
Windows Analysis Report
x4VGltSj0j.exe

Overview

General Information

Sample Name: x4VGltSj0j.exe
Original Sample Name: 20ef67d923f487ff82fb19be1270571c.exe
Analysis ID: 878160
MD5: 20ef67d923f487ff82fb19be1270571c
SHA1: 6e87a3a9a4dbe64f9626f2230cd2fea63452ee68
SHA256: 77dd08fac6833c6ef555e84c2ef5599ed10b7e6dad2da324e4ad643e843709d0
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Detected Nanocore Rat
Sigma detected: Scheduled temp file as task from temp location
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Snort IDS alert for network traffic
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • x4VGltSj0j.exe (PID: 5476 cmdline: C:\Users\user\Desktop\x4VGltSj0j.exe MD5: 20EF67D923F487FF82FB19BE1270571C)
    • x4VGltSj0j.exe (PID: 6704 cmdline: C:\Users\user\Desktop\x4VGltSj0j.exe MD5: 20EF67D923F487FF82FB19BE1270571C)
      • schtasks.exe (PID: 6804 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp8CAB.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6908 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8E42.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • x4VGltSj0j.exe (PID: 6940 cmdline: C:\Users\user\Desktop\x4VGltSj0j.exe 0 MD5: 20EF67D923F487FF82FB19BE1270571C)
    • x4VGltSj0j.exe (PID: 6752 cmdline: C:\Users\user\Desktop\x4VGltSj0j.exe MD5: 20EF67D923F487FF82FB19BE1270571C)
  • dhcpmon.exe (PID: 7056 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: 20EF67D923F487FF82FB19BE1270571C)
    • dhcpmon.exe (PID: 6796 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 20EF67D923F487FF82FB19BE1270571C)
  • dhcpmon.exe (PID: 5812 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 20EF67D923F487FF82FB19BE1270571C)
    • dhcpmon.exe (PID: 4092 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 20EF67D923F487FF82FB19BE1270571C)
  • cleanup
Malware Configuration Extractor: NanoCore
{
  "Version": "1.2.2.0",
  "Mutex": "540c4d56-ad4d-4ca4-9f9f-305dba1d",
  "Group": "Default",
  "Domain1": "jasonbourneblack.ddns.net",
  "Domain2": "127.0.0.1",
  "Port": 4032,
  "KeyboardLogging": "Enable",
  "RunOnStartup": "Enable",
  "RequestElevation": "Disable",
  "BypassUAC": "Enable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "8.8.8.8",
  "BackupDNSServer": "8.8.4.4",
  "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"
}
Source | Rule | Description | Author (matched strings are listed beneath each row)
0000000C.00000002.624499056.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000C.00000002.624499056.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
    • 0x435b5:$a: NanoCore
    • 0x4360e:$a: NanoCore
    • 0x4364b:$a: NanoCore
    • 0x436c4:$a: NanoCore
    • 0x56d6f:$a: NanoCore
    • 0x56d84:$a: NanoCore
    • 0x56db9:$a: NanoCore
    • 0x6fd5b:$a: NanoCore
    • 0x6fd70:$a: NanoCore
    • 0x6fda5:$a: NanoCore
    • 0x43617:$b: ClientPlugin
    • 0x43654:$b: ClientPlugin
    • 0x43f52:$b: ClientPlugin
    • 0x43f5f:$b: ClientPlugin
    • 0x56b2b:$b: ClientPlugin
    • 0x56b46:$b: ClientPlugin
    • 0x56b76:$b: ClientPlugin
    • 0x56d8d:$b: ClientPlugin
    • 0x56dc2:$b: ClientPlugin
    • 0x6fb17:$b: ClientPlugin
    • 0x6fb32:$b: ClientPlugin
0000000C.00000002.624499056.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Nanocore_d8c4e3c5 | unknown | unknown
    • 0x4364b:$a1: NanoCore.ClientPluginHost
    • 0x56db9:$a1: NanoCore.ClientPluginHost
    • 0x6fda5:$a1: NanoCore.ClientPluginHost
    • 0x4360e:$a2: NanoCore.ClientPlugin
    • 0x56d84:$a2: NanoCore.ClientPlugin
    • 0x6fd70:$a2: NanoCore.ClientPlugin
    • 0x439e2:$b1: get_BuilderSettings
    • 0x5bcff:$b1: get_BuilderSettings
    • 0x74ceb:$b1: get_BuilderSettings
    • 0x43699:$b4: IClientAppHost
    • 0x43a53:$b6: AddHostEntry
    • 0x43ac2:$b7: LogClientException
    • 0x5bc6e:$b7: LogClientException
    • 0x74c5a:$b7: LogClientException
    • 0x43a37:$b8: PipeExists
    • 0x43686:$b9: IClientLoggingHost
    • 0x56dd3:$b9: IClientLoggingHost
    • 0x6fdbf:$b9: IClientLoggingHost
00000003.00000002.831317891.0000000007010000.00000004.08000000.00040000.00000000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth (Nextron Systems)
    • 0x350b:$x1: NanoCore.ClientPluginHost
    • 0x3525:$x2: IClientNetworkHost
00000003.00000002.831317891.0000000007010000.00000004.08000000.00040000.00000000.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth (Nextron Systems)
    • 0x350b:$x2: NanoCore.ClientPluginHost
    • 0x52b6:$s4: PipeCreated
    • 0x34f8:$s5: IClientLoggingHost
(90 entries in total; the remaining memory matches are not shown here)
Source | Rule | Description | Author (matched strings are listed beneath each row)
3.2.x4VGltSj0j.exe.6d10000.19.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth (Nextron Systems)
    • 0x16e3:$x1: NanoCore.ClientPluginHost
    • 0x171c:$x2: IClientNetworkHost
3.2.x4VGltSj0j.exe.6d10000.19.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth (Nextron Systems)
    • 0x16e3:$x2: NanoCore.ClientPluginHost
    • 0x1800:$s4: PipeCreated
    • 0x16fd:$s5: IClientLoggingHost
3.2.x4VGltSj0j.exe.6d10000.19.raw.unpack | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen
    • 0x175f:$x2: NanoCore.ClientPlugin
    • 0x16e3:$x3: NanoCore.ClientPluginHost
    • 0x1775:$i3: IClientNetwork
    • 0x16fd:$i6: IClientLoggingHost
    • 0x171c:$i7: IClientNetworkHost
    • 0x1491:$s1: ClientPlugin
    • 0x1768:$s1: ClientPlugin
3.2.x4VGltSj0j.exe.6d10000.19.raw.unpack | Windows_Trojan_Nanocore_d8c4e3c5 | unknown | unknown
    • 0x16e3:$a1: NanoCore.ClientPluginHost
    • 0x175f:$a2: NanoCore.ClientPlugin
    • 0x16fd:$b9: IClientLoggingHost
3.2.x4VGltSj0j.exe.71a0000.30.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth (Nextron Systems)
    • 0x5fee:$x1: NanoCore.ClientPluginHost
    • 0x602b:$x2: IClientNetworkHost
(251 entries in total; the remaining unpacked-PE matches are not shown here)

    AV Detection

    Source: File created
    Author: Joe Security
    Data: EventID: 11, Image: C:\Users\user\Desktop\x4VGltSj0j.exe, ProcessId: 6704, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

    E-Banking Fraud

    Source: File created
    Author: Joe Security
    Data: EventID: 11, Image: C:\Users\user\Desktop\x4VGltSj0j.exe, ProcessId: 6704, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

    Persistence and Installation Behavior

    Source: Process started
    Author: Joe Security
    Data: Command: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp8CAB.tmp, CommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp8CAB.tmp, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\x4VGltSj0j.exe, ParentImage: C:\Users\user\Desktop\x4VGltSj0j.exe, ParentProcessId: 6704, ParentProcessName: x4VGltSj0j.exe, ProcessCommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp8CAB.tmp, ProcessId: 6804, ProcessName: schtasks.exe

    Stealing of Sensitive Information

    Source: File created
    Author: Joe Security
    Data: EventID: 11, Image: C:\Users\user\Desktop\x4VGltSj0j.exe, ProcessId: 6704, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

    Remote Access Functionality

    Source: File created
    Author: Joe Security
    Data: EventID: 11, Image: C:\Users\user\Desktop\x4VGltSj0j.exe, ProcessId: 6704, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

    Snort IDS alert
    Timestamp: 05/30/23-13:08:06.488254
    Source IP: 192.168.2.4
    Destination IP: 141.98.6.167
    Source Port: 49694
    Destination Port: 4032
    SID: 2025019
    Protocol: TCP
    Classtype: A Network Trojan was detected

    Snort IDS alert
    Timestamp: 05/30/23-13:08:09.282700
    Source IP: 192.168.2.4
    Destination IP: 141.98.6.167
    Source Port: 49694
    Destination Port: 4032
    SID: 2816766
    Protocol: TCP
    Classtype: A Network Trojan was detected


    AV Detection

    Source: 0000000C.00000002.624499056.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: NanoCore (the full extracted configuration is listed under Classification above)
    Source: x4VGltSj0j.exe | ReversingLabs: Detection: 21%
    Source: x4VGltSj0j.exe | Virustotal: Detection: 28%
    Source: jasonbourneblack.ddns.net | Avira URL Cloud: Label: malware
    Source: jasonbourneblack.ddns.net | Virustotal: Detection: 10%
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | ReversingLabs: Detection: 21%
    Source: Yara match | File source: 3.2.x4VGltSj0j.exe.53b0000.16.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.x4VGltSj0j.exe.4044ce8.4.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.x4VGltSj0j.exe.3f1060c.3.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 3.2.x4VGltSj0j.exe.53b0000.16.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.x4VGltSj0j.exe.40120c8.8.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.x4VGltSj0j.exe.3f0b7d6.2.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.x4VGltSj0j.exe.40120c8.8.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.x4VGltSj0j.exe.3f1060c.3.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 3.2.x4VGltSj0j.exe.53b4629.17.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.x4VGltSj0j.exe.3f14c35.1.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.x4VGltSj0j.exe.4044ce8.4.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.x4VGltSj0j.exe.3fdb2a8.7.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0000000C.00000002.624499056.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000003.00000002.828765767.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000B.00000002.624520249.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.557049531.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000C.00000002.623571308.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: x4VGltSj0j.exe PID: 5476, type: MEMORYSTR
    Source: Yara match | File source: Process Memory Space: x4VGltSj0j.exe PID: 6704, type: MEMORYSTR
    Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6796, type: MEMORYSTR
    Source: Yara match | File source: Process Memory Space: x4VGltSj0j.exe PID: 6752, type: MEMORYSTR
    Source: x4VGltSj0j.exe | Joe Sandbox ML: detected
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
    Source: x4VGltSj0j.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: x4VGltSj0j.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: Binary string: mscorlib.pdb source: x4VGltSj0j.exe, 00000003.00000002.803744926.0000000000C15000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oXQF.pdbSHA256; source: x4VGltSj0j.exe, dhcpmon.exe.3.dr
    Source: Binary string: oXQF.pdb source: x4VGltSj0j.exe, dhcpmon.exe.3.dr
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.830668276.0000000006D20000.00000004.08000000.00040000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.830963425.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.830818875.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.830628451.0000000006D10000.00000004.08000000.00040000.00000000.sdmp
    Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.830884662.0000000006D50000.00000004.08000000.00040000.00000000.sdmp
    Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.830754670.0000000006D30000.00000004.08000000.00040000.00000000.sdmp
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Code function: 4x nop then jmp 09B37ECDh | 0_2_09B372F0
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 3_2_0654B918
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 3_2_0654B908

    Networking

    Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49694 -> 141.98.6.167:4032
    Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49694 -> 141.98.6.167:4032
    Source: Malware configuration extractor | URLs: jasonbourneblack.ddns.net
    Source: Malware configuration extractor | URLs: 127.0.0.1
    Source: unknown | DNS query: name: jasonbourneblack.ddns.net
    Source: Joe Sandbox View | ASN Name: CMCSUS CMCSUS
    Source: global traffic | TCP traffic: 192.168.2.4:49694 -> 141.98.6.167:4032
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.830884662.0000000006D50000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://google.com
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
    Source: x4VGltSj0j.exe, 00000000.00000003.541363758.0000000005956000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.com
    Source: x4VGltSj0j.exe, 00000000.00000003.542376102.0000000005942000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.comenc
    Source: x4VGltSj0j.exe, 00000000.00000003.541363758.0000000005956000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.comitk
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
    Source: x4VGltSj0j.exe, 00000000.00000003.542376102.0000000005942000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.comscrf:
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
    Source: x4VGltSj0j.exe, 00000000.00000003.542552861.0000000005956000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com.TTF
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
    Source: x4VGltSj0j.exe, 00000000.00000003.542552861.0000000005942000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
    Source: x4VGltSj0j.exe, 00000000.00000003.542949913.0000000005957000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comF
    Source: x4VGltSj0j.exe, 00000000.00000003.552697773.0000000005940000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.coma
    Source: x4VGltSj0j.exe, 00000000.00000003.542949913.0000000005957000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comals
    Source: x4VGltSj0j.exe, 00000000.00000003.542949913.0000000005957000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comcom
    Source: x4VGltSj0j.exe, 00000000.00000003.542552861.0000000005956000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comcomF
    Source: x4VGltSj0j.exe, 00000000.00000003.542949913.0000000005957000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comcomau
    Source: x4VGltSj0j.exe, 00000000.00000003.542949913.0000000005957000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comf?
    Source: x4VGltSj0j.exe, 00000000.00000003.552697773.0000000005940000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comion
    Source: x4VGltSj0j.exe, 00000000.00000003.542552861.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.542949913.0000000005957000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.542610815.0000000005956000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comk
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
    Source: x4VGltSj0j.exe, 00000000.00000003.542277981.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541749083.000000000594B000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541863069.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.542376102.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541968761.0000000005952000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
    Source: x4VGltSj0j.exe, 00000000.00000003.542277981.0000000005956000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/&
    Source: x4VGltSj0j.exe, 00000000.00000003.542277981.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541749083.000000000594B000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541863069.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541968761.0000000005952000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp//
    Source: x4VGltSj0j.exe, 00000000.00000003.542277981.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541863069.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541968761.0000000005952000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/4
    Source: x4VGltSj0j.exe, 00000000.00000003.542277981.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.542376102.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541968761.0000000005952000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/?
    Source: x4VGltSj0j.exe, 00000000.00000003.542277981.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541863069.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.542376102.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541968761.0000000005952000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/C
    Source: x4VGltSj0j.exe, 00000000.00000003.542277981.0000000005956000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Q
    Source: x4VGltSj0j.exe, 00000000.00000003.542277981.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.542376102.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541968761.0000000005952000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/X
    Source: x4VGltSj0j.exe, 00000000.00000003.542277981.0000000005956000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/
    Source: x4VGltSj0j.exe, 00000000.00000003.541968761.0000000005952000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0g
    Source: x4VGltSj0j.exe, 00000000.00000003.541863069.0000000005956000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/f?
    Source: x4VGltSj0j.exe, 00000000.00000003.542277981.0000000005956000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/g
    Source: x4VGltSj0j.exe, 00000000.00000003.542277981.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541863069.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541968761.0000000005952000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
    Source: x4VGltSj0j.exe, 00000000.00000003.541968761.0000000005952000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Q
    Source: x4VGltSj0j.exe, 00000000.00000003.541968761.0000000005952000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/f?
    Source: x4VGltSj0j.exe, 00000000.00000003.542277981.0000000005956000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/o
    Source: x4VGltSj0j.exe, 00000000.00000003.542277981.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541863069.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541968761.0000000005952000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/u
    Source: x4VGltSj0j.exe, 00000000.00000003.539411991.000000000595B000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.539394916.000000000595B000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541072737.0000000005952000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541363758.0000000005956000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
    Source: x4VGltSj0j.exe, 00000000.00000003.541363758.0000000005956000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.comlic
    Source: x4VGltSj0j.exe, 00000000.00000003.541363758.0000000005956000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.comlic6
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
    Source: x4VGltSj0j.exe, 00000000.00000003.542949913.0000000005957000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deI
    Source: x4VGltSj0j.exe, 00000000.00000003.542949913.0000000005957000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deN
    Source: x4VGltSj0j.exe, 00000000.00000003.541234411.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541204121.0000000005949000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
    Source: x4VGltSj0j.exe, 00000000.00000003.541234411.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541204121.0000000005949000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.S
    Source: unknownDNS traffic detected: queries for: jasonbourneblack.ddns.net
    Source: x4VGltSj0j.exe, 00000000.00000002.552960704.0000000000BA0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
    Source: x4VGltSj0j.exe, 00000003.00000002.828765767.00000000053B0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: RegisterRawInputDevices

    E-Banking Fraud

    Source: Yara match | File source: 3.2.x4VGltSj0j.exe.53b0000.16.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.x4VGltSj0j.exe.4044ce8.4.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.x4VGltSj0j.exe.3f1060c.3.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 3.2.x4VGltSj0j.exe.53b0000.16.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.x4VGltSj0j.exe.40120c8.8.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.x4VGltSj0j.exe.3f0b7d6.2.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.x4VGltSj0j.exe.40120c8.8.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.x4VGltSj0j.exe.3f1060c.3.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 3.2.x4VGltSj0j.exe.53b4629.17.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.x4VGltSj0j.exe.3f14c35.1.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.x4VGltSj0j.exe.4044ce8.4.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.x4VGltSj0j.exe.3fdb2a8.7.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0000000C.00000002.624499056.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000003.00000002.828765767.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000B.00000002.624520249.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.557049531.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000C.00000002.623571308.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: x4VGltSj0j.exe PID: 5476, type: MEMORYSTR
    Source: Yara match | File source: Process Memory Space: x4VGltSj0j.exe PID: 6704, type: MEMORYSTR
    Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6796, type: MEMORYSTR
    Source: Yara match | File source: Process Memory Space: x4VGltSj0j.exe PID: 6752, type: MEMORYSTR

    System Summary

    barindex
    Source: 3.2.x4VGltSj0j.exe.6d10000.19.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.6d10000.19.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.6d10000.19.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.71a0000.30.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.71a0000.30.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.71a0000.30.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.6d20000.20.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.6d20000.20.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.6d20000.20.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.5370000.14.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.5370000.14.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.5370000.14.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.5380000.15.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.5380000.15.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.5380000.15.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.7010000.26.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.7010000.26.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.7010000.26.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.53b0000.16.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.53b0000.16.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.53b0000.16.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 0.2.x4VGltSj0j.exe.4044ce8.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 0.2.x4VGltSj0j.exe.4044ce8.4.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 0.2.x4VGltSj0j.exe.4044ce8.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0.2.x4VGltSj0j.exe.4044ce8.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.6d60000.24.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.6d60000.24.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.6d60000.24.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.3c5ee4e.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.3c5ee4e.8.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.3c5ee4e.8.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.6ff0000.25.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.6ff0000.25.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.6ff0000.25.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.6d30000.21.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.6d30000.21.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.6d30000.21.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.7170000.27.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.7170000.27.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.7170000.27.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.50b0000.13.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.50b0000.13.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.50b0000.13.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.6d50000.23.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.6d50000.23.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.6d50000.23.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.5380000.15.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.5380000.15.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.5380000.15.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.3c50a1e.11.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.3c50a1e.11.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.3c50a1e.11.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 12.2.x4VGltSj0j.exe.2f29530.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 12.2.x4VGltSj0j.exe.2f29530.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.x4VGltSj0j.exe.2f29530.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 12.2.x4VGltSj0j.exe.3f1060c.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 12.2.x4VGltSj0j.exe.3f1060c.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.x4VGltSj0j.exe.3f1060c.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.3c47bef.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.3c47bef.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.3c47bef.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 3.2.x4VGltSj0j.exe.3c47bef.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.3c50a1e.11.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.3c50a1e.11.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.3c50a1e.11.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.53b0000.16.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.53b0000.16.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.53b0000.16.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 0.2.x4VGltSj0j.exe.40120c8.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 0.2.x4VGltSj0j.exe.40120c8.8.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 0.2.x4VGltSj0j.exe.40120c8.8.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0.2.x4VGltSj0j.exe.40120c8.8.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.39081d4.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.39081d4.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.39081d4.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 12.2.x4VGltSj0j.exe.3f0b7d6.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 12.2.x4VGltSj0j.exe.3f0b7d6.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.x4VGltSj0j.exe.3f0b7d6.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 12.2.x4VGltSj0j.exe.3f0b7d6.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.7174c9f.28.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.7174c9f.28.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.7174c9f.28.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.3a7cff1.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.3a7cff1.4.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.3a7cff1.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.6d20000.20.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.6d20000.20.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.6d20000.20.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.6d30000.21.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.6d30000.21.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.6d30000.21.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 0.2.x4VGltSj0j.exe.40120c8.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 0.2.x4VGltSj0j.exe.40120c8.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 0.2.x4VGltSj0j.exe.40120c8.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0.2.x4VGltSj0j.exe.40120c8.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 11.2.dhcpmon.exe.32d9658.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 11.2.dhcpmon.exe.32d9658.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 11.2.dhcpmon.exe.32d9658.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.6d60000.24.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.6d60000.24.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.6d60000.24.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.38f9930.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.38f9930.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.38f9930.10.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.6d50000.23.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.6d50000.23.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.6d50000.23.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.3c5ee4e.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.3c5ee4e.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.3c5ee4e.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.71a0000.30.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.71a0000.30.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.71a0000.30.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 12.2.x4VGltSj0j.exe.3f1060c.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 12.2.x4VGltSj0j.exe.3f1060c.3.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.x4VGltSj0j.exe.3f1060c.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.717e8a4.29.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.717e8a4.29.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.717e8a4.29.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.3c47bef.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.3c47bef.3.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.3c47bef.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.2975498.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.2975498.1.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.2975498.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.3a89225.12.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.3a89225.12.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.3a89225.12.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.7010000.26.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.7010000.26.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.7010000.26.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.3a9d852.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.3a9d852.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.3a9d852.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 3.2.x4VGltSj0j.exe.3a9d852.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.6ff0000.25.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.6ff0000.25.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.6ff0000.25.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.38f9930.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.38f9930.10.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.38f9930.10.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.298e3f0.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.298e3f0.0.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.298e3f0.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.7170000.27.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.7170000.27.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.7170000.27.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.5370000.14.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.5370000.14.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.5370000.14.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.53b4629.17.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.53b4629.17.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.53b4629.17.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.6d40000.22.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.6d40000.22.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.6d40000.22.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.3a7cff1.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.3a7cff1.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.3a7cff1.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 3.2.x4VGltSj0j.exe.3a7cff1.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.38fe5cf.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.38fe5cf.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.38fe5cf.9.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 12.2.x4VGltSj0j.exe.3f14c35.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 12.2.x4VGltSj0j.exe.3f14c35.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.x4VGltSj0j.exe.3f14c35.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.298e3f0.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.298e3f0.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.298e3f0.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 3.2.x4VGltSj0j.exe.298e3f0.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 0.2.x4VGltSj0j.exe.4044ce8.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 0.2.x4VGltSj0j.exe.4044ce8.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 0.2.x4VGltSj0j.exe.4044ce8.4.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0.2.x4VGltSj0j.exe.4044ce8.4.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.2942e5c.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.2942e5c.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 3.2.x4VGltSj0j.exe.2942e5c.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.2975498.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.2975498.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.2975498.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 3.2.x4VGltSj0j.exe.2975498.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.3a89225.12.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.3a89225.12.raw.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.3a89225.12.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 3.2.x4VGltSj0j.exe.3a89225.12.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 0.2.x4VGltSj0j.exe.3fdb2a8.7.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 0.2.x4VGltSj0j.exe.3fdb2a8.7.raw.unpack, type: UNPACKEDPE, Matched rule: Detects NanoCore Author: ditekSHen
    Source: 0.2.x4VGltSj0j.exe.3fdb2a8.7.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0.2.x4VGltSj0j.exe.3fdb2a8.7.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 0000000C.00000002.624499056.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000C.00000002.624499056.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000003.00000002.831317891.0000000007010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 00000003.00000002.831317891.0000000007010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detects NanoCore Author: ditekSHen
    Source: 00000003.00000002.831317891.0000000007010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000003.00000002.830963425.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 00000003.00000002.830963425.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detects NanoCore Author: ditekSHen
    Source: 00000003.00000002.830963425.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000003.00000002.821764606.00000000038F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000003.00000002.828540594.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 00000003.00000002.828540594.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detects NanoCore Author: ditekSHen
    Source: 00000003.00000002.828540594.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000003.00000003.572812783.000000000619B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000003.00000002.831505187.0000000007170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 00000003.00000002.831505187.0000000007170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detects NanoCore Author: ditekSHen
    Source: 00000003.00000002.831505187.0000000007170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000003.00000002.828765767.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 00000003.00000002.828765767.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detects NanoCore Author: ditekSHen
    Source: 00000003.00000002.828765767.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000003.00000002.830668276.0000000006D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 00000003.00000002.830668276.0000000006D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detects NanoCore Author: ditekSHen
    Source: 00000003.00000002.830668276.0000000006D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000003.00000002.830818875.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 00000003.00000002.830818875.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detects NanoCore Author: ditekSHen
    Source: 00000003.00000002.830818875.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 0000000B.00000002.624520249.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000B.00000002.624520249.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000003.00000002.830884662.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 00000003.00000002.830884662.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detects NanoCore Author: ditekSHen
    Source: 00000003.00000002.830884662.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000000.00000002.557049531.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 00000000.00000002.557049531.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000000.00000002.557049531.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 0000000C.00000002.623571308.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000C.00000002.623571308.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 0000000B.00000002.617492931.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 0000000B.00000002.617492931.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000B.00000002.617492931.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000003.00000002.830628451.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 00000003.00000002.830628451.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detects NanoCore Author: ditekSHen
    Source: 00000003.00000002.830628451.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000003.00000002.828461289.0000000005370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 00000003.00000002.828461289.0000000005370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detects NanoCore Author: ditekSHen
    Source: 00000003.00000002.828461289.0000000005370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000003.00000002.830754670.0000000006D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 00000003.00000002.830754670.0000000006D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detects NanoCore Author: ditekSHen
    Source: 00000003.00000002.830754670.0000000006D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000003.00000002.828091311.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 00000003.00000002.828091311.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detects NanoCore Author: ditekSHen
    Source: 00000003.00000002.828091311.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000003.00000002.831120142.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 00000003.00000002.831120142.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detects NanoCore Author: ditekSHen
    Source: 00000003.00000002.831120142.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000003.00000002.831774560.00000000071A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 00000003.00000002.831774560.00000000071A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detects NanoCore Author: ditekSHen
    Source: 00000003.00000002.831774560.00000000071A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: Process Memory Space: x4VGltSj0j.exe PID: 5476, type: MEMORYSTR, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: Process Memory Space: x4VGltSj0j.exe PID: 5476, type: MEMORYSTR, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: x4VGltSj0j.exe PID: 5476, type: MEMORYSTR, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: Process Memory Space: x4VGltSj0j.exe PID: 6704, type: MEMORYSTR, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: x4VGltSj0j.exe PID: 6704, type: MEMORYSTR, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: Process Memory Space: dhcpmon.exe PID: 6796, type: MEMORYSTR, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: Process Memory Space: dhcpmon.exe PID: 6796, type: MEMORYSTR, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: dhcpmon.exe PID: 6796, type: MEMORYSTR, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: Process Memory Space: x4VGltSj0j.exe PID: 6752, type: MEMORYSTR, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: x4VGltSj0j.exe PID: 6752, type: MEMORYSTR, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: x4VGltSj0j.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: 3.2.x4VGltSj0j.exe.6d10000.19.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6d10000.19.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6d10000.19.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.6d10000.19.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.71a0000.30.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.71a0000.30.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.71a0000.30.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.71a0000.30.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.6d20000.20.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6d20000.20.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6d20000.20.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.6d20000.20.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.5370000.14.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.5370000.14.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.5370000.14.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.5370000.14.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.5380000.15.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.5380000.15.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.5380000.15.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.5380000.15.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.7010000.26.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.7010000.26.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.7010000.26.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.7010000.26.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.53b0000.16.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.53b0000.16.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.53b0000.16.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.53b0000.16.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 0.2.x4VGltSj0j.exe.4044ce8.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0.2.x4VGltSj0j.exe.4044ce8.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0.2.x4VGltSj0j.exe.4044ce8.4.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0.2.x4VGltSj0j.exe.4044ce8.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0.2.x4VGltSj0j.exe.4044ce8.4.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.6d60000.24.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6d60000.24.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6d60000.24.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.6d60000.24.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.3c5ee4e.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.3c5ee4e.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.3c5ee4e.8.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.3c5ee4e.8.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.6ff0000.25.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6ff0000.25.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6ff0000.25.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.6ff0000.25.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.6d30000.21.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6d30000.21.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6d30000.21.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.6d30000.21.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.7170000.27.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.7170000.27.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.7170000.27.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.7170000.27.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.50b0000.13.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.50b0000.13.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.50b0000.13.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.50b0000.13.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.6d50000.23.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6d50000.23.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6d50000.23.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.6d50000.23.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.5380000.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.5380000.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.5380000.15.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.5380000.15.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.3c50a1e.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.3c50a1e.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.3c50a1e.11.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.3c50a1e.11.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 12.2.x4VGltSj0j.exe.2f29530.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.x4VGltSj0j.exe.2f29530.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.x4VGltSj0j.exe.2f29530.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 12.2.x4VGltSj0j.exe.2f29530.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 12.2.x4VGltSj0j.exe.3f1060c.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.x4VGltSj0j.exe.3f1060c.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.x4VGltSj0j.exe.3f1060c.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 12.2.x4VGltSj0j.exe.3f1060c.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.3c47bef.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.3c47bef.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.3c47bef.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.3c47bef.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 3.2.x4VGltSj0j.exe.3c47bef.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.3c50a1e.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.3c50a1e.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.3c50a1e.11.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.3c50a1e.11.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.53b0000.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.53b0000.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.53b0000.16.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.53b0000.16.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 0.2.x4VGltSj0j.exe.40120c8.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0.2.x4VGltSj0j.exe.40120c8.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0.2.x4VGltSj0j.exe.40120c8.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0.2.x4VGltSj0j.exe.40120c8.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0.2.x4VGltSj0j.exe.40120c8.8.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.39081d4.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.39081d4.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.39081d4.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.39081d4.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 12.2.x4VGltSj0j.exe.3f0b7d6.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.x4VGltSj0j.exe.3f0b7d6.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.x4VGltSj0j.exe.3f0b7d6.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 12.2.x4VGltSj0j.exe.3f0b7d6.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 12.2.x4VGltSj0j.exe.3f0b7d6.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.7174c9f.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.7174c9f.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.7174c9f.28.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.7174c9f.28.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.3a7cff1.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.3a7cff1.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.3a7cff1.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.3a7cff1.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.6d20000.20.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6d20000.20.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6d20000.20.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.6d20000.20.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.6d30000.21.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6d30000.21.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6d30000.21.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.6d30000.21.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 0.2.x4VGltSj0j.exe.40120c8.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0.2.x4VGltSj0j.exe.40120c8.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0.2.x4VGltSj0j.exe.40120c8.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0.2.x4VGltSj0j.exe.40120c8.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 11.2.dhcpmon.exe.32d9658.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 11.2.dhcpmon.exe.32d9658.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 11.2.dhcpmon.exe.32d9658.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 11.2.dhcpmon.exe.32d9658.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.6d60000.24.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6d60000.24.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6d60000.24.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.6d60000.24.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.38f9930.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detects the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.38f9930.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.38f9930.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.38f9930.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.6d50000.23.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detects the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6d50000.23.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6d50000.23.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.6d50000.23.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.3c5ee4e.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detects the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.3c5ee4e.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.3c5ee4e.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.3c5ee4e.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.71a0000.30.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detects the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.71a0000.30.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.71a0000.30.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.71a0000.30.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 12.2.x4VGltSj0j.exe.3f1060c.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detects the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.x4VGltSj0j.exe.3f1060c.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.x4VGltSj0j.exe.3f1060c.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 12.2.x4VGltSj0j.exe.3f1060c.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.717e8a4.29.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detects the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.717e8a4.29.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.717e8a4.29.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.717e8a4.29.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.3c47bef.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detects the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.3c47bef.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.3c47bef.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.3c47bef.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.2975498.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detects the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.2975498.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.2975498.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.2975498.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.3a89225.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detects the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.3a89225.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.3a89225.12.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.3a89225.12.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.7010000.26.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detects the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.7010000.26.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.7010000.26.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.7010000.26.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.3a9d852.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detects the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.3a9d852.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.3a9d852.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 3.2.x4VGltSj0j.exe.3a9d852.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.6ff0000.25.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detects the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6ff0000.25.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6ff0000.25.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.6ff0000.25.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.38f9930.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detects the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.38f9930.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.38f9930.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.38f9930.10.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.298e3f0.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detects the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.298e3f0.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.298e3f0.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.298e3f0.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.7170000.27.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detects the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.7170000.27.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.7170000.27.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.7170000.27.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.5370000.14.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detects the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.5370000.14.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.5370000.14.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.5370000.14.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detects the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.53b4629.17.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detects the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.53b4629.17.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.53b4629.17.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.53b4629.17.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.6d40000.22.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detects the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6d40000.22.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6d40000.22.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.6d40000.22.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.3a7cff1.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detects the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.3a7cff1.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.3a7cff1.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 3.2.x4VGltSj0j.exe.3a7cff1.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.38fe5cf.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detects the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.38fe5cf.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.38fe5cf.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.38fe5cf.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 12.2.x4VGltSj0j.exe.3f14c35.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detects the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.x4VGltSj0j.exe.3f14c35.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.x4VGltSj0j.exe.3f14c35.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 12.2.x4VGltSj0j.exe.3f14c35.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.298e3f0.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detects the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.298e3f0.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.298e3f0.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 3.2.x4VGltSj0j.exe.298e3f0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 0.2.x4VGltSj0j.exe.4044ce8.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detects the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0.2.x4VGltSj0j.exe.4044ce8.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0.2.x4VGltSj0j.exe.4044ce8.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0.2.x4VGltSj0j.exe.4044ce8.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.2942e5c.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.2942e5c.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 3.2.x4VGltSj0j.exe.2942e5c.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.2975498.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.2975498.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.2975498.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 3.2.x4VGltSj0j.exe.2975498.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.3a89225.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.3a89225.12.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.3a89225.12.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 3.2.x4VGltSj0j.exe.3a89225.12.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 0.2.x4VGltSj0j.exe.3fdb2a8.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0.2.x4VGltSj0j.exe.3fdb2a8.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0.2.x4VGltSj0j.exe.3fdb2a8.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0.2.x4VGltSj0j.exe.3fdb2a8.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 0000000C.00000002.624499056.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000C.00000002.624499056.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000003.00000002.831317891.0000000007010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.831317891.0000000007010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.831317891.0000000007010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000003.00000002.831317891.0000000007010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000003.00000002.830963425.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.830963425.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.830963425.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000003.00000002.830963425.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000003.00000002.821764606.00000000038F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000003.00000002.828540594.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.828540594.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.828540594.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000003.00000002.828540594.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000003.00000003.572812783.000000000619B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000003.00000002.831505187.0000000007170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.831505187.0000000007170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.831505187.0000000007170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000003.00000002.831505187.0000000007170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000003.00000002.828765767.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.828765767.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.828765767.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000003.00000002.828765767.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000003.00000002.830668276.0000000006D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.830668276.0000000006D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.830668276.0000000006D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000003.00000002.830668276.0000000006D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000003.00000002.830818875.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.830818875.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.830818875.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000003.00000002.830818875.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 0000000B.00000002.624520249.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000B.00000002.624520249.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000003.00000002.830884662.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.830884662.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.830884662.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000003.00000002.830884662.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000000.00000002.557049531.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000000.00000002.557049531.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000000.00000002.557049531.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 0000000C.00000002.623571308.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000C.00000002.623571308.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 0000000B.00000002.617492931.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0000000B.00000002.617492931.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000B.00000002.617492931.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000003.00000002.830628451.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.830628451.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.830628451.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000003.00000002.830628451.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000003.00000002.828461289.0000000005370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.828461289.0000000005370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.828461289.0000000005370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000003.00000002.828461289.0000000005370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000003.00000002.830754670.0000000006D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.830754670.0000000006D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.830754670.0000000006D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000003.00000002.830754670.0000000006D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000003.00000002.828091311.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.828091311.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.828091311.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000003.00000002.828091311.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000003.00000002.831120142.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.831120142.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.831120142.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000003.00000002.831120142.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000003.00000002.831774560.00000000071A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.831774560.00000000071A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.831774560.00000000071A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000003.00000002.831774560.00000000071A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: Process Memory Space: x4VGltSj0j.exe PID: 5476, type: MEMORYSTR | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: Process Memory Space: x4VGltSj0j.exe PID: 5476, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: x4VGltSj0j.exe PID: 5476, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: Process Memory Space: x4VGltSj0j.exe PID: 6704, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: x4VGltSj0j.exe PID: 6704, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: Process Memory Space: dhcpmon.exe PID: 6796, type: MEMORYSTR | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: Process Memory Space: dhcpmon.exe PID: 6796, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: dhcpmon.exe PID: 6796, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: Process Memory Space: x4VGltSj0j.exe PID: 6752, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: x4VGltSj0j.exe PID: 6752, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: x4VGltSj0j.exe, 00000000.00000002.557049531.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRegive.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000000.00000002.565716267.0000000007280000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameRegive.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000000.00000000.537587805.000000000063A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameoXQF.exe8 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000000.00000002.552960704.0000000000BA0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNAudio.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.00000000038F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.00000000038F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNAudio.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.00000000038F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.830963425.0000000006D60000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.828540594.0000000005380000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.831505187.0000000007170000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.831505187.0000000007170000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameNAudio.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000003.572812783.000000000619B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.831774560.00000000071AE000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.803744926.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.831317891.0000000007018000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.828765767.00000000053B0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.828765767.00000000053B0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.830668276.0000000006D20000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.830818875.0000000006D40000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNAudio.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.830884662.0000000006D50000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003971000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.831505187.0000000007198000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.830628451.0000000006D10000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.829167301.0000000006080000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.830754670.0000000006D30000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.828461289.0000000005370000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.828091311.00000000050B0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.831120142.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000008.00000002.595768511.0000000003F03000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRegive.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000008.00000002.588315692.0000000000D08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 0000000C.00000002.624499056.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 0000000C.00000002.624499056.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 0000000C.00000002.624499056.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 0000000C.00000002.622056821.000000000124A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 0000000C.00000002.623571308.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 0000000C.00000002.623571308.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe | Binary or memory string: OriginalFilenameoXQF.exe8 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: dhcpmon.exe.3.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: x4VGltSj0j.exe | ReversingLabs: Detection: 21%
    Source: x4VGltSj0j.exe | Virustotal: Detection: 28%
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | File read: C:\Users\user\Desktop\x4VGltSj0j.exe
    Source: x4VGltSj0j.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknown | Process created: C:\Users\user\Desktop\x4VGltSj0j.exe C:\Users\user\Desktop\x4VGltSj0j.exe
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Process created: C:\Users\user\Desktop\x4VGltSj0j.exe C:\Users\user\Desktop\x4VGltSj0j.exe
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp8CAB.tmp
    Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8E42.tmp
    Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknown | Process created: C:\Users\user\Desktop\x4VGltSj0j.exe C:\Users\user\Desktop\x4VGltSj0j.exe 0
    Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
    Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Process created: C:\Users\user\Desktop\x4VGltSj0j.exe C:\Users\user\Desktop\x4VGltSj0j.exe
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Process created: C:\Users\user\Desktop\x4VGltSj0j.exe C:\Users\user\Desktop\x4VGltSj0j.exe
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp8CAB.tmp
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8E42.tmp
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Process created: C:\Users\user\Desktop\x4VGltSj0j.exe C:\Users\user\Desktop\x4VGltSj0j.exe
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\x4VGltSj0j.exe.log
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | File created: C:\Users\user\AppData\Local\Temp\tmp8CAB.tmp
    Source: classification engine | Classification label: mal100.troj.evad.winEXE@18/10@3/1
    Source: x4VGltSj0j.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{540c4d56-ad4d-4ca4-9f9f-305dba1da640}
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6800:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6900:120:WilError_01
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
    Source: x4VGltSj0j.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: x4VGltSj0j.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: x4VGltSj0j.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: mscorlib.pdb source: x4VGltSj0j.exe, 00000003.00000002.803744926.0000000000C15000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oXQF.pdbSHA256; source: x4VGltSj0j.exe, dhcpmon.exe.3.dr
    Source: Binary string: oXQF.pdb source: x4VGltSj0j.exe, dhcpmon.exe.3.dr
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.830668276.0000000006D20000.00000004.08000000.00040000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.830963425.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.830818875.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.830628451.0000000006D10000.00000004.08000000.00040000.00000000.sdmp
    Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.830884662.0000000006D50000.00000004.08000000.00040000.00000000.sdmp
    Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.830754670.0000000006D30000.00000004.08000000.00040000.00000000.sdmp

    Data Obfuscation

    Source: x4VGltSj0j.exe, frmDangNhap.cs | .Net Code: InitializeComponent System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
    Source: 0.0.x4VGltSj0j.exe.570000.0.unpack, frmDangNhap.cs | .Net Code: InitializeComponent System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
    Source: dhcpmon.exe.3.dr, frmDangNhap.cs | .Net Code: InitializeComponent System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Code function: 3_2_0654D216 push es; retf 3_2_0654D218
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Code function: 3_2_0654D21E push es; retf 3_2_0654D220
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Code function: 3_2_0654D21A push es; retf 3_2_0654D21C
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Code function: 3_2_0654D20E push es; retf 3_2_0654D214
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Code function: 3_2_0654D236 push es; retf 3_2_0654D238
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Code function: 3_2_0654D232 push es; retf 3_2_0654D234
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Code function: 3_2_0654D23A push es; retf 3_2_0654D23C
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Code function: 3_2_0654D226 push es; retf 3_2_0654D228
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Code function: 3_2_0654D222 push es; retf 3_2_0654D224
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Code function: 3_2_0654D22E push es; retf 3_2_0654D230
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Code function: 3_2_0654D22A push es; retf 3_2_0654D22C
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Code function: 3_2_0654D282 push es; retf 3_2_0654D284
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Code function: 3_2_0654D06E push es; retf 3_2_0654D070
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Code function: 3_2_0654D022 push es; retf 3_2_0654D024
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Code function: 3_2_0654D0BA push es; retf 3_2_0654D0BC
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Code function: 3_2_0654D152 push es; retf 3_2_0654D154
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Code function: 3_2_0654D106 push es; retf 3_2_0654D108
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Code function: 3_2_0654D1EA push es; retf 3_2_0654D1EC
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Code function: 3_2_0654D19E push es; retf 3_2_0654D1A0
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Code function: 3_2_0654CFD6 push es; retf 3_2_0654CFD8
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Code function: 3_2_0654CF8A push es; retf 3_2_0654CF8C
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Code function: 3_2_0654C85A push 8B000005h; retf 3_2_0654C85F
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Code function: 8_2_06C407A8 push cs; ret 8_2_06C407AE
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Code function: 8_2_06C4C5C0 push ebx; ret 8_2_06C4C5CE
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Code function: 8_2_06C4C591 push edx; ret 8_2_06C4C59E
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Code function: 8_2_06C4D2F0 pushad ; ret 8_2_06C4D2FE
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Code function: 8_2_06C4D27A pushad ; ret 8_2_06C4D2FE
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Code function: 8_2_06C440A0 pushfd ; ret 8_2_06C440AE
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Code function: 8_2_06C44079 pushfd ; ret 8_2_06C44086
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Code function: 8_2_06C40AB8 push cs; ret 8_2_06C40AC6
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Code function: 8_2_06C40A70 push cs; ret 8_2_06C40A7E
    Source: x4VGltSj0j.exe | Static PE information: compile timestamp 0xBD56133A [Fri Aug 29 10:47:22 2070 UTC]
    Source: initial sample | Static PE information: section name: .text entropy: 7.620478844643008
    Source: initial sample | Static PE information: section name: .text entropy: 7.620478844643008
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
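    Two of the static facts above are worth checking by hand on any sample: the compile timestamp 0xBD56133A decodes to a date in 2070 (so it was forged or randomised), and a .text entropy of 7.62 bits/byte is far above what plain x86 code produces, consistent with the in-memory AppDomain::Load(byte[]) unpacking listed at the top of this section. The script below is an added example, not part of the Joe Sandbox report: it walks the PE headers without third-party libraries, decodes the timestamp and scores each section's entropy. build_stub_pe() fabricates a minimal PE so the check runs offline; that stub is a constructed stand-in, not the analysed binary, and the 7.0 bits/byte threshold is a rule of thumb, not a value from the report.

```python
"""Static PE triage: forged timestamp and packed-section entropy.

Added example, not part of the Joe Sandbox report. The stub PE built by
build_stub_pe() is constructed for offline testing and is not the sample.
"""
import math
import struct
from collections import Counter
from datetime import datetime, timezone

REPORT_TIMESTAMP = 0xBD56133A   # value from the "Static PE information" line above
ENTROPY_THRESHOLD = 7.0         # bits/byte; an assumed rule of thumb, plain code sits lower


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(blob: bytes) -> dict:
    """Walk the DOS, COFF and section headers; return the timestamp and raw section bytes."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    _machine, nsections, timestamp, _sym, _nsym, opt_size, _chars = \
        struct.unpack_from("<HHIIIHH", blob, coff)
    table = coff + 20 + opt_size    # section table follows the optional header
    sections = {}
    for i in range(nsections):
        name, _vsize, _va, raw_size, raw_ptr = \
            struct.unpack_from("<8sIIII", blob, table + 40 * i)
        sections[name.rstrip(b"\0").decode("ascii")] = blob[raw_ptr:raw_ptr + raw_size]
    return {"timestamp": timestamp, "sections": sections}


def triage(blob: bytes, now_epoch: int) -> dict:
    """Flag a build time later than now_epoch and any section above the entropy threshold."""
    pe = parse_pe(blob)
    built = datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc)
    entropy = {name: shannon_entropy(data) for name, data in pe["sections"].items()}
    return {
        "build_time": built.strftime("%Y-%m-%d %H:%M:%S UTC"),
        "timestamp_in_future": pe["timestamp"] > now_epoch,
        "section_entropy": entropy,
        "high_entropy_sections": [n for n, e in entropy.items() if e > ENTROPY_THRESHOLD],
    }


def build_stub_pe(timestamp: int, text: bytes) -> bytes:
    """Constructed minimal PE: DOS stub, COFF header with no optional header, one .text section."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    raw_ptr = e_lfanew + 4 + 20 + 40    # section data starts right after the section table
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x0102)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text),
                       raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + sect + text


if __name__ == "__main__":
    # A uniform byte distribution stands in for the packed .text of the sample.
    packed = build_stub_pe(REPORT_TIMESTAMP, bytes(range(256)) * 16)
    now = int(datetime(2023, 6, 1, tzinfo=timezone.utc).timestamp())
    print(triage(packed, now_epoch=now))
```

On the real file the same triage() call, fed the bytes of x4VGltSj0j.exe, decodes the report's timestamp to 2070-08-29 10:47:22 UTC; a build date after the analysis date is a stronger packer indicator than the entropy figure alone, because the compiler never writes one.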

    Boot Survival

    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp8CAB.tmp
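    The persistence step above is the pattern the "Scheduled temp file as task from temp location" Sigma hit in this report keys on: schtasks.exe run with /create and an /xml definition read from the user's Temp directory, here registering the tasks "DHCP Monitor" and "DHCP Monitor Task". The next section adds the matching evasion step, the sample opening its own Zone.Identifier stream with delete access to drop the Mark-of-the-Web. The script below is an added example, not part of the Joe Sandbox report: it encodes both checks as functions and runs them over event records constructed from this report's own behaviour lines (plus one benign schtasks call that must not fire). The event field names mimic process-creation and file-open telemetry and are an assumption; adapt them to whatever your EDR or Sysmon pipeline emits.

```python
"""Detection logic for task-from-temp persistence and Zone.Identifier removal.

Added example, not part of the Joe Sandbox report. SAMPLE_EVENTS is constructed
from the report's behaviour lines; the dict keys are assumed field names.
"""
import re
from typing import Dict, Iterable, List, Optional

TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\programdata\\")
# Matches /xml "<path>" or /xml <path>; the logged line has no closing quote, so the
# quoted branch runs to end of string, which is what we want.
XML_ARG = re.compile(r'/xml\s+(?:"(?P<quoted>[^"]*)|(?P<bare>\S+))', re.IGNORECASE)


def task_from_temp(image: str, cmdline: str) -> Optional[str]:
    """Return the XML path when schtasks.exe /create imports a task from a temp directory."""
    if not image.lower().endswith("\\schtasks.exe"):
        return None
    if "/create" not in cmdline.lower():
        return None
    m = XML_ARG.search(cmdline)
    if not m:
        return None
    path = m.group("quoted") or m.group("bare")
    return path if any(d in path.lower() for d in TEMP_DIRS) else None


def motw_removed(path: str, access: str) -> bool:
    """True when a file open targets the Zone.Identifier stream with DELETE access."""
    return path.lower().endswith(":zone.identifier") and "delete" in access.lower()


def scan(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run both rules over event records and return the hits with their parent process."""
    hits = []
    for ev in events:
        if ev["type"] == "process":
            xml = task_from_temp(ev["image"], ev["cmdline"])
            if xml:
                hits.append({"rule": "task_from_temp", "parent": ev["parent"], "xml": xml})
        elif ev["type"] == "file_open" and motw_removed(ev["path"], ev["access"]):
            hits.append({"rule": "motw_removed", "parent": ev["parent"], "path": ev["path"]})
    return hits


# Constructed from the report: the two schtasks launches and the Zone.Identifier open,
# plus one benign schtasks invocation (no /xml from Temp) that must not fire.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Users\user\Desktop\x4VGltSj0j.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp8CAB.tmp'},
    {"type": "process", "parent": r"C:\Users\user\Desktop\x4VGltSj0j.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8E42.tmp'},
    {"type": "file_open", "parent": r"C:\Users\user\Desktop\x4VGltSj0j.exe",
     "path": r"C:\Users\user\Desktop\x4VGltSj0j.exe:Zone.Identifier",
     "access": "read attributes | delete"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Nightly Backup" /tr "C:\Tools\backup.exe" /sc daily'},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

When hunting on a live host, the durable indicators from this report are the task names, the XML-from-Temp launch pattern and the dropped C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; the long run of NOOPENFILEERRORBOX error-mode changes listed in the next section is a much weaker signal on its own and is better used as corroboration than as a trigger.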

    Hooking and other Techniques for Hiding and Protection

    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | File opened: C:\Users\user\Desktop\x4VGltSj0j.exe:Zone.Identifier read attributes | delete
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Process information set: NOOPENFILEERRORBOX (this entry is repeated 103 times in the report)
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX (this entry is repeated 86 times in the report)
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe TID: 5468Thread sleep time: -41202s >= -30000s
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe TID: 5448Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe TID: 2444Thread sleep time: -8301034833169293s >= -30000s
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe TID: 7036Thread sleep time: -41202s >= -30000s
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe TID: 5184Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7068Thread sleep time: -41202s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 3048Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4108Thread sleep time: -41202s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 944Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6904Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe TID: 1032Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5684Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeThread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeWindow / User API: threadDelayed 9576
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeWindow / User API: foregroundWindowGot 762
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeWindow / User API: foregroundWindowGot 647
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information queried: ProcessInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeThread delayed: delay time: 41202
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeThread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 41202
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
    Source: x4VGltSj0j.exe, 00000003.00000003.617919152.0000000000C6C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess token adjusted: Debug
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 3_2_06543C40 LdrInitializeThunk,3_2_06543C40
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeMemory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Users\user\Desktop\x4VGltSj0j.exeMemory written: C:\Users\user\Desktop\x4VGltSj0j.exe base: 400000 value starts with: 4D5A
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeMemory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess created: C:\Users\user\Desktop\x4VGltSj0j.exe C:\Users\user\Desktop\x4VGltSj0j.exe
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp8CAB.tmp
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8E42.tmp
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.806981583.0000000002DE3000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.806981583.0000000002CF1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerD$
    Source: x4VGltSj0j.exe, 00000003.00000002.832353745.000000000841E000.00000004.00000010.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.831095958.0000000006FEE000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: Program Managerram Manager
    Source: x4VGltSj0j.exe, 00000003.00000002.832261158.00000000080DD000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: Program Manager 4L0s
    Source: x4VGltSj0j.exe, 00000003.00000002.830604776.0000000006D0E000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: Program Managerram Manager`
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.0000000002AAF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerHa
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Users\user\Desktop\x4VGltSj0j.exe VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Users\user\Desktop\x4VGltSj0j.exe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Users\user\Desktop\x4VGltSj0j.exe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformationJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformationJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformationJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Queries volume information: C:\Users\user\Desktop\x4VGltSj0j.exe VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Stealing of Sensitive Information

    Source: Yara match | File source: 3.2.x4VGltSj0j.exe.53b0000.16.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.x4VGltSj0j.exe.4044ce8.4.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.x4VGltSj0j.exe.3f1060c.3.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 3.2.x4VGltSj0j.exe.53b0000.16.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.x4VGltSj0j.exe.40120c8.8.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.x4VGltSj0j.exe.3f0b7d6.2.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.x4VGltSj0j.exe.40120c8.8.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.x4VGltSj0j.exe.3f1060c.3.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 3.2.x4VGltSj0j.exe.53b4629.17.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.x4VGltSj0j.exe.3f14c35.1.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.x4VGltSj0j.exe.4044ce8.4.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.x4VGltSj0j.exe.3fdb2a8.7.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0000000C.00000002.624499056.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000003.00000002.828765767.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000B.00000002.624520249.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.557049531.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000C.00000002.623571308.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: x4VGltSj0j.exe PID: 5476, type: MEMORYSTR
    Source: Yara match | File source: Process Memory Space: x4VGltSj0j.exe PID: 6704, type: MEMORYSTR
    Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6796, type: MEMORYSTR
    Source: Yara match | File source: Process Memory Space: x4VGltSj0j.exe PID: 6752, type: MEMORYSTR
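
    The Yara matches above on the unpacked PE dumps (.unpack) and memory dumps (.sdmp), and the "String found in binary or memory" hits for NanoCore.ClientPluginHost in the Remote Access Functionality block below, both come down to locating known marker strings in dumped process memory. The Python below is an added triage example by the editor, not Joe Sandbox code and not a reproduction of its Yara rules. It searches a dump for the marker strings that appear in this report, in both ASCII (how .NET metadata names sit in the #Strings heap) and UTF-16LE (how .NET user strings and runtime strings are stored), and reports which plugins the markers indicate. The capability labels are the editor's reading of the method names visible in the metadata dumps on this page (HandleCommandCDTray, SwapMouseButton, DisableWebcamLights, HTTPFlood and so on); the sample bytes it scans are constructed, not taken from the sample.

```python
"""Scan Joe Sandbox .sdmp / .unpack dumps for the NanoCore plugin markers in this report.

Added example (editor's code, not Joe Sandbox's). It imitates the check behind a
"String found in binary or memory" signature: each marker is searched as ASCII
and as UTF-16LE, because .NET metadata names are ASCII while user strings are
UTF-16LE, and a dump may carry either or both.
"""
from __future__ import annotations

import os
from dataclasses import dataclass

# Marker strings copied from the report. The capability notes are the editor's
# reading of the method names in the metadata dumps, not Joe Sandbox output.
PLUGIN_MARKERS: dict[str, str] = {
    "NanoCore.ClientPluginHost": "plugin host interface; present in the client and every plugin",
    "ClientPlugin.dll": "plugin host assembly (IClientNetworkHost, IClientUIHost, ...)",
    "NanoCoreBase.dll": "base plugin: OpenWebsite, MessageBox, MouseSwap, CDTray",
    "FileBrowserClient": "file browser plugin: drives, files, upload, download, delete, rename",
    "MyClientPlugin.dll": "misc plugin: DisableWebcamLights via an HKLM registry write",
    "NanoCoreStressTester": "DDoS plugin: HTTPFlood, SlowLoris, SYNFlood, TCP/UDP flood",
}

ENCODINGS = ("ascii", "utf-16-le")


@dataclass(frozen=True)
class Hit:
    marker: str
    encoding: str
    offset: int
    capability: str


def scan_bytes(data: bytes) -> list[Hit]:
    """Return every occurrence of every marker, in both encodings, sorted by offset."""
    hits: list[Hit] = []
    for marker, capability in PLUGIN_MARKERS.items():
        for encoding in ENCODINGS:
            needle = marker.encode(encoding)
            start = 0
            while (idx := data.find(needle, start)) != -1:
                hits.append(Hit(marker, encoding, idx, capability))
                start = idx + 1  # keep going: the same marker usually appears several times
    return sorted(hits, key=lambda h: (h.offset, h.marker))


def summarize(hits: list[Hit]) -> dict[str, set[str]]:
    """Map each marker seen to the set of encodings it was seen in."""
    summary: dict[str, set[str]] = {}
    for h in hits:
        summary.setdefault(h.marker, set()).add(h.encoding)
    return summary


def verdict(hits: list[Hit]) -> str:
    """Only the host interface name is treated as the NanoCore indicator; the other
    markers enumerate which plugins were loaded. A marker string alone is triage
    signal, not proof: confirm with configuration extraction as the report does."""
    markers = {h.marker for h in hits}
    if "NanoCore.ClientPluginHost" not in markers:
        return "no NanoCore plugin host marker"
    plugins = sorted(m for m in markers if m != "NanoCore.ClientPluginHost")
    return "NanoCore plugin host marker present; plugins: " + (", ".join(plugins) or "none identified")


def scan_directory(root: str, suffixes: tuple[str, ...] = (".sdmp", ".unpack")) -> dict[str, list[Hit]]:
    """Scan every dump under root (for example an exported Joe Sandbox memdumps folder)."""
    results: dict[str, list[Hit]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(suffixes):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    hits = scan_bytes(fh.read())
                if hits:
                    results[path] = hits
    return results


# Constructed stand-in for a dump: a fake MZ header, an ASCII #Strings fragment
# modelled on the NanoCoreBase metadata in the report, and two UTF-16LE user
# strings. Synthetic test data, not bytes from the analysed sample.
CONSTRUCTED_DUMP = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"#Strings\x00<Module>mscorlibMicrosoft.VisualBasicNanoCoreBase.dll\x00"
    + b"NanoCore.ClientPluginHostIClientLoggingHostLoggingHost\x00"
    + "set CDAudio door open".encode("utf-16-le")
    + "NanoCore.ClientPluginHost".encode("utf-16-le")
    + b"\x00" * 16
)

if __name__ == "__main__":
    found = scan_bytes(CONSTRUCTED_DUMP)
    for h in found:
        print(f"0x{h.offset:08x} {h.encoding:9} {h.marker}  # {h.capability}")
    print(verdict(found))
```

    Point scan_directory at a folder of exported dumps to get a per-file hit list; for the dumps named in the report the expected outcome is the host marker plus one or more of the plugin assembly names.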

    Remote Access Functionality

    Source: x4VGltSj0j.exe, 00000000.00000002.557049531.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
    Source: x4VGltSj0j.exe, 00000003.00000002.831317891.0000000007010000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.00000000038F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 00000003.00000002.830963425.0000000006D60000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 00000003.00000002.830963425.0000000006D60000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
    Source: x4VGltSj0j.exe, 00000003.00000002.828540594.0000000005380000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 00000003.00000002.831505187.0000000007170000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 00000003.00000003.572812783.000000000619B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 00000003.00000002.828765767.00000000053B0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
    Source: x4VGltSj0j.exe, 00000003.00000002.830668276.0000000006D20000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 00000003.00000002.830818875.0000000006D40000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 00000003.00000002.830818875.0000000006D40000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVe
rsionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
    Source: x4VGltSj0j.exe, 00000003.00000002.830884662.0000000006D50000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 00000003.00000002.830628451.0000000006D10000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 00000003.00000002.830628451.0000000006D10000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
    Source: x4VGltSj0j.exe, 00000003.00000002.830754670.0000000006D30000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 00000003.00000002.830754670.0000000006D30000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
    Source: x4VGltSj0j.exe, 00000003.00000002.828461289.0000000005370000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 00000003.00000002.828091311.00000000050B0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 00000003.00000002.828091311.00000000050B0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: x4VGltSj0j.exe, 00000003.00000002.831774560.00000000071A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 00000003.00000002.831120142.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
    Source: dhcpmon.exe, 0000000B.00000002.624520249.0000000003271000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
    Source: dhcpmon.exe, 0000000B.00000002.624520249.0000000003271000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: dhcpmon.exe, 0000000B.00000002.617492931.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 0000000C.00000002.624499056.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 0000000C.00000002.624499056.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: x4VGltSj0j.exe, 0000000C.00000002.623571308.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 0000000C.00000002.623571308.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: Yara match, File source: 3.2.x4VGltSj0j.exe.53b0000.16.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 0.2.x4VGltSj0j.exe.4044ce8.4.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 12.2.x4VGltSj0j.exe.3f1060c.3.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 3.2.x4VGltSj0j.exe.53b0000.16.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 0.2.x4VGltSj0j.exe.40120c8.8.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 12.2.x4VGltSj0j.exe.3f0b7d6.2.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 0.2.x4VGltSj0j.exe.40120c8.8.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 12.2.x4VGltSj0j.exe.3f1060c.3.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 3.2.x4VGltSj0j.exe.53b4629.17.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 12.2.x4VGltSj0j.exe.3f14c35.1.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 0.2.x4VGltSj0j.exe.4044ce8.4.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 0.2.x4VGltSj0j.exe.3fdb2a8.7.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 0000000C.00000002.624499056.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: 00000003.00000002.828765767.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: 0000000B.00000002.624520249.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: 00000000.00000002.557049531.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: 0000000C.00000002.623571308.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: Process Memory Space: x4VGltSj0j.exe PID: 5476, type: MEMORYSTR
    Source: Yara match, File source: Process Memory Space: x4VGltSj0j.exe PID: 6704, type: MEMORYSTR
    Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 6796, type: MEMORYSTR
    Source: Yara match, File source: Process Memory Space: x4VGltSj0j.exe PID: 6752, type: MEMORYSTR
    MITRE ATT&CK matrix, listed per tactic (a number in parentheses is the signature-count badge the report shows next to that technique):

    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
    Execution: Scheduled Task/Job (1); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
    Persistence: Scheduled Task/Job (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
    Privilege Escalation: Process Injection (112); Scheduled Task/Job (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
    Defense Evasion: Masquerading (2); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (21); Process Injection (112); Hidden Files and Directories (1); Obfuscated Files or Information (3); Software Packing (12); Timestomp (1)
    Credential Access: Input Capture (21); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
    Discovery: Security Software Discovery (11); Process Discovery (2); Virtualization/Sandbox Evasion (21); Application Window Discovery (1); System Information Discovery (12); System Owner/User Discovery; Network Sniffing; Network Service Scanning
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
    Collection: Input Capture (21); Archive Collected Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
    Command and Control: Encrypted Channel (1); Non-Standard Port (1); Remote Access Software (1); Non-Application Layer Protocol (1); Application Layer Protocol (21); Multiband Communication; Commonly Used Port; Application Layer Protocol
    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
    Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
    Behavior Graph ID: 878160  Sample: x4VGltSj0j.exe  Startdate: 30/05/2023  Architecture: WINDOWS  Score: 100

    Start (node 2)
      Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 13 other signatures
      Started: x4VGltSj0j.exe (node 8); x4VGltSj0j.exe (node 12); dhcpmon.exe (node 14); dhcpmon.exe (node 16)

    x4VGltSj0j.exe (node 8)
      Dropped: C:\Users\user\AppData\...\x4VGltSj0j.exe.log (ASCII)
      Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Injects a PE file into a foreign processes
      Started: x4VGltSj0j.exe (node 18)

    x4VGltSj0j.exe (node 12) started x4VGltSj0j.exe (node 23)
    dhcpmon.exe (node 14) started dhcpmon.exe (node 25)
    dhcpmon.exe (node 16) started dhcpmon.exe (node 27)

    x4VGltSj0j.exe (node 18)
      DNS/IP: jasonbourneblack.ddns.net 141.98.6.167, ports 4032, 49694, CMCSUS Germany
      Dropped: C:\Program Files (x86)\...\dhcpmon.exe (PE32); C:\Users\user\AppData\Roaming\...\run.dat (data); C:\Users\user\AppData\Local\...\tmp8CAB.tmp (XML); C:\...\dhcpmon.exe:Zone.Identifier (ASCII)
      Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
      Started: schtasks.exe (node 29); schtasks.exe (node 31)

    schtasks.exe (node 29) started conhost.exe (node 33)
    schtasks.exe (node 31) started conhost.exe (node 35)

    SourceDetectionScannerLabelLink
    x4VGltSj0j.exe22%ReversingLabsWin32.Trojan.Pwsx
    x4VGltSj0j.exe28%VirustotalBrowse
    x4VGltSj0j.exe100%Joe Sandbox ML
    SourceDetectionScannerLabelLink
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe100%Joe Sandbox ML
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe22%ReversingLabsWin32.Trojan.Pwsx
    No Antivirus matches
    SourceDetectionScannerLabelLink
    jasonbourneblack.ddns.net10%VirustotalBrowse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
jasonbourneblack.ddns.net | 141.98.6.167 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
127.0.0.1 | true | Avira URL Cloud: safe | unknown
jasonbourneblack.ddns.net | true | Avira URL Cloud: malware | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
141.98.6.167 | jasonbourneblack.ddns.net | Germany | | 33657 | CMCSUS | true
Joe Sandbox Version: 37.1.0 Beryl
Analysis ID: 878160
Start date and time: 2023-05-30 13:06:59 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 14s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: x4VGltSj0j.exe
Original Sample Name: 20ef67d923f487ff82fb19be1270571c.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@18/10@3/1
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 94
• Number of non-executed functions: 11
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): audiodg.exe, WMIADAP.exe
• Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
Time | Type | Description
13:07:58 | API Interceptor | 922x Sleep call for process: x4VGltSj0j.exe modified
13:08:04 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\x4VGltSj0j.exe" s>$(Arg0)
13:08:04 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
13:08:04 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
13:08:13 | API Interceptor | 2x Sleep call for process: dhcpmon.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
141.98.6.167 | M8Hh0nRCxM.exe | Get hash | malicious | Nanocore | Browse |
141.98.6.167 | pQ8I1Q95pk.exe | Get hash | malicious | Nanocore | Browse |
141.98.6.167 | 1UScideLXZ.exe | Get hash | malicious | Nanocore | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
jasonbourneblack.ddns.net | M8Hh0nRCxM.exe | Get hash | malicious | Nanocore | Browse | 141.98.6.167
jasonbourneblack.ddns.net | pQ8I1Q95pk.exe | Get hash | malicious | Nanocore | Browse | 141.98.6.167
jasonbourneblack.ddns.net | 1UScideLXZ.exe | Get hash | malicious | Nanocore | Browse | 141.98.6.167
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
CMCSUS | Quotation_Request.js | Get hash | malicious | WSHRAT | Browse | 141.98.6.215
CMCSUS | DO-COAU8034456940.xls | Get hash | malicious | GuLoader | Browse | 141.98.6.22
CMCSUS | 1EwIywYAJw.exe | Get hash | malicious | Nymaim | Browse | 45.12.253.56
CMCSUS | gpiQaD7JJyHJILw.exe | Get hash | malicious | AsyncRAT | Browse | 95.214.27.44
CMCSUS | HQVL2NYefa.rtf | Get hash | malicious | GuLoader | Browse | 45.66.230.128
CMCSUS | ssHeDpcTJD.exe | Get hash | malicious | GuLoader | Browse | 141.98.6.22
CMCSUS | KJn65MWQpD.exe | Get hash | malicious | Nymaim | Browse | 45.12.253.56
CMCSUS | PURCHASE_ORDER.docx.doc | Get hash | malicious | GuLoader | Browse | 45.66.230.128
CMCSUS | 3MxtwbOQ1s.rtf | Get hash | malicious | Lokibot | Browse | 171.22.30.164
CMCSUS | file.exe | Get hash | malicious | Nymaim | Browse | 45.12.253.56
CMCSUS | LEo7jDCX96.elf | Get hash | malicious | Mirai | Browse | 140.89.48.85
CMCSUS | MVCMWbA16l.elf | Get hash | malicious | Mirai | Browse | 45.66.230.105
CMCSUS | S4Z2548LfU.elf | Get hash | malicious | Unknown | Browse | 45.66.230.105
CMCSUS | dG84aTb5it.elf | Get hash | malicious | Unknown | Browse | 45.66.230.105
CMCSUS | file.exe | Get hash | malicious | MinerDownloader, Nymaim, RedLine, Vidar, Xmrig | Browse | 45.12.253.56
CMCSUS | INVOICE1008.exe | Get hash | malicious | AgentTesla | Browse | 45.12.253.147
CMCSUS | file.exe | Get hash | malicious | Nymaim | Browse | 45.12.253.56
CMCSUS | file.exe | Get hash | malicious | Nymaim | Browse | 45.12.253.56
CMCSUS | Vs0MHTEkfN.exe | Get hash | malicious | Amadey, LummaC Stealer, RedLine | Browse | 95.214.27.98
CMCSUS | NYO4gnYYQq.exe | Get hash | malicious | Nymaim | Browse | 45.12.253.56
No context
No context
Process: C:\Users\user\Desktop\x4VGltSj0j.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 816128
Entropy (8bit): 7.614289847336906
Encrypted: false
SSDEEP: 12288:gX2B0xTGlxNqvNu2hZ+nUEsn9mpwZFYpU2bgnBNMjUw+CR3BJQwV54OEcZPHu/8C:gXLaVUH9994pUbBaQwXR3PJ5CcZOE83
MD5: 20EF67D923F487FF82FB19BE1270571C
SHA1: 6E87A3A9A4DBE64F9626F2230CD2FEA63452EE68
SHA-256: 77DD08FAC6833C6EF555E84C2EF5599ED10B7E6DAD2DA324E4AD643E843709D0
SHA-512: C4D628BC4E662E374EC30C141B2FCFD1D5580DFABAB5FCD0343C7482DF8FD4BEEAD39A0D96F2C362534408D39405BC7C5B0A4E2643BE34CA7D0A25352E88258B
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 22%
Process: C:\Users\user\Desktop\x4VGltSj0j.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Preview: [ZoneTransfer]....ZoneId=0
Process: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: false
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                    Process:C:\Users\user\Desktop\x4VGltSj0j.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):1216
                                    Entropy (8bit):5.355304211458859
                                    Encrypted:false
                                    SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                    MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                    SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                    SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                    SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                    Malicious:true
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                    Process:C:\Users\user\Desktop\x4VGltSj0j.exe
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):1300
                                    Entropy (8bit):5.112189246737583
                                    Encrypted:false
                                    SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Yiqlxtn:cbk4oL600QydbQxIYODOLedq3Rj
                                    MD5:C61B35863B7CAE63C3BF834C1D47218B
                                    SHA1:ABFDC256D43FDBBF643453B28606B8EAF69BE764
                                    SHA-256:A0ABA28B7A1128556AC9777F6CA198CCFE7C5F56E36BAA2E48ADB028E1306004
                                    SHA-512:773D5AF6C8BECC81E51F929CD1D9EE10277AC6ACCB181F5F770D7C9CC415B4B00BA21950D0A571F0DC86CDE46D8E306F0EC69E95223CD9576FBC1B8E5059C432
                                    Malicious:true
                                    Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                    Process:C:\Users\user\Desktop\x4VGltSj0j.exe
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):1310
                                    Entropy (8bit):5.109425792877704
                                    Encrypted:false
                                    SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                    MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                    SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                    SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                    SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                    Process:C:\Users\user\Desktop\x4VGltSj0j.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):232
                                    Entropy (8bit):7.024371743172393
                                    Encrypted:false
                                    SSDEEP:6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
                                    MD5:32D0AAE13696FF7F8AF33B2D22451028
                                    SHA1:EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
                                    SHA-256:5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
                                    SHA-512:1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
                                    Malicious:false
                                    Preview:Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.
                                    Process:C:\Users\user\Desktop\x4VGltSj0j.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):8
                                    Entropy (8bit):3.0
                                    Encrypted:false
                                    SSDEEP:3:pFS:pFS
                                    MD5:36948EE65FD386868BE70F538AEBC99B
                                    SHA1:1C6953A65B21F617EEDA3D4B3317677E0C9D3D46
                                    SHA-256:52460DA195769319AD0040E6797184DEF0F19BB5CDB11F33A80074E8679ED650
                                    SHA-512:DEAE3F751D14F616C80C95843D928693391725A6877FFC66D8C830EC767CD111C41EAB50461AC6D5982D4AE720B57D12033028B37439FF20001611FD19ABB1D9
                                    Malicious:true
                                    Preview:...".`.H
                                    Process:C:\Users\user\Desktop\x4VGltSj0j.exe
                                    File Type:data
                                    Category:modified
                                    Size (bytes):327432
                                    Entropy (8bit):7.99938831605763
                                    Encrypted:true
                                    SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
                                    MD5:7E8F4A764B981D5B82D1CC49D341E9C6
                                    SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
                                    SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
                                    SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
                                    Malicious:false
                                    Preview:pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7
                                    Process:C:\Users\user\Desktop\x4VGltSj0j.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):37
                                    Entropy (8bit):4.17257423112624
                                    Encrypted:false
                                    SSDEEP:3:oNt+WfWdRziJRyJn:oNwv/iJQJn
                                    MD5:532BBBFDD3C8A8902604F29875D82A81
                                    SHA1:F68BEF17A8BD41B7CA3F209D8B5EC68E549A456F
                                    SHA-256:9E2E102670F2FA1556AC0711F9C5CC4436C86E2765BE5E0205D04F6E171B8D1F
                                    SHA-512:FF8CFD7F42A5B1966ADDAC7AF89EC5AE683BD14020B698D895679D907FAB717B7CFAAF5AD09E73446BFE1CA0161152C88C66D974275E039A4C7C141C8669C5ED
                                    Malicious:false
                                    Preview:C:\Users\user\Desktop\x4VGltSj0j.exe
                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Entropy (8bit):7.614289847336906
                                    TrID:
                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                    • DOS Executable Generic (2002/1) 0.01%
                                    File name:x4VGltSj0j.exe
                                    File size:816128
                                    MD5:20ef67d923f487ff82fb19be1270571c
                                    SHA1:6e87a3a9a4dbe64f9626f2230cd2fea63452ee68
                                    SHA256:77dd08fac6833c6ef555e84c2ef5599ed10b7e6dad2da324e4ad643e843709d0
                                    SHA512:c4d628bc4e662e374ec30c141b2fcfd1d5580dfabab5fcd0343c7482df8fd4beead39a0d96f2c362534408d39405bc7c5b0a4e2643be34ca7d0a25352e88258b
                                    SSDEEP:12288:gX2B0xTGlxNqvNu2hZ+nUEsn9mpwZFYpU2bgnBNMjUw+CR3BJQwV54OEcZPHu/8C:gXLaVUH9994pUbBaQwXR3PJ5CcZOE83
                                    TLSH:8005F141B5BB4B1BC1BA53F48500A2712BBE269DB8B2E31F4EDBF4D76551F014A81B23
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...:.V...............0..j............... ........@.. ....................................@................................
                                    Icon Hash:90cececece8e8eb0
                                    Entrypoint:0x4c888e
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                    Time Stamp:0xBD56133A [Fri Aug 29 10:47:22 2070 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                    Instruction
                                    jmp dword ptr [00402000h]
                                     Name | Virtual Address | Virtual Size | Is in Section
                                     IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc883c | 0x4f | .text
                                     IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xca000 | 0x5a4 | .rsrc
                                     IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xcc000 | 0xc | .reloc
                                     IMAGE_DIRECTORY_ENTRY_DEBUG | 0xc621c | 0x70 | .text
                                     IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                     IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                     IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                     Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                     .text | 0x2000 | 0xc6894 | 0xc6a00 | False | 0.8787390851164254 | data | 7.620478844643008 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                     .rsrc | 0xca000 | 0x5a4 | 0x600 | False | 0.4212239583333333 | data | 4.0770589259622545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                     .reloc | 0xcc000 | 0xc | 0x200 | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                     Name | RVA | Size | Type | Language | Country
                                     RT_VERSION | 0xca090 | 0x314 | data | |
                                     RT_MANIFEST | 0xca3b4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | |
                                     DLL | Import
                                     mscoree.dll | _CorExeMain
                                     Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                     05/30/23-13:08:06.488254 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49694 | 4032 | 192.168.2.4 | 141.98.6.167
                                     05/30/23-13:08:09.282700 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49694 | 4032 | 192.168.2.4 | 141.98.6.167
                                    TimestampSource PortDest PortSource IPDest IP
                                    May 30, 2023 13:08:08.212277889 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.212311029 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.212333918 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.212354898 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.212362051 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.212378025 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.212392092 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.212405920 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.212419987 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.212434053 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.212449074 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.212548018 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.238826036 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.238872051 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.238914013 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.238935947 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.238959074 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.238971949 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.238981009 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239006042 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239027023 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239031076 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.239048004 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239072084 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239078999 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.239098072 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239120007 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239140987 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239145994 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.239162922 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239166021 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.239186049 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239207983 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239211082 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.239228964 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239249945 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239264965 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.239273071 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239295006 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239299059 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.239316940 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239339113 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239360094 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239360094 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.239379883 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239382982 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.239401102 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239423990 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239444017 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239444971 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.239464998 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239475012 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.239500046 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239506006 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.239520073 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239540100 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239558935 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.239559889 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239579916 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239598989 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239619017 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239638090 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239641905 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.239658117 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239667892 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.239676952 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239691973 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.239696980 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239708900 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.239717007 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239737034 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239754915 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.239757061 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239779949 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239799976 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239814043 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.239820957 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239840984 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239845037 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.239861012 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239871979 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.239880085 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239900112 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239921093 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.239957094 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.239976883 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.266149998 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.266186953 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.266206980 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.266226053 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.266247988 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.266264915 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.266268969 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.266289949 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.266299963 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.266299963 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.266310930 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.266330957 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.266350985 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.266372919 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.266374111 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.266395092 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.266396046 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.266417980 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.266428947 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.266438961 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.266462088 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.266479969 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.266484976 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.266505003 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.266526937 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.266546011 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.266546965 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.266558886 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.266567945 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.266587973 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.266602039 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.266609907 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.266632080 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.266649008 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.266652107 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.266673088 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.266693115 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.266705990 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.266711950 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.266732931 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.266735077 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.266752958 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.266773939 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.266778946 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.266794920 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.266804934 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.266814947 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.266834974 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.266846895 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.266855955 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.266876936 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.266890049 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.266896963 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.266916990 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.266937017 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.266951084 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.266957998 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.266974926 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.266977072 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.266998053 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.267019987 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.267040014 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.267040014 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.267060995 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.267062902 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.267081976 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.267105103 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.267123938 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.267126083 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.267147064 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.267149925 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.267168999 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.267184973 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.267189026 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.267246962 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.293396950 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.293437004 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.293457985 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.293478012 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.293502092 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.293513060 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.293524027 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.293545961 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.293546915 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.293565035 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.293567896 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.293590069 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.293612003 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.293629885 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.293633938 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.293654919 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.293695927 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.293714046 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.293714046 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.293716908 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.293739080 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.293767929 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.293787956 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.293803930 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.293808937 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.293828964 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.293837070 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.293849945 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.293855906 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.293872118 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.293890953 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.293891907 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.293912888 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.293931961 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.293948889 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.293951035 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.293972969 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.293973923 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.293992996 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.294013023 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.294028044 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.294034004 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.294050932 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.294054031 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.294076920 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.294097900 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.294111967 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.294117928 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.294135094 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.294138908 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.294158936 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.294179916 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.294179916 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.294199944 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.294219971 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.294234991 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.294245005 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.294259071 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.294264078 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.294285059 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.294298887 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.294305086 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.294326067 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.294347048 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.294363976 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.294365883 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.294387102 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.294388056 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.294408083 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.294429064 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.294442892 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.294449091 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.294469118 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.294487000 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.295274019 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.320677042 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.320718050 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.320739031 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.320761919 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.320781946 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.320813894 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.320833921 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.320872068 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.320892096 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.320915937 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.320933104 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.320938110 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.320951939 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.320966959 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.320981026 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.320981026 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.321002007 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.321018934 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.321042061 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.321047068 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.321069002 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.321089029 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.321090937 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.321113110 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.321131945 CEST496944032192.168.2.4141.98.6.167
                                    May 30, 2023 13:08:08.321132898 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.321156025 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.321176052 CEST403249694141.98.6.167192.168.2.4
                                    May 30, 2023 13:08:08.321181059 CEST496944032192.168.2.4141.98.6.167
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    May 30, 2023 13:08:06.216593981 CEST | 59683 | 53 | 192.168.2.4 | 8.8.8.8
                                    May 30, 2023 13:08:06.251574993 CEST | 53 | 59683 | 8.8.8.8 | 192.168.2.4
                                    May 30, 2023 13:08:18.664226055 CEST | 64167 | 53 | 192.168.2.4 | 8.8.8.8
                                    May 30, 2023 13:08:18.684761047 CEST | 53 | 64167 | 8.8.8.8 | 192.168.2.4
                                    May 30, 2023 13:08:24.898333073 CEST | 58565 | 53 | 192.168.2.4 | 8.8.8.8
                                    May 30, 2023 13:08:24.919045925 CEST | 53 | 58565 | 8.8.8.8 | 192.168.2.4
                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                    May 30, 2023 13:08:06.216593981 CEST | 192.168.2.4 | 8.8.8.8 | 0x3217 | Standard query (0) | jasonbourneblack.ddns.net | A (IP address) | IN (0x0001) | false
                                    May 30, 2023 13:08:18.664226055 CEST | 192.168.2.4 | 8.8.8.8 | 0x1d76 | Standard query (0) | jasonbourneblack.ddns.net | A (IP address) | IN (0x0001) | false
                                    May 30, 2023 13:08:24.898333073 CEST | 192.168.2.4 | 8.8.8.8 | 0x3164 | Standard query (0) | jasonbourneblack.ddns.net | A (IP address) | IN (0x0001) | false
                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                    May 30, 2023 13:08:06.251574993 CEST | 8.8.8.8 | 192.168.2.4 | 0x3217 | No error (0) | jasonbourneblack.ddns.net | | 141.98.6.167 | A (IP address) | IN (0x0001) | false
                                    May 30, 2023 13:08:18.684761047 CEST | 8.8.8.8 | 192.168.2.4 | 0x1d76 | No error (0) | jasonbourneblack.ddns.net | | 141.98.6.167 | A (IP address) | IN (0x0001) | false
                                    May 30, 2023 13:08:24.919045925 CEST | 8.8.8.8 | 192.168.2.4 | 0x3164 | No error (0) | jasonbourneblack.ddns.net | | 141.98.6.167 | A (IP address) | IN (0x0001) | false

                                    Target ID:0
                                    Start time:13:07:53
                                    Start date:30/05/2023
                                    Path:C:\Users\user\Desktop\x4VGltSj0j.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Users\user\Desktop\x4VGltSj0j.exe
                                    Imagebase:0x570000
                                    File size:816128 bytes
                                    MD5 hash:20EF67D923F487FF82FB19BE1270571C
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET
                                    Yara matches:
                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.557049531.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.557049531.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.557049531.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                    • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.557049531.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                    Reputation:low

                                    Target ID:3
                                    Start time:13:08:00
                                    Start date:30/05/2023
                                    Path:C:\Users\user\Desktop\x4VGltSj0j.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Users\user\Desktop\x4VGltSj0j.exe
                                    Imagebase:0x540000
                                    File size:816128 bytes
                                    MD5 hash:20EF67D923F487FF82FB19BE1270571C
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET
                                    Yara matches:
                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.831317891.0000000007010000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.831317891.0000000007010000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                    • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.831317891.0000000007010000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                    • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.831317891.0000000007010000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.830963425.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.830963425.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                    • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.830963425.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                    • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.830963425.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                    • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.821764606.00000000038F1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.828540594.0000000005380000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.828540594.0000000005380000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                    • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.828540594.0000000005380000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                    • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.828540594.0000000005380000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                    • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                    • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                    • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000003.572812783.000000000619B000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.831505187.0000000007170000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.831505187.0000000007170000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                    • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.831505187.0000000007170000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                    • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.831505187.0000000007170000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.828765767.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.828765767.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.828765767.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.828765767.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                    • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.828765767.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.830668276.0000000006D20000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.830668276.0000000006D20000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                    • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.830668276.0000000006D20000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                    • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.830668276.0000000006D20000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.830818875.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.830818875.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                    • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.830818875.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                    • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.830818875.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.830884662.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.830884662.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                    • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.830884662.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                    • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.830884662.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                    • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                    • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                    • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                    • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.830628451.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.830628451.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                    • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.830628451.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                    • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.830628451.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.828461289.0000000005370000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.828461289.0000000005370000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                    • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.828461289.0000000005370000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                    • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.828461289.0000000005370000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.830754670.0000000006D30000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.830754670.0000000006D30000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                    • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.830754670.0000000006D30000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                    • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.830754670.0000000006D30000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.828091311.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.828091311.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                    • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.828091311.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                    • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.828091311.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.831120142.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.831120142.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                    • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.831120142.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                    • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.831120142.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.831774560.00000000071A0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.831774560.00000000071A0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                    • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.831774560.00000000071A0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                    • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.831774560.00000000071A0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                    Reputation:low

                                    Target ID:4
                                    Start time:13:08:02
                                    Start date:30/05/2023
                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                    Wow64 process (32bit):true
                                    Commandline:schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp8CAB.tmp
                                    Imagebase:0x1110000
                                    File size:185856 bytes
                                    MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:5
                                    Start time:13:08:02
                                    Start date:30/05/2023
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7c72c0000
                                    File size:625664 bytes
                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:6
                                    Start time:13:08:03
                                    Start date:30/05/2023
                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                    Wow64 process (32bit):true
                                    Commandline:schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8E42.tmp
                                    Imagebase:0x1110000
                                    File size:185856 bytes
                                    MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:7
                                    Start time:13:08:03
                                    Start date:30/05/2023
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7c72c0000
                                    File size:625664 bytes
                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:8
                                    Start time:13:08:04
                                    Start date:30/05/2023
                                    Path:C:\Users\user\Desktop\x4VGltSj0j.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Users\user\Desktop\x4VGltSj0j.exe 0
                                    Imagebase:0x500000
                                    File size:816128 bytes
                                    MD5 hash:20EF67D923F487FF82FB19BE1270571C
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET
                                    Reputation:low

                                    Target ID:9
                                    Start time:13:08:04
                                    Start date:30/05/2023
                                    Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
                                    Imagebase:0x690000
                                    File size:816128 bytes
                                    MD5 hash:20EF67D923F487FF82FB19BE1270571C
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET
                                    Antivirus matches:
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 22%, ReversingLabs
                                    Reputation:low

                                    Target ID:10
                                    Start time:13:08:13
                                    Start date:30/05/2023
                                    Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
                                    Imagebase:0x630000
                                    File size:816128 bytes
                                    MD5 hash:20EF67D923F487FF82FB19BE1270571C
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:.Net C# or VB.NET
                                    Reputation:low

                                    Target ID:11
                                    Start time:13:08:16
                                    Start date:30/05/2023
                                    Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                    Imagebase:0xe00000
                                    File size:816128 bytes
                                    MD5 hash:20EF67D923F487FF82FB19BE1270571C
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET
                                    Yara matches:
                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.624520249.0000000003271000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.624520249.0000000003271000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                    • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000B.00000002.624520249.0000000003271000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.617492931.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                    • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.617492931.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                    • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000B.00000002.617492931.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                    Reputation:low

                                    Target ID:12
                                    Start time:13:08:16
                                    Start date:30/05/2023
                                    Path:C:\Users\user\Desktop\x4VGltSj0j.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Users\user\Desktop\x4VGltSj0j.exe
                                    Imagebase:0xa90000
                                    File size:816128 bytes
                                    MD5 hash:20EF67D923F487FF82FB19BE1270571C
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET
                                    Yara matches:
                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.624499056.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.624499056.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                    • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000C.00000002.624499056.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.623571308.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.623571308.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                    • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000C.00000002.623571308.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                    Reputation:low

                                    Target ID:13
                                    Start time:13:08:24
                                    Start date:30/05/2023
                                    Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                    Imagebase:0xf80000
                                    File size:816128 bytes
                                    MD5 hash:20EF67D923F487FF82FB19BE1270571C
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:.Net C# or VB.NET
                                    Reputation:low


                                      Execution Graph

                                      Execution Coverage:11.7%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:8.9%
                                      Total number of Nodes:157
                                      Total number of Limit Nodes:12
                                      execution_graph: raw node/edge dump of the execution graph omitted (graph figure data). API calls referenced by graph nodes: GetModuleHandleW, CreateActCtxA, LoadLibraryExW, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, PostMessageW, CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, SetThreadContext, ResumeThread, CreateWindowExW, DuplicateHandle.

                                      Control-flow Graph

                                      control_flow_graph: basic-block edge list for the function starting at 6fd4c48 omitted (graph figure data; executed / not-executed colouring not recoverable in text).
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.565495545.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6fd0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: UUUU
                                      • API String ID: 0-1798160573
                                      • Opcode ID: 64f0283f42695553f6e54b3bc0bd194574e21f917b875de921a3f80dbcacbcc0
                                      • Instruction ID: 518cdbf13425cefb16de375234ca9bd190be02a160b6f103fca08685ddb618c5
                                      • Opcode Fuzzy Hash: 64f0283f42695553f6e54b3bc0bd194574e21f917b875de921a3f80dbcacbcc0
                                      • Instruction Fuzzy Hash: DEA2A575E00228DFDB64CF69C984A99BBB2FF89304F1581E9D509AB325D731AE81CF50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.566989419.0000000009B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B30000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_9b30000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: (
                                      • API String ID: 0-3887548279
                                      • Opcode ID: 03e4a701bcdb7fb2d5439f86434117a02006a45e278a723db784a2dd20279d0a
                                      • Instruction ID: a52a0a5100f3532fbe060c8fafa971061e565b315a8ddd14714f60353a7d1ade
                                      • Opcode Fuzzy Hash: 03e4a701bcdb7fb2d5439f86434117a02006a45e278a723db784a2dd20279d0a
                                      • Instruction Fuzzy Hash: 6162F274A00228CFDB64DF69C894BDDBBB2EF89310F1081E9E509A7295DB309E85CF51
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.553707456.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e50000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: H
                                      • API String ID: 0-1105002124
                                      • Opcode ID: 20be446c5cfd6c88460a5cbb49f70b72ba6f99db1f28f7873f33a338baed6027
                                      • Instruction ID: 18ce779d33df8bd8f0eb7e76c73fabf909593b8a8d447bcb447b2e4c1ef52dcd
                                      • Opcode Fuzzy Hash: 20be446c5cfd6c88460a5cbb49f70b72ba6f99db1f28f7873f33a338baed6027
                                      • Instruction Fuzzy Hash: 5AC135B2911B468FE710DF66EC881897BA1BB85328F504728D2697B6E0D7F4148ECF84
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.565495545.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6fd0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f389cf5eaa0aa80f1567dc7dc85ee2e8a985474568a742afc2599dcb4ec80980
                                      • Instruction ID: fb2041f58653d4db4a91c71de01ced40cdab564d3ac26cffd78ee0faf950fde2
                                      • Opcode Fuzzy Hash: f389cf5eaa0aa80f1567dc7dc85ee2e8a985474568a742afc2599dcb4ec80980
                                      • Instruction Fuzzy Hash: F742B174E01229CFDB64DFA9C984B9DBBB2FF48310F1481A9D909AB355D734AA81CF50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.565495545.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6fd0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5e399dfdb7a211111cd72ff545ddd373ff0cacecde78970a0377e90f02c04969
                                      • Instruction ID: 62ffd879711f8c8b221c20503c63a6a78208f3bb6f87074e01a61ac0a62d26a0
                                      • Opcode Fuzzy Hash: 5e399dfdb7a211111cd72ff545ddd373ff0cacecde78970a0377e90f02c04969
                                      • Instruction Fuzzy Hash: 7132B070D0021ACFEB90DFA9C984A8DFBF2BF49751F59C195D508AB211CB30A985CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.565495545.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6fd0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 687853723eb7e1b86d1091d923bf9fb8609da7feb9c7fc42db86c217261b5172
                                      • Instruction ID: 6146c57654e74e99d649019bd67c2ec7b27dbf14c482ef7803c20ccefbdb1272
                                      • Opcode Fuzzy Hash: 687853723eb7e1b86d1091d923bf9fb8609da7feb9c7fc42db86c217261b5172
                                      • Instruction Fuzzy Hash: 2461D375E0421C8FDB04DFAAD9446AEBBB7FF88311F108029E519AB259DB345906CF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.565495545.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6fd0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6eeb220e6499a20da99f9ab99806a6e5d87658e8bde74329d1d082a5df55acf7
                                      • Instruction ID: 44e2776e7e65378cad3e38dd901ae773e726efa6ce2b2ffaed02fecc455644e0
                                      • Opcode Fuzzy Hash: 6eeb220e6499a20da99f9ab99806a6e5d87658e8bde74329d1d082a5df55acf7
                                      • Instruction Fuzzy Hash: 0441E875E042188FDB04DFAAD94469EFBF3FF88310F14C12A9419AB355DB345946CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      • GetCurrentProcess.KERNEL32 ref: 00E5B770
                                      • GetCurrentThread.KERNEL32 ref: 00E5B7AD
                                      • GetCurrentProcess.KERNEL32 ref: 00E5B7EA
                                      • GetCurrentThreadId.KERNEL32 ref: 00E5B843
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.553707456.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e50000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: Current$ProcessThread
                                      • String ID: H
                                      • API String ID: 2063062207-1105002124
                                      • Opcode ID: 4b9254451ac27e69d59cabef720b886a01a5e68a57dcb87d20b2d62ae9800085
                                      • Instruction ID: 70ee136b09e4d691581dddebb889f600b158245a3440b6d6757f1549db75fc65
                                      • Opcode Fuzzy Hash: 4b9254451ac27e69d59cabef720b886a01a5e68a57dcb87d20b2d62ae9800085
                                      • Instruction Fuzzy Hash: 2A5185B0D006488FDB14CFAAD58879EBBF1EF88315F24895AE408B3790D7749844CF65
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      • GetCurrentProcess.KERNEL32 ref: 00E5B770
                                      • GetCurrentThread.KERNEL32 ref: 00E5B7AD
                                      • GetCurrentProcess.KERNEL32 ref: 00E5B7EA
                                      • GetCurrentThreadId.KERNEL32 ref: 00E5B843
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.553707456.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e50000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: Current$ProcessThread
                                      • String ID: H
                                      • API String ID: 2063062207-1105002124
                                      • Opcode ID: 56ec08f2d103ae5594baaa90d04ac5a3331ed9a88b1aef68005addd6921fa4bb
                                      • Instruction ID: cc0b8bd0637c1c8b97856fb3d475113576c9867c24556c10fd7a815c43eda31f
                                      • Opcode Fuzzy Hash: 56ec08f2d103ae5594baaa90d04ac5a3331ed9a88b1aef68005addd6921fa4bb
                                      • Instruction Fuzzy Hash: 5F5174B0E006489FDB14CFAAD588B9EBBF1BF88314F20895AE409B3790D7745884CF65
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      control_flow_graph: basic-block edge list for the function starting at e57d97 omitted (graph figure data; executed / not-executed colouring not recoverable in text). The graph contains calls to e57164 and e55188 and to GetSystemMetrics.
                                      APIs
                                      • GetSystemMetrics.USER32(0000004B), ref: 00E57E7D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.553707456.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e50000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: MetricsSystem
                                      • String ID: H
                                      • API String ID: 4116985748-1105002124
                                      • Opcode ID: 387fd5ffef401087da2d7ca648fd57e87e2c946b85802999835a953506015ccb
                                      • Instruction ID: 5176f4de0e9fc8515bbd7a8374ad3e8b6c0c0fa1c60a0b78c3b3e9d1ba16fcf9
                                      • Opcode Fuzzy Hash: 387fd5ffef401087da2d7ca648fd57e87e2c946b85802999835a953506015ccb
                                      • Instruction Fuzzy Hash: 2F3138718087848FD711CF6AE9053EABFF8AB05305F04489ED888B3251D7786D9DCB61
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06FDCC6E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.565495545.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6fd0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: CreateProcess
                                      • String ID:
                                      • API String ID: 963392458-0
                                      • Opcode ID: 9800a54d60f133666ead732764577412f43275d142bcd7e607f49da14fcdf627
                                      • Instruction ID: 1f2048e217c92e67a24e5c5f4e53544e75ad0d35ba106b07daa165a4f0a375d4
                                      • Opcode Fuzzy Hash: 9800a54d60f133666ead732764577412f43275d142bcd7e607f49da14fcdf627
                                      • Instruction Fuzzy Hash: 4BA15B71D002198FDF54CFA9CC80BDEBBB6BF48314F1885A9D819A7280DB74A985CF91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06FDCC6E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.565495545.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6fd0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: CreateProcess
                                      • String ID:
                                      • API String ID: 963392458-0
                                      • Opcode ID: 5b2160b24a2a3520e64a75714bdacc7975bf6a847b7c80d77e0e17f7357574b9
                                      • Instruction ID: 6ae289cd790f19ee2d400ef9d9a99f917401b12ee8743a458a5297668ad0f432
                                      • Opcode Fuzzy Hash: 5b2160b24a2a3520e64a75714bdacc7975bf6a847b7c80d77e0e17f7357574b9
                                      • Instruction Fuzzy Hash: 01914A71D002198FDF54CFA9CC81BDEBBB6BF48314F1885A9D819A7280DB74A985CF91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00E5FE8A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.553707456.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e50000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: CreateWindow
                                      • String ID:
                                      • API String ID: 716092398-0
                                      • Opcode ID: 278fba2caeb7ba48c23e580ca014c1d095be8f8ceeb5ef10b819fa403b9c8281
                                      • Instruction ID: e01cec50d85d832e1a295a4344b27777579537df71b2c96ba17980f74bbfdb9c
                                      • Opcode Fuzzy Hash: 278fba2caeb7ba48c23e580ca014c1d095be8f8ceeb5ef10b819fa403b9c8281
                                      • Instruction Fuzzy Hash: 1551E0B1D003099FDF14CFA9D880ADEBBB5BF48314F24952AE818BB210D7749945CF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00E5FE8A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.553707456.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e50000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: CreateWindow
                                      • String ID:
                                      • API String ID: 716092398-0
                                      • Opcode ID: 2ebb198c13db191641007434cd6a349b21f66c68e19f7a0f991dfbb7ad910c88
                                      • Instruction ID: df138459858e8f22a2e5e253dd6bb4ac2e833bef4460aa5638c1d6e3f8e41520
                                      • Opcode Fuzzy Hash: 2ebb198c13db191641007434cd6a349b21f66c68e19f7a0f991dfbb7ad910c88
                                      • Instruction Fuzzy Hash: 2141CFB1D003099FDF14CFAAD884ADEBBB5BF48314F24852AE819BB210D7749945CF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.553707456.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e50000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2f15a1b78b43c6c5b282dde9a21fdd864cc32f6b57a92a4638a680570503dd1a
                                      • Instruction ID: f2bf2c7324fa9cb06c3a8c20d4dde7507faeebdb5386fa13f9e3bc6489d55026
                                      • Opcode Fuzzy Hash: 2f15a1b78b43c6c5b282dde9a21fdd864cc32f6b57a92a4638a680570503dd1a
                                      • Instruction Fuzzy Hash: E44104B1C00618CFDB24CFA9C854BCEBBB5BF48305F24845AD419BB250D7755989CF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 00E55421
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.553707456.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e50000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0
                                      • Opcode ID: 382e2656d1b225bba82c049d070c410eea0413969d5718f7bef03b3af1f5f713
                                      • Instruction ID: a8b1d2de6ae3c6ed6834350193a5ab45ab4f4661048f56c61d5a441736081050
                                      • Opcode Fuzzy Hash: 382e2656d1b225bba82c049d070c410eea0413969d5718f7bef03b3af1f5f713
                                      • Instruction Fuzzy Hash: 3441E3B1C00618CFDB24CFA9C854BDEBBB5BF58305F208459D419BB251DBB56989CF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06FDC7B0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.565495545.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6fd0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: MemoryProcessWrite
                                      • String ID:
                                      • API String ID: 3559483778-0
                                      • Opcode ID: a71c2e0cb1d7d76bbfa78410bff02d28bcb5838d57a99d346bcf9163541674ca
                                      • Instruction ID: a99154eeaef7199a0ec1913f244b22e6d685a2e4d612e8b84cabb68a479646fb
                                      • Opcode Fuzzy Hash: a71c2e0cb1d7d76bbfa78410bff02d28bcb5838d57a99d346bcf9163541674ca
                                      • Instruction Fuzzy Hash: 4D312771D002599FCF50CFAAD9807EEBBF9FF48310F14842AE958A7240D778A944CBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06FDC7B0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.565495545.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6fd0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: MemoryProcessWrite
                                      • String ID:
                                      • API String ID: 3559483778-0
                                      • Opcode ID: 083318d985025ae34b6224f4d7f4b641b615dfc505e2c4cb3240cfbd93f03f82
                                      • Instruction ID: 2f4b9ebd65470dc7fc7d948c042ffa7ec5c86c29c097bda4b8a4e7ec127d2e00
                                      • Opcode Fuzzy Hash: 083318d985025ae34b6224f4d7f4b641b615dfc505e2c4cb3240cfbd93f03f82
                                      • Instruction Fuzzy Hash: C9212675D003199FCB50CFAAC8847EEBBF5FF48314F14842AE918A7240D778A944CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06FDC8C0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.565495545.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6fd0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: MemoryProcessRead
                                      • String ID:
                                      • API String ID: 1726664587-0
                                      • Opcode ID: eb51c3591a43bd05b513cf505915be39402980dded319da819194d7489ab8132
                                      • Instruction ID: 80b98c4c33a1ed1e295c41810e8e214a613c4b10dd87c16cb768e06d468bcb18
                                      • Opcode Fuzzy Hash: eb51c3591a43bd05b513cf505915be39402980dded319da819194d7489ab8132
                                      • Instruction Fuzzy Hash: 0D213971D003599FCB10CFAAD980AEEBBF5FF48320F54842AE558A7640D738A944CBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SetThreadContext.KERNELBASE(?,00000000), ref: 06FDBBF6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.565495545.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6fd0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: ContextThread
                                      • String ID:
                                      • API String ID: 1591575202-0
                                      • Opcode ID: 375e8609386c01b8766262de694c188482b0b33dec11f86d266f371b8c25f6e0
                                      • Instruction ID: 057cfde59fd2d6872d7e67185c1d77b98ba562f2b50c116ec138f638fcb1de70
                                      • Opcode Fuzzy Hash: 375e8609386c01b8766262de694c188482b0b33dec11f86d266f371b8c25f6e0
                                      • Instruction Fuzzy Hash: 302159B1D003098FCB50DFAAC4847EEBBF5EF48324F54C42AD459A7641DB78A944CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E5B9BF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.553707456.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e50000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: a1b5a75f4be1bdcd68748644dbbfff5f13210bb3af20d66e931bc97ac29a741f
                                      • Instruction ID: 5a7595526266c003bf92ad7e69dba60c50068a19b958c3a897b4022e92c7ff37
                                      • Opcode Fuzzy Hash: a1b5a75f4be1bdcd68748644dbbfff5f13210bb3af20d66e931bc97ac29a741f
                                      • Instruction Fuzzy Hash: 6A21D2B59002189FDB10CF9AD984ADEBBF8EB48324F14841AE954A7710D378A944CFA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SetThreadContext.KERNELBASE(?,00000000), ref: 06FDBBF6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.565495545.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6fd0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: ContextThread
                                      • String ID:
                                      • API String ID: 1591575202-0
                                      • Opcode ID: 19cc9f3c3a68f77c558b635b8da55b0981ffc3d9230ed82763000019b70a72cf
                                      • Instruction ID: cd3bc2ea4c7278a36578ff0fee52216f2a8c4f141229e5b89abca7b126609afa
                                      • Opcode Fuzzy Hash: 19cc9f3c3a68f77c558b635b8da55b0981ffc3d9230ed82763000019b70a72cf
                                      • Instruction Fuzzy Hash: 942115B1D006098FCB50DFAAC9847EEBBF5EF48324F54C42AD459A7640DB78A945CFA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06FDC8C0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.565495545.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6fd0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: MemoryProcessRead
                                      • String ID:
                                      • API String ID: 1726664587-0
                                      • Opcode ID: f65c4803a723a986a2f97673065bc187d81294a1c208376e738a98f4606d6331
                                      • Instruction ID: bba707d6286c2651797b8989b72b017a0cd44fa185200f364af878a8532ae7ae
                                      • Opcode Fuzzy Hash: f65c4803a723a986a2f97673065bc187d81294a1c208376e738a98f4606d6331
                                      • Instruction Fuzzy Hash: EE2128B1D002199FCB10DFAAC880AEEBBF5FF48310F54842AE519A7240D778A944CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E5B9BF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.553707456.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e50000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: 5bb001dedd6f51a1e5675e268822dac7cc465e3644d9a86111ebd1dd998049cc
                                      • Instruction ID: aaa2732d2f69a2bb47aabf13b2d796827898bdc520afefb22de6367313f5e46d
                                      • Opcode Fuzzy Hash: 5bb001dedd6f51a1e5675e268822dac7cc465e3644d9a86111ebd1dd998049cc
                                      • Instruction Fuzzy Hash: B121B0B59002189FDB10CFAAD984ADEBBF8EB48324F14841AE954B3710D378A944CFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00E599D1,00000800,00000000,00000000), ref: 00E59BE2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.553707456.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e50000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      • Opcode ID: 5112110d2d9ec4d532cd31e6bad2b674bb567e72ba152fd0c2c8a17fdf83978b
                                      • Instruction ID: a2eb96d704de359276f66e018b258ee92fd128b894426ceaf50d0716506e588a
                                      • Opcode Fuzzy Hash: 5112110d2d9ec4d532cd31e6bad2b674bb567e72ba152fd0c2c8a17fdf83978b
                                      • Instruction Fuzzy Hash: C21106B6D002099FDB10CF9AD444ADEFBF8EB58314F10851AD815B7600C378A945CFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00E599D1,00000800,00000000,00000000), ref: 00E59BE2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.553707456.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e50000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      • Opcode ID: 74479b50f6c41a31cb9aa89e3ebe36f27df2552d2026b25e933a5aa29a53f8e3
                                      • Instruction ID: 02600a242803a8860aea0c6d0bf302c4148c115543cde57f8a2e35e7ea819945
                                      • Opcode Fuzzy Hash: 74479b50f6c41a31cb9aa89e3ebe36f27df2552d2026b25e933a5aa29a53f8e3
                                      • Instruction Fuzzy Hash: E31114B6C002499FDB10CF9AD444ADEFBF8EF98324F14845AD815B7600C378A545CFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.565495545.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6fd0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: ResumeThread
                                      • String ID:
                                      • API String ID: 947044025-0
                                      • Opcode ID: 38e56e6deb22b76baafcb4be2eb3dc5c8cded9c99a2bc5ce8d9719d33e4fa3ec
                                      • Instruction ID: 31765ba6cc531c0ed51ea7ef1db3ab0f65177153580c7dd601a90a00a8a65225
                                      • Opcode Fuzzy Hash: 38e56e6deb22b76baafcb4be2eb3dc5c8cded9c99a2bc5ce8d9719d33e4fa3ec
                                      • Instruction Fuzzy Hash: 8F1149B1D002498BCB10DFAAC4447EEFBF9EB88324F24841AD459A7640C779A944CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 00E59956
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.553707456.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e50000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      • Opcode ID: 7256798435b3de4075f59c96171cdf9c72ab925f169d0b2d78287313524d0a96
                                      • Instruction ID: 67f71e60706d124dd545d365bc1a2299dbd49ce719fd3eb7e9d43bbfd6be4d9c
                                      • Opcode Fuzzy Hash: 7256798435b3de4075f59c96171cdf9c72ab925f169d0b2d78287313524d0a96
                                      • Instruction Fuzzy Hash: 1911F0B6C006498FDB20CF9AD444ADEFBF8EF89324F14841AD859B7601D378A545CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • PostMessageW.USER32(?,?,?,?), ref: 09B38545
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.566989419.0000000009B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B30000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_9b30000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: MessagePost
                                      • String ID:
                                      • API String ID: 410705778-0
                                      • Opcode ID: a4c91397491599ec440d1bdc80be750b33f425c2f11650e9d155d2c7ec7cf56f
                                      • Instruction ID: d25dd691c4f4a555a1c7f05d1c1965768e0b4c7340ecbf93c30d46318bea873b
                                      • Opcode Fuzzy Hash: a4c91397491599ec440d1bdc80be750b33f425c2f11650e9d155d2c7ec7cf56f
                                      • Instruction Fuzzy Hash: 271125B58003499FCB10CF9AD884BDEFFF8EB48324F10845AE454A7600C374A644CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.565495545.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6fd0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: ResumeThread
                                      • String ID:
                                      • API String ID: 947044025-0
                                      • Opcode ID: 3a3ee9264a1b13eb5f6e856451915af436f4d862591012694cfffc9deea8ef95
                                      • Instruction ID: 13754fe9f572f55cea0c3386123585cecf474cc0e7e5d790d13442a19bc42aa8
                                      • Opcode Fuzzy Hash: 3a3ee9264a1b13eb5f6e856451915af436f4d862591012694cfffc9deea8ef95
                                      • Instruction Fuzzy Hash: A5113AB1D006498FCB10DFAAC4847EEFBF9EF88324F14841AD419B7640D779A944CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 00E59956
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.553707456.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e50000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      • Opcode ID: 8f7f19e876a4971a5dce4fb00284748bded593b36dfe9a3611cecab5d704fe4a
                                      • Instruction ID: 8d37b8e48eea7fdaae019fd3a71ad886b3dedce54e88cfbc3e37881612d35918
                                      • Opcode Fuzzy Hash: 8f7f19e876a4971a5dce4fb00284748bded593b36dfe9a3611cecab5d704fe4a
                                      • Instruction Fuzzy Hash: F611DFB6C006498FCB10CF9AD544ADEFBF8EF88324F14851AD869B7600D379A545CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • PostMessageW.USER32(?,?,?,?), ref: 09B38545
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.566989419.0000000009B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B30000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_9b30000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: MessagePost
                                      • String ID:
                                      • API String ID: 410705778-0
                                      • Opcode ID: da0b43e7551af44c65aaad74ebe09e292202d98782a16717f67904bb01c29a94
                                      • Instruction ID: 352c38e89dfc328161552eb0d2766e7438fdc5a33dd1d2da42e248667ed60b1a
                                      • Opcode Fuzzy Hash: da0b43e7551af44c65aaad74ebe09e292202d98782a16717f67904bb01c29a94
                                      • Instruction Fuzzy Hash: 4911E5B58003499FDB10CF9AD584BDEBBF8FB58324F10845AE559A7600D379A544CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06FDC69E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.565495545.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6fd0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: 003c653d0baef379460515c2eafc3377c8025b761113872e48816d131ac43670
                                      • Instruction ID: 99b9e9380f06e6dbbd26b3e433470c9b7b6916fdb915255a23d74a73100e4263
                                      • Opcode Fuzzy Hash: 003c653d0baef379460515c2eafc3377c8025b761113872e48816d131ac43670
                                      • Instruction Fuzzy Hash: E2015A729002099FCF10DFA9C8447EEBBF6AF88314F14C82AE519A7250C7799550DF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.553496152.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dad000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 36c4fdf396c405ee17b92cfa8bb1a8516fe0df1bb38865016738922a9c60f168
                                      • Instruction ID: 3239b37876a228c1dcff84c67d094bbe79dfc467405e98e3fb3d96fe3f760998
                                      • Opcode Fuzzy Hash: 36c4fdf396c405ee17b92cfa8bb1a8516fe0df1bb38865016738922a9c60f168
                                      • Instruction Fuzzy Hash: 57212871904240DFDB01DF14D9C0B26BF66FB8A318F24C569E8460BA46C33AD845DBB1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.553573700.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e0d000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3ec281adfea2b6e42302e3b1e2d599cfb0f2cb850d0203df340f0db7d770eaf3
                                      • Instruction ID: 2ef1b7d9ca778ff2bcc361e1c1079c4f74e788e628df420fb07fd5268c000478
                                      • Opcode Fuzzy Hash: 3ec281adfea2b6e42302e3b1e2d599cfb0f2cb850d0203df340f0db7d770eaf3
                                      • Instruction Fuzzy Hash: 09214971508340EFDB01DF94DDC0B26BBA5FB84318F20C66DE8095B296C33AD886CB61
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.553573700.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e0d000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d278aac53c3add20cb9deaf113737c567672e4ce7f051e57fe355e50af46df29
                                      • Instruction ID: 9b7e36f18c6b96c6447a53dd98c49031a7e0ee10802e17549c532fcd9d471c2c
                                      • Opcode Fuzzy Hash: d278aac53c3add20cb9deaf113737c567672e4ce7f051e57fe355e50af46df29
                                      • Instruction Fuzzy Hash: 8921F575608240DFDB15DF54D9C0B16BB66FB84318F24C569E84D5B286C33AD886CB61
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.553573700.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e0d000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1b00c586eff519ef68462686ae414327a32e64180b6b861b51ab8098e1d695b9
                                      • Instruction ID: 2ffc70144ca05a7ce449f6ec686eab99d121db155d189b2a1d2820be1b20e044
                                      • Opcode Fuzzy Hash: 1b00c586eff519ef68462686ae414327a32e64180b6b861b51ab8098e1d695b9
                                      • Instruction Fuzzy Hash: 6421807550D3C08FCB12CF24D990715BF72EB46314F28C5EAD8898B697C33A984ACB62
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.553496152.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dad000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 592ece47119f67d140ea7e82aae040392f4fe946fa5bf8865279594dce73126f
                                      • Instruction ID: 85779f45fe3c68d5878dab07815048c7506628820b029819178a67dc69a29ca3
                                      • Opcode Fuzzy Hash: 592ece47119f67d140ea7e82aae040392f4fe946fa5bf8865279594dce73126f
                                      • Instruction Fuzzy Hash: 5D11E676904280DFCB12CF14D5C4B16BF72FB85324F28C6A9D8450BA56C33AD856CBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.553573700.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e0d000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9987972c5ad5a0bbdfc3a90a2c4a8b6c80251489d692dd004c95719536adb841
                                      • Instruction ID: 62dd90009bf4cab92a2d96c43e8b70896fa39c4251ba207b34d779f10458a36d
                                      • Opcode Fuzzy Hash: 9987972c5ad5a0bbdfc3a90a2c4a8b6c80251489d692dd004c95719536adb841
                                      • Instruction Fuzzy Hash: 2311D075508280DFCB12CF54C9C0B15FB71FB84328F24C6ADD8494B6A6C33AD85ACB51
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.553496152.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dad000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bfc283079d78c814627058083842e757decde44cd6f1a7f7583d59649e66342a
                                      • Instruction ID: aaa1bfd3b060a6885bcae7c2407d8bca323e0d2dd6d7206e5cba946374ade3e4
                                      • Opcode Fuzzy Hash: bfc283079d78c814627058083842e757decde44cd6f1a7f7583d59649e66342a
                                      • Instruction Fuzzy Hash: AA01F271408380AAE7248E2ADD84B66BF99EF56324F18C51AED475BA42D379D840CAB1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.553496152.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dad000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c36785a748b6d600318a7cef28fb6febb62882db1b86e05916e1cdc09ae24200
                                      • Instruction ID: 2be5cca9ae75202a16e641799679193db0ee589d6591c3e33ee6736fe77b6ab4
                                      • Opcode Fuzzy Hash: c36785a748b6d600318a7cef28fb6febb62882db1b86e05916e1cdc09ae24200
                                      • Instruction Fuzzy Hash: 8EF0C271404284AAE7148E16DC88B62FF98EB91334F18C55AED495B686C3799C44CAB1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.566989419.0000000009B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B30000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_9b30000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 0
                                      • API String ID: 0-4108050209
                                      • Opcode ID: 13e14cff5a766ebb2bc19fe33d34a3b0e2102399c6221d865d73b247ca3a1599
                                      • Instruction ID: e29dda939d285de3948e49f486db1c1606e1eca6477f6a40df89856136ff80bd
                                      • Opcode Fuzzy Hash: 13e14cff5a766ebb2bc19fe33d34a3b0e2102399c6221d865d73b247ca3a1599
                                      • Instruction Fuzzy Hash: 8B51ABB1D056988FEB19CF6B8C40689FFB3AFC5210F08C1FAD448AA169DB350991CF11
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.566989419.0000000009B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B30000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_9b30000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 0
                                      • API String ID: 0-4108050209
                                      • Opcode ID: f026c2ec51c9728dc42be1006e4c6206886ba20fce0645959664a846d34f43a2
                                      • Instruction ID: 52ad9941c4cf111190d7d0f612e72fa26adabdb59d5521c0d877372d1e3bb4ca
                                      • Opcode Fuzzy Hash: f026c2ec51c9728dc42be1006e4c6206886ba20fce0645959664a846d34f43a2
                                      • Instruction Fuzzy Hash: 28414E71E05A588BEB5CCF6B8D4068AFAF7AFC9210F14C1B9D50CAA229DB3105518E11
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.565495545.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6fd0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f52d6470feecee42371182af2435ed232c80368e29dce2bfb5dba56e0dfe93f1
                                      • Instruction ID: dfba54a39baf321d708e585ab47b5dcc1a7707c216706b17f0a4fc318e8c17ee
                                      • Opcode Fuzzy Hash: f52d6470feecee42371182af2435ed232c80368e29dce2bfb5dba56e0dfe93f1
                                      • Instruction Fuzzy Hash: 64F12B74E001598FDB54DFA9C980AADFBB2FF89300F248169D914A7346D771A941CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.565495545.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6fd0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 008f3acd00706dfe5ea40d0a7b781176dfa32b6d8f3ffa04d801d784c69590f5
                                      • Instruction ID: 211f09e6339835f915a21fbd430c3af05b475885bb5db5a2a57f5b91800b63e8
                                      • Opcode Fuzzy Hash: 008f3acd00706dfe5ea40d0a7b781176dfa32b6d8f3ffa04d801d784c69590f5
                                      • Instruction Fuzzy Hash: 33E12C74E001198FDB54DF99C990AADFBB2FF89300F288259D914A7359C771AD42CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.565495545.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6fd0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 86b268ac5473264dcb22d9828baa479800f51a699564259e6ab2a37206b301c0
                                      • Instruction ID: caf5914f5bc0eb84da62dbe5ec1536ec2a52d779b048ec316c98ee54452b2649
                                      • Opcode Fuzzy Hash: 86b268ac5473264dcb22d9828baa479800f51a699564259e6ab2a37206b301c0
                                      • Instruction Fuzzy Hash: D7E14C74E00159CFDB54DFA9C9809ADFBB2FF89304F288269D914AB355C731A942CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.565495545.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6fd0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 833609002f271d67069431ba97e94394f2ef49a317fdd6c80f3c69992b7041a5
                                      • Instruction ID: 1d874c31a9ccecb939d2b43976eed5aee16d09fcc509c9a3221a12afb6344998
                                      • Opcode Fuzzy Hash: 833609002f271d67069431ba97e94394f2ef49a317fdd6c80f3c69992b7041a5
                                      • Instruction Fuzzy Hash: F2E12AB4E00119CFDB54DF99C9909ADFBB2FF89304F298269D914A7349C730A942CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.565495545.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6fd0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c725f76b9453a8401da90f1a00ccbd8a878c9f01e468f1ca7a3e9086b0a70ebc
                                      • Instruction ID: 61f3f526a08f9643414f14dbcd241550b8718248d0586e50730706f8f1e7fa18
                                      • Opcode Fuzzy Hash: c725f76b9453a8401da90f1a00ccbd8a878c9f01e468f1ca7a3e9086b0a70ebc
                                      • Instruction Fuzzy Hash: 28E11AB4E001198FDB54DF99C9909ADFBB2FF89300F298269D914A7359C731AD42CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.553707456.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e50000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 808139bb05dcf9ca543814bc5b51483c8809e46670b5f6209a2a1843afd135b6
                                      • Instruction ID: 7f2ee49a865b56b10819d8199a90c62cf8dd863999d618b1e0fe56716f198e07
                                      • Opcode Fuzzy Hash: 808139bb05dcf9ca543814bc5b51483c8809e46670b5f6209a2a1843afd135b6
                                      • Instruction Fuzzy Hash: D41292F2811F468EE710CF66EC981993BA1B785328B904729D2693AAF5D7F411CECF44
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.553707456.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e50000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f6d33e65a90a097b252439f65ba1aaf047d7f8a8bc240b3048f002f2732ae513
                                      • Instruction ID: f1697aa4f6d139155a3ae5bf0acea781c6310b0cb217c049a62ce3dd1dc19d31
                                      • Opcode Fuzzy Hash: f6d33e65a90a097b252439f65ba1aaf047d7f8a8bc240b3048f002f2732ae513
                                      • Instruction Fuzzy Hash: 51A18036E00619CFCF15DFA5C8445DEBBF2FF85301B15896AE805BB261EB31A949CB40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.565495545.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6fd0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 78144a453f05594c69e84842bcc1e1dcfe5336b1acbf61f770a2fd3de89f4568
                                      • Instruction ID: 5884561227e4be3e3001dfe6593d53e537257737ae3cff28c3f7658e3bcaaaa8
                                      • Opcode Fuzzy Hash: 78144a453f05594c69e84842bcc1e1dcfe5336b1acbf61f770a2fd3de89f4568
                                      • Instruction Fuzzy Hash: 5F616C74E0120D8FDB48EF7AE94069ABBF3BBC9300F15C529E1149B369DB745906CBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.565495545.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6fd0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d5c604ba3d624f0fa1dc8bad62e1444c58721e03f32ea63a4536795011e1608c
                                      • Instruction ID: 87071dc0af80f876730f793a8b818b1e3b19fccaf51a1c967e0dc31e68ff1d0d
                                      • Opcode Fuzzy Hash: d5c604ba3d624f0fa1dc8bad62e1444c58721e03f32ea63a4536795011e1608c
                                      • Instruction Fuzzy Hash: 63616C74E0120D8FD748EF7AE54069ABBF3BBC9300F15C529E1149B369DB745906CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Execution Graph

                                      Execution Coverage:14.3%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:0%
                                      Total number of Nodes:367
                                      Total number of Limit Nodes:27
                                      execution_graph 25697 28c6758 25699 28c6766 25697->25699 25700 28c6344 25697->25700 25701 28c634f 25700->25701 25704 28c6394 25701->25704 25703 28c688d 25703->25699 25705 28c639f 25704->25705 25708 28c63c4 25705->25708 25707 28c6962 25707->25703 25709 28c63cf 25708->25709 25712 28c63f4 25709->25712 25711 28c6a62 25711->25707 25713 28c63ff 25712->25713 25714 28c71bc 25713->25714 25717 28cb408 25713->25717 25723 28cb407 25713->25723 25714->25711 25718 28cb429 25717->25718 25719 28cb44d 25718->25719 25729 28cb5b8 25718->25729 25733 28cb587 25718->25733 25738 28cb5a9 25718->25738 25719->25714 25724 28cb429 25723->25724 25725 28cb44d 25724->25725 25726 28cb5b8 6 API calls 25724->25726 25727 28cb5a9 6 API calls 25724->25727 25728 28cb587 6 API calls 25724->25728 25725->25714 25726->25725 25727->25725 25728->25725 25730 28cb5c5 25729->25730 25731 28cb5ff 25730->25731 25742 28ca0ec 25730->25742 25731->25719 25734 28cb58b 25733->25734 25735 28cb5d3 25733->25735 25734->25719 25736 28cb5ff 25735->25736 25737 28ca0ec 6 API calls 25735->25737 25736->25719 25737->25736 25739 28cb5c5 25738->25739 25740 28cb5ff 25739->25740 25741 28ca0ec 6 API calls 25739->25741 25740->25719 25741->25740 25743 28ca0f7 25742->25743 25745 28cc2f8 25743->25745 25746 28cb904 25743->25746 25745->25745 25747 28cb90f 25746->25747 25748 28cc367 25747->25748 25749 28c63f4 6 API calls 25747->25749 25756 28cc3e0 25748->25756 25760 28cc3d3 25748->25760 25749->25748 25750 28cc375 25754 28ce0d8 LoadLibraryExW GetModuleHandleW CreateWindowExW CreateWindowExW 25750->25754 25755 28ce0f0 LoadLibraryExW GetModuleHandleW CreateWindowExW CreateWindowExW 25750->25755 25751 28cc3a0 25751->25745 25754->25751 25755->25751 25757 28cc40e 25756->25757 25758 28cc4da KiUserCallbackDispatcher 25757->25758 25759 28cc4df 25757->25759 25758->25759 25761 28cc40e 25760->25761 25762 28cc4da KiUserCallbackDispatcher 25761->25762 25763 28cc4df 25761->25763 25762->25763 25830 6545430 25831 6545438 
25830->25831 25832 65450b0 2 API calls 25831->25832 25833 6545491 25832->25833 25411 6544318 25412 6544321 25411->25412 25416 6546678 25412->25416 25421 6546688 25412->25421 25413 6544346 25417 6546688 25416->25417 25418 654669e 25417->25418 25426 6544478 25417->25426 25436 6544468 25417->25436 25418->25413 25422 654669a 25421->25422 25423 654669e 25422->25423 25424 6544478 2 API calls 25422->25424 25425 6544468 2 API calls 25422->25425 25423->25413 25424->25423 25425->25423 25427 654449c 25426->25427 25428 654458e 25426->25428 25447 6544618 25427->25447 25452 6544628 25427->25452 25457 6546798 25428->25457 25465 654693b 25428->25465 25473 65467a8 25428->25473 25481 654692f 25428->25481 25429 6544554 25429->25418 25437 6544478 25436->25437 25438 654458e 25437->25438 25439 654449c 25437->25439 25443 654692f 2 API calls 25438->25443 25444 6546798 2 API calls 25438->25444 25445 65467a8 2 API calls 25438->25445 25446 654693b 2 API calls 25438->25446 25441 6544618 2 API calls 25439->25441 25442 6544628 2 API calls 25439->25442 25440 6544554 25440->25418 25441->25440 25442->25440 25443->25440 25444->25440 25445->25440 25446->25440 25448 6544628 25447->25448 25489 65450b0 25448->25489 25495 654508c 25448->25495 25449 654470a 25449->25429 25453 654465c 25452->25453 25455 65450b0 2 API calls 25453->25455 25456 654508c 2 API calls 25453->25456 25454 654470a 25454->25429 25455->25454 25456->25454 25461 65467cb 25457->25461 25458 6546864 25459 6546965 25458->25459 25460 6546688 2 API calls 25458->25460 25459->25429 25460->25458 25461->25458 25632 6546a10 25461->25632 25637 65469ff 25461->25637 25642 6546aad 25461->25642 25466 6546854 25465->25466 25467 6546864 25465->25467 25466->25467 25470 6546a10 2 API calls 25466->25470 25471 6546aad 2 API calls 25466->25471 25472 65469ff 2 API calls 25466->25472 25468 6546688 2 API calls 25467->25468 25469 6546965 25467->25469 25468->25467 25469->25429 25470->25467 25471->25467 25472->25467 25474 65467cb 25473->25474 25476 6546864 
25474->25476 25478 6546a10 2 API calls 25474->25478 25479 6546aad 2 API calls 25474->25479 25480 65469ff 2 API calls 25474->25480 25475 6546965 25475->25429 25476->25475 25477 6546688 2 API calls 25476->25477 25477->25476 25478->25476 25479->25476 25480->25476 25482 6546854 25481->25482 25485 6546864 25481->25485 25482->25485 25486 6546a10 2 API calls 25482->25486 25487 6546aad 2 API calls 25482->25487 25488 65469ff 2 API calls 25482->25488 25483 6546688 2 API calls 25483->25485 25484 6546965 25484->25429 25485->25483 25485->25484 25486->25485 25487->25485 25488->25485 25490 6545096 25489->25490 25490->25489 25491 65450da 25490->25491 25501 6545317 25490->25501 25505 65451af 25490->25505 25509 65451c0 25490->25509 25491->25449 25496 6545096 25495->25496 25497 65450da 25496->25497 25498 6545317 2 API calls 25496->25498 25499 65451c0 2 API calls 25496->25499 25500 65451af 2 API calls 25496->25500 25497->25449 25498->25497 25499->25497 25500->25497 25503 6545251 25501->25503 25502 654530f 25502->25491 25503->25502 25513 6544098 25503->25513 25508 65451b3 25505->25508 25506 654530f 25506->25491 25507 6544098 2 API calls 25507->25506 25508->25506 25508->25507 25512 65451ea 25509->25512 25510 654530f 25510->25491 25511 6544098 2 API calls 25511->25510 25512->25510 25512->25511 25514 65440c6 25513->25514 25517 6544105 25513->25517 25515 65440f7 25514->25515 25516 654410a 25514->25516 25514->25517 25522 6544378 25515->25522 25530 6544388 25515->25530 25516->25517 25538 65454b0 25516->25538 25547 65454a0 25516->25547 25517->25502 25524 65443b0 25522->25524 25523 654442a 25523->25517 25524->25523 25525 6544420 25524->25525 25528 6544478 2 API calls 25524->25528 25529 6544468 2 API calls 25524->25529 25556 6545338 25525->25556 25560 6545328 25525->25560 25528->25525 25529->25525 25532 65443b0 25530->25532 25531 654442a 25531->25517 25532->25531 25533 6544420 25532->25533 25536 6544478 2 API calls 25532->25536 25537 6544468 2 API calls 25532->25537 25534 6545338 2 API calls 
25533->25534 25535 6545328 2 API calls 25533->25535 25534->25531 25535->25531 25536->25533 25537->25533 25539 65454d1 25538->25539 25542 654553e 25538->25542 25540 65454de 25539->25540 25541 654558c 25539->25541 25540->25542 25564 65456f0 25540->25564 25569 6545700 25540->25569 25541->25542 25543 65454b0 2 API calls 25541->25543 25544 65454a0 2 API calls 25541->25544 25542->25517 25543->25542 25544->25542 25548 65454ab 25547->25548 25549 65454de 25548->25549 25550 654558c 25548->25550 25551 654553e 25548->25551 25549->25551 25554 65456f0 2 API calls 25549->25554 25555 6545700 2 API calls 25549->25555 25550->25551 25552 65454b0 2 API calls 25550->25552 25553 65454a0 2 API calls 25550->25553 25551->25517 25552->25551 25553->25551 25554->25551 25555->25551 25558 6545340 25556->25558 25557 6545368 25557->25523 25558->25557 25559 6544098 2 API calls 25558->25559 25559->25557 25562 654532b 25560->25562 25561 6545368 25561->25523 25562->25561 25563 6544098 2 API calls 25562->25563 25563->25561 25565 6545720 25564->25565 25566 6545740 25565->25566 25574 65457b0 25565->25574 25584 65457c0 25565->25584 25566->25542 25571 6545720 25569->25571 25570 6545740 25570->25542 25571->25570 25572 65457c0 2 API calls 25571->25572 25573 65457b0 2 API calls 25571->25573 25572->25570 25573->25570 25575 65457cc 25574->25575 25578 65457dc 25574->25578 25576 65457d3 25575->25576 25577 65457e9 25575->25577 25575->25578 25594 6545818 25576->25594 25607 6545828 25576->25607 25620 65459e0 25577->25620 25624 6545e08 25577->25624 25628 65459f0 25577->25628 25578->25566 25585 65457cc 25584->25585 25586 65457dc 25584->25586 25585->25586 25587 65457d3 25585->25587 25588 65457e9 25585->25588 25586->25566 25592 6545818 2 API calls 25587->25592 25593 6545828 2 API calls 25587->25593 25589 65459f0 2 API calls 25588->25589 25590 65459e0 2 API calls 25588->25590 25591 6545e08 2 API calls 25588->25591 25589->25586 25590->25586 25591->25586 25592->25586 25593->25586 25595 654581b 25594->25595 25598 654586d 
25595->25598 25599 65458ad 25595->25599 25596 65458aa 25596->25578 25597 65458da 25597->25578 25602 6545818 CreateWindowExW CreateWindowExW 25598->25602 25603 6545828 CreateWindowExW CreateWindowExW 25598->25603 25604 65458c8 CreateWindowExW CreateWindowExW 25598->25604 25605 65458b8 CreateWindowExW CreateWindowExW 25598->25605 25606 6545928 CreateWindowExW CreateWindowExW 25598->25606 25599->25597 25600 65450b0 CreateWindowExW CreateWindowExW 25599->25600 25601 65459cb 25600->25601 25601->25578 25602->25596 25603->25596 25604->25596 25605->25596 25606->25596 25608 6545830 25607->25608 25609 654586d 25608->25609 25612 65458ad 25608->25612 25615 6545818 CreateWindowExW CreateWindowExW 25609->25615 25616 6545828 CreateWindowExW CreateWindowExW 25609->25616 25617 65458c8 CreateWindowExW CreateWindowExW 25609->25617 25618 65458b8 CreateWindowExW CreateWindowExW 25609->25618 25619 6545928 CreateWindowExW CreateWindowExW 25609->25619 25610 65458da 25610->25578 25611 65458aa 25611->25578 25612->25610 25613 65450b0 CreateWindowExW CreateWindowExW 25612->25613 25614 65459cb 25613->25614 25614->25578 25615->25611 25616->25611 25617->25611 25618->25611 25619->25611 25621 65459e3 25620->25621 25622 6545c81 25621->25622 25623 65458c8 CreateWindowExW CreateWindowExW 25621->25623 25622->25578 25623->25621 25626 6545e14 25624->25626 25625 6545e1d 25625->25578 25626->25625 25627 65450b0 CreateWindowExW CreateWindowExW 25626->25627 25627->25625 25631 6545a1c 25628->25631 25629 65458c8 CreateWindowExW CreateWindowExW 25629->25631 25630 6545c81 25630->25578 25631->25629 25631->25630 25633 6546af2 25632->25633 25634 6546a3a 25632->25634 25633->25458 25634->25633 25647 6546b30 25634->25647 25653 6546b20 25634->25653 25638 6546af2 25637->25638 25639 6546a3a 25637->25639 25638->25458 25639->25638 25640 6546b30 2 API calls 25639->25640 25641 6546b20 2 API calls 25639->25641 25640->25639 25641->25639 25643 6546a8a 25642->25643 25644 6546af2 25643->25644 25645 6546b30 2 API calls 
25643->25645 25646 6546b20 2 API calls 25643->25646 25644->25458 25645->25643 25646->25643 25649 6546b35 25647->25649 25648 6546b3b 25648->25634 25649->25648 25659 6546b70 25649->25659 25663 6546b60 25649->25663 25650 6546b54 25650->25634 25655 6546b30 25653->25655 25654 6546b3b 25654->25634 25655->25654 25657 6546b70 2 API calls 25655->25657 25658 6546b60 2 API calls 25655->25658 25656 6546b54 25656->25634 25657->25656 25658->25656 25660 6546b7b 25659->25660 25667 65411a8 25660->25667 25662 6546b90 25662->25650 25664 6546b65 25663->25664 25665 65411a8 2 API calls 25664->25665 25666 6546b90 25665->25666 25666->25650 25668 65411b8 25667->25668 25669 6541225 25668->25669 25671 65416f0 25668->25671 25669->25662 25675 6541710 25671->25675 25681 6541720 25671->25681 25672 654170e 25672->25669 25677 6541720 25675->25677 25676 654172d 25676->25672 25677->25676 25687 6541938 25677->25687 25692 654191e 25677->25692 25678 6541751 25678->25672 25682 654172d 25681->25682 25683 6541731 25681->25683 25682->25672 25685 654191e 2 API calls 25683->25685 25686 6541938 2 API calls 25683->25686 25684 6541751 25684->25672 25685->25684 25686->25684 25688 6541940 25687->25688 25690 28cedef CreateWindowExW CreateWindowExW 25688->25690 25691 28cee00 CreateWindowExW CreateWindowExW 25688->25691 25689 654195e 25689->25678 25690->25689 25691->25689 25693 6541938 25692->25693 25695 28cedef CreateWindowExW CreateWindowExW 25693->25695 25696 28cee00 CreateWindowExW CreateWindowExW 25693->25696 25694 654195e 25694->25678 25695->25694 25696->25694 25764 28cb6d0 25765 28cb6d4 25764->25765 25769 28cbc88 25765->25769 25772 28cbc98 25765->25772 25766 28cb7e5 25775 28ca14c 25769->25775 25773 28cbcc6 25772->25773 25774 28ca14c DuplicateHandle 25772->25774 25773->25766 25774->25773 25776 28cbd00 DuplicateHandle 25775->25776 25778 28cbcc6 25776->25778 25778->25766 25779 6543488 25780 6543491 25779->25780 25784 65434d8 25780->25784 25789 65434c8 25780->25789 25781 65434c2 25785 65434dd 25784->25785 25794 
6543510 25785->25794 25802 6543500 25785->25802 25786 65434f4 25786->25781 25790 65434d8 25789->25790 25792 6543510 3 API calls 25790->25792 25793 6543500 3 API calls 25790->25793 25791 65434f4 25791->25781 25792->25791 25793->25791 25795 654352e 25794->25795 25796 6543556 25795->25796 25797 65435c5 25795->25797 25810 6543618 25795->25810 25814 6543609 25795->25814 25818 6543b00 25796->25818 25822 6543af1 25796->25822 25797->25786 25804 654352e 25802->25804 25803 6543556 25808 6543b00 KiUserExceptionDispatcher 25803->25808 25809 6543af1 KiUserExceptionDispatcher 25803->25809 25804->25803 25805 65435c5 25804->25805 25806 6543618 DnsQuery_A 25804->25806 25807 6543609 DnsQuery_A 25804->25807 25805->25786 25806->25804 25807->25804 25808->25805 25809->25805 25811 6543641 25810->25811 25826 6541b7c 25811->25826 25815 6543641 25814->25815 25816 6541b7c DnsQuery_A 25815->25816 25817 6543682 25816->25817 25817->25795 25819 6543bd4 25818->25819 25820 6543b2a KiUserExceptionDispatcher 25818->25820 25819->25797 25820->25819 25824 6543b00 25822->25824 25823 6543bd4 25823->25797 25824->25823 25825 6543b87 KiUserExceptionDispatcher 25824->25825 25825->25823 25827 6543890 DnsQuery_A 25826->25827 25829 65439ca 25827->25829 25834 28c92f0 25835 28c92ff 25834->25835 25837 28c93e8 25834->25837 25838 28c93fb 25837->25838 25839 28c9413 25838->25839 25845 28c9660 25838->25845 25849 28c9670 25838->25849 25839->25835 25840 28c940b 25840->25839 25841 28c9610 GetModuleHandleW 25840->25841 25842 28c963d 25841->25842 25842->25835 25846 28c9684 25845->25846 25847 28c96a9 25846->25847 25853 28c8768 25846->25853 25847->25840 25850 28c9684 25849->25850 25851 28c96a9 25850->25851 25852 28c8768 LoadLibraryExW 25850->25852 25851->25840 25852->25851 25854 28c9850 LoadLibraryExW 25853->25854 25856 28c98c9 25854->25856 25856->25847

                                      Control-flow Graph (rendering not reproduced): entry block 6543c40-6543cea, calls LdrInitializeThunk; recursive calls to 6543c40 and 6543c2f
                                      APIs
                                      • LdrInitializeThunk.NTDLL(00000001), ref: 06543CC4
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.830195037.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_6540000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 1d2203c13d277a8ec419d97b114cbf42ae3e51f7367290e4ac9a7ffafeb6db24
                                      • Instruction ID: 6ff45d72bb4c9726a9dd44243909838803d994a8d9722204be5e4f43711b5806
                                      • Opcode Fuzzy Hash: 1d2203c13d277a8ec419d97b114cbf42ae3e51f7367290e4ac9a7ffafeb6db24
                                      • Instruction Fuzzy Hash: 4F317C34A00314DFD754EB7AD4416AEBBF6BF89704B50887DE5069B760DA36E842CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph (rendering not reproduced): entry block 28cfaa0-28cfb60, calls 28cda04; CreateWindowExW in block 28cfc7b-28cfd1a
                                      APIs
                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 028CFD0A
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.806583622.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_28c0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: CreateWindow
                                      • String ID:
                                      • API String ID: 716092398-0
                                      • Opcode ID: 9d30ec32431066fab4dc95c92fb5fcc39d643ea69e08fc16c808b9c712d6c5f6
                                      • Instruction ID: 4b5027ef2c1f67d7093da1ffdc4c323d74eb39fc96cca52692a25300546763f9
                                      • Opcode Fuzzy Hash: 9d30ec32431066fab4dc95c92fb5fcc39d643ea69e08fc16c808b9c712d6c5f6
                                      • Instruction Fuzzy Hash: BB919A75C09389DFDB16CFA5D8949C9BFB1FF0A300F1A808BE844AB162D7349959CB21
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph (rendering not reproduced): entry block 65437d8-65437f4; DnsQuery_A in block 6543977-65439c8
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.830195037.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_6540000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a071d89fc091f098e383ede6330aab53ede4404a20278f8c877a3fdc5377759a
                                      • Instruction ID: fa045cf937caad0abd24b4eeb4f43c8d475a0b96631031f8652909a8e0889b9c
                                      • Opcode Fuzzy Hash: a071d89fc091f098e383ede6330aab53ede4404a20278f8c877a3fdc5377759a
                                      • Instruction Fuzzy Hash: 998168B1D002099FDF54DFAAC8806DEFBB5FF48314F20856AD815AB250DB749945CF91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph (rendering not reproduced): entry block 28c93e8-28c93fd, calls 28c8704; further calls to 28c9660/28c9670, 28c8710, 28c8720, 28c8730, 28c8740 and 28c9958/28c9968; GetModuleHandleW in block 28c9610-28c963b
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 028C962E
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.806583622.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_28c0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      • Opcode ID: 2c40d692d9e619d8ca69a4658df3fda13099b2b407af4bd5d3f04f1c2b2c513c
                                      • Instruction ID: 7ffb397e4c87b786b3449ee76b98e7bd6a7761d2e3e787f7894ac3c83b000e93
                                      • Opcode Fuzzy Hash: 2c40d692d9e619d8ca69a4658df3fda13099b2b407af4bd5d3f04f1c2b2c513c
                                      • Instruction Fuzzy Hash: 707114B8A00B058FD724DF2AD04476ABBF5FF88314F108A6ED48AD7A50E734E945CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph (rendering not reproduced): entry block 6543884-6543903; DnsQuery_A in block 6543977-65439c8
                                      APIs
                                      • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 065439B8
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.830195037.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_6540000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: Query_
                                      • String ID:
                                      • API String ID: 428220571-0
                                      • Opcode ID: 1cf416326a007824d4cd62ec12203746afb0044541ad6c8468e5feb024ecb346
                                      • Instruction ID: ac9394ae86bfb70dc8dfb05c21334eb69d0db24efdc5c862672453deb2f852dc
                                      • Opcode Fuzzy Hash: 1cf416326a007824d4cd62ec12203746afb0044541ad6c8468e5feb024ecb346
                                      • Instruction Fuzzy Hash: BF5144B1D006589FDF54DFAAC980ADEBBB1FF48314F24802AE814BB250DB749885CF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph (rendering not reproduced): entry block 6541b7c-6543903; DnsQuery_A in block 654393c-65439c8
                                      APIs
                                      • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 065439B8
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.830195037.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_6540000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: Query_
                                      • String ID:
                                      • API String ID: 428220571-0
                                      • Opcode ID: 82791345cdaade680f4e2133a269c88c45fda2b6d8ae6632f48c14f284fe3eab
                                      • Instruction ID: c1fbeddbf608ec9255c0efb5976cad7f26303cfe8ca4424ef181b074addbc3ca
                                      • Opcode Fuzzy Hash: 82791345cdaade680f4e2133a269c88c45fda2b6d8ae6632f48c14f284fe3eab
                                      • Instruction Fuzzy Hash: 015145B1D006589FDF54DFAAC880ADEBBB1FF48314F20842AE814BB250DB749885CF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph (rendering not reproduced): entry block 28cd9e8-28cd9f2; CreateWindowExW in block 28cfcbb-28cfd1a
                                      APIs
                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 028CFD0A
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.806583622.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_28c0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: CreateWindow
                                      • String ID:
                                      • API String ID: 716092398-0
                                      • Opcode ID: f3758d31796cffed7083ba05d137995c1b99b65c711de9f941e88092afaaeabd
                                      • Instruction ID: 6c11d4d6b8b874b4eb857ed1b4ccb8cfb8d3ca6a5924ac1f9db45a913b5d6166
                                      • Opcode Fuzzy Hash: f3758d31796cffed7083ba05d137995c1b99b65c711de9f941e88092afaaeabd
                                      • Instruction Fuzzy Hash: 865122B5D003489FEB14CFA9C880ADEBFB6BF59314F24812AE509AB210D774A845CF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph (rendering not reproduced): entry block 28cda04-28cfc5e; CreateWindowExW in block 28cfc7b-28cfd1a
                                      APIs
                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 028CFD0A
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.806583622.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_28c0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: CreateWindow
                                      • String ID:
                                      • API String ID: 716092398-0
                                      • Opcode ID: 44d299e09ba383c7375c4bad617fd37bdbc474483782cd2803ab739912ff902e
                                      • Instruction ID: 327bdabfbe1d56721497f8b4c6cb4311a286c45c7a6f1980ec8d496e1beade8c
                                      • Opcode Fuzzy Hash: 44d299e09ba383c7375c4bad617fd37bdbc474483782cd2803ab739912ff902e
                                      • Instruction Fuzzy Hash: 7851C2B5D00309DFEB14CFA9C884ADEBBB6BF58314F24812AE519AB210D774A845CF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph (rendering not reproduced): entry block 6543c2f-6543cea, calls LdrInitializeThunk; recursive calls to 6543c40 and 6543c2f
                                      APIs
                                      • LdrInitializeThunk.NTDLL(00000001), ref: 06543CC4
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.830195037.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_6540000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: ee390ab109113de4359ec56cef4d60726f52b06a2b0e7d7a3fb5316ce0906f3e
                                      • Instruction ID: 2e62432c5c12146fbbb934284f8bec81dba496c851278f75709f501e911deb21
                                      • Opcode Fuzzy Hash: ee390ab109113de4359ec56cef4d60726f52b06a2b0e7d7a3fb5316ce0906f3e
                                      • Instruction Fuzzy Hash: 7A31A030A002149FDB50EB6AC8416AEBBF2FF89704B54887DE406E7790EA35E841CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph (rendering not reproduced): entry block 28cfe03-28cfe17; calls 28cda3c, 28cfe10 and 28cfe03; SetWindowLongW in block 28cfe28-28cfeaa
                                      APIs
                                      • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,028CFE28,?,?,?,?), ref: 028CFE9D
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.806583622.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_28c0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: LongWindow
                                      • String ID:
                                      • API String ID: 1378638983-0
                                      • Opcode ID: 40c92fae7f1854e21b8183d94aeb098560da944ae776312900b1ca089101edbd
                                      • Instruction ID: 0ee0219df58e5bf329811d8335dae7b8fafbb0e9c0865d8a75150d5f9a37b3e4
                                      • Opcode Fuzzy Hash: 40c92fae7f1854e21b8183d94aeb098560da944ae776312900b1ca089101edbd
                                      • Instruction Fuzzy Hash: DD219AB9804248DFDB11DFA9E584BCEBFF5EF58314F24804AE548AB212D734A904CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph (rendering not reproduced): entry block 6543b00-6543b24; KiUserExceptionDispatcher in block 6543b87-6543b98
                                      APIs
                                      • KiUserExceptionDispatcher.NTDLL(?), ref: 06543B92
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.830195037.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_6540000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: DispatcherExceptionUser
                                      • String ID:
                                      • API String ID: 6842923-0
                                      • Opcode ID: fc4c3b762e1cee700377c7774eff82153923ad49e7336f4f77492d6427cb182a
                                      • Instruction ID: 2c39e9d68fd739547aa774aa5d9e1c197fe0315149a70579c856582006d76616
                                      • Opcode Fuzzy Hash: fc4c3b762e1cee700377c7774eff82153923ad49e7336f4f77492d6427cb182a
                                      • Instruction Fuzzy Hash: 8E11A230A04914DFCB94FF6AC44067EB7B5FF88619B5084AED40A97250DB30AD02CBD1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph (rendering not reproduced): entry block 28cbcf9-28cbcfe; DuplicateHandle in block 28cbd04-28cbd94
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,028CBCC6,?,?,?,?,?), ref: 028CBD87
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.806583622.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_28c0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: d6dacc4074d47406620694c8cf864da5e34de02fed36bfb2dd28bc9dd6766d8e
                                      • Instruction ID: 75c6e4651e581d87d45aaae5e8a256ce5a1e127b3f000f2a28583babb415ebca
                                      • Opcode Fuzzy Hash: d6dacc4074d47406620694c8cf864da5e34de02fed36bfb2dd28bc9dd6766d8e
                                      • Instruction Fuzzy Hash: 0621E6B9D006189FDB10CFAAD584ADEBFF8EB58324F14845AE954A3310D778A944CFA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph (rendering not reproduced): entry block 28ca14c-28cbd94, calls DuplicateHandle
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,028CBCC6,?,?,?,?,?), ref: 028CBD87
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.806583622.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_28c0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: 9e23788071247d17cfbbb80d3e12790808951548440d3f5354a23ab7005bc5e1
                                      • Instruction ID: 741f9fd91d62a26376a5351eb7767241d61d4eda63e79bdb70db7d080c85054b
                                      • Opcode Fuzzy Hash: 9e23788071247d17cfbbb80d3e12790808951548440d3f5354a23ab7005bc5e1
                                      • Instruction Fuzzy Hash: 5D21E9B5D006189FDB10CF9AD584ADEBFF8EB48324F14845AE954B3310D374A944CFA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph (rendering not reproduced): entry block 6543af1-6543b24; KiUserExceptionDispatcher in block 6543b87-6543b98
                                      APIs
                                      • KiUserExceptionDispatcher.NTDLL(?), ref: 06543B92
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.830195037.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_6540000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: DispatcherExceptionUser
                                      • String ID:
                                      • API String ID: 6842923-0
                                      • Opcode ID: b1793d33c6d58beaa3a6112e3f7b6e5b4fbfa15b22db8e7a6b8dcf29052b580c
                                      • Instruction ID: bf99bd83e4a40b97f63bdc82a74f66b7b9e6b7327f33682b8c4f9476e48c9369
                                      • Opcode Fuzzy Hash: b1793d33c6d58beaa3a6112e3f7b6e5b4fbfa15b22db8e7a6b8dcf29052b580c
                                      • Instruction Fuzzy Hash: 5D119E70A05904DFDB94EF5AC580BBAFBB4FF48319B6085AED40A93210DB35A942CFD1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,028C96A9,00000800,00000000,00000000), ref: 028C98BA
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.806583622.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_28c0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      • Opcode ID: fcb61924bbeaf57c2d462a6447770986deb57bf829384bfe1678606d6b016a3c
                                      • Instruction ID: 623f74567915ff68659778913d4f435c85bcc410ba234fddbe3966400a03b913
                                      • Opcode Fuzzy Hash: fcb61924bbeaf57c2d462a6447770986deb57bf829384bfe1678606d6b016a3c
                                      • Instruction Fuzzy Hash: 341117BAD042099FDB10CF9AC444ADEFBF8EF58324F24846EE519A7600C374A545CFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,028C96A9,00000800,00000000,00000000), ref: 028C98BA
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.806583622.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_28c0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      • Opcode ID: 3c86279b9fc1422cd48431af148d5a762caa388450300c2ae7cc3845c5b1f3d2
                                      • Instruction ID: c35fdc4426dbf617631696edd05c8a01e28e0f0ff3e9e846326dcbff9bfa48a0
                                      • Opcode Fuzzy Hash: 3c86279b9fc1422cd48431af148d5a762caa388450300c2ae7cc3845c5b1f3d2
                                      • Instruction Fuzzy Hash: E81114BAD042099FDB10CF9AC544AEEFBF8EB58324F14846EE519B7600C374A945CFA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 028C962E
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.806583622.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_28c0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      • Opcode ID: 6cda987c29f4775e9015f513b85d7e17114c7477e0369f3b3e7493ec5b5f0aab
                                      • Instruction ID: 52ac20c7ddd5995c9d79672ab1dcd347e0bb77c86329d3a026aa4737c2db863e
                                      • Opcode Fuzzy Hash: 6cda987c29f4775e9015f513b85d7e17114c7477e0369f3b3e7493ec5b5f0aab
                                      • Instruction Fuzzy Hash: 771110BAD006498FDB10DF9AC544ADEFBF8EF88324F20845AD459A7640D378A545CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,028CFE28,?,?,?,?), ref: 028CFE9D
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.806583622.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_28c0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: LongWindow
                                      • String ID:
                                      • API String ID: 1378638983-0
                                      • Opcode ID: dbc0acbd495484f5bbf6af517af811c09f22d810d2db5ccf42ccd2d5377994db
                                      • Instruction ID: 4efcd42690acabae8999bb205539b0dc4f5d1b11bcd73675fb8cd2f0d42e6f80
                                      • Opcode Fuzzy Hash: dbc0acbd495484f5bbf6af517af811c09f22d810d2db5ccf42ccd2d5377994db
                                      • Instruction Fuzzy Hash: 26114CB99002089FDB10CF9AC584BDFBBF8EB58324F20845AE918B7700C374A944CFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000003.00000002.805403981.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_ccd000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1b50e0d669b85d1ad2912ef744899ae17d551a44e450fa9802e78ef70c0f0aea
                                      • Instruction ID: 7b13b6e0c85eb76412f096894a203048999f4b926cd6ac8320ea9a6d2acea49b
                                      • Opcode Fuzzy Hash: 1b50e0d669b85d1ad2912ef744899ae17d551a44e450fa9802e78ef70c0f0aea
                                      • Instruction Fuzzy Hash: F521F275604240EFDB15DF18D9C0F26BBA5FB84324F24C5BDE84A4B246C33AD847CA62
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000003.00000002.805403981.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_ccd000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6bf45bcd59d210e8ec1040e452d813014d37bb5121344d681dfbf097566acdee
                                      • Instruction ID: 28d9ac83c4aaf94d45772666f8682b21617b9b635ac0cab283d85ab8afe92aae
                                      • Opcode Fuzzy Hash: 6bf45bcd59d210e8ec1040e452d813014d37bb5121344d681dfbf097566acdee
                                      • Instruction Fuzzy Hash: E42183755093C09FD712CF24D590B15BF71EB46314F28C5EED8898B657C33A980ACB62
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Execution Graph

                                      Execution Coverage:11.7%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:0%
                                      Total number of Nodes:75
                                      Total number of Limit Nodes:7
execution_graph 24035 29bb938 DuplicateHandle 24036 29bb9ce 24035->24036 24037 29bfd78 24038 29bfde0 CreateWindowExW 24037->24038 24040 29bfe9c 24038->24040 23978 6c4c840 23979 6c4c88b ReadProcessMemory 23978->23979 23981 6c4c8cf 23979->23981 24041 6c4c720 24042 6c4c768 WriteProcessMemory 24041->24042 24044 6c4c7bf 24042->24044 23982 29b40d0 23983 29b40e2 23982->23983 23984 29b40ee 23983->23984 23986 29b41e0 23983->23986 23987 29b4205 23986->23987 23991 29b42d1 23987->23991 23995 29b42e0 23987->23995 23992 29b4307 23991->23992 23994 29b43e4 23992->23994 23999 29b3de4 23992->23999 23997 29b4307 23995->23997 23996 29b43e4 23996->23996 23997->23996 23998 29b3de4 CreateActCtxA 23997->23998 23998->23996 24000 29b5370 CreateActCtxA 23999->24000 24002 29b5433 24000->24002 24003 29b9210 24006 29b92f9 24003->24006 24004 29b921f 24007 29b931b 24006->24007 24008 29b932b 24007->24008 24011 29b9989 24007->24011 24015 29b9998 24007->24015 24008->24004 24012 29b99ac 24011->24012 24013 29b99d1 24012->24013 24019 29b94f8 24012->24019 24013->24008 24016 29b99ac 24015->24016 24017 29b99d1 24016->24017 24018 29b94f8 LoadLibraryExW 24016->24018 24017->24008 24018->24017 24020 29b9b78 LoadLibraryExW 24019->24020 24022 29b9bf1 24020->24022 24022->24013 24023 29bb710 GetCurrentProcess 24024 29bb78a GetCurrentThread 24023->24024 24026 29bb783 24023->24026 24025 29bb7c7 GetCurrentProcess 24024->24025 24027 29bb7c0 24024->24027 24030 29bb7fd 24025->24030 24026->24024 24027->24025 24028 29bb825 GetCurrentThreadId 24029 29bb856 24028->24029 24030->24028 24045 29b98f0 24046 29b9938 GetModuleHandleW 24045->24046 24047 29b9932 24045->24047 24048 29b9965 24046->24048 24047->24046 24049 95f9ab0 FindCloseChangeNotification 24050 95f9b17 24049->24050 24051 6c4c5f0 24052 6c4c5f5 24051->24052 24053 6c4c5fe 24052->24053 24055 6c4c65e 24052->24055 24056 6c4c670 VirtualAllocEx 24055->24056 24058 6c4c6ad 24056->24058 24059 95f8268 24060 95f83f3 24059->24060 24061 95f828e 24059->24061 24061->24060 24063 95f84e8 PostMessageW 24061->24063 24064 95f8554 24063->24064 24064->24061 24031 6c4ba98 24032 6c4bad8 ResumeThread 24031->24032 24034 6c4bb09 24032->24034 24065 6c4bb78 24066 6c4bbbd SetThreadContext 24065->24066 24068 6c4bc05 24066->24068 24069 6c4ca38 24070 6c4cac1 CreateProcessA 24069->24070 24072 6c4cc83 24070->24072 24072->24072
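
The execution graph above is the serialized form of the report's call graph: every node is written as `id address [ApiName]` and every edge as `a->b`. The following Python is an added example, not part of the Joe Sandbox report or its tooling. It parses that serialization, recovers which API each root function reaches, and flags the process-injection API set that the signatures section attributes to process 8 (CreateProcessA, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread). The embedded graph text is a constructed excerpt of the graph above; the token layout rules and the indicator API set are my assumptions about the format, not a Joe Sandbox definition.

```python
import re
from collections import defaultdict

# Constructed excerpt of the execution_graph shown above, in the same
# serialization: "id address [ApiName]" node tokens and "a->b" edge tokens.
SAMPLE_GRAPH = (
    "execution_graph 24035 29bb938 DuplicateHandle 24036 29bb9ce 24035->24036 "
    "23978 6c4c840 23979 6c4c88b ReadProcessMemory 23978->23979 23981 6c4c8cf 23979->23981 "
    "24041 6c4c720 24042 6c4c768 WriteProcessMemory 24041->24042 24044 6c4c7bf 24042->24044 "
    "24051 6c4c5f0 24052 6c4c5f5 24051->24052 24053 6c4c5fe 24052->24053 24055 6c4c65e 24052->24055 "
    "24056 6c4c670 VirtualAllocEx 24055->24056 24058 6c4c6ad 24056->24058 "
    "24031 6c4ba98 24032 6c4bad8 ResumeThread 24031->24032 24034 6c4bb09 24032->24034 "
    "24065 6c4bb78 24066 6c4bbbd SetThreadContext 24065->24066 24068 6c4bc05 24066->24068 "
    "24069 6c4ca38 24070 6c4cac1 CreateProcessA 24069->24070 24072 6c4cc83 24070->24072 24072->24072"
)

ID_RE = re.compile(r"^\d+$")            # node ids are decimal
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")  # edges are "src->dst"

# Assumed indicator set for the injection pattern the report describes
# (suspended child, remote allocation, write, context swap, resume).
SPAWN_APIS = {"CreateProcessA", "CreateProcessW"}
INJECT_APIS = {"VirtualAllocEx", "WriteProcessMemory", "SetThreadContext", "ResumeThread"}


def parse_execution_graph(text):
    """Return (nodes, edges). nodes: id -> {"addr": hex str, "apis": [names]}.

    Tokens are split on any whitespace, so a line-wrapped dump parses the
    same as the single-line original. A decimal token starts a node and the
    next token is its address; later non-edge tokens are API names attached
    to that node.
    """
    nodes, edges, cur = {}, [], None
    toks = text.split()
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok == "execution_graph":
            i += 1
            continue
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            cur = None
            i += 1
            continue
        if ID_RE.match(tok):
            cur = int(tok)
            addr = toks[i + 1] if i + 1 < len(toks) else ""
            nodes[cur] = {"addr": addr.lower(), "apis": []}
            i += 2
            continue
        if cur is not None:
            nodes[cur]["apis"].append(tok)
        i += 1
    return nodes, edges


def call_chains(nodes, edges):
    """Map each root function's address to the APIs reachable from it."""
    succ, has_pred = defaultdict(list), set()
    for a, b in edges:
        if a == b:          # self-loops carry no reachability information
            continue
        succ[a].append(b)
        has_pred.add(b)
    chains = {}
    for root in nodes:
        if root in has_pred:
            continue
        seen, order, stack = set(), [], [root]
        while stack:           # depth-first walk, left-most successor first
            n = stack.pop()
            if n in seen:
                continue
            seen.add(n)
            order.extend(nodes.get(n, {}).get("apis", []))
            stack.extend(reversed(succ[n]))
        chains[nodes[root]["addr"]] = order
    return chains


def hollowing_indicators(nodes):
    """APIs from the indicator set that appear anywhere in the graph."""
    present = {api for n in nodes.values() for api in n["apis"]}
    return present & (SPAWN_APIS | INJECT_APIS)


def flags_process_hollowing(text):
    """True when a process spawn plus the full inject/resume set is present."""
    nodes, _ = parse_execution_graph(text)
    found = hollowing_indicators(nodes)
    return INJECT_APIS <= found and bool(found & SPAWN_APIS)


if __name__ == "__main__":
    nodes, edges = parse_execution_graph(SAMPLE_GRAPH)
    for addr, apis in call_chains(nodes, edges).items():
        print(f"{addr}: {' -> '.join(apis) or '(no API)'}")
    print("process hollowing indicators:", flags_process_hollowing(SAMPLE_GRAPH))
```

The graph groups calls by function and carries no timing, so this is a set-based indicator only. The order that actually distinguishes hollowing from a benign debugger (the suspended CreateProcessA first, WriteProcessMemory into the child, ResumeThread last) has to come from the API call trace, not from this graph; the per-function chains above show which function owns each call so the trace can be mapped back to the dumped code at 06C40000.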

                                      Control-flow Graph

                                      APIs
                                      • GetCurrentProcess.KERNEL32 ref: 029BB770
                                      • GetCurrentThread.KERNEL32 ref: 029BB7AD
                                      • GetCurrentProcess.KERNEL32 ref: 029BB7EA
                                      • GetCurrentThreadId.KERNEL32 ref: 029BB843
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.590903004.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_29b0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: Current$ProcessThread
                                      • String ID:
                                      • API String ID: 2063062207-0
                                      • Opcode ID: a839aa28d64f81e42afa5362b8343f4e589f781a456d981996ab3817620c3e86
                                      • Instruction ID: ae2ba0b753022a7b7fab9c56715ee412a2db127aa7596c5e954bf37f5a988b2e
                                      • Opcode Fuzzy Hash: a839aa28d64f81e42afa5362b8343f4e589f781a456d981996ab3817620c3e86
                                      • Instruction Fuzzy Hash: 5F5167B4D006488FDB11CFAAD6987EEBBF1AF48308F248599E459A3B90D7345844CF65
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      • GetCurrentProcess.KERNEL32 ref: 029BB770
                                      • GetCurrentThread.KERNEL32 ref: 029BB7AD
                                      • GetCurrentProcess.KERNEL32 ref: 029BB7EA
                                      • GetCurrentThreadId.KERNEL32 ref: 029BB843
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.590903004.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_29b0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: Current$ProcessThread
                                      • String ID:
                                      • API String ID: 2063062207-0
                                      • Opcode ID: 3f01b7c876b4556fdbf3ffad20c4ae4ef3c74b1a0a507508867de802b74777dd
                                      • Instruction ID: 2cdd83564a9ca650391342dac6d87b734d2db2445475547b6a11db34fbac95ff
                                      • Opcode Fuzzy Hash: 3f01b7c876b4556fdbf3ffad20c4ae4ef3c74b1a0a507508867de802b74777dd
                                      • Instruction Fuzzy Hash: 7A5154B4D006488FDB10CFAAD688BDEBBF5BF48318F208599E419A3B90D7345884CF65
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 192 6c4ca2c-6c4cacd 194 6c4cb06-6c4cb26 192->194 195 6c4cacf-6c4cad9 192->195 200 6c4cb5f-6c4cb8e 194->200 201 6c4cb28-6c4cb32 194->201 195->194 196 6c4cadb-6c4cadd 195->196 198 6c4cb00-6c4cb03 196->198 199 6c4cadf-6c4cae9 196->199 198->194 202 6c4caed-6c4cafc 199->202 203 6c4caeb 199->203 211 6c4cbc7-6c4cc81 CreateProcessA 200->211 212 6c4cb90-6c4cb9a 200->212 201->200 204 6c4cb34-6c4cb36 201->204 202->202 205 6c4cafe 202->205 203->202 206 6c4cb38-6c4cb42 204->206 207 6c4cb59-6c4cb5c 204->207 205->198 209 6c4cb44 206->209 210 6c4cb46-6c4cb55 206->210 207->200 209->210 210->210 213 6c4cb57 210->213 223 6c4cc83-6c4cc89 211->223 224 6c4cc8a-6c4cd10 211->224 212->211 214 6c4cb9c-6c4cb9e 212->214 213->207 216 6c4cba0-6c4cbaa 214->216 217 6c4cbc1-6c4cbc4 214->217 218 6c4cbac 216->218 219 6c4cbae-6c4cbbd 216->219 217->211 218->219 219->219 220 6c4cbbf 219->220 220->217 223->224 234 6c4cd20-6c4cd24 224->234 235 6c4cd12-6c4cd16 224->235 237 6c4cd34-6c4cd38 234->237 238 6c4cd26-6c4cd2a 234->238 235->234 236 6c4cd18 235->236 236->234 240 6c4cd48-6c4cd4c 237->240 241 6c4cd3a-6c4cd3e 237->241 238->237 239 6c4cd2c 238->239 239->237 243 6c4cd5e-6c4cd65 240->243 244 6c4cd4e-6c4cd54 240->244 241->240 242 6c4cd40 241->242 242->240 245 6c4cd67-6c4cd76 243->245 246 6c4cd7c 243->246 244->243 245->246 248 6c4cd7d 246->248 248->248
                                      APIs
                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06C4CC6E
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.600301219.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_6c40000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: CreateProcess
                                      • String ID:
                                      • API String ID: 963392458-0
                                      • Opcode ID: 68e4193e41b8e82c0c289e47b8da41f066ebc0381e4ac8b33effde26d2aee8c8
                                      • Instruction ID: 9be6d828c326aaef10fb19859014a1c123995017f86d34ed0cd2dada80c676e5
                                      • Opcode Fuzzy Hash: 68e4193e41b8e82c0c289e47b8da41f066ebc0381e4ac8b33effde26d2aee8c8
                                      • Instruction Fuzzy Hash: 7FA17C71D012198FDF54DFA8C881BEEBBB2BF48314F1485A9D809A7290DB749A85CF91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 249 6c4ca38-6c4cacd 251 6c4cb06-6c4cb26 249->251 252 6c4cacf-6c4cad9 249->252 257 6c4cb5f-6c4cb8e 251->257 258 6c4cb28-6c4cb32 251->258 252->251 253 6c4cadb-6c4cadd 252->253 255 6c4cb00-6c4cb03 253->255 256 6c4cadf-6c4cae9 253->256 255->251 259 6c4caed-6c4cafc 256->259 260 6c4caeb 256->260 268 6c4cbc7-6c4cc81 CreateProcessA 257->268 269 6c4cb90-6c4cb9a 257->269 258->257 261 6c4cb34-6c4cb36 258->261 259->259 262 6c4cafe 259->262 260->259 263 6c4cb38-6c4cb42 261->263 264 6c4cb59-6c4cb5c 261->264 262->255 266 6c4cb44 263->266 267 6c4cb46-6c4cb55 263->267 264->257 266->267 267->267 270 6c4cb57 267->270 280 6c4cc83-6c4cc89 268->280 281 6c4cc8a-6c4cd10 268->281 269->268 271 6c4cb9c-6c4cb9e 269->271 270->264 273 6c4cba0-6c4cbaa 271->273 274 6c4cbc1-6c4cbc4 271->274 275 6c4cbac 273->275 276 6c4cbae-6c4cbbd 273->276 274->268 275->276 276->276 277 6c4cbbf 276->277 277->274 280->281 291 6c4cd20-6c4cd24 281->291 292 6c4cd12-6c4cd16 281->292 294 6c4cd34-6c4cd38 291->294 295 6c4cd26-6c4cd2a 291->295 292->291 293 6c4cd18 292->293 293->291 297 6c4cd48-6c4cd4c 294->297 298 6c4cd3a-6c4cd3e 294->298 295->294 296 6c4cd2c 295->296 296->294 300 6c4cd5e-6c4cd65 297->300 301 6c4cd4e-6c4cd54 297->301 298->297 299 6c4cd40 298->299 299->297 302 6c4cd67-6c4cd76 300->302 303 6c4cd7c 300->303 301->300 302->303 305 6c4cd7d 303->305 305->305
                                      APIs
                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06C4CC6E
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.600301219.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_6c40000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: CreateProcess
                                      • String ID:
                                      • API String ID: 963392458-0
                                      • Opcode ID: d964b4a8df9d88741b2d573b19d3c0b02081f4701ad15b8f4968f08876374ede
                                      • Instruction ID: 8fc38bff68e43bfc1918534c55c0cc1269c4ebc3adc566850f62c9634fc19630
                                      • Opcode Fuzzy Hash: d964b4a8df9d88741b2d573b19d3c0b02081f4701ad15b8f4968f08876374ede
                                      • Instruction Fuzzy Hash: B6917A71D012198FDF54DFA8C881BEEBBB2BF48314F1485A9D809A7250DB749A85CF91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 557 29bfd78-29bfdde 558 29bfde9-29bfdf0 557->558 559 29bfde0-29bfde6 557->559 560 29bfdfb-29bfe9a CreateWindowExW 558->560 561 29bfdf2-29bfdf8 558->561 559->558 563 29bfe9c-29bfea2 560->563 564 29bfea3-29bfedb 560->564 561->560 563->564 568 29bfee8 564->568 569 29bfedd-29bfee0 564->569 570 29bfee9 568->570 569->568 570->570
                                      APIs
                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 029BFE8A
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.590903004.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_29b0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: CreateWindow
                                      • String ID:
                                      • API String ID: 716092398-0
                                      • Opcode ID: 12401a9b098896b6d2c5c8912a51e1f2ec2d2102323fd1d6d0b7c42742727a3d
                                      • Instruction ID: 20f4e67f39fba3aa807d7e601e63b512dbff4a16f1eb94741b065c521b46a933
                                      • Opcode Fuzzy Hash: 12401a9b098896b6d2c5c8912a51e1f2ec2d2102323fd1d6d0b7c42742727a3d
                                      • Instruction Fuzzy Hash: 2041C2B5D003099FDF15CF99C984ADEBBB5FF48314F24822AE819AB250D7749985CF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 571 29bfd6c-29bfdde 572 29bfde9-29bfdf0 571->572 573 29bfde0-29bfde6 571->573 574 29bfdfb-29bfe33 572->574 575 29bfdf2-29bfdf8 572->575 573->572 576 29bfe3b-29bfe9a CreateWindowExW 574->576 575->574 577 29bfe9c-29bfea2 576->577 578 29bfea3-29bfedb 576->578 577->578 582 29bfee8 578->582 583 29bfedd-29bfee0 578->583 584 29bfee9 582->584 583->582 584->584
                                      APIs
                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 029BFE8A
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.590903004.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_29b0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: CreateWindow
                                      • String ID:
                                      • API String ID: 716092398-0
                                      • Opcode ID: 6ae01fc5af6840ef21a6ea47da3ff249525a6ab655f496a0c568657926a9d063
                                      • Instruction ID: c8c1883a8061ba1ebeb9cdc4680d58aca529274619e861dba6b1efcee3d3c5b3
                                      • Opcode Fuzzy Hash: 6ae01fc5af6840ef21a6ea47da3ff249525a6ab655f496a0c568657926a9d063
                                      • Instruction Fuzzy Hash: B351E2B5D00309DFDF15CF99C980ADDBBB5BF48314F24812AE819AB250D7759985CF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 585 29b3de4-29b5431 CreateActCtxA 588 29b543a-29b5494 585->588 589 29b5433-29b5439 585->589 596 29b54a3-29b54a7 588->596 597 29b5496-29b5499 588->597 589->588 598 29b54a9-29b54b5 596->598 599 29b54b8 596->599 597->596 598->599 601 29b54b9 599->601 601->601
                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 029B5421
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.590903004.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_29b0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0
                                      • Opcode ID: 1848516f938acb4d38e97a345373f0ddebb83cd78e7fa577bf68db5a2678ee42
                                      • Instruction ID: 212432946b2b7a79818c6494e957363540694a1010a28c9f1b7f4f8f49e85818
                                      • Opcode Fuzzy Hash: 1848516f938acb4d38e97a345373f0ddebb83cd78e7fa577bf68db5a2678ee42
                                      • Instruction Fuzzy Hash: 1441F1B1C0021CCBDB25CFA9C994BCEBBB6BF48304F64806AD409BB250DBB56945CF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 602 29b5364-29b5431 CreateActCtxA 604 29b543a-29b5494 602->604 605 29b5433-29b5439 602->605 612 29b54a3-29b54a7 604->612 613 29b5496-29b5499 604->613 605->604 614 29b54a9-29b54b5 612->614 615 29b54b8 612->615 613->612 614->615 617 29b54b9 615->617 617->617
                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 029B5421
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.590903004.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_29b0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0
                                      • Opcode ID: de5f240d25941e7c757db8ca6a8c62a554c796f3777292c9e888bf6f02a86fe4
                                      • Instruction ID: 751ab9db3a89995907b7f8c28bd012a7e3a68b84d150a34b50861fdd59ea9353
                                      • Opcode Fuzzy Hash: de5f240d25941e7c757db8ca6a8c62a554c796f3777292c9e888bf6f02a86fe4
                                      • Instruction Fuzzy Hash: C94112B1C00218CFDB25CFA9C994BDEBBB6BF58304F60806AD409BB250DB755946CF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 618 6c4c719-6c4c71c 619 6c4c765-6c4c76e 618->619 620 6c4c71e-6c4c761 618->620 621 6c4c770-6c4c77c 619->621 622 6c4c77e-6c4c7bd WriteProcessMemory 619->622 620->619 621->622 624 6c4c7c6-6c4c7f6 622->624 625 6c4c7bf-6c4c7c5 622->625 625->624
                                      APIs
                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06C4C7B0
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.600301219.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_6c40000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: MemoryProcessWrite
                                      • String ID:
                                      • API String ID: 3559483778-0
                                      • Opcode ID: bc88cac741bc19847a62ffa036289a12a2ab78096cb090820d513091a19b3ba5
                                      • Instruction ID: edab9af0ab1cb681eff6d5c8bee1b9f21cf411bcd0f72ac14a86c66975f232b2
                                      • Opcode Fuzzy Hash: bc88cac741bc19847a62ffa036289a12a2ab78096cb090820d513091a19b3ba5
                                      • Instruction Fuzzy Hash: E32124B1D013499FCB50DFA9C984BEEBBF5FF48314F14842AE958A7250D7789A44CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 629 6c4c720-6c4c76e 631 6c4c770-6c4c77c 629->631 632 6c4c77e-6c4c7bd WriteProcessMemory 629->632 631->632 634 6c4c7c6-6c4c7f6 632->634 635 6c4c7bf-6c4c7c5 632->635 635->634
                                      APIs
                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06C4C7B0
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.600301219.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_6c40000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: MemoryProcessWrite
                                      • String ID:
                                      • API String ID: 3559483778-0
                                      • Opcode ID: 6f8670ad727c4b178ea8f255ff0e34be7ce2393662d0633208103ecb18c5d194
                                      • Instruction ID: cafe690c8414d9dd77d147b412c5ab06676220622218bd2e91eb45dfa1b91fed
                                      • Opcode Fuzzy Hash: 6f8670ad727c4b178ea8f255ff0e34be7ce2393662d0633208103ecb18c5d194
                                      • Instruction Fuzzy Hash: 272126B5D013199FCB50DFAAC8847EEBBF5FF48314F10842AE918A7250D778A954CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 639 6c4c838-6c4c8cd ReadProcessMemory 643 6c4c8d6-6c4c906 639->643 644 6c4c8cf-6c4c8d5 639->644 644->643
                                      APIs
                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06C4C8C0
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.600301219.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_6c40000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: MemoryProcessRead
                                      • String ID:
                                      • API String ID: 1726664587-0
                                      • Opcode ID: bacfa2ea32330577233551312634dfa09fd939678b345b0667a805b6588928b9
                                      • Instruction ID: 0119782b594365b6d0132d8c58a532d048a6d6ed483ea50fd517026cfca6f339
                                      • Opcode Fuzzy Hash: bacfa2ea32330577233551312634dfa09fd939678b345b0667a805b6588928b9
                                      • Instruction Fuzzy Hash: 712136B1D012499FCB10DFAAD984BEEBBF5FF48310F50842AE558A7250D7789944CBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 648 6c4bb71-6c4bbc3 651 6c4bbc5-6c4bbd1 648->651 652 6c4bbd3-6c4bc03 SetThreadContext 648->652 651->652 654 6c4bc05-6c4bc0b 652->654 655 6c4bc0c-6c4bc3c 652->655 654->655
                                      APIs
                                      • SetThreadContext.KERNELBASE(?,00000000), ref: 06C4BBF6
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.600301219.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_6c40000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: ContextThread
                                      • String ID:
                                      • API String ID: 1591575202-0
                                      • Opcode ID: 23979f0955a8ba07d737d91f34508751780fad723122971ee96e1869b5cf1cf3
                                      • Instruction ID: a2e32eacfdf502ef3121e0e06a79686af0aeec3b6a3894974a6efa3a339115d2
                                      • Opcode Fuzzy Hash: 23979f0955a8ba07d737d91f34508751780fad723122971ee96e1869b5cf1cf3
                                      • Instruction Fuzzy Hash: 3B213971D003099FCB50DFAAC9847EEBBF4EF48324F54842ED459A7241DB789945CBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SetThreadContext.KERNELBASE(?,00000000), ref: 06C4BBF6
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.600301219.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_6c40000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: ContextThread
                                      • String ID:
                                      • API String ID: 1591575202-0
                                      • Opcode ID: 6d68290303a36dcfeef3b5805c2333d097efe4d821180c005be418178ed0ab0e
                                      • Instruction ID: ce2e7470e75fdb5ee96f10e22f9dab2a1f41f79cd1396ec03a598ffa073a4d6d
                                      • Opcode Fuzzy Hash: 6d68290303a36dcfeef3b5805c2333d097efe4d821180c005be418178ed0ab0e
                                      • Instruction Fuzzy Hash: 70211871D003098FCB50DFAAC5847EEBBF4EF48324F54842AD459A7241DB78A945CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06C4C8C0
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.600301219.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_6c40000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: MemoryProcessRead
                                      • String ID:
                                      • API String ID: 1726664587-0
                                      • Opcode ID: 4a96c0db08498e392fd126465d5f6478189f44565e818d161908c69daebbcfcb
                                      • Instruction ID: 5d74f03fc24a1a72e0b9c1a40001835e75dc60ea750bb18fdbdf81158977482a
                                      • Opcode Fuzzy Hash: 4a96c0db08498e392fd126465d5f6478189f44565e818d161908c69daebbcfcb
                                      • Instruction Fuzzy Hash: E12128B1D002199FCB10DFAAC8807EEBBF5FF48310F50842AE518A7250D7789944CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 029BB9BF
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.590903004.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_29b0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: 02b518c22f56e455abe819d1324450483be4ffaedf78e8195559cb4ec94df3d8
                                      • Instruction ID: 165aa8525d37fe3120d7dde5e956c45e123f3ef373945af8c0c04be015894921
                                      • Opcode Fuzzy Hash: 02b518c22f56e455abe819d1324450483be4ffaedf78e8195559cb4ec94df3d8
                                      • Instruction Fuzzy Hash: 3D21E0B5D002589FDB10CFAAD584AEEBFF9EF58324F14845AE855A3350D378A944CFA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 029BB9BF
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.590903004.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_29b0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: 57caa957df60527304e7a5574f92a28552c952a7f4744cb6718b8c16f0db6207
                                      • Instruction ID: c850047196e04b3b501414ffcb29c4e42df862160799ba32fa4377ff00c2cd75
                                      • Opcode Fuzzy Hash: 57caa957df60527304e7a5574f92a28552c952a7f4744cb6718b8c16f0db6207
                                      • Instruction Fuzzy Hash: A721C2B59002189FDB10CFAAD984ADEBFF8FF48324F14845AE954A3350D378A954CFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,029B99D1,00000800,00000000,00000000), ref: 029B9BE2
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.590903004.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_29b0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      • Opcode ID: fcfdcbc3a538e6276cb68cee7604238a46083a086ec434fab8d24e17c08d2d92
                                      • Instruction ID: 13d36d0b4a5ccbbb6e3c6a03f4ef3c9d753f8c806581fe0ca41bcfd355b27485
                                      • Opcode Fuzzy Hash: fcfdcbc3a538e6276cb68cee7604238a46083a086ec434fab8d24e17c08d2d92
                                      • Instruction Fuzzy Hash: 9C11F2B69002199BDB10CF9AC584BDEBBF8EB58324F10856EE515A7600C3B8A545CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,029B99D1,00000800,00000000,00000000), ref: 029B9BE2
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.590903004.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_29b0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      • Opcode ID: 1a02012c4d6175c44bacad396ae96c775367b57f1ce72747ee9554f8d0e2d77e
                                      • Instruction ID: de39c2462d079e6ec0dd2db6295e783fb9f5260187eb6d872c431ed6fcd44486
                                      • Opcode Fuzzy Hash: 1a02012c4d6175c44bacad396ae96c775367b57f1ce72747ee9554f8d0e2d77e
                                      • Instruction Fuzzy Hash: 2E1106B6D002598FDB10CF9AC584BEEFBF5AF98314F14851ED455A7600C379A545CFA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.600301219.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_6c40000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: ResumeThread
                                      • String ID:
                                      • API String ID: 947044025-0
                                      • Opcode ID: 1c893af06e2cb39a4d34eb49ae08b6704687993a63aee4060c043b49081c2925
                                      • Instruction ID: 35db29e07c61fbca47653ca9c6bf6c9d394114341950fd8bcf42ae18aed4dedd
                                      • Opcode Fuzzy Hash: 1c893af06e2cb39a4d34eb49ae08b6704687993a63aee4060c043b49081c2925
                                      • Instruction Fuzzy Hash: 5F1158B1D007498BCB10DFAAC8847EFBFF5EF88324F24841AD459A7240C779A940CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.600301219.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_6c40000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: ResumeThread
                                      • String ID:
                                      • API String ID: 947044025-0
                                      • Opcode ID: eadaee98f221c15db7cb82ebe9f1f480b97a6e36156d390f59959b3690a45a61
                                      • Instruction ID: 504a491188f4aa88c4728f21938b2402f1cac200501f70a8ebd8146054bec3bb
                                      • Opcode Fuzzy Hash: eadaee98f221c15db7cb82ebe9f1f480b97a6e36156d390f59959b3690a45a61
                                      • Instruction Fuzzy Hash: 5E113AB1D006498BCB10DFAAC4847EEFBF9EF88324F24841AD419A7240C779A944CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 029B9956
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.590903004.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_29b0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      • Opcode ID: b217779dd9a09f05fd92d7706f5dba628918cc5fdcf1cb6dae23a9cd610e9361
                                      • Instruction ID: 6de977a428e45df92dc5e302d5ee81f2b2618173e248c1ad5a4a77ef4d1c6efa
                                      • Opcode Fuzzy Hash: b217779dd9a09f05fd92d7706f5dba628918cc5fdcf1cb6dae23a9cd610e9361
                                      • Instruction Fuzzy Hash: 501112B1C002498FDB20CF9AC584BDEBBF4AF88324F10851AD459B7600C378A546CFA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • FindCloseChangeNotification.KERNELBASE(?), ref: 095F9B08
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.601178060.00000000095F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 095F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_95f0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: ChangeCloseFindNotification
                                      • String ID:
                                      • API String ID: 2591292051-0
                                      • Opcode ID: 553a31c40ed841d23101fef401df24d574bbd30e1c2e06a06b013e27be0e36c9
                                      • Instruction ID: 365ab1324dcd8381c8ab4c8f09622f26c9f75a948f92dfec07b259c3ea5aa6ac
                                      • Opcode Fuzzy Hash: 553a31c40ed841d23101fef401df24d574bbd30e1c2e06a06b013e27be0e36c9
                                      • Instruction Fuzzy Hash: 9C1145B28006098FCB10CF9AC584BDEBBF8FF58320F20841AD958A7740D338A584CFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 029B9956
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.590903004.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_29b0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      • Opcode ID: e0a668742f5fa95a811512bfd541f610c9a12a1bab5c646110c5e624cde69ea2
                                      • Instruction ID: bdfc4e30d23d121f3ccaa149d93d808aadb23c1989a34e12b89746fe68820c8a
                                      • Opcode Fuzzy Hash: e0a668742f5fa95a811512bfd541f610c9a12a1bab5c646110c5e624cde69ea2
                                      • Instruction Fuzzy Hash: 53110FB6C002498FDB10CF9AC544BDEFBF8AF88324F10851AD969B7600D378A545CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • PostMessageW.USER32(?,?,?,?), ref: 095F8545
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.601178060.00000000095F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 095F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_95f0000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: MessagePost
                                      • String ID:
                                      • API String ID: 410705778-0
                                      • Opcode ID: dcadb077fc89f69b2c37d1df1a5073814d21d837a330760a43abdef4c546b252
                                      • Instruction ID: 28b21190cfb204dd842138d1e7da075c5cda7216750c268deff696f53a909474
                                      • Opcode Fuzzy Hash: dcadb077fc89f69b2c37d1df1a5073814d21d837a330760a43abdef4c546b252
                                      • Instruction Fuzzy Hash: 5611E5B58003499FDB10CF9AC585BDEBBF8FB58324F10841AE555A7700C375A584CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06C4C69E
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.600301219.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_6c40000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: 12b7ba9d02a06030b60a2bf12a7572162495ff7154ffbc2ace81e8de0a04f2ae
                                      • Instruction ID: a69ab663fc7b5df850ef6fbb7660ecb3460b1940fcac58a8babd2a2444d87ad9
                                      • Opcode Fuzzy Hash: 12b7ba9d02a06030b60a2bf12a7572162495ff7154ffbc2ace81e8de0a04f2ae
                                      • Instruction Fuzzy Hash: 6D015A729002099FCF10DFA9C8447EEBBF2AF98314F14C82AE519A7260C7799550DF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000008.00000002.587978053.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ccd000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9131d037eabecb049a63f3b22e3119ee3104af52640354ce960076c35d929e09
                                      • Instruction ID: e0a4bd7d42f9491f3428fcf33ad2dbcae91c26346dc238e42026fbc6e6064c89
                                      • Opcode Fuzzy Hash: 9131d037eabecb049a63f3b22e3119ee3104af52640354ce960076c35d929e09
                                      • Instruction Fuzzy Hash: E021F1B2500240DFDB05DF14D9C0F26BF65FB88328F24C57DE9060A246C33AD946DAA2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000008.00000002.588094914.0000000000CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_cdd000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e388489a0faf8722faed6bae6f58b95ac2077a510afb5c323124527314777b9f
                                      • Instruction ID: f1f2ae83e9249f372ce94424e551654f9511652ba63dd6a4a6eeae9d895767ce
                                      • Opcode Fuzzy Hash: e388489a0faf8722faed6bae6f58b95ac2077a510afb5c323124527314777b9f
                                      • Instruction Fuzzy Hash: 3D21F275A04240DFDB15DF24D9C0B26BBA5FB88314F24C56EEA4A4B346C33AE846CA61
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000008.00000002.588094914.0000000000CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_cdd000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c7bdb65133065f99d6d0fd63cb3a9af68b89d45190ad8ff6e533a485e7ece5a9
                                      • Instruction ID: a2422de1ca59beded6aa45eee0095f6da5312eafd48fbf8d849539c5cc341143
                                      • Opcode Fuzzy Hash: c7bdb65133065f99d6d0fd63cb3a9af68b89d45190ad8ff6e533a485e7ece5a9
                                      • Instruction Fuzzy Hash: C0212675904240EFDB01DF54D9C0B26BBA5FB84314F24C6AEEA4A4B342C33ADC46CB61
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000008.00000002.588094914.0000000000CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_cdd000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2bffc22f24aeae74c05847957608aec4b1b268c2cd29615c2d82651db1a0df5e
                                      • Instruction ID: b4869db7893998e23892fd4e0bdef0388d6a2b9918ade380c4819e7a27a09268
                                      • Opcode Fuzzy Hash: 2bffc22f24aeae74c05847957608aec4b1b268c2cd29615c2d82651db1a0df5e
                                      • Instruction Fuzzy Hash: 882180755093C08FCB12CF24D990715BF71EB86314F28C6EBD9498B697C33A980ACB62
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000008.00000002.587978053.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ccd000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 592ece47119f67d140ea7e82aae040392f4fe946fa5bf8865279594dce73126f
                                      • Instruction ID: b7f189d973d9b129d454530bf5f3140d4dc531d63d710c7c7ab824d455135564
                                      • Opcode Fuzzy Hash: 592ece47119f67d140ea7e82aae040392f4fe946fa5bf8865279594dce73126f
                                      • Instruction Fuzzy Hash: 5A11B1B6504280DFCB12CF14D9C4B16BF72FB84324F24C6ADD8490B656C33AD956CBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000008.00000002.588094914.0000000000CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_cdd000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9987972c5ad5a0bbdfc3a90a2c4a8b6c80251489d692dd004c95719536adb841
                                      • Instruction ID: 6d97066038b8c1fb11a768e6ca8c56cb7d80e4928878f0465d73bfe3434be598
                                      • Opcode Fuzzy Hash: 9987972c5ad5a0bbdfc3a90a2c4a8b6c80251489d692dd004c95719536adb841
                                      • Instruction Fuzzy Hash: 3511BB75904280DFCB12CF10C5C0B15FBB2FB84324F28C6AAD94A4B756C33AD84ACB61
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000008.00000002.587978053.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ccd000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bf8b6e3a5f0a03f1aefee82456981297091906b6b4fd35ed9ee6b1f22383f7cf
                                      • Instruction ID: 29363cacdff49c531b6dc2ff1291ae8d513d1f8c9e147c27867cea8db9c28b51
                                      • Opcode Fuzzy Hash: bf8b6e3a5f0a03f1aefee82456981297091906b6b4fd35ed9ee6b1f22383f7cf
                                      • Instruction Fuzzy Hash: 8D01F7714043849AE7105A26CD84F66BF98DF51724F18C56EED1A5B24AD3789840CBB1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000008.00000002.587978053.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ccd000_x4VGltSj0j.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c2004ce6c0cba263b54bccc6e0c8bc528cdf08c138ad65ae5343eb5c381afdcd
                                      • Instruction ID: d1025b24577eed75efd7dd0bcd858174086f91c2425df14edbac375b1e3b424e
                                      • Opcode Fuzzy Hash: c2004ce6c0cba263b54bccc6e0c8bc528cdf08c138ad65ae5343eb5c381afdcd
                                      • Instruction Fuzzy Hash: 75F0C271404384AEE7108E16CDC4B62FF98EB91734F18C15AED585B286C3789884CBB1
                                      Uniqueness

                                      Uniqueness Score: -1.00%