,00000000,?), ref: 0512C435

Memory Dump Source

Source File: 00000003.00000002.576194993.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5120000_WmtuqNHPM2.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 2249499b43499b25bbce6810202471604df10629c9a2fc2af06ecfcea81dd992
Instruction ID: ea876aae46dc33e0683e0946c707bcf361e41d39845686af4f52f874e7cdef0c
Opcode Fuzzy Hash: 2249499b43499b25bbce6810202471604df10629c9a2fc2af06ecfcea81dd992
Instruction Fuzzy Hash: CE11F5B58003599FCB20DF9AD584BEEBBF8EB58324F208459E555B7600C378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0512A548 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 0512BCBD

Memory Dump Source

Source File: 00000003.00000002.576194993.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5120000_WmtuqNHPM2.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0cbd20763cc95baeef43c3cd83a6dea47b4899213e699834b683380b028f042a
Instruction ID: 8d541fc78c90000ecb0e3f604ad02e363df8bb83661e48d18e7bf283c8d36c15
Opcode Fuzzy Hash: 0cbd20763cc95baeef43c3cd83a6dea47b4899213e699834b683380b028f042a
Instruction Fuzzy Hash: 0A1110B58003199FCB20DF8AC584BDEBBF8EB48320F10885AE518A7600C378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 051250D4 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000018,00000001,?), ref: 0512D29D

Memory Dump Source

Source File: 00000003.00000002.576194993.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5120000_WmtuqNHPM2.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 32ef2526a8f6cb8a6c5d98ce1ab2a193d4e0443becd88fe7c00edfc3d945469d
Instruction ID: 2a78978f4fdbfa166b49eff7e81e8ef8e27af984d669aae996b3abf0dd8469b0
Opcode Fuzzy Hash: 32ef2526a8f6cb8a6c5d98ce1ab2a193d4e0443becd88fe7c00edfc3d945469d
Instruction Fuzzy Hash: AE1136B58003199FCB20DF9AD584BDEBBF8FB48320F208459E914B3200C378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0512C3D0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,0000020A,?,00000000,?,?,?,?,0512226A,?,00000000,?), ref: 0512C435

Memory Dump Source

Source File: 00000003.00000002.576194993.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5120000_WmtuqNHPM2.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1ebf434a285c6178bcec203e82256f440488fb0d510a8454b30ee2e9960c5d36
Instruction ID: 3b8171cab7a6aea174d5f459f9a58b219ef7438f41e92addd2c5db79f5bc8e43
Opcode Fuzzy Hash: 1ebf434a285c6178bcec203e82256f440488fb0d510a8454b30ee2e9960c5d36
Instruction Fuzzy Hash: 4A11F5B68002599FDB20CF9AD584BDFBBF8EB48324F20845AE554B7600C378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B6FE38 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 02B6FE9D

Memory Dump Source

Source File: 00000003.00000002.566522438.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b60000_WmtuqNHPM2.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 6fa3889c434529a932ec53e3dca88ee0d1ba83934ee5cfa793a91b9dadb89388
Instruction ID: 6027965e1665e5deac6c83519247a90522ce970b212a17e0f35ccdb58877b65b
Opcode Fuzzy Hash: 6fa3889c434529a932ec53e3dca88ee0d1ba83934ee5cfa793a91b9dadb89388
Instruction Fuzzy Hash: 811125B58002488FCB20CF99D585BEEBBF4EB58324F20844AD959B3601C378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0512F3D8 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0512F435

Memory Dump Source

Source File: 00000003.00000002.576194993.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5120000_WmtuqNHPM2.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 73478a8d73435fe06873cce6db06ddf27fcda954bea2220fe99208d26e68158e
Instruction ID: 56619418ced8ce94480f8cebfd880e99ffd8a8904c983c92538b92d930d9c0ea
Opcode Fuzzy Hash: 73478a8d73435fe06873cce6db06ddf27fcda954bea2220fe99208d26e68158e
Instruction Fuzzy Hash: 311112B58002598FCB20CFAAD584BCEBFF8EF58324F24855AD559B3600D378A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0512DC60 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0512F435

Memory Dump Source

Source File: 00000003.00000002.576194993.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5120000_WmtuqNHPM2.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 6c13f17a330596448390cdc47d75140a2e104a7463cd0333fdfe52faaccbc9a2
Instruction ID: 40c85b642ed23f0d6911a3e25237c95c49eb889cb2bd913d65104db3fa5dc270
Opcode Fuzzy Hash: 6c13f17a330596448390cdc47d75140a2e104a7463cd0333fdfe52faaccbc9a2
Instruction Fuzzy Hash: 5F1145B58003588FCB20DF9AC484BDEBBF8EF48324F20845AD559B3600C378A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02B6FE40 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 02B6FE9D

Memory Dump Source

Source File: 00000003.00000002.566522438.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b60000_WmtuqNHPM2.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 60e7bb32374cf32aebf7fa302ee2aff15af6dec700e8d378ba457bc47a24f522
Instruction ID: 3d8e1c46ead5fcc496930cc96ae3dfc44202a7ff890044fce29262c401988c47
Opcode Fuzzy Hash: 60e7bb32374cf32aebf7fa302ee2aff15af6dec700e8d378ba457bc47a24f522
Instruction Fuzzy Hash: CE1118B58002098FDB10CF9AD584BDFBBF8EB48324F10845AD919B3700C378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0512BC59 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 0512BCBD

Memory Dump Source

Source File: 00000003.00000002.576194993.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5120000_WmtuqNHPM2.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ddc37ece94e3b4c02eac1511ef1d3e1d5f4534093bd5575e8350ffb2b1402bab
Instruction ID: 3757fdcbb7a5426ebc291a2d4c05f569c6d0965d2b289be372d6656e0f0a36fd
Opcode Fuzzy Hash: ddc37ece94e3b4c02eac1511ef1d3e1d5f4534093bd5575e8350ffb2b1402bab
Instruction Fuzzy Hash: B811F5B5800259CFDB10CF99D584BDEBBF4EB48324F14844AD819B7600D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07160239 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.580126594.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7160000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ea19658c28b460c78c8dc35b936de52f060a3444354c4220ef71a67633bfcb8
Instruction ID: a8d978fffe3d699ce20fa5d26e2e351f7b14f44c936ea3341a3624bb0b8f1ee5
Opcode Fuzzy Hash: 2ea19658c28b460c78c8dc35b936de52f060a3444354c4220ef71a67633bfcb8
Instruction Fuzzy Hash: 58E0927161D2998FC337076A28284753FAADECF51030A00A7E585C72E2DA544C1A83A6

Uniqueness

Uniqueness Score: -1.00%

Function 07160548 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.580126594.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7160000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 043d0b17225c9c2ade53e10f27616d422d9397786a824443cfe2232f0a53ee1c
Instruction ID: de46d887fe47b135026a5e0fc6713ba7f93bdd0da995e4859e4dab49889de3c9
Opcode Fuzzy Hash: 043d0b17225c9c2ade53e10f27616d422d9397786a824443cfe2232f0a53ee1c
Instruction Fuzzy Hash: C64136703003059FCB45DB68DC50A6FBBA6EFC9354B14852AE90ADB394DF75DC1587A0

Uniqueness

Uniqueness Score: -1.00%

Function 07160CA0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.580126594.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7160000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbdc00b4b66c1bae828ae418ec8daa33177b402db603e3769e41f0730fb939bc
Instruction ID: 66082b3b53d49fdb122315fdb24d08af856242401c5581cdbe09ad9442f1d191
Opcode Fuzzy Hash: dbdc00b4b66c1bae828ae418ec8daa33177b402db603e3769e41f0730fb939bc
Instruction Fuzzy Hash: 4D31D2713002148FC7059B3CD418A597BE6EF89715B1581AEE60ACF7A1CB72EC05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07160610 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.580126594.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7160000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1743742a5b9077c609c67447217f4c7539240e0cb3223cb12d6851beae4983ed
Instruction ID: 83a2c1deccad85a90d53f0bd63ec4198a05fdda91d7bfd40a0590ea52b59120c
Opcode Fuzzy Hash: 1743742a5b9077c609c67447217f4c7539240e0cb3223cb12d6851beae4983ed
Instruction Fuzzy Hash: 99214370B00302DBC784A778982056EBAABEFC9295710A52AE41ACB384EE74CC5187A0

Uniqueness

Uniqueness Score: -1.00%

Function 0105D4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.565426121.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_105d000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2509087bf2d5f9abcc8ebba122b5d1094f2f9e9ca9d82bcd5bbf564b7bcd5e9f
Instruction ID: ee633bb9fffefcc3fc968814dc62ccce9cd7562a80c8ab920f74d7d460db43e6
Opcode Fuzzy Hash: 2509087bf2d5f9abcc8ebba122b5d1094f2f9e9ca9d82bcd5bbf564b7bcd5e9f
Instruction Fuzzy Hash: 76210671504240DFDB46DF98D9C0B6BBFA5FB84328F24C5AAED450A216C33AD845CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0105D3B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.565426121.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_105d000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24d8d8a934b99764d3b51f0169f045440a60814706f8bf5776878679f61b207f
Instruction ID: 56c842613195d6a379aecf46cf110d37bcf4218f5f9a2218b9a7fde5c17d4b44
Opcode Fuzzy Hash: 24d8d8a934b99764d3b51f0169f045440a60814706f8bf5776878679f61b207f
Instruction Fuzzy Hash: 5221F471500240DFDB41DF58D8C0B6BBFA5FB84324F24C5AAED450A206C73AE846CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0106D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.565475881.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_106d000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebe01eb87479023fe891e4ad979b63e3a5b47b5c9d09be78f202a8d523e30fba
Instruction ID: af4362c4253044bf235c7be52a2d9e00981c330742d563afe5f32df92726f395
Opcode Fuzzy Hash: ebe01eb87479023fe891e4ad979b63e3a5b47b5c9d09be78f202a8d523e30fba
Instruction Fuzzy Hash: A5210375604240DFEB11CF58D4C0B26BBA9EB84354F24C5A9F9C90B246C33AD806CB61

Uniqueness

Uniqueness Score: -1.00%

Function 07160478 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.580126594.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7160000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5740b724593ef45766b577a8954d490e070d00888a20f2b6e35ab6a4d8ffba7a
Instruction ID: 0f1a4b05549a30f5bf5c866b6d888045f5f4e39c990b5486ce46db5d08163947
Opcode Fuzzy Hash: 5740b724593ef45766b577a8954d490e070d00888a20f2b6e35ab6a4d8ffba7a
Instruction Fuzzy Hash: E021C3B1E00609DFCB15CFA8C9449EEBBF6AF88204B0485AAD405D7394EB34DE51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0106D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.565475881.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_106d000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 477593c0979808ad46125635fbed96403e38cbbc5632baa96fd73a9bb26da5ab
Instruction ID: f6435a9c5919e4a655e07a0c05ee21edf4944b5b35ec14876dc32d9a58ea53c4
Opcode Fuzzy Hash: 477593c0979808ad46125635fbed96403e38cbbc5632baa96fd73a9bb26da5ab
Instruction Fuzzy Hash: AD2195755093C08FD713CF24D590B15BFB1EB46214F28C6DAD8898F657C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 07160538 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.580126594.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7160000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f155ad65ed038a2acb5da2c0ae74c7170004b81308261a69ab449cd8c576ac7
Instruction ID: 2d99e54df456b0daef74ec7bf3dcb0c1afabbda3c7bcf5abed2cdb194937352f
Opcode Fuzzy Hash: 2f155ad65ed038a2acb5da2c0ae74c7170004b81308261a69ab449cd8c576ac7
Instruction Fuzzy Hash: 5C11C6B5300205AFDB15DF19DC40E9A7BAAEF89354F048025FD08CB795DB75DC2587A0

Uniqueness

Uniqueness Score: -1.00%

Function 0105D49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.565426121.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_105d000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 592ece47119f67d140ea7e82aae040392f4fe946fa5bf8865279594dce73126f
Instruction ID: 475b9ffc690aada1f2bb58919faa94219dec7b67fde93be445953b214a7ef03e
Opcode Fuzzy Hash: 592ece47119f67d140ea7e82aae040392f4fe946fa5bf8865279594dce73126f
Instruction Fuzzy Hash: 6A11D276404280CFDB52CF44D5C0B16BFB1FB84328F2482AADD450B616C336D456CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0105D3AF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.565426121.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_105d000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 592ece47119f67d140ea7e82aae040392f4fe946fa5bf8865279594dce73126f
Instruction ID: 8f448d23bbc4e5179a78e476eb58c3765c719bf2a20f3fba88238003491ca41d
Opcode Fuzzy Hash: 592ece47119f67d140ea7e82aae040392f4fe946fa5bf8865279594dce73126f
Instruction Fuzzy Hash: 9311AF76504280DFDB52CF54D5C4B56BFB2FB84324F24C6AADC890B616C33AE456CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07162093 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.580126594.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7160000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fa2cbd1c1418e84d6c155852030e35e2a01a0ab48d9be58c1baf6741ac13675
Instruction ID: 030852db40dae5a0269641b9be9ea3b7dbf9b346e5b337d5b0d5a040eb0db4f5
Opcode Fuzzy Hash: 2fa2cbd1c1418e84d6c155852030e35e2a01a0ab48d9be58c1baf6741ac13675
Instruction Fuzzy Hash: 4F01B170309194ABC729A27D4C2475B9D9AABDBB00F24C15EA08B8B3C5CD658C0643AA

Uniqueness

Uniqueness Score: -1.00%

Function 07161420 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.580126594.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7160000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3037d8f7917c846501bec1682acca5e9bd9665fc15e9923b838e031033fa173b
Instruction ID: e10baead1161f03949087e38bc2a731912dc15f5ba0af0e5473fbd437814d2b0
Opcode Fuzzy Hash: 3037d8f7917c846501bec1682acca5e9bd9665fc15e9923b838e031033fa173b
Instruction Fuzzy Hash: DA012B72B00E159BC725DA68D840A6B73EBAF88620304C53DD84ACB7C4EF31EC0287C0

Uniqueness

Uniqueness Score: -1.00%

Function 071613A0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.580126594.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7160000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 280d2e64e5fd986bad0da8c272dfe0e9d07397f2e3c0ba325ae9b26308b02d65
Instruction ID: ba2ba06e6671f1ac914e9e1612f372080d0c72ffa11e1837ca7865907fb0a6f9
Opcode Fuzzy Hash: 280d2e64e5fd986bad0da8c272dfe0e9d07397f2e3c0ba325ae9b26308b02d65
Instruction Fuzzy Hash: 9D0176703047594FC31A973D982446FBFA29FC6260310812AE44ECB351EB145D0643E1

Uniqueness

Uniqueness Score: -1.00%

Function 071614D9 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.580126594.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7160000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ad321788df50c4cd48b64f51cba7eba4924b99e7eb495c069eae3442ee080ea
Instruction ID: 60c713602d71ffec6445222c44bd71ed3266c147c32001e956950801c2317481
Opcode Fuzzy Hash: 7ad321788df50c4cd48b64f51cba7eba4924b99e7eb495c069eae3442ee080ea
Instruction Fuzzy Hash: ADF05C77504318AB832259A8A8185AE77AA1AC91203004356A825C32D0EF1C8D1A53E3

Uniqueness

Uniqueness Score: -1.00%

Function 07161390 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.580126594.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7160000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c42350620bc55c5c81be15b9d8423aa8061c44423848962d1169211ff5a170
Instruction ID: c70263aaaa585083ef0b0995f989aa188704af07dff269226f723797b9ad022e
Opcode Fuzzy Hash: d6c42350620bc55c5c81be15b9d8423aa8061c44423848962d1169211ff5a170
Instruction Fuzzy Hash: 50F027323047551B8321DA2EE84084AFBAAEFC6360300896EF90ACB211DA21AC0443E1

Uniqueness

Uniqueness Score: -1.00%

Function 07162053 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.580126594.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7160000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a577fa3f90faf201413f0b77f3e96d27f98b6f23ee2c2ae35fb2e27b871fd5b7
Instruction ID: 6a80b3eb28ed2b414190279f1403735cab03fca6a25751670a7a9881662275ac
Opcode Fuzzy Hash: a577fa3f90faf201413f0b77f3e96d27f98b6f23ee2c2ae35fb2e27b871fd5b7
Instruction Fuzzy Hash: 73E0DFB0B00B224FEB3CCA1A80402ABFBD71FC8604F08C42EC48E82A50C7B0A8058780

Uniqueness

Uniqueness Score: -1.00%

Function 071621F3 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.580126594.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7160000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 905844b70dd7628cc7b25b5659a924acd579eba90927565caeb93e667e545b4d
Instruction ID: fe4cdfa67217e5186f98884c74459815162eba5d370e973152333366f52d4b0d
Opcode Fuzzy Hash: 905844b70dd7628cc7b25b5659a924acd579eba90927565caeb93e667e545b4d
Instruction Fuzzy Hash: 20E01AB0C0420AEFC744EFA8C81979EBBF0BB08300F208969C419E6241E77446469F91

Uniqueness

Uniqueness Score: -1.00%

Function 07162058 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.580126594.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7160000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edfac2312146f2729bb52d7096ca955515cb3366d18ca1a002f068e9447d11b9
Instruction ID: ca7e99d3b200bd60390b93ce0c2a7fae5df4233a865cefb86861de19ff02ffa7
Opcode Fuzzy Hash: edfac2312146f2729bb52d7096ca955515cb3366d18ca1a002f068e9447d11b9
Instruction Fuzzy Hash: FEE086B0B00F564BDB3DDF5B804425BFBDB5F89614F04C42EC49E43A51DBB5A4548784

Uniqueness

Uniqueness Score: -1.00%

Function 07160448 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.580126594.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7160000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aced354f597bd0b2c9bf511138ca76e6530a429ffdaa38a3be9d1cbd65b2b83
Instruction ID: b5cbb8532a7ddf93f73256b3af8b81a8cbeeea4d106f0418905bf946db16db0d
Opcode Fuzzy Hash: 3aced354f597bd0b2c9bf511138ca76e6530a429ffdaa38a3be9d1cbd65b2b83
Instruction Fuzzy Hash: 24D05E71714025C74629165B781C97E779FEBC9962708402BE20AC3384DFA58C0243D9

Uniqueness

Uniqueness Score: -1.00%

Function 071614E8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.580126594.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7160000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b0ac11928150edc0db57c118486c84176b704c127882f733076a77b28501127
Instruction ID: 9346a3b2e0c25c6864b70a2850d99b6b2e7f964afe0ad7ab8bb9636f8eac2430
Opcode Fuzzy Hash: 1b0ac11928150edc0db57c118486c84176b704c127882f733076a77b28501127
Instruction Fuzzy Hash: 60E0C2366006249B87145A14A5185AEB3EB9BC81703008229AC0AC3384DF2C9E0592E2

Uniqueness

Uniqueness Score: -1.00%

Function 07162130 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.580126594.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7160000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1855f9b6b3caff4ef669abca4bca76cdf4e2292531580e6f3b85ca71cad4e31
Instruction ID: b101fed4eb8fa6a3d716916bcd898f9f4ff46e7612f7f6bf40b4accd558395f6
Opcode Fuzzy Hash: c1855f9b6b3caff4ef669abca4bca76cdf4e2292531580e6f3b85ca71cad4e31
Instruction Fuzzy Hash: 99E0C2F626D284DFC72A83346C782A62F23A3DAB0CB0986D67289D75869BB108594311

Uniqueness

Uniqueness Score: -1.00%

Function 071621FB Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.580126594.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7160000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30afffcd391cd9cf64a6b86bbb0a6950c94da804235bad80e96a5ae9678e6937
Instruction ID: c85bc99b1496356c6de6e875fc37ab2204f633e0095cc30b1f7fa4e5198e1473
Opcode Fuzzy Hash: 30afffcd391cd9cf64a6b86bbb0a6950c94da804235bad80e96a5ae9678e6937
Instruction Fuzzy Hash: CDE0ECB0D4130AAEDB84EFA8C95579FBFF4BF04244F208A69C415F6241EB7446468FA1

Uniqueness

Uniqueness Score: -1.00%

Function 07162200 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.580126594.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7160000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 879af1ff82cad1b264ee8626a7c74dc917ed0b13907e1ea0113f38e1228352e1
Instruction ID: 571198d7a33d984cbdea06c184e97ae6d61f5cddf49fe7711986b50c71127172
Opcode Fuzzy Hash: 879af1ff82cad1b264ee8626a7c74dc917ed0b13907e1ea0113f38e1228352e1
Instruction Fuzzy Hash: A1E0ECB0D0020AAECB84EFA8C54575EBBF0BB04200F108A69C415E6241E77446458F91

Uniqueness

Uniqueness Score: -1.00%

Function 071606F8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.580126594.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7160000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87d03514d196e4eb21295ddf8b03e935620a5107630c0b8e88a6e6c67ca35b9c
Instruction ID: 350b306afa371739de686dece0145acbcf3d47000590de664fd0a5c8dfa27ab7
Opcode Fuzzy Hash: 87d03514d196e4eb21295ddf8b03e935620a5107630c0b8e88a6e6c67ca35b9c
Instruction Fuzzy Hash: 21D012F4405340AECB0ACF1544448617FB0ADDD20836588DEE0448A153E325CA07CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07162140 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.580126594.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7160000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52fe695d1bbc3674d4b95ef81f89e2ed201f4349d802133b3f19c64b72e0e19f
Instruction ID: 54cc1e9e90776d6cba021a7c6f0643d7dac6219746a482d8de9c325aee857d78
Opcode Fuzzy Hash: 52fe695d1bbc3674d4b95ef81f89e2ed201f4349d802133b3f19c64b72e0e19f
Instruction Fuzzy Hash: 92C08CF166C20493DB1C9629BC98A6B336FA3C9B00F04C614B20E676888BB268110260

Uniqueness

Uniqueness Score: -1.00%

Function 07160C7B Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.580126594.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7160000_WmtuqNHPM2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b15882ff7c98b653778c23f141ddc35f80c5f50f9a06b0c9303f503f344f6f41
Instruction ID: 590a94544b3d500855f13485642266f192b84628f7ac395d771f6ffe12d0468e
Opcode Fuzzy Hash: b15882ff7c98b653778c23f141ddc35f80c5f50f9a06b0c9303f503f344f6f41
Instruction Fuzzy Hash: 699002E8245410DBBA212B15C428886BA947D493617D14464C5C0008745616485445A2

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report WmtuqNHPM2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

AV Detection

E-Banking Fraud

Stealing of Sensitive Information

Remote Access Functionality

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WmtuqNHPM2.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mwewao31.inp.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n31va3q2.xzf.psm1

C:\Users\user\AppData\Roaming\Adobe\Flash Player.exe

C:\Users\user\AppData\Roaming\Adobe\Flash Player.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Windows Analysis Report
WmtuqNHPM2.exe

Function 057C1278 Relevance: 2.6, Strings: 1, Instructions: 1339
COMMON

Function 057C9200 Relevance: 1.7, Strings: 1, Instructions: 460
COMMON

Function 057543F8 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Function 057543EA Relevance: 10.7, APIs: 7, Instructions: 160
COMMON

Function 05753746 Relevance: 1.8, APIs: 1, Instructions: 323
processCOMMON

Function 05753750 Relevance: 1.8, APIs: 1, Instructions: 321
processCOMMON

Function 05A98790 Relevance: 1.7, Strings: 1, Instructions: 433
COMMON

Function 05753118 Relevance: 1.6, APIs: 1, Instructions: 131
threadinjectionCOMMON

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre