
Windows Analysis Report
gruopon.exe

Overview

General Information

Sample Name: gruopon.exe
Analysis ID: 561562
MD5: 40d8f956a39a697e1aa509efe0e167f5
SHA1: 45814f4a78c727a84c008232de7672461c3be706
SHA256: c46ba296e23895758e7bf5c515e10784e317c4754d53d3c308e0b71110b861ad
Tags: exe

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Detected Nanocore Rat
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Writes to foreign memory regions
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • gruopon.exe (PID: 5992 cmdline: "C:\Users\user\Desktop\gruopon.exe" MD5: 40D8F956A39A697E1AA509EFE0E167F5)
    • RegAsm.exe (PID: 6036 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • cmd.exe (PID: 4628 cmdline: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\user\AppData\Roaming\jsdudg.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 4584 cmdline: schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\user\AppData\Roaming\jsdudg.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)
    • cmd.exe (PID: 4676 cmdline: cmd" /c copy "C:\Users\user\Desktop\gruopon.exe" "C:\Users\user\AppData\Roaming\jsdudg.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • jsdudg.exe (PID: 3448 cmdline: C:\Users\user\AppData\Roaming\jsdudg.exe MD5: 40D8F956A39A697E1AA509EFE0E167F5)
    • RegAsm.exe (PID: 5684 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • cmd.exe (PID: 3980 cmdline: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\user\AppData\Roaming\jsdudg.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5260 cmdline: schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\user\AppData\Roaming\jsdudg.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)
    • cmd.exe (PID: 5664 cmdline: cmd" /c copy "C:\Users\user\AppData\Roaming\jsdudg.exe" "C:\Users\user\AppData\Roaming\jsdudg.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • jsdudg.exe (PID: 6692 cmdline: C:\Users\user\AppData\Roaming\jsdudg.exe MD5: 40D8F956A39A697E1AA509EFE0E167F5)
    • RegAsm.exe (PID: 3900 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • cmd.exe (PID: 6856 cmdline: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\user\AppData\Roaming\jsdudg.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6804 cmdline: schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\user\AppData\Roaming\jsdudg.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)
    • cmd.exe (PID: 6900 cmdline: cmd" /c copy "C:\Users\user\AppData\Roaming\jsdudg.exe" "C:\Users\user\AppData\Roaming\jsdudg.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
{"Version": "1.2.2.0", "Mutex": "efb71872-e607-4767-b940-43b2f1a4", "Group": "BACK UP", "Domain1": "20.91.192.34", "Domain2": "", "Port": 6422, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Source: 0000000C.00000000.391198929.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 0000000C.00000000.391198929.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security
Source: 0000000C.00000000.391198929.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rule: NanoCore, Description: unknown, Author: Kevin Breen <kevin@techanarchy.net>
    • 0xfcf5:$a: NanoCore
    • 0xfd05:$a: NanoCore
    • 0xff39:$a: NanoCore
    • 0xff4d:$a: NanoCore
    • 0xff8d:$a: NanoCore
    • 0xfd54:$b: ClientPlugin
    • 0xff56:$b: ClientPlugin
    • 0xff96:$b: ClientPlugin
    • 0xfe7b:$c: ProjectData
    • 0x10882:$d: DESCrypto
    • 0x1824e:$e: KeepAlive
    • 0x1623c:$g: LogClientMessage
    • 0x12437:$i: get_Connected
    • 0x10bb8:$j: #=q
    • 0x10be8:$j: #=q
    • 0x10c04:$j: #=q
    • 0x10c34:$j: #=q
    • 0x10c50:$j: #=q
    • 0x10c6c:$j: #=q
    • 0x10c9c:$j: #=q
    • 0x10cb8:$j: #=q
Source: 0000001E.00000002.543378506.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth
    • 0xff8d:$x1: NanoCore.ClientPluginHost
    • 0xffca:$x2: IClientNetworkHost
    • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 0000001E.00000002.543378506.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security
Source: 12.0.RegAsm.exe.400000.2.unpack, Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth
      • 0x1018d:$x1: NanoCore.ClientPluginHost
      • 0x101ca:$x2: IClientNetworkHost
      • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 12.0.RegAsm.exe.400000.2.unpack, Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth
      • 0xff05:$x1: NanoCore Client.exe
      • 0x1018d:$x2: NanoCore.ClientPluginHost
      • 0x117c6:$s1: PluginCommand
      • 0x117ba:$s2: FileCommand
      • 0x1266b:$s3: PipeExists
      • 0x18422:$s4: PipeCreated
      • 0x101b7:$s5: IClientLoggingHost
Source: 12.0.RegAsm.exe.400000.2.unpack, Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security
Source: 12.0.RegAsm.exe.400000.2.unpack, Rule: NanoCore, Description: unknown, Author: Kevin Breen <kevin@techanarchy.net>
        • 0xfef5:$a: NanoCore
        • 0xff05:$a: NanoCore
        • 0x10139:$a: NanoCore
        • 0x1014d:$a: NanoCore
        • 0x1018d:$a: NanoCore
        • 0xff54:$b: ClientPlugin
        • 0x10156:$b: ClientPlugin
        • 0x10196:$b: ClientPlugin
        • 0x1007b:$c: ProjectData
        • 0x10a82:$d: DESCrypto
        • 0x1844e:$e: KeepAlive
        • 0x1643c:$g: LogClientMessage
        • 0x12637:$i: get_Connected
        • 0x10db8:$j: #=q
        • 0x10de8:$j: #=q
        • 0x10e04:$j: #=q
        • 0x10e34:$j: #=q
        • 0x10e50:$j: #=q
        • 0x10e6c:$j: #=q
        • 0x10e9c:$j: #=q
        • 0x10eb8:$j: #=q
Source: 3.2.RegAsm.exe.400000.0.unpack, Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth
        • 0x1018d:$x1: NanoCore.ClientPluginHost
        • 0x101ca:$x2: IClientNetworkHost
        • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

        AV Detection

Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 6036, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        E-Banking Fraud

Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 6036, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        System Summary

Source: Process started, Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard, Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentCommandLine: "C:\Users\user\Desktop\gruopon.exe" , ParentImage: C:\Users\user\Desktop\gruopon.exe, ParentProcessId: 5992, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 6036
Source: Process started, Author: juju4, Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentCommandLine: "C:\Users\user\Desktop\gruopon.exe" , ParentImage: C:\Users\user\Desktop\gruopon.exe, ParentProcessId: 5992, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 6036

        Stealing of Sensitive Information

Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 6036, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        Remote Access Functionality

Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 6036, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat


        AV Detection

Source: 0000001E.00000002.545333473.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "efb71872-e607-4767-b940-43b2f1a4", "Group": "BACK UP", "Domain1": "20.91.192.34", "Domain2": "", "Port": 6422, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Source: gruopon.exe, Virustotal: Detection: 46%
Source: gruopon.exe, ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Roaming\jsdudg.exe, Virustotal: Detection: 46%
Source: C:\Users\user\AppData\Roaming\jsdudg.exe, ReversingLabs: Detection: 39%
Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 6036, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 5684, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 3900, type: MEMORYSTR
Source: gruopon.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\jsdudg.exe, Joe Sandbox ML: detected
Source: 30.0.RegAsm.exe.400000.2.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.2.RegAsm.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 30.0.RegAsm.exe.400000.4.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 30.0.RegAsm.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.RegAsm.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.0.RegAsm.exe.400000.2.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 30.0.RegAsm.exe.400000.1.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.RegAsm.exe.400000.4.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.0.RegAsm.exe.400000.4.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.RegAsm.exe.400000.2.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.0.RegAsm.exe.400000.1.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.2.RegAsm.exe.6070000.6.unpack, Avira: Label: TR/NanoCore.fadte
Source: 30.2.RegAsm.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.RegAsm.exe.400000.3.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.2.RegAsm.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.0.RegAsm.exe.400000.3.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 30.0.RegAsm.exe.400000.3.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.RegAsm.exe.400000.1.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.0.RegAsm.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: gruopon.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: gruopon.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

        Networking

Source: Malware configuration extractor, URLs: 20.91.192.34
Source: Joe Sandbox View, ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: global traffic, TCP traffic: 192.168.2.6:49755 -> 20.91.192.34:6422
Source: unknown, TCP traffic detected without corresponding DNS query: 20.91.192.34
Source: jsdudg.exe, jsdudg.exe, 0000001C.00000002.524002624.0000000003221000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.includehelp.com:8082/Article/CPrograms/
Source: gruopon.exe, jsdudg.exe.6.dr, String found in binary or memory: http://www.includehelp.com:8082/Article/CPrograms/1gmzbbBb9cJRFsuZUXOXWHw==AP12d9eB4sE/Ua3buASP
Source: gruopon.exe, 00000001.00000002.363671082.0000000000A70000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: RegAsm.exe, 00000003.00000002.622304121.0000000006070000.00000004.08000000.00040000.00000000.sdmp, Binary or memory string: RegisterRawInputDevices

        E-Banking Fraud

        Source: Yara matchFile source: 0000001E.00000000.510140831.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.418957983.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000000.354914710.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001E.00000002.545333473.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000000.354654523.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000001.00000002.364995852.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000002.622304121.0000000006070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000000.390440654.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000002.620364814.0000000003E89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000000.354407215.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001E.00000002.545542079.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001E.00000000.509750431.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001E.00000000.509298666.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.419442563.0000000003899000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000000.353836119.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000000.390876269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001C.00000002.524101575.0000000004229000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000A.00000002.401676808.0000000003719000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.419329024.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6036, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 5684, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 3900, type: MEMORYSTR
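
The listing above is the report's Yara-match table, one row per dump or memory region, and the three naming schemes (`<n>.<stage>.<image>.<addr>.<k>[.raw].unpack`, the dotted `.sdmp` region names, and whole-process `Process Memory Space` string scans) are what an analyst has to pivot on. The Python below is an added example, not code from the report or from Joe Sandbox: it parses those rows into records and answers the first triage questions, which processes carry the payload, which rules fired, and which processes already held NanoCore inside their image range at stage 0, before they executed an instruction, which is what hollowing a legitimate .NET Framework utility such as RegAsm.exe looks like in this data. The field layout of the `.unpack` and `.sdmp` names, the 1 MiB image window and the hollowing heuristic are this example's assumptions, cross-checked only against the report itself (`0000000C`/`0000001E` in the `.sdmp` names line up with the `12.x`/`30.x` prefixes, and the second field matches the `.0`/`.2` stage); the protection and memory-type constants are the documented Win32 values. The embedded input is a constructed subset of rows copied from this report.

```python
"""Parse Joe Sandbox "Source: ..." Yara-match rows into records and pivot them.

Added example, not code from the report or from Joe Sandbox. The layout of the
.unpack and .sdmp names is this example's interpretation, checked only against
the report (0000000C.00000000 in a .sdmp name is process 12 at stage 0, matching
the "12.0.RegAsm.exe" prefixes). Fields 6 and 8 of .sdmp names stay undecoded.
"""
import re
from collections import Counter

# Documented Win32 values of MEMORY_BASIC_INFORMATION.Protect and .Type.
PAGE_READWRITE, PAGE_EXECUTE_READWRITE = 0x04, 0x40
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
PROTECT_NAMES = {PAGE_READWRITE: "PAGE_READWRITE", PAGE_EXECUTE_READWRITE: "PAGE_EXECUTE_READWRITE"}
TYPE_NAMES = {MEM_PRIVATE: "MEM_PRIVATE", MEM_MAPPED: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}
IMAGE_BASE, IMAGE_WINDOW = 0x400000, 0x100000  # assumed: default 32-bit image base, 1 MiB window

# One report row. Accepts the fused extraction form ("Yara matchFile source:",
# "UNPACKEDPEMatched rule:") and a column-separated form ("... | Matched rule:").
LINE_RE = re.compile(
    r"^\s*Source:\s*(?:Yara match\s*\|?\s*File source:\s*)?(?P<src>.+?),\s*type:\s*(?P<kind>[A-Z]+)"
    r"(?:\s*\|?\s*Matched rule:\s*(?P<rule>.+?)(?:\s+Author:\s*(?P<author>.+?))?)?\s*$"
)
# <process index>.<stage>.<image>.<hex addr>.<k>[.raw].unpack ; stage 0 = before run, 2 = at end
UNPACK_RE = re.compile(r"^(?P<idx>\d+)\.(?P<stage>\d)\.(?P<proc>.+?)\.(?P<addr>[0-9a-f]+)\.\d+(?P<raw>\.raw)?\.unpack$")
# <index hex>.<stage hex>.<seq>.<addr>.<protect>.<?>.<type>.<?>.sdmp
SDMP_RE = re.compile(
    r"^(?P<idx>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.\d+\.(?P<addr>[0-9A-F]{16})"
    r"\.(?P<prot>[0-9A-F]{8})\.[0-9A-F]{8}\.(?P<mtype>[0-9A-F]{8})\.[0-9A-F]{8}\.sdmp$"
)
PROCMEM_RE = re.compile(r"^Process Memory Space:\s*(?P<proc>\S+)\s+PID:\s*(?P<pid>\d+)$")


def parse_line(line):
    """Return a record dict for one 'Source:' row, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rule = m["rule"]
    rec = {"kind": m["kind"], "source": m["src"], "author": m["author"],
           # long-form rows carry the rule's meta block; keep only the rule name
           "rule": rule.split(" date = ", 1)[0] if rule else None}
    if u := UNPACK_RE.match(m["src"]):
        rec.update(proc=u["proc"], index=int(u["idx"]), stage=int(u["stage"]),
                   addr=int(u["addr"], 16), raw=bool(u["raw"]))
    elif s := SDMP_RE.match(m["src"]):
        rec.update(index=int(s["idx"], 16), stage=int(s["stage"], 16), addr=int(s["addr"], 16),
                   protect=int(s["prot"], 16), mem_type=int(s["mtype"], 16))
    elif p := PROCMEM_RE.match(m["src"]):
        rec.update(proc=p["proc"], os_pid=int(p["pid"]))  # OS PID, not the analysis index
    return rec


def parse_report(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def describe_region(rec):
    """(protection, type) names for a .sdmp record; hex for values not in the tables."""
    return (PROTECT_NAMES.get(rec["protect"], hex(rec["protect"])),
            TYPE_NAMES.get(rec["mem_type"], hex(rec["mem_type"])))


def hollowing_candidates(records):
    """Processes whose image window already matches at stage 0 (before their first
    instruction ran): an .unpack at the image base, or a stage-0 PAGE_EXECUTE_READWRITE
    MEM_PRIVATE region where a mapped image should be. A process that unpacks the payload
    itself only matches at stage 2, in PAGE_READWRITE heap regions."""
    procs = {r["index"]: r["proc"] for r in records if "proc" in r and "index" in r}
    hits = set()
    for r in records:
        if r.get("stage") != 0 or not IMAGE_BASE <= r.get("addr", -1) < IMAGE_BASE + IMAGE_WINDOW:
            continue
        if "protect" in r and (r["protect"], r["mem_type"]) != (PAGE_EXECUTE_READWRITE, MEM_PRIVATE):
            continue
        hits.add((r["index"], procs.get(r["index"], "?")))
    return sorted(hits)


def summarize(records):
    return {
        "processes": {r["index"]: r["proc"] for r in records if "proc" in r and "index" in r},
        "os_pids": {r["os_pid"]: r["proc"] for r in records if "os_pid" in r},
        "rules": Counter(r["rule"] for r in records if r["rule"]),
        "hollowing_candidates": hollowing_candidates(records),
    }


# Constructed input: a subset of rows copied from the report above.
SAMPLE = """\
Source: Yara matchFile source: 3.2.RegAsm.exe.3e8ff54.3.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 1.2.gruopon.exe.3737c60.3.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 10.2.jsdudg.exe.3817c60.1.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 12.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 0000000C.00000000.391198929.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000003.00000000.354914710.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000001.00000002.364995852.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6036, type: MEMORYSTR
Source: 30.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 30.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001E.00000000.510638096.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
"""

if __name__ == "__main__":
    for key, value in summarize(parse_report(SAMPLE)).items():
        print(f"{key}: {value}")
```

Run as a script it prints the pivot for the embedded rows; feed it the whole report text to cover every row. On the rows above, gruopon.exe (process 1) and the dropped jsdudg.exe (processes 10 and 28) only match at stage 2 in PAGE_READWRITE heap regions, i.e. they decrypt the payload in their own address space, whereas the three RegAsm.exe instances (3, 12, 30) match at 0x400000 at stage 0 and in PAGE_EXECUTE_READWRITE MEM_PRIVATE memory at 0x402000, so the payload was written into them by a parent before they ran; that is the data behind the report's "Injects a PE file into a foreign processes" verdict.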

        System Summary

        Source: 12.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 30.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 30.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.2.jsdudg.exe.37e5240.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.2.jsdudg.exe.37e5240.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 30.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 30.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 30.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 30.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 28.2.jsdudg.exe.42f5240.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 28.2.jsdudg.exe.42f5240.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.RegAsm.exe.58e0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.RegAsm.exe.3e9457d.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.RegAsm.exe.28fb674.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.2.gruopon.exe.3737c60.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.gruopon.exe.3737c60.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.RegAsm.exe.3e8ff54.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.RegAsm.exe.3e8ff54.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.RegAsm.exe.3e8b11e.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.RegAsm.exe.3e8b11e.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 30.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 30.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 28.2.jsdudg.exe.42f5240.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 28.2.jsdudg.exe.42f5240.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 28.2.jsdudg.exe.4327c60.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 28.2.jsdudg.exe.4327c60.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.RegAsm.exe.2e9ff6c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.gruopon.exe.3737c60.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.gruopon.exe.3737c60.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.2.jsdudg.exe.3817c60.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.2.jsdudg.exe.3817c60.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.2.jsdudg.exe.377f1d0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.2.jsdudg.exe.377f1d0.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.RegAsm.exe.6070000.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.2.jsdudg.exe.37e5240.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.2.jsdudg.exe.37e5240.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 30.2.RegAsm.exe.323b674.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.RegAsm.exe.38dff54.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.gruopon.exe.3705240.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.gruopon.exe.3705240.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.RegAsm.exe.6074629.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.RegAsm.exe.6070000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 30.2.RegAsm.exe.421ff54.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 30.2.RegAsm.exe.422457d.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.gruopon.exe.369f1d0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.gruopon.exe.369f1d0.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 30.2.RegAsm.exe.421b11e.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 30.2.RegAsm.exe.421b11e.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.RegAsm.exe.38db11e.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.RegAsm.exe.38db11e.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.2.jsdudg.exe.3817c60.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.2.jsdudg.exe.3817c60.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 30.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 30.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.RegAsm.exe.38dff54.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.RegAsm.exe.38e457d.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 28.2.jsdudg.exe.4327c60.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 28.2.jsdudg.exe.4327c60.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 30.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 30.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 30.2.RegAsm.exe.421ff54.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.gruopon.exe.3705240.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.gruopon.exe.3705240.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 28.2.jsdudg.exe.428f1d0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 28.2.jsdudg.exe.428f1d0.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000000.391198929.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000000.391198929.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001E.00000002.543378506.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000001E.00000002.543378506.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.616660623.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000002.616660623.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000000.390187170.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000000.390187170.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001E.00000000.510638096.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000001E.00000000.510638096.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001E.00000000.510140831.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000001E.00000000.510140831.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.418957983.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000002.418957983.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000000.354914710.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000000.354914710.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001E.00000002.545333473.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000000.354654523.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000000.354654523.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000001.00000002.364995852.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000002.364995852.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.622304121.0000000006070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000000.390440654.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000000.390440654.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.620364814.0000000003E89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000000.354407215.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000000.354407215.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001E.00000002.545542079.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001E.00000000.509750431.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000001E.00000000.509750431.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001E.00000000.509298666.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000001E.00000000.509298666.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.419442563.0000000003899000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000000.353836119.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000000.353836119.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.622103312.00000000058E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000000.390876269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000000.390876269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001C.00000002.524101575.0000000004229000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000001C.00000002.524101575.0000000004229000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000A.00000002.401676808.0000000003719000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000A.00000002.401676808.0000000003719000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.419329024.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: RegAsm.exe PID: 6036, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: RegAsm.exe PID: 6036, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: RegAsm.exe PID: 5684, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: RegAsm.exe PID: 5684, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: RegAsm.exe PID: 3900, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: RegAsm.exe PID: 3900, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: gruopon.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 12.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 30.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 30.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 30.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.2.jsdudg.exe.37e5240.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.jsdudg.exe.37e5240.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 30.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 30.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 30.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 30.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 30.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 30.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 28.2.jsdudg.exe.42f5240.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 28.2.jsdudg.exe.42f5240.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.RegAsm.exe.58e0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.RegAsm.exe.58e0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 3.2.RegAsm.exe.3e9457d.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.RegAsm.exe.3e9457d.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.RegAsm.exe.28fb674.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.RegAsm.exe.28fb674.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 3.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 3.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.gruopon.exe.3737c60.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.gruopon.exe.3737c60.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 1.2.gruopon.exe.3737c60.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.RegAsm.exe.3e8ff54.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.RegAsm.exe.3e8ff54.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 3.2.RegAsm.exe.3e8ff54.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.RegAsm.exe.3e8ff54.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 3.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 3.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.RegAsm.exe.3e8b11e.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.RegAsm.exe.3e8b11e.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 3.2.RegAsm.exe.3e8b11e.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 30.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 30.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 30.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 3.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 28.2.jsdudg.exe.42f5240.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 28.2.jsdudg.exe.42f5240.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 28.2.jsdudg.exe.42f5240.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 28.2.jsdudg.exe.4327c60.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 28.2.jsdudg.exe.4327c60.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 28.2.jsdudg.exe.4327c60.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.RegAsm.exe.2e9ff6c.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.gruopon.exe.3737c60.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.gruopon.exe.3737c60.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 1.2.gruopon.exe.3737c60.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.2.jsdudg.exe.3817c60.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.jsdudg.exe.3817c60.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 10.2.jsdudg.exe.3817c60.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.2.jsdudg.exe.377f1d0.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.jsdudg.exe.377f1d0.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.RegAsm.exe.6070000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.RegAsm.exe.6070000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 10.2.jsdudg.exe.37e5240.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.jsdudg.exe.37e5240.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 10.2.jsdudg.exe.37e5240.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 30.2.RegAsm.exe.323b674.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 30.2.RegAsm.exe.323b674.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.2.RegAsm.exe.38dff54.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.RegAsm.exe.38dff54.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 1.2.gruopon.exe.3705240.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.gruopon.exe.3705240.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 1.2.gruopon.exe.3705240.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.RegAsm.exe.6074629.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.RegAsm.exe.6074629.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 3.2.RegAsm.exe.6070000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.RegAsm.exe.6070000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 30.2.RegAsm.exe.421ff54.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 30.2.RegAsm.exe.421ff54.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 30.2.RegAsm.exe.422457d.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 30.2.RegAsm.exe.422457d.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 1.2.gruopon.exe.369f1d0.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.gruopon.exe.369f1d0.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 30.2.RegAsm.exe.421b11e.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 30.2.RegAsm.exe.421b11e.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 30.2.RegAsm.exe.421b11e.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.RegAsm.exe.38db11e.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.RegAsm.exe.38db11e.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.2.RegAsm.exe.38db11e.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.2.jsdudg.exe.3817c60.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.jsdudg.exe.3817c60.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 10.2.jsdudg.exe.3817c60.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 30.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 30.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 30.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.RegAsm.exe.38dff54.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.RegAsm.exe.38dff54.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.2.RegAsm.exe.38e457d.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.RegAsm.exe.38e457d.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 28.2.jsdudg.exe.4327c60.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 28.2.jsdudg.exe.4327c60.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 28.2.jsdudg.exe.4327c60.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 3.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 30.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 30.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 30.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 3.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 30.2.RegAsm.exe.421ff54.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 30.2.RegAsm.exe.421ff54.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 1.2.gruopon.exe.3705240.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.gruopon.exe.3705240.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 28.2.jsdudg.exe.428f1d0.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 28.2.jsdudg.exe.428f1d0.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000000.391198929.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000000.391198929.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001E.00000002.543378506.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001E.00000002.543378506.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.616660623.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000002.616660623.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000000.390187170.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000000.390187170.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001E.00000000.510638096.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001E.00000000.510638096.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001E.00000000.510140831.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001E.00000000.510140831.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.418957983.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.418957983.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000000.354914710.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000000.354914710.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001E.00000002.545333473.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000000.354654523.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000000.354654523.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.364995852.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.364995852.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.622304121.0000000006070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000002.622304121.0000000006070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0000000C.00000000.390440654.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000000.390440654.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.620364814.0000000003E89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000000.354407215.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000000.354407215.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001E.00000002.545542079.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001E.00000000.509750431.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001E.00000000.509750431.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001E.00000000.509298666.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001E.00000000.509298666.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.419442563.0000000003899000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000000.353836119.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000000.353836119.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.622103312.00000000058E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000002.622103312.00000000058E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0000000C.00000000.390876269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000000.390876269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001C.00000002.524101575.0000000004229000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001C.00000002.524101575.0000000004229000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000A.00000002.401676808.0000000003719000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000A.00000002.401676808.0000000003719000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.419329024.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: RegAsm.exe PID: 6036, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: RegAsm.exe PID: 6036, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: RegAsm.exe PID: 5684, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: RegAsm.exe PID: 5684, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: RegAsm.exe PID: 3900, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: RegAsm.exe PID: 3900, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
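The Yara rows above repeat the same three rules over dozens of dumps, and the dump names encode where each hit lives: in `12.2.RegAsm.exe.400000.0.unpack` the leading number is the report's process index (the `.sdmp` names carry the same index in hex, so `0000000C` is process 12), the next digit is the snapshot (0 at process start, 2 at the end of the analysis), and the hex field after the image is the module base or region start. The Python script below is an added example, not part of the Joe Sandbox report or its tooling: it parses rows in this format (tolerating the fused `UNPACKEDPEMatched rule` form that extraction produces), groups the hits per process so that `.sdmp` rows inherit the image name from the unpack rows of the same index, and flags processes in which a legitimate .NET host binary carries a NanoCore match inside its own image-base region, which is what makes these hits an in-memory injection rather than a file on disk. The sample rows are constructed from the ones above; the host-binary list and the 0x400000 to 0x410000 window are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample rows, shaped like the Yara rows in the report above. Two of them keep
# the fused "UNPACKEDPEMatched rule" form that HTML extraction produces.
SAMPLE_YARA_LINES = """\
Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, author = Florian Roth
Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, author = Kevin Breen
Source: 30.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, author = Kevin Breen
Source: 28.2.jsdudg.exe.4327c60.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, author = Florian Roth
Source: 0000000C.00000002.418957983.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04
Source: 0000001E.00000000.509298666.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22
Source: Process Memory Space: RegAsm.exe PID: 6036, type: MEMORYSTR Matched rule: NanoCore date = 2014/04
"""

# One row: "Source: <src>, type: <KIND>[ ]Matched rule: <rule> <metadata...>".
# The lazy [A-Z]+? stops before "Matched" even when no space separates the two columns.
ROW_RE = re.compile(r"Source:\s*(?P<src>.+?),\s*type:\s*(?P<kind>[A-Z]+?)\s*Matched rule:\s*(?P<rule>\S+)")
# "<index>.<snapshot>.<image>.<base hex>.<n>[.raw].unpack"   (index = report process number)
UNPACK_RE = re.compile(r"^(?P<idx>\d+)\.(?P<phase>\d)\.(?P<image>.+?\.exe)\.(?P<addr>[0-9a-fA-F]+)\.")
# "<index hex8>.<snapshot hex8>.<timestamp>.<address hex16>.<prot>.<type>.<state>.<x>.sdmp"
SDMP_RE = re.compile(r"^(?P<idx>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.\d+\.(?P<addr>[0-9A-Fa-f]{16})\.")
# "Process Memory Space: <image> PID: <real Windows pid>"
PIDSTR_RE = re.compile(r"^Process Memory Space:\s*(?P<image>\S+)\s+PID:\s*(?P<pid>\d+)$")

# Assumption of this example: signed .NET utilities commonly used as injection hosts, and
# the address window that counts as "inside the host's own image" for a 0x400000-based PE.
HOST_IMAGES = ("RegAsm.exe", "RegSvcs.exe", "InstallUtil.exe", "MSBuild.exe")
IMAGE_BASE_WINDOW = (0x400000, 0x410000)


def parse_match(line):
    """Normalize one Yara row into a record, or return None for any other row."""
    m = ROW_RE.search(line)
    if not m:
        return None
    src = m["src"]
    rec = {"kind": m["kind"], "rule": m["rule"], "proc": src,
           "image": None, "phase": None, "addr": None}
    if (s := SDMP_RE.match(src)):
        rec.update(proc=int(s["idx"], 16), phase=int(s["phase"], 16), addr=int(s["addr"], 16))
    elif (u := UNPACK_RE.match(src)):
        rec.update(proc=int(u["idx"]), phase=int(u["phase"]), image=u["image"], addr=int(u["addr"], 16))
    elif (p := PIDSTR_RE.match(src)):
        # Real PIDs do not map onto report indexes, so keep them as a separate key.
        rec.update(proc=f"pid{p['pid']}", image=p["image"])
    return rec


def summarize(report_text):
    """Group Yara hits by process; .sdmp rows pick up the image name from unpack rows."""
    procs = defaultdict(lambda: {"image": None, "rules": set(), "addresses": set(), "kinds": set()})
    for line in report_text.splitlines():
        rec = parse_match(line)
        if rec is None:
            continue
        p = procs[rec["proc"]]
        p["rules"].add(rec["rule"])
        p["kinds"].add(rec["kind"])
        if rec["image"]:
            p["image"] = rec["image"]
        if rec["addr"] is not None:
            p["addresses"].add(rec["addr"])
    return dict(procs)


def hollowed_hosts(procs, host_images=HOST_IMAGES, window=IMAGE_BASE_WINDOW):
    """Process keys where a known host binary carries a rule hit inside its image-base window."""
    lo, hi = window
    hits = [key for key, p in procs.items()
            if p["image"] in host_images and any(lo <= a < hi for a in p["addresses"])]
    return sorted(hits, key=str)


if __name__ == "__main__":
    summary = summarize(SAMPLE_YARA_LINES)
    for key in sorted(summary, key=str):
        p = summary[key]
        addrs = ", ".join(f"0x{a:x}" for a in sorted(p["addresses"]))
        print(f"process {key}: image={p['image']} rules={sorted(p['rules'])} addresses=[{addrs}]")
    print("payload mapped over a host binary in:", hollowed_hosts(summary))
```

Run on the real report rows, the summary collapses the hundred-odd lines above into one entry per process; the `pid6036`-style keys from the `MEMORYSTR` rows stay separate because the report does not say which process index each PID corresponds to.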
        Source: C:\Users\user\Desktop\gruopon.exe Code function: 1_2_024D4BF8
        Source: C:\Users\user\Desktop\gruopon.exe Code function: 1_2_024D3C48
        Source: C:\Users\user\Desktop\gruopon.exe Code function: 1_2_024D3C58
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0125E471
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0125E480
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0125BBD4
        Source: C:\Users\user\AppData\Roaming\jsdudg.exe Code function: 10_2_04B74BF8
        Source: C:\Users\user\AppData\Roaming\jsdudg.exe Code function: 10_2_04B73C58
        Source: C:\Users\user\AppData\Roaming\jsdudg.exe Code function: 10_2_04B73C48
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0287E480
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0287E471
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0287BBD4
        Source: C:\Users\user\AppData\Roaming\jsdudg.exe Code function: 28_2_01734BF8
        Source: C:\Users\user\AppData\Roaming\jsdudg.exe Code function: 28_2_01733C58
        Source: C:\Users\user\AppData\Roaming\jsdudg.exe Code function: 28_2_01733C48
        Source: C:\Users\user\Desktop\gruopon.exe Code function: 1_2_024D8610 CreateProcessAsUserA
        Source: gruopon.exe, 00000001.00000000.348340730.0000000000365000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameTeamViewer.exel& vs gruopon.exe
        Source: gruopon.exe Binary or memory string: OriginalFilenameTeamViewer.exel& vs gruopon.exe
        Source: gruopon.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: jsdudg.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
        Source: gruopon.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: jsdudg.exe.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: gruopon.exe Virustotal: Detection: 46%
        Source: gruopon.exe ReversingLabs: Detection: 39%
        Source: gruopon.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\gruopon.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknown Process created: C:\Users\user\Desktop\gruopon.exe "C:\Users\user\Desktop\gruopon.exe"
        Source: C:\Users\user\Desktop\gruopon.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Source: C:\Users\user\Desktop\gruopon.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\user\AppData\Roaming\jsdudg.exe'" /f
        Source: C:\Users\user\Desktop\gruopon.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\Desktop\gruopon.exe" "C:\Users\user\AppData\Roaming\jsdudg.exe
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\user\AppData\Roaming\jsdudg.exe'" /f
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown Process created: C:\Users\user\AppData\Roaming\jsdudg.exe C:\Users\user\AppData\Roaming\jsdudg.exe
        Source: C:\Users\user\AppData\Roaming\jsdudg.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Source: C:\Users\user\AppData\Roaming\jsdudg.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\user\AppData\Roaming\jsdudg.exe'" /f
        Source: C:\Users\user\AppData\Roaming\jsdudg.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\AppData\Roaming\jsdudg.exe" "C:\Users\user\AppData\Roaming\jsdudg.exe
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\user\AppData\Roaming\jsdudg.exe'" /f
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Users\user\AppData\Roaming\jsdudg.exe C:\Users\user\AppData\Roaming\jsdudg.exe
        Source: C:\Users\user\AppData\Roaming\jsdudg.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Source: C:\Users\user\AppData\Roaming\jsdudg.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\user\AppData\Roaming\jsdudg.exe'" /f
        Source: C:\Users\user\AppData\Roaming\jsdudg.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\AppData\Roaming\jsdudg.exe" "C:\Users\user\AppData\Roaming\jsdudg.exe
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\user\AppData\Roaming\jsdudg.exe'" /f
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\gruopon.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeJump to behavior
        Source: C:\Users\user\Desktop\gruopon.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\user\AppData\Roaming\jsdudg.exe'" /fJump to behavior
        Source: C:\Users\user\Desktop\gruopon.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\Desktop\gruopon.exe" "C:\Users\user\AppData\Roaming\jsdudg.exeJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\user\AppData\Roaming\jsdudg.exe'" /fJump to behavior
        Source: C:\Users\user\AppData\Roaming\jsdudg.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeJump to behavior
        Source: C:\Users\user\AppData\Roaming\jsdudg.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\user\AppData\Roaming\jsdudg.exe'" /fJump to behavior
        Source: C:\Users\user\AppData\Roaming\jsdudg.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\AppData\Roaming\jsdudg.exe" "C:\Users\user\AppData\Roaming\jsdudg.exeJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\user\AppData\Roaming\jsdudg.exe'" /fJump to behavior
        Source: C:\Users\user\AppData\Roaming\jsdudg.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeJump to behavior
        Source: C:\Users\user\AppData\Roaming\jsdudg.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\user\AppData\Roaming\jsdudg.exe'" /fJump to behavior
        Source: C:\Users\user\AppData\Roaming\jsdudg.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\AppData\Roaming\jsdudg.exe" "C:\Users\user\AppData\Roaming\jsdudg.exeJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\user\AppData\Roaming\jsdudg.exe'" /fJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32Jump to behavior
        Source: C:\Users\user\Desktop\gruopon.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gruopon.exe.logJump to behavior
        Source: classification engineClassification label: mal100.troj.evad.winEXE@33/6@0/1
        Source: 3.0.RegAsm.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 3.0.RegAsm.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 3.0.RegAsm.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 3.0.RegAsm.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 3.0.RegAsm.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 3.0.RegAsm.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 12.0.RegAsm.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 12.0.RegAsm.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 12.0.RegAsm.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 12.0.RegAsm.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 3.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 3.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 3.0.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 3.0.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 12.0.RegAsm.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 12.0.RegAsm.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 3.0.RegAsm.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 3.0.RegAsm.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: C:\Users\user\Desktop\gruopon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\jsdudg.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\jsdudg.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: gruopon.exe, arIpamkknnkjbjf.csBase64 encoded string: 'NihtjyBcTlcJdSURVBwEviLmByt1cD+TNS0vZyUJyRg6Vl3ebypuJLoybSgX6OPlNT7oGdpuJfk='
        Source: 1.2.gruopon.exe.2e0000.0.unpack, arIpamkknnkjbjf.csBase64 encoded string: 'NihtjyBcTlcJdSURVBwEviLmByt1cD+TNS0vZyUJyRg6Vl3ebypuJLoybSgX6OPlNT7oGdpuJfk='
        Source: 1.0.gruopon.exe.2e0000.0.unpack, arIpamkknnkjbjf.csBase64 encoded string: 'NihtjyBcTlcJdSURVBwEviLmByt1cD+TNS0vZyUJyRg6Vl3ebypuJLoybSgX6OPlNT7oGdpuJfk='
        Source: jsdudg.exe.6.dr, arIpamkknnkjbjf.csBase64 encoded string: 'NihtjyBcTlcJdSURVBwEviLmByt1cD+TNS0vZyUJyRg6Vl3ebypuJLoybSgX6OPlNT7oGdpuJfk='
        Source: 10.2.jsdudg.exe.380000.0.unpack, arIpamkknnkjbjf.csBase64 encoded string: 'NihtjyBcTlcJdSURVBwEviLmByt1cD+TNS0vZyUJyRg6Vl3ebypuJLoybSgX6OPlNT7oGdpuJfk='
        Source: 10.0.jsdudg.exe.380000.0.unpack, arIpamkknnkjbjf.csBase64 encoded string: 'NihtjyBcTlcJdSURVBwEviLmByt1cD+TNS0vZyUJyRg6Vl3ebypuJLoybSgX6OPlNT7oGdpuJfk='
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6716:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5712:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5288:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4712:120:WilError_01
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{efb71872-e607-4767-b940-43b2f1a43e63}
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6924:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4536:120:WilError_01
        Source: gruopon.exe, SmartAssembly.Zip/SimpleZip.csCryptographic APIs: 'CreateDecryptor'
        Source: gruopon.exe, SmartAssembly.Zip/SimpleZip.csCryptographic APIs: 'TransformFinalBlock'
        Source: gruopon.exe, SmartAssembly.Zip/SimpleZip.csCryptographic APIs: 'TransformFinalBlock'
        Source: gruopon.exe, arIpamkknnkjbjf.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
        Source: 1.2.gruopon.exe.2e0000.0.unpack, SmartAssembly.Zip/SimpleZip.csCryptographic APIs: 'CreateDecryptor'
        Source: 1.2.gruopon.exe.2e0000.0.unpack, SmartAssembly.Zip/SimpleZip.csCryptographic APIs: 'TransformFinalBlock'
        Source: 1.2.gruopon.exe.2e0000.0.unpack, SmartAssembly.Zip/SimpleZip.csCryptographic APIs: 'TransformFinalBlock'
        Source: 1.2.gruopon.exe.2e0000.0.unpack, arIpamkknnkjbjf.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
        Source: 1.0.gruopon.exe.2e0000.0.unpack, SmartAssembly.Zip/SimpleZip.csCryptographic APIs: 'CreateDecryptor'
        Source: 1.0.gruopon.exe.2e0000.0.unpack, SmartAssembly.Zip/SimpleZip.csCryptographic APIs: 'TransformFinalBlock'
        Source: 1.0.gruopon.exe.2e0000.0.unpack, SmartAssembly.Zip/SimpleZip.csCryptographic APIs: 'TransformFinalBlock'
        Source: C:\Users\user\Desktop\gruopon.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
        Source: gruopon.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: gruopon.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

        Data Obfuscation

        Source: gruopon.exe, SmartAssembly.AssemblyResolver/AssemblyResolverHelper.cs.Net Code: ResolveAssembly System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 1.2.gruopon.exe.2e0000.0.unpack, SmartAssembly.AssemblyResolver/AssemblyResolverHelper.cs.Net Code: ResolveAssembly System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 1.0.gruopon.exe.2e0000.0.unpack, SmartAssembly.AssemblyResolver/AssemblyResolverHelper.cs.Net Code: ResolveAssembly System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.2.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.RegAsm.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.RegAsm.exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.RegAsm.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.RegAsm.exe.400000.2.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.RegAsm.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.RegAsm.exe.400000.3.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.RegAsm.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.RegAsm.exe.400000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: jsdudg.exe.6.dr, SmartAssembly.AssemblyResolver/AssemblyResolverHelper.cs.Net Code: ResolveAssembly System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 10.2.jsdudg.exe.380000.0.unpack, SmartAssembly.AssemblyResolver/AssemblyResolverHelper.cs.Net Code: ResolveAssembly System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 10.0.jsdudg.exe.380000.0.unpack, SmartAssembly.AssemblyResolver/AssemblyResolverHelper.cs.Net Code: ResolveAssembly System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 12.0.RegAsm.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 12.0.RegAsm.exe.400000.2.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 12.0.RegAsm.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 12.0.RegAsm.exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 12.0.RegAsm.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 12.0.RegAsm.exe.400000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\gruopon.exeCode function: 1_2_002E84AC push ss; ret 1_2_002E8796
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_012569B0 pushfd ; ret 3_2_012569B1
        Source: C:\Users\user\AppData\Roaming\jsdudg.exeCode function: 10_2_003884AC push ss; ret 10_2_00388796
        Source: C:\Users\user\AppData\Roaming\jsdudg.exeCode function: 10_2_04B76200 push 14502910h; ret 10_2_04B762AD
        Source: C:\Users\user\AppData\Roaming\jsdudg.exeCode function: 28_2_00E784AC push ss; ret 28_2_00E78796
        Source: gruopon.exeStatic PE information: real checksum: 0x86878 should be: 0x102878
        Source: jsdudg.exe.6.drStatic PE information: real checksum: 0x86878 should be: 0x102878
        Source: initial sampleStatic PE information: section name: .text entropy: 7.86220693634
        Source: initial sampleStatic PE information: section name: .text entropy: 7.86220693634
        Source: 3.2.RegAsm.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 3.2.RegAsm.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 3.0.RegAsm.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 3.0.RegAsm.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 3.0.RegAsm.exe.400000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 3.0.RegAsm.exe.400000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 3.0.RegAsm.exe.400000.2.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 3.0.RegAsm.exe.400000.2.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 3.0.RegAsm.exe.400000.3.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 3.0.RegAsm.exe.400000.3.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 3.0.RegAsm.exe.400000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 3.0.RegAsm.exe.400000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 12.0.RegAsm.exe.400000.2.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 12.0.RegAsm.exe.400000.2.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\jsdudg.exe

        Boot Survival

        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\user\AppData\Roaming\jsdudg.exe'" /f

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\gruopon.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\jsdudg.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\gruopon.exe TID: 6232 Thread sleep time: -30000s >= -30000s
        Source: C:\Users\user\Desktop\gruopon.exe TID: 2192 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6424 Thread sleep time: -11068046444225724s >= -30000s
        Source: C:\Users\user\AppData\Roaming\jsdudg.exe TID: 3016 Thread sleep time: -30000s >= -30000s
        Source: C:\Users\user\AppData\Roaming\jsdudg.exe TID: 852 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4004 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Roaming\jsdudg.exe TID: 4860 Thread sleep time: -30000s >= -30000s
        Source: C:\Users\user\AppData\Roaming\jsdudg.exe TID: 3400 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6808 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\gruopon.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Roaming\jsdudg.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 7129
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 2319
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: foregroundWindowGot 897
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\gruopon.exe Thread delayed: delay time: 30000
        Source: C:\Users\user\AppData\Roaming\jsdudg.exe Thread delayed: delay time: 30000
        Source: C:\Users\user\Desktop\gruopon.exe Process token adjusted: Debug
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
        Source: C:\Users\user\AppData\Roaming\jsdudg.exe Process token adjusted: Debug
        Source: C:\Users\user\Desktop\gruopon.exe Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Users\user\Desktop\gruopon.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
        Source: C:\Users\user\Desktop\gruopon.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
        Source: C:\Users\user\Desktop\gruopon.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 420000
        Source: C:\Users\user\Desktop\gruopon.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 422000
        Source: C:\Users\user\Desktop\gruopon.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: D4A008
        Source: C:\Users\user\AppData\Roaming\jsdudg.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
        Source: C:\Users\user\AppData\Roaming\jsdudg.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
        Source: C:\Users\user\AppData\Roaming\jsdudg.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 420000
        Source: C:\Users\user\AppData\Roaming\jsdudg.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 422000
        Source: C:\Users\user\AppData\Roaming\jsdudg.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 6D3008
        Source: C:\Users\user\AppData\Roaming\jsdudg.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 10B7008
        Source: C:\Users\user\Desktop\gruopon.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
        Source: C:\Users\user\AppData\Roaming\jsdudg.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\gruopon.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\AppData\Roaming\jsdudg.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\gruopon.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Source: C:\Users\user\Desktop\gruopon.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\user\AppData\Roaming\jsdudg.exe'" /f
        Source: C:\Users\user\Desktop\gruopon.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\Desktop\gruopon.exe" "C:\Users\user\AppData\Roaming\jsdudg.exe
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\user\AppData\Roaming\jsdudg.exe'" /f
        Source: C:\Users\user\AppData\Roaming\jsdudg.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Source: C:\Users\user\AppData\Roaming\jsdudg.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\user\AppData\Roaming\jsdudg.exe'" /f
        Source: C:\Users\user\AppData\Roaming\jsdudg.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\AppData\Roaming\jsdudg.exe" "C:\Users\user\AppData\Roaming\jsdudg.exe
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\user\AppData\Roaming\jsdudg.exe'" /f
        Source: RegAsm.exe, 00000003.00000002.620260353.0000000003401000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.618605280.0000000002FCE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.620297624.000000000340F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.618393953.0000000002F45000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.620207483.00000000033C7000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.618664149.0000000002FDD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.622598670.0000000006DBE000.00000004.00000010.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.622221181.0000000005F7B000.00000004.00000010.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.618074252.0000000002E99000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.622427454.000000000641E000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: Program Manager
        Source: RegAsm.exe, 00000003.00000002.618605280.0000000002FCE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.618393953.0000000002F45000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.620207483.00000000033C7000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.618664149.0000000002FDD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager|$U
        Source: RegAsm.exe, 00000003.00000002.618605280.0000000002FCE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Managerx
        Source: RegAsm.exe, 00000003.00000002.622353382.00000000061DD000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: Program Manager`
        Source: RegAsm.exe, 00000003.00000002.622579915.0000000006C7E000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: Program Manager`[
        Source: RegAsm.exe, 00000003.00000002.622450476.000000000655E000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: Program Manager`;
        Source: RegAsm.exe, 00000003.00000002.618393953.0000000002F45000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerHannh
        Source: RegAsm.exe, 00000003.00000002.620297624.000000000340F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.618393953.0000000002F45000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.618664149.0000000002FDD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager\
        Source: C:\Users\user\Desktop\gruopon.exe | Queries volume information: C:\Users\user\Desktop\gruopon.exe VolumeInformation
        Source: C:\Users\user\Desktop\gruopon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\AppData\Roaming\jsdudg.exe | Queries volume information: C:\Users\user\AppData\Roaming\jsdudg.exe VolumeInformation
        Source: C:\Users\user\AppData\Roaming\jsdudg.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\AppData\Roaming\jsdudg.exe | Queries volume information: C:\Users\user\AppData\Roaming\jsdudg.exe VolumeInformation
        Source: C:\Users\user\AppData\Roaming\jsdudg.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\gruopon.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information

        Source: Yara match | File source: 12.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 30.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.2.jsdudg.exe.37e5240.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 30.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 30.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 28.2.jsdudg.exe.42f5240.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.RegAsm.exe.3e9457d.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.gruopon.exe.3737c60.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.RegAsm.exe.3e8ff54.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.RegAsm.exe.3e8ff54.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.RegAsm.exe.3e8b11e.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 30.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 28.2.jsdudg.exe.42f5240.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 28.2.jsdudg.exe.4327c60.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.gruopon.exe.3737c60.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.2.jsdudg.exe.3817c60.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.2.jsdudg.exe.377f1d0.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.RegAsm.exe.6070000.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.2.jsdudg.exe.37e5240.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.RegAsm.exe.38dff54.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.gruopon.exe.3705240.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.RegAsm.exe.6074629.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.RegAsm.exe.6070000.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 30.2.RegAsm.exe.421ff54.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 30.2.RegAsm.exe.422457d.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.gruopon.exe.369f1d0.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 30.2.RegAsm.exe.421b11e.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.RegAsm.exe.38db11e.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.2.jsdudg.exe.3817c60.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 30.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.RegAsm.exe.38dff54.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.RegAsm.exe.38e457d.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 28.2.jsdudg.exe.4327c60.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 30.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 30.2.RegAsm.exe.421ff54.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.gruopon.exe.3705240.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 28.2.jsdudg.exe.428f1d0.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0000000C.00000000.391198929.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001E.00000002.543378506.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.616660623.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000000.390187170.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001E.00000000.510638096.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001E.00000000.510140831.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.418957983.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000000.354914710.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001E.00000002.545333473.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000000.354654523.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.364995852.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.622304121.0000000006070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000000.390440654.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.620364814.0000000003E89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000000.354407215.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001E.00000002.545542079.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001E.00000000.509750431.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001E.00000000.509298666.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.419442563.0000000003899000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000000.353836119.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000000.390876269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001C.00000002.524101575.0000000004229000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000A.00000002.401676808.0000000003719000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.419329024.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6036, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 5684, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3900, type: MEMORYSTR

        Remote Access Functionality

        Source: RegAsm.exe, 00000003.00000002.616660623.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: RegAsm.exe, 00000003.00000002.622304121.0000000006070000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: RegAsm.exe, 00000003.00000002.620364814.0000000003E89000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: RegAsm.exe, 00000003.00000002.620364814.0000000003E89000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: RegAsm.exe, 00000003.00000002.618074252.0000000002E99000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: RegAsm.exe, 00000003.00000002.618074252.0000000002E99000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: RegAsm.exe, 0000000C.00000000.391198929.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: RegAsm.exe, 0000000C.00000002.419329024.0000000002891000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: RegAsm.exe, 0000000C.00000002.419329024.0000000002891000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: RegAsm.exe, 0000000C.00000002.419442563.0000000003899000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: RegAsm.exe, 0000000C.00000002.419442563.0000000003899000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: RegAsm.exe, 0000001E.00000002.545333473.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: RegAsm.exe, 0000001E.00000002.545333473.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: RegAsm.exe, 0000001E.00000002.543378506.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: RegAsm.exe, 0000001E.00000002.545542079.00000000041D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: RegAsm.exe, 0000001E.00000002.545542079.00000000041D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: Yara match | File source: 12.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 30.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.2.jsdudg.exe.37e5240.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 30.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 30.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 28.2.jsdudg.exe.42f5240.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.RegAsm.exe.3e9457d.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.gruopon.exe.3737c60.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.RegAsm.exe.3e8ff54.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.RegAsm.exe.3e8ff54.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.RegAsm.exe.3e8b11e.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 30.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 28.2.jsdudg.exe.42f5240.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 28.2.jsdudg.exe.4327c60.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.gruopon.exe.3737c60.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.2.jsdudg.exe.3817c60.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.2.jsdudg.exe.377f1d0.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.RegAsm.exe.6070000.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.2.jsdudg.exe.37e5240.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.RegAsm.exe.38dff54.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.gruopon.exe.3705240.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.RegAsm.exe.6074629.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.RegAsm.exe.6070000.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.2.RegAsm.exe.421ff54.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.2.RegAsm.exe.422457d.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 1.2.gruopon.exe.369f1d0.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.2.RegAsm.exe.421b11e.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.RegAsm.exe.38db11e.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 10.2.jsdudg.exe.3817c60.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.RegAsm.exe.38dff54.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.RegAsm.exe.38e457d.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 28.2.jsdudg.exe.4327c60.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.2.RegAsm.exe.421ff54.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 1.2.gruopon.exe.3705240.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 28.2.jsdudg.exe.428f1d0.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0000000C.00000000.391198929.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001E.00000002.543378506.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000002.616660623.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000000.390187170.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001E.00000000.510638096.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001E.00000000.510140831.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.418957983.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000000.354914710.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001E.00000002.545333473.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000000.354654523.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000001.00000002.364995852.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000002.622304121.0000000006070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000000.390440654.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000002.620364814.0000000003E89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000000.354407215.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001E.00000002.545542079.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001E.00000000.509750431.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001E.00000000.509298666.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.419442563.0000000003899000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000000.353836119.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000000.390876269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001C.00000002.524101575.0000000004229000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000A.00000002.401676808.0000000003719000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.419329024.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6036, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 5684, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 3900, type: MEMORYSTR
MITRE ATT&CK Matrix (one line per tactic, techniques in matrix order; a number in brackets is the report's count of matching signatures for that technique, entries without a number are unmatched cells of the matrix template):

Initial Access: Valid Accounts (1), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise, Compromise Software Dependencies and Development Tools
Execution: Scheduled Task/Job (1), Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell, AppleScript, Windows Command Shell
Persistence: Valid Accounts (1), Scheduled Task/Job (1), DLL Side-Loading (1), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows), Cron
Privilege Escalation: Valid Accounts (1), Access Token Manipulation (1), Process Injection (312), Scheduled Task/Job (1), DLL Side-Loading (1), Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows), Cron
Defense Evasion: Masquerading (1), Valid Accounts (1), Access Token Manipulation (1), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (21), Process Injection (312), Deobfuscate/Decode Files or Information (1), Hidden Files and Directories (1), Obfuscated Files or Information (21), Software Packing (13), DLL Side-Loading (1)
Credential Access: Input Capture (21), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing, Input Capture
Discovery: Security Software Discovery (1), Process Discovery (2), Virtualization/Sandbox Evasion (21), Application Window Discovery (1), System Information Discovery (12), System Owner/User Discovery, Network Sniffing, Network Service Scanning, System Network Connections Discovery, Process Discovery, Permission Groups Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools, Taint Shared Content, Replication Through Removable Media
Collection: Input Capture (21), Archive Collected Data (11), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging, Remote Data Staging
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Exfiltration Over Physical Medium
Command and Control: Encrypted Channel (1), Non-Standard Port (1), Remote Access Software (1), Application Layer Protocol (1), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols, Mail Protocols
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction, Data Encrypted for Impact, Service Stop
Behavior Graph (ID: 561562, Sample: gruopon.exe, Start date: 27/01/2022, Architecture: WINDOWS, Score: 100)

Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 7 other signatures

Process tree reconstructed from the graph (the number after a process name is the graph's count of files or registry values created by that process; indentation shows parent/child):

gruopon.exe (1)
    Dropped: C:\Users\user\AppData\...\gruopon.exe.log (ASCII)
    Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
    -> RegAsm.exe (6)
        Network: 20.91.192.34, ports 49755, 49756, 49757 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)
        Dropped: C:\Users\user\AppData\Roaming\...\run.dat (data)
        Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
    -> cmd.exe (3)
        Dropped: C:\Users\user\AppData\Roaming\jsdudg.exe (PE32); C:\Users\user\...\jsdudg.exe:Zone.Identifier (ASCII)
        -> conhost.exe
    -> cmd.exe (1)
        Signature: Uses schtasks.exe or at.exe to add and modify task schedules
        -> conhost.exe
        -> schtasks.exe (1)
jsdudg.exe (1)
    Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    -> cmd.exe (1)
        -> conhost.exe
        -> schtasks.exe (1)
    -> cmd.exe (1)
        -> conhost.exe
    -> RegAsm.exe (3)
jsdudg.exe
    -> cmd.exe (1)
        -> conhost.exe
        -> schtasks.exe (1)
    -> cmd.exe (1)
        -> conhost.exe
    -> RegAsm.exe (2)

Antivirus detection, submitted sample (Source: Scanner Detection, Label):
gruopon.exe: Virustotal 47%; ReversingLabs 40%, ByteCode-MSIL.Backdoor.Crysan; Joe Sandbox ML 100%

Antivirus detection, dropped file:
C:\Users\user\AppData\Roaming\jsdudg.exe: Joe Sandbox ML 100%; Virustotal 47%; ReversingLabs 40%, ByteCode-MSIL.Backdoor.Crysan

Antivirus detection, unpacked PE files (all Avira, 100%):
TR/Dropper.MSIL.Gen7: 30.0.RegAsm.exe.400000.2.unpack, 3.2.RegAsm.exe.400000.0.unpack, 30.0.RegAsm.exe.400000.4.unpack, 30.0.RegAsm.exe.400000.0.unpack, 3.0.RegAsm.exe.400000.0.unpack, 12.0.RegAsm.exe.400000.2.unpack, 30.0.RegAsm.exe.400000.1.unpack, 3.0.RegAsm.exe.400000.4.unpack, 12.0.RegAsm.exe.400000.4.unpack, 3.0.RegAsm.exe.400000.2.unpack, 12.0.RegAsm.exe.400000.1.unpack, 30.2.RegAsm.exe.400000.0.unpack, 3.0.RegAsm.exe.400000.3.unpack, 12.2.RegAsm.exe.400000.0.unpack, 12.0.RegAsm.exe.400000.3.unpack, 30.0.RegAsm.exe.400000.3.unpack, 3.0.RegAsm.exe.400000.1.unpack, 12.0.RegAsm.exe.400000.0.unpack
TR/NanoCore.fadte: 3.2.RegAsm.exe.6070000.6.unpack

Antivirus detection, domains: No Antivirus matches

Antivirus detection, URLs:
(empty URL): Avira URL Cloud safe, 0%
20.91.192.34: Virustotal 0%; Avira URL Cloud safe
        No contacted domains info
Contacted URLs (Name: Malicious, Antivirus Detection, Reputation):
(empty name): malicious true; Avira URL Cloud: safe; reputation low
20.91.192.34: malicious true; Virustotal 0%; Avira URL Cloud: safe; reputation unknown
URLs found in memory or binary data (Name: Source, Malicious, Reputation):
http://www.includehelp.com:8082/Article/CPrograms/ : jsdudg.exe, jsdudg.exe, 0000001C.00000002.524002624.0000000003221000.00000004.00000800.00020000.00000000.sdmp; malicious false; reputation high
http://www.includehelp.com:8082/Article/CPrograms/1gmzbbBb9cJRFsuZUXOXWHw==AP12d9eB4sE/Ua3buASP : gruopon.exe, jsdudg.exe.6.dr; malicious false; reputation high
Contacted IPs (IP: Domain, Country, ASN, ASN Name, Malicious):
20.91.192.34: domain unknown; United States; ASN 8075; MICROSOFT-CORP-MSN-AS-BLOCKUS; malicious true
            Joe Sandbox Version:34.0.0 Boulder Opal
            Analysis ID:561562
            Start date:27.01.2022
            Start time:16:12:50
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 12m 48s
            Hypervisor based Inspection enabled:false
            Report type:full
            Sample file name:gruopon.exe
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:41
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@33/6@0/1
            EGA Information:
            • Successful, ratio: 100%
            HDC Information:
            • Successful, ratio: 0.6% (good quality ratio 0.1%)
            • Quality average: 15.1%
            • Quality standard deviation: 26.5%
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 113
            • Number of non-executed functions: 2
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found application associated with file extension: .exe
            • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
            • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed, report is missing behavior information
            • Report creation exceeded maximum time and may have missing disassembly code information.
            • Report size exceeded maximum capacity and may have missing behavior information.
Time | Type | Description
16:13:51 | API Interceptor | 1x Sleep call for process: gruopon.exe modified
16:13:58 | Task Scheduler | Run new task: Nania, path: "C:\Users\user\AppData\Roaming\jsdudg.exe"
16:14:01 | API Interceptor | 958x Sleep call for process: RegAsm.exe modified
16:14:03 | API Interceptor | 2x Sleep call for process: jsdudg.exe modified
Other samples previously seen contacting ASN MICROSOFT-CORP-MSN-AS-BLOCKUS (Associated Sample Name / URL: Detection, Contacted IP):
Sz3UuCg0px: malicious, 104.147.78.187
U8aGf4OtLR: malicious, 40.85.254.44
fKWEtqaAtA: malicious, 13.95.41.254
eZITFZM4MJ: malicious, 20.36.90.130
message_zdm.htm: malicious, 52.97.218.82
IWdqQvHEF7: malicious, 20.106.255.165
AN_NGOB32751400.doc: malicious, 20.51.217.113
ua1oTmkw68.exe: malicious, 104.47.54.36
Karau.html: malicious, 52.250.42.157
loligang.arm7: malicious, 13.81.205.219
hGX7v1zhOe: malicious, 20.219.235.211
3Z6FoHYZcD: malicious, 72.154.232.250
loligang.arm: malicious, 168.61.5.240
sys.exe: malicious, 20.12.166.197
42ySB8UkHN: malicious, 20.237.102.60
lessie.arm7: malicious, 40.65.190.87
mirai.x86: malicious, 40.114.236.117
UAicb1MHGY: malicious, 20.18.207.33
x86: malicious, 20.254.50.244
L4J1KK3v10: malicious, 20.109.201.145
Note that AS8075 is Microsoft's own cloud network; every one of these samples contacted a different IP in that ASN, so this context is weak evidence about 20.91.192.34 itself and should not be turned into a block on the ASN.
            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):1216
            Entropy (8bit):5.355304211458859
            Encrypted:false
            SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
            MD5:69206D3AF7D6EFD08F4B4726998856D3
            SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
            SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
            SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
            Malicious:false
            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
            Process:C:\Users\user\Desktop\gruopon.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):520
            Entropy (8bit):5.345981753770044
            Encrypted:false
            SSDEEP:12:Q3La/hhkvoDLI4MWuCqDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:MLUE4K5E4Ks2wKDE4KhK3VZ9pKhk
            MD5:044A637E42FE9A819D7E43C8504CA769
            SHA1:6FCA27B1A571B73563C8424C84F4F64F3CBCBE2F
            SHA-256:E88E04654826CE00CC7A840745254164DDBD175066D6E4EA6858BF0FE463EBB4
            SHA-512:C9A74FA4154FA5E5951B0EEAC5330CA4BAC981FF9AD24C08575A76AD5D99CFB68556B9857C9C8209A1BFCB43F82E00F14962987A18A92A715F45AD0D4E4A718C
            Malicious:true
            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..
            Process:C:\Users\user\AppData\Roaming\jsdudg.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):520
            Entropy (8bit):5.345981753770044
            Encrypted:false
            SSDEEP:12:Q3La/hhkvoDLI4MWuCqDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:MLUE4K5E4Ks2wKDE4KhK3VZ9pKhk
            MD5:044A637E42FE9A819D7E43C8504CA769
            SHA1:6FCA27B1A571B73563C8424C84F4F64F3CBCBE2F
            SHA-256:E88E04654826CE00CC7A840745254164DDBD175066D6E4EA6858BF0FE463EBB4
            SHA-512:C9A74FA4154FA5E5951B0EEAC5330CA4BAC981FF9AD24C08575A76AD5D99CFB68556B9857C9C8209A1BFCB43F82E00F14962987A18A92A715F45AD0D4E4A718C
            Malicious:false
            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..
            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            File Type:data
            Category:dropped
            Size (bytes):8
            Entropy (8bit):3.0
            Encrypted:false
            SSDEEP:3:RBwWE8:wo
            MD5:4F63C92E941685D840E1F8C918DA040C
            SHA1:CC23DD55D88908CA02F832A5E847BC0D37AE3109
            SHA-256:BC5A282C96E4E148742AE3AE417F69DA08F3013C14A6BD0DD99050F445F7DE0A
            SHA-512:011DADAA70A1EC2708D62A9E822898F7B06A600166C8C245ECD53F2E9A12D30FD8D5FD99B9EDA83058957410EBD5BFE5B046C55B04EE77D3E82BF3B89EA87E36
            Malicious:true
            Preview:.....H
            Process:C:\Windows\SysWOW64\cmd.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):1048576
            Entropy (8bit):4.092360282456018
            Encrypted:false
            SSDEEP:3072:cTEGnCEOwfiswpqNKhIrkWzJxDBvkYRZPhgmWwHEnSswFiP6XzDPFPmusk/d5Gfn:cFHOwfwp+0Ir/gYswSvMPRmRk1dP
            MD5:40D8F956A39A697E1AA509EFE0E167F5
            SHA1:45814F4A78C727A84C008232DE7672461C3BE706
            SHA-256:C46BA296E23895758E7BF5C515E10784E317C4754D53D3C308E0B71110B861AD
            SHA-512:4FF6767BE043B2612591CB48B979F8AC47DF86879767C1DC6E482DC8CF97ACCB1D31AB24B7223265B597F96C05737DA485D731463D68D5330A770C893FFDABE1
            Malicious:true
            Antivirus:
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: Virustotal, Detection: 47%, Browse
            • Antivirus: ReversingLabs, Detection: 40%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.....................h......B.... ........@.. ..............................xh....@.....................................J........e........................................................................... ............... ..H............text...H.... ...................... ..`.rsrc....e.......f..................@..@.reloc...............>..............@..B................(.......H.......<n..tW..............H....m.......................................(3...(C...*.0..........(B...s......o....*...0..x.......(.......(....r...p(......r...pr...p(.....r...p(....(....&..........r...pr...p(...........r...p.......r...p..(....(....&*.0.......... 0u..(....r...pr...ps....&r...pr...p(.....r...ps......o....,.r...p(....+.r~..p(......r...p(......{.......(....&(....o....(....r...p(......(....r...p(....(....&.(.....(....*.0...........(....s.........o....t......*....0..
            Process:C:\Windows\SysWOW64\cmd.exe
            File Type:ASCII text, with CRLF line terminators
            Category:modified
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:true
            Preview:[ZoneTransfer]....ZoneId=0
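The behavior graph and the timeline above, together with this dropped stream, show the three host-side behaviours an analyst would want to catch: gruopon.exe and jsdudg.exe each start RegAsm.exe with no arguments as an injection host (the "Bad Opsec Defaults Sacrificial Processes With Improper Arguments" Sigma hit), cmd.exe and schtasks.exe register the task "Nania" to run jsdudg.exe out of AppData\Roaming, and the Zone.Identifier stream written next to jsdudg.exe carries ZoneId=0, which removes the Mark-of-the-Web so the dropped copy is not treated as an Internet download. The following Python is an added example of detection logic for those three patterns run over constructed Sysmon-style records (ProcessCreate, event 1, and FileCreateStreamHash, event 15, which logs Zone.Identifier contents). It is not code from this report or from Joe Sandbox; the event records and the schtasks command line are constructed for illustration (the report does not show the real command line), and the set of parents allowed to spawn RegAsm.exe is an assumption to tune per environment.

```python
import re
from dataclasses import dataclass

# Zone ids carried by a [ZoneTransfer] stream (the URLZONE values Windows uses).
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted", 3: "Internet", 4: "Untrusted"}

# Parents that legitimately launch RegAsm.exe (assumption; tune per environment).
TOOLING_PARENTS = {"devenv.exe", "msbuild.exe", "installutil.exe"}

# A persistence action living under a user profile's AppData is suspicious.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


@dataclass
class Event:
    """Minimal Sysmon-like record: 1 = ProcessCreate, 15 = FileCreateStreamHash."""
    event_id: int
    image: str                 # acting process
    parent_image: str = ""
    command_line: str = ""
    target: str = ""           # event 15: path of the stream written
    contents: str = ""         # event 15: stream contents


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_zone_transfer(contents):
    """Parse a Zone.Identifier stream into (zone_id, zone_name, fields)."""
    fields = {}
    for line in contents.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip().lower()] = value.strip()
    zone = int(fields["zoneid"]) if fields.get("zoneid", "").isdigit() else None
    return zone, ZONE_NAMES.get(zone, "unknown"), fields


def check_sacrificial_process(ev):
    """RegAsm.exe started with no arguments by a non-tooling parent: an injection host."""
    if ev.event_id != 1 or basename(ev.image) != "regasm.exe":
        return None
    # Drop the (possibly quoted) program path; whatever is left are the arguments.
    args = re.sub(r'^(?:"[^"]+"|\S+)', "", ev.command_line.strip()).strip()
    if args == "" and basename(ev.parent_image) not in TOOLING_PARENTS:
        return f"RegAsm.exe started without arguments by {basename(ev.parent_image)} (sacrificial process)"
    return None


def _opt(cl, flag):
    """Return the value of a schtasks option such as /tn or /tr, quoted or bare."""
    m = re.search(rf'{flag}\s+(?:"([^"]+)"|(\S+))', cl, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else ""


def check_schtasks_persistence(ev):
    """schtasks /create whose /tr action points into a user-writable AppData path."""
    if ev.event_id != 1 or basename(ev.image) != "schtasks.exe":
        return None
    cl = ev.command_line
    if not re.search(r"/create\b", cl, re.IGNORECASE):
        return None
    action = _opt(cl, "/tr")
    if USER_WRITABLE.search(action):
        return f"scheduled task {_opt(cl, '/tn') or '?'} runs {action} from a user-writable path"
    return None


def check_motw_suppression(ev):
    """A non-browser process writing Zone.Identifier with ZoneId=0 strips the Mark-of-the-Web."""
    if ev.event_id != 15 or not ev.target.lower().endswith(":zone.identifier"):
        return None
    zone, name, _ = parse_zone_transfer(ev.contents)
    if zone == 0:
        return f"{basename(ev.image)} wrote ZoneId=0 ({name}) to {ev.target}: MOTW suppressed"
    return None


CHECKS = (check_sacrificial_process, check_schtasks_persistence, check_motw_suppression)


def detect(events):
    """Run every check over every event; return the findings in event order."""
    findings = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed events mirroring the report's process tree; not real telemetry.
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
SAMPLE_EVENTS = [
    Event(1, REGASM, parent_image=r"C:\Users\user\Desktop\gruopon.exe", command_line=f'"{REGASM}"'),
    Event(1, r"C:\Windows\SysWOW64\schtasks.exe", parent_image=r"C:\Windows\SysWOW64\cmd.exe",
          command_line=r'schtasks /create /tn "Nania" /tr "C:\Users\user\AppData\Roaming\jsdudg.exe" /sc onlogon'),
    Event(15, r"C:\Windows\SysWOW64\cmd.exe",
          target=r"C:\Users\user\AppData\Roaming\jsdudg.exe:Zone.Identifier",
          contents="[ZoneTransfer]\r\nZoneId=0\r\n"),
    # Benign counterparts: Visual Studio registering an assembly, a browser download.
    Event(1, REGASM, parent_image=r"C:\Program Files\Microsoft Visual Studio\devenv.exe", command_line=f'"{REGASM}"'),
    Event(15, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          target=r"C:\Users\user\Downloads\setup.exe:Zone.Identifier",
          contents="[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/setup.exe\r\n"),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Running the block prints the three findings for the malicious events and nothing for the two benign ones. The MOTW check keys on the writing process rather than on the bare presence of ZoneId=0 because browsers never write zone 0; a `cmd.exe` or other non-browser process doing so on a fresh PE in a user profile is the report's "Hides that the sample has been downloaded from the Internet" behaviour.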
            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Entropy (8bit):4.092360282456018
            TrID:
            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            • Win32 Executable (generic) a (10002005/4) 49.78%
            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
            • Generic Win/DOS Executable (2004/3) 0.01%
            • DOS Executable Generic (2002/1) 0.01%
            File name:gruopon.exe
            File size:1048576
            MD5:40d8f956a39a697e1aa509efe0e167f5
            SHA1:45814f4a78c727a84c008232de7672461c3be706
            SHA256:c46ba296e23895758e7bf5c515e10784e317c4754d53d3c308e0b71110b861ad
            SHA512:4ff6767be043b2612591cb48b979f8ac47df86879767c1dc6e482dc8cf97accb1d31ab24b7223265b597f96c05737da485d731463d68d5330a770c893ffdabe1
            SSDEEP:3072:cTEGnCEOwfiswpqNKhIrkWzJxDBvkYRZPhgmWwHEnSswFiP6XzDPFPmusk/d5Gfn:cFHOwfwp+0Ir/gYswSvMPRmRk1dP
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.....................h......B.... ........@.. ..............................xh....@................................
            Icon Hash:71e0d49292c07033
            Entrypoint:0x43f442
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Time Stamp:0x61F0A093 [Wed Jan 26 01:14:59 2022 UTC]
            TLS Callbacks:
            CLR (.Net) Version:v4.0.30319
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
            Instruction
            jmp dword ptr [00402000h]
            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3f3f8 | 0x4a | .text
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x40000 | 0x465c2 | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | 
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x88000 | 0xc | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | 
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | 
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | 
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | 
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 
            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x2000 | 0x3d448 | 0x3d600 | False | 0.919158127546 | data | 7.86220693634 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            .rsrc | 0x40000 | 0x465c2 | 0x46600 | False | 0.0908151087922 | data | 3.80490586802 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0x88000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
            Name | RVA | Size | Type | Language | Country
            RT_ICON | 0x40220 | 0x468 | GLS_BINARY_LSB_FIRST | | 
            RT_ICON | 0x40688 | 0x10a8 | data | | 
            RT_ICON | 0x41730 | 0x25a8 | data | | 
            RT_ICON | 0x43cd8 | 0x42028 | data | | 
            RT_DIALOG | 0x85d00 | 0x11c | data | English | United States
            RT_GROUP_ICON | 0x85e1c | 0x3e | data | | 
            RT_VERSION | 0x85e5c | 0x390 | data | | 
            RT_MANIFEST | 0x861ec | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | | 
            RT_MANIFEST | 0x863d8 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | | 
            DLL | Import
            mscoree.dll | _CorExeMain
            Description | Data
            LegalCopyright | TeamViewer Germany GmbH
            InternalName | TeamViewer
            FileVersion | 15.25.8.0
            CompanyName | TeamViewer Germany GmbH
            PrivateBuild | TeamViewer Remote Control Application
            LegalTrademarks | TeamViewer
            ProductName | TeamViewer
            ProductVersion | 15.25.8.0
            FileDescription | TeamViewer
            OriginalFilename | TeamViewer.exe
            Translation | 0x0809 0x04b0
            Language of compilation system | Country where language is spoken
            English | United States
            Target ID:1
            Start time:16:13:50
            Start date:27/01/2022
            Path:C:\Users\user\Desktop\gruopon.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\gruopon.exe"
            Imagebase:0x2e0000
            File size:1048576 bytes
            MD5 hash:40D8F956A39A697E1AA509EFE0E167F5
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.364995852.0000000003639000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.364995852.0000000003639000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.364995852.0000000003639000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            Reputation:low

            Target ID:3
            Start time:16:13:52
            Start date:27/01/2022
            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Imagebase:0xaf0000
            File size:64616 bytes
            MD5 hash:6FD7592411112729BF6B1F2F6C34899F
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.616660623.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.616660623.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.616660623.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000000.354914710.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.354914710.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000003.00000000.354914710.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000000.354654523.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.354654523.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000003.00000000.354654523.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.622304121.0000000006070000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.622304121.0000000006070000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.622304121.0000000006070000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.620364814.0000000003E89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.620364814.0000000003E89000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000000.354407215.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.354407215.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000003.00000000.354407215.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000000.353836119.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.353836119.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000003.00000000.353836119.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.622103312.00000000058E0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.622103312.00000000058E0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            Reputation:high

            Target ID:5
            Start time:16:13:55
            Start date:27/01/2022
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\user\AppData\Roaming\jsdudg.exe'" /f
            Imagebase:0x2a0000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Target ID:6
            Start time:16:13:56
            Start date:27/01/2022
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:cmd" /c copy "C:\Users\user\Desktop\gruopon.exe" "C:\Users\user\AppData\Roaming\jsdudg.exe
            Imagebase:0x2a0000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Target ID:7
            Start time:16:13:56
            Start date:27/01/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff61de10000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Target ID:8
            Start time:16:13:57
            Start date:27/01/2022
            Path:C:\Windows\SysWOW64\schtasks.exe
            Wow64 process (32bit):true
            Commandline:schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\user\AppData\Roaming\jsdudg.exe'" /f
            Imagebase:0x1070000
            File size:185856 bytes
            MD5 hash:15FF7D8324231381BAD48A052F85DF04
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Target ID:9
            Start time:16:13:57
            Start date:27/01/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff61de10000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Target ID:10
            Start time:16:14:01
            Start date:27/01/2022
            Path:C:\Users\user\AppData\Roaming\jsdudg.exe
            Wow64 process (32bit):true
            Commandline:C:\Users\user\AppData\Roaming\jsdudg.exe
            Imagebase:0x380000
            File size:1048576 bytes
            MD5 hash:40D8F956A39A697E1AA509EFE0E167F5
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.401676808.0000000003719000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.401676808.0000000003719000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.401676808.0000000003719000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            Antivirus matches:
            • Detection: 100%, Joe Sandbox ML
            • Detection: 47%, Virustotal, Browse
            • Detection: 40%, ReversingLabs
            Reputation:low

            Target ID:12
            Start time:16:14:09
            Start date:27/01/2022
            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Imagebase:0x5b0000
            File size:64616 bytes
            MD5 hash:6FD7592411112729BF6B1F2F6C34899F
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000000.391198929.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000000.391198929.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000C.00000000.391198929.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000000.390187170.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000000.390187170.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000C.00000000.390187170.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.418957983.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.418957983.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.418957983.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000000.390440654.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000000.390440654.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000C.00000000.390440654.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.419442563.0000000003899000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.419442563.0000000003899000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000000.390876269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000000.390876269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000C.00000000.390876269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.419329024.0000000002891000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.419329024.0000000002891000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            Reputation:high

            Target ID:13
            Start time:16:14:12
            Start date:27/01/2022
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\user\AppData\Roaming\jsdudg.exe'" /f
            Imagebase:0x2a0000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Target ID:15
            Start time:16:14:13
            Start date:27/01/2022
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:cmd" /c copy "C:\Users\user\AppData\Roaming\jsdudg.exe" "C:\Users\user\AppData\Roaming\jsdudg.exe
            Imagebase:0x2a0000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Target ID:16
            Start time:16:14:13
            Start date:27/01/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff61de10000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            Target ID:17
            Start time:16:14:14
            Start date:27/01/2022
            Path:C:\Windows\SysWOW64\schtasks.exe
            Wow64 process (32bit):true
            Commandline:schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\user\AppData\Roaming\jsdudg.exe'" /f
            Imagebase:0x1070000
            File size:185856 bytes
            MD5 hash:15FF7D8324231381BAD48A052F85DF04
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            Target ID:18
            Start time:16:14:14
            Start date:27/01/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff61de10000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            Target ID:28
            Start time:16:15:02
            Start date:27/01/2022
            Path:C:\Users\user\AppData\Roaming\jsdudg.exe
            Wow64 process (32bit):true
            Commandline:C:\Users\user\AppData\Roaming\jsdudg.exe
            Imagebase:0xe70000
            File size:1048576 bytes
            MD5 hash:40D8F956A39A697E1AA509EFE0E167F5
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000001C.00000002.524101575.0000000004229000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001C.00000002.524101575.0000000004229000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000001C.00000002.524101575.0000000004229000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

            Target ID:30
            Start time:16:15:04
            Start date:27/01/2022
            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Imagebase:0xe20000
            File size:64616 bytes
            MD5 hash:6FD7592411112729BF6B1F2F6C34899F
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000001E.00000002.543378506.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000002.543378506.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000001E.00000002.543378506.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000001E.00000000.510638096.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000000.510638096.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000001E.00000000.510638096.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000001E.00000000.510140831.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000000.510140831.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000001E.00000000.510140831.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000002.545333473.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000001E.00000002.545333473.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000002.545542079.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000001E.00000002.545542079.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000001E.00000000.509750431.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000000.509750431.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000001E.00000000.509750431.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000001E.00000000.509298666.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000000.509298666.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000001E.00000000.509298666.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
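The dotted ".sdmp" names in the Yara match lists above encode where each hit was found. The following is an added example, not code from the report or from Joe Sandbox: it parses those names and ties the hits back to the process table. The field meanings are assumed from what this page shows (field 1 is the Target ID in hex, since 0x1C and 0x1E correspond to Target IDs 28 and 30; field 4 is the base address of the dumped region; field 5 is the Windows PAGE_* protection, 0x40 being PAGE_EXECUTE_READWRITE and 0x04 PAGE_READWRITE); the remaining fields are carried through undecoded. Imagebase and File size are copied from the table, with File size used only as a rough stand-in for the mapped image size.

```python
"""Decode Joe Sandbox memory-dump identifiers from a "Yara matches" list and
correlate the hits with the process table.

Added example, not part of the report or of Joe Sandbox's tooling. Assumed
field layout of the .sdmp name: field 1 = Target ID (hex), field 4 = base
address of the dumped region, field 5 = PAGE_* protection; other fields are
kept undecoded. PROCESSES copies Imagebase and File size from the table;
File size only approximates the mapped image size.
"""
import re

PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}

MATCH_RE = re.compile(r"Rule:\s*(?P<rule>[^,]+),\s*Description:\s*(?P<desc>.*?),\s*"
                      r"Source:\s*(?P<source>\S+\.sdmp),\s*Author:\s*(?P<author>.+?)\s*$")
HEX8 = r"[0-9A-Fa-f]{8}"
SOURCE_RE = re.compile(rf"^(?P<target>{HEX8})\.(?P<f2>{HEX8})\.(?P<f3>\d+)\."
                       rf"(?P<base>[0-9A-Fa-f]{{16}})\.(?P<protect>{HEX8})\."
                       rf"(?P<f6>{HEX8})\.(?P<f7>{HEX8})\.(?P<f8>{HEX8})\.sdmp$")

# Process table rows from the page: Target ID -> path, Imagebase, File size.
PROCESSES = {
    28: {"path": r"C:\Users\user\AppData\Roaming\jsdudg.exe", "imagebase": 0xE70000, "size": 1048576},
    30: {"path": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", "imagebase": 0xE20000, "size": 64616},
}

# A representative subset of the Yara match bullets listed above.
SAMPLE_MATCHES = [
    "Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000001C.00000002.524101575.0000000004229000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth",
    "Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001C.00000002.524101575.0000000004229000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security",
    "Rule: NanoCore, Description: unknown, Source: 0000001C.00000002.524101575.0000000004229000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>",
    "Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000001E.00000002.543378506.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth",
    "Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000000.510638096.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security",
    "Rule: NanoCore, Description: unknown, Source: 0000001E.00000002.545333473.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>",
    "Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000002.545542079.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security",
]


def parse_source(source):
    """Split one '....sdmp' name into its decoded fields."""
    m = SOURCE_RE.match(source)
    if not m:
        raise ValueError(f"unrecognised dump name: {source}")
    protect = int(m["protect"], 16)
    return {"target_id": int(m["target"], 16), "base": int(m["base"], 16),
            "protect": PAGE_PROTECT.get(protect, f"0x{protect:x}"),
            "undecoded": (m["f2"], m["f3"], m["f6"], m["f7"], m["f8"])}


def parse_match(line):
    """Parse one bullet of a 'Yara matches' list (leading bullet optional)."""
    m = MATCH_RE.search(line)
    if not m:
        raise ValueError(f"not a Yara match line: {line!r}")
    hit = {k: m[k].strip() for k in ("rule", "desc", "source", "author")}
    hit.update(parse_source(hit["source"]))
    return hit


def exec_outside_image(hit, proc):
    """True for executable memory that is not the process's own mapped image:
    unpacked or injected code (or JIT memory in a .NET host). That is the
    dump to examine first when a signature fires."""
    if not hit["protect"].startswith("PAGE_EXECUTE"):
        return False
    if proc is None:
        return True
    return not (proc["imagebase"] <= hit["base"] < proc["imagebase"] + proc["size"])


def correlate(match_lines, processes=PROCESSES):
    """Group hits per Target ID: which rules fired, on which regions."""
    out = {}
    for line in match_lines:
        hit = parse_match(line)
        proc = processes.get(hit["target_id"])
        entry = out.setdefault(hit["target_id"], {
            "path": proc["path"] if proc else None, "rules": set(), "regions": {}})
        entry["rules"].add(hit["rule"])
        entry["regions"][(hit["base"], hit["protect"])] = exec_outside_image(hit, proc)
    return out


if __name__ == "__main__":
    for tid, entry in sorted(correlate(SAMPLE_MATCHES).items()):
        print(f"Target {tid} {entry['path']}: rules={sorted(entry['rules'])}")
        for (base, prot), foreign in sorted(entry["regions"].items()):
            print(f"  0x{base:08x} {prot}{'  <- executable, outside own image' if foreign else ''}")
```

Run against the bullets above, the RWX hits at 0x402000 inside RegAsm.exe fall outside RegAsm's own image (Imagebase 0xe20000), which is the dump to pull first when extracting the unpacked payload; the PAGE_READWRITE hits at 0x31D1000 and 0x41D9000 are heap copies of the same strings and are less useful for unpacking.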

            Target ID:33
            Start time:16:15:08
            Start date:27/01/2022
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\user\AppData\Roaming\jsdudg.exe'" /f
            Imagebase:0x2a0000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            Target ID:34
            Start time:16:15:09
            Start date:27/01/2022
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:cmd" /c copy "C:\Users\user\AppData\Roaming\jsdudg.exe" "C:\Users\user\AppData\Roaming\jsdudg.exe
            Imagebase:0x2a0000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            Target ID:35
            Start time:16:15:10
            Start date:27/01/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff61de10000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            Target ID:36
            Start time:16:15:10
            Start date:27/01/2022
            Path:C:\Windows\SysWOW64\schtasks.exe
            Wow64 process (32bit):true
            Commandline:schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\user\AppData\Roaming\jsdudg.exe'" /f
            Imagebase:0x1070000
            File size:185856 bytes
            MD5 hash:15FF7D8324231381BAD48A052F85DF04
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            Target ID:37
            Start time:16:15:11
            Start date:27/01/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff61de10000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
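The process table above records the persistence mechanism (a scheduled task named "Nania" that runs C:\Users\user\AppData\Roaming\jsdudg.exe every minute), the self-copy through cmd /c copy, and a RegAsm.exe started with an empty command line. The detection logic below is an added example, not part of the Joe Sandbox report: it runs three checks over process-creation events whose command lines are the ones listed above. The parent images are constructed (the table does not show parents), the two benign control events at the end are constructed, and the record layout assumes Sysmon event 1 / Security 4688 style fields.

```python
"""Three checks over process-creation events: minute-interval scheduled-task
persistence from a user-writable path, a self-copy via "cmd /c copy", and a
signed .NET utility started with an empty command line (hollowing host).

Added example, not part of the Joe Sandbox report. Command lines come from
the process table on the page; parent images and the benign controls are
constructed; field names assume a Sysmon event 1 / 4688 style record.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str          # full path of the created process
    command_line: str   # raw command line as logged
    parent_image: str   # constructed for this example


USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Users\\Public|Temp)\\", re.I)
# Signed binaries that do nothing useful with an empty command line and are
# routinely chosen as hollowing hosts.
BARE_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "regsvr32.exe", "rundll32.exe"}


def _base(path):
    return re.split(r"[\\/]", path)[-1].lower()


def _opt(cmd, name):
    """Value of a schtasks-style /name option, honouring double quotes."""
    m = re.search(rf'(?i)/{name}\s+(?:"([^"]*)"|(\S+))', cmd)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def check_schtasks(ev):
    cmd = ev.command_line
    if not re.search(r'(?i)schtasks(\.exe)?"?\s+/create\b', cmd):
        return None
    sc, mo = (_opt(cmd, "sc") or "").lower(), _opt(cmd, "mo") or ""
    tr = (_opt(cmd, "tr") or "").strip("'\"")
    why = []
    if sc == "minute" and mo.isdigit() and int(mo) <= 5:
        why.append(f"runs every {mo} minute(s)")
    if USER_WRITABLE.search(tr):
        why.append(f"action {tr} lives in a user-writable path")
    if "/f" in cmd.lower().split():
        why.append("/f overwrites any existing task of that name")
    # Two indicators required: updaters such as OneDrive's legitimately run
    # scheduled tasks from AppData, so the path alone is not enough.
    return ("scheduled_task_persistence", "; ".join(why)) if len(why) >= 2 else None


COPY_RE = re.compile(r'(?i)\bcopy\s+"?([^"]+?)"?\s+"?([^"]+?)"?\s*$')


def check_self_copy(ev):
    m = COPY_RE.search(ev.command_line)
    if not m:
        return None
    src, dst = (p.strip().lower().replace("/", "\\") for p in m.groups())
    if src == dst and USER_WRITABLE.search(dst):
        return ("self_copy", f"copy of {dst} onto itself")
    return None


def check_bare_host(ev):
    name = _base(ev.image)
    if name not in BARE_HOSTS:
        return None
    # Drop the program token (quoted or bare); whatever is left is arguments.
    rest = re.sub(r'^\s*(?:"[^"]*"|\S+)', "", ev.command_line).strip()
    if rest:
        return None
    sev = "high" if USER_WRITABLE.search(ev.parent_image) else "medium"
    return ("bare_lolbin_host", f"{name} with empty command line, parent {ev.parent_image} ({sev})")


CHECKS = (check_schtasks, check_self_copy, check_bare_host)


def detect(ev):
    """All (rule, detail) findings for one event."""
    return [f for f in (check(ev) for check in CHECKS) if f]


def scan(events):
    return {i: detect(ev) for i, ev in enumerate(events)}


# Command lines from the process table; parent images are constructed.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\SysWOW64\cmd.exe",
                 r'''"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\user\AppData\Roaming\jsdudg.exe'" /f''',
                 r"C:\Users\user\Desktop\gruopon.exe"),
    ProcessEvent(r"C:\Windows\SysWOW64\cmd.exe",
                 r'''cmd" /c copy "C:\Users\user\AppData\Roaming\jsdudg.exe" "C:\Users\user\AppData\Roaming\jsdudg.exe''',
                 r"C:\Users\user\Desktop\gruopon.exe"),
    ProcessEvent(r"C:\Windows\SysWOW64\schtasks.exe",
                 r'''schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\user\AppData\Roaming\jsdudg.exe'" /f''',
                 r"C:\Windows\SysWOW64\cmd.exe"),
    ProcessEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
                 r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
                 r"C:\Users\user\AppData\Roaming\jsdudg.exe"),
    # Constructed benign controls: a real RegAsm invocation and conhost.
    ProcessEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
                 r'RegAsm.exe /codebase "C:\build\Interop.dll"',
                 r"C:\Program Files\Microsoft Visual Studio\devenv.exe"),
    ProcessEvent(r"C:\Windows\System32\conhost.exe",
                 r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
                 r"C:\Windows\SysWOW64\cmd.exe"),
]
```

The self-copy check deliberately parses the unbalanced quoting exactly as the table records it, because that broken command line is how the sample builds the string and is itself a usable indicator; the bare-host check rates the RegAsm.exe event high because its (constructed) parent runs from AppData\Roaming.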


              Execution Graph

              Execution Coverage:17%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:2.6%
              Total number of Nodes:115
              Total number of Limit Nodes:6
              execution_graph (graph rendering not preserved in this extraction; API nodes recovered from it):
              • 24d3048 .. 24d318e: GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId
              • 24d3270: DuplicateHandle
              • 24d0590 .. 24d485c: SetProcessWorkingSetSize (reached via 24d0618/24d0628, 24d4750/24d4760 and 24d2eec)
              • 24d7eb7 .. 24d8cfe, the process-injection sequence (12 API calls): CreateProcessAsUserA (24d860b, 24d86a0) -> GetThreadContext (24d8988, 24d8990) -> ReadProcessMemory (24d8a4a, 24d8a50) -> VirtualAllocEx (24d8b08, 24d8b10) -> WriteProcessMemory (24d8bb2, 24d8bb8; 24d8302 loops back to 24d8399) -> GetThreadContext -> ResumeThread (24d8c88, 24d8c90)
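The execution graph above lists the API chain by which the sample hollows RegAsm.exe: CreateProcessAsUserA, then GetThreadContext, ReadProcessMemory, VirtualAllocEx and WriteProcessMemory (in a loop), then ResumeThread. The following is an added example, not the sample's code and not part of the report: a tracker that recognises that chain in an ordered API trace by following the process and thread handles returned by CreateProcess*. The trace fed to it is constructed; handle values, addresses and sizes are invented, only the API names and their order come from the listing above, and SetThreadContext is the one call added that the listing does not show (it is usual in hollowing loaders, so the tracker treats it as optional).

```python
"""Recognise the process-hollowing API chain from the execution graph
(CreateProcessAsUserA -> GetThreadContext -> ReadProcessMemory -> VirtualAllocEx
-> WriteProcessMemory -> ResumeThread) in an ordered API trace.

Added example; neither the report's code nor the sample's. Handle values,
addresses and sizes in SAMPLE_TRACE are invented; only the API names and
their order come from the report. SetThreadContext is optional: usual in
hollowing loaders, not in the listing on this page.
"""
CREATE_SUSPENDED = 0x00000004      # dwCreationFlags bit (winbase.h)
PAGE_EXECUTE_READWRITE = 0x40      # flProtect value (winnt.h)

CREATE_APIS = {"CreateProcessA", "CreateProcessW",
               "CreateProcessAsUserA", "CreateProcessAsUserW"}
STAGE_OF = {"GetThreadContext": "context", "ReadProcessMemory": "read",
            "VirtualAllocEx": "alloc", "WriteProcessMemory": "write",
            "ResumeThread": "resume"}
ORDER = ["create", "context", "read", "alloc", "write", "resume"]


class HollowTracker:
    """One chain per suspended child process, keyed by its process handle."""

    def __init__(self):
        self.chains = {}

    def feed(self, api, args):
        if api in CREATE_APIS:
            # Only a child created suspended can be hollowed before it runs.
            if args.get("dwCreationFlags", 0) & CREATE_SUSPENDED:
                self.chains[args["hProcess"]] = {
                    "image": args.get("lpApplicationName") or args.get("lpCommandLine"),
                    "hProcess": args["hProcess"], "hThread": args["hThread"],
                    "stages": ["create"], "rwx_alloc": False,
                    "set_context": False, "out_of_order": []}
            return
        chain = self._lookup(args)
        if chain is None:          # targets some other process or thread
            return
        if api == "SetThreadContext":
            chain["set_context"] = True
            return
        stage = STAGE_OF.get(api)
        if stage is None:
            return
        if api == "VirtualAllocEx" and args.get("flProtect") == PAGE_EXECUTE_READWRITE:
            chain["rwx_alloc"] = True
        done = chain["stages"]
        expected = ORDER[len(done)] if len(done) < len(ORDER) else None
        if stage == expected:
            done.append(stage)
        elif stage != done[-1]:    # repeats (one WriteProcessMemory per section) are fine
            chain["out_of_order"].append(api)

    def _lookup(self, args):
        chain = self.chains.get(args.get("hProcess"))
        if chain is None and "hThread" in args:
            chain = next((c for c in self.chains.values()
                          if c["hThread"] == args["hThread"]), None)
        return chain

    def verdicts(self):
        return [dict(c, complete=(c["stages"] == ORDER)) for c in self.chains.values()]


def scan(trace):
    tracker = HollowTracker()
    for api, args in trace:
        tracker.feed(api, args)
    return tracker.verdicts()


# Constructed trace in the order the execution graph shows for this sample.
SAMPLE_TRACE = [
    ("CreateProcessAsUserA", {"lpApplicationName": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
                              "dwCreationFlags": CREATE_SUSPENDED, "hProcess": 0x2A8, "hThread": 0x2AC}),
    ("GetThreadContext", {"hThread": 0x2AC}),
    ("ReadProcessMemory", {"hProcess": 0x2A8, "lpBaseAddress": 0x7FFDF008, "nSize": 4}),   # PEB.ImageBaseAddress
    ("VirtualAllocEx", {"hProcess": 0x2A8, "lpAddress": 0x400000, "dwSize": 0x1A000,
                        "flProtect": PAGE_EXECUTE_READWRITE}),
    ("WriteProcessMemory", {"hProcess": 0x2A8, "lpBaseAddress": 0x400000, "nSize": 0x400}),     # headers
    ("WriteProcessMemory", {"hProcess": 0x2A8, "lpBaseAddress": 0x402000, "nSize": 0x14000}),   # .text
    ("SetThreadContext", {"hThread": 0x2AC}),
    ("ResumeThread", {"hThread": 0x2AC}),
]

if __name__ == "__main__":
    for v in scan(SAMPLE_TRACE):
        print(v["image"], "complete" if v["complete"] else "partial", v["stages"])
```

The constructed allocation is PAGE_EXECUTE_READWRITE at 0x400000, which matches where this report's Yara hits inside RegAsm.exe land (0x402000 with protection 0x40); a chain that never reaches ResumeThread, or whose CreateProcess* lacked CREATE_SUSPENDED, is reported as partial or not at all, which keeps ordinary debuggers and crash handlers that read another process's memory from firing the verdict.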

              Control-flow Graph

              control_flow_graph (rendering not preserved): basic blocks 24d8610-24d8949; CreateProcessAsUserA is called from block 24d87a6-24d885f
              APIs
              • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 024D884C
              Memory Dump Source
              • Source File: 00000001.00000002.364756338.00000000024D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_24d0000_gruopon.jbxd
              Similarity
              • API ID: CreateProcessUser
              • String ID:
              • API String ID: 2217836671-0
              • Opcode ID: c5734b65a84a6f00b9868591956b217bd7526f072e45fbcdc136d6a150d0dc89
              • Instruction ID: 2501cc6452efb5f207b34232ba8dcb350fe8dceaf56400b5d05d4fedd5138ce3
              • Opcode Fuzzy Hash: c5734b65a84a6f00b9868591956b217bd7526f072e45fbcdc136d6a150d0dc89
              • Instruction Fuzzy Hash: D7915771D006199FDB10CFA9C951BEEBBB6FF48314F0481AAE858A3350DB709986CF91
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000001.00000002.364756338.00000000024D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_24d0000_gruopon.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ede1f83adcd17eb36859457c6742f8af1c3177758cb52d8d4ed370c3383512dd
              • Instruction ID: 9e05be6e4c7139c927644f23f7320ea32f87cb196e5293e69fcb958900643b05
              • Opcode Fuzzy Hash: ede1f83adcd17eb36859457c6742f8af1c3177758cb52d8d4ed370c3383512dd
              • Instruction Fuzzy Hash: FA12C330B00215DFDB14DB68D8A0BAEB7F6BF85318F14852AE4069B795DB70EC46CB80
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • GetCurrentProcess.KERNEL32 ref: 024D30A8
              • GetCurrentThread.KERNEL32 ref: 024D30E5
              • GetCurrentProcess.KERNEL32 ref: 024D3122
              • GetCurrentThreadId.KERNEL32 ref: 024D317B
              Memory Dump Source
              • Source File: 00000001.00000002.364756338.00000000024D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_24d0000_gruopon.jbxd
              Similarity
              • API ID: Current$ProcessThread
              • String ID:
              • API String ID: 2063062207-0
              • Opcode ID: cd68b292e07b939a098971a863f99b4122ab07ab90cb1da3cd35ba10ce69417b
              • Instruction ID: 8fae7cbca1918d9c0803ace892190fa6ba38c8692b345485841c171177be3eb9
              • Opcode Fuzzy Hash: cd68b292e07b939a098971a863f99b4122ab07ab90cb1da3cd35ba10ce69417b
              • Instruction Fuzzy Hash: 7F5199B0E002858FDB05CFA9C5887DEBFF0AF49318F2484AAE009A7391D7745844CF65
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • GetCurrentProcess.KERNEL32 ref: 024D30A8
              • GetCurrentThread.KERNEL32 ref: 024D30E5
              • GetCurrentProcess.KERNEL32 ref: 024D3122
              • GetCurrentThreadId.KERNEL32 ref: 024D317B
              Memory Dump Source
              • Source File: 00000001.00000002.364756338.00000000024D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_24d0000_gruopon.jbxd
              Similarity
              • API ID: Current$ProcessThread
              • String ID:
              • API String ID: 2063062207-0
              • Opcode ID: 1ab151e0e5bf04a84cc8be6af828368c6b858c4defccc89d9bbf96c74320f71d
              • Instruction ID: 6649d92afdbff7dd8e78e52ef2fd7f9234fcc8237d507c87fd60550e05e7cf44
              • Opcode Fuzzy Hash: 1ab151e0e5bf04a84cc8be6af828368c6b858c4defccc89d9bbf96c74320f71d
              • Instruction Fuzzy Hash: 925145B0E006498FDB14CFAAC6887DFBBF4EB49318F24859AE009A7294D7745844CF65
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph (rendering not preserved): entry block 24d8604-24d8609, basic blocks 24d85cf-24d8949; CreateProcessAsUserA is called from block 24d87a6-24d885f
              APIs
              • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 024D884C
              Memory Dump Source
              • Source File: 00000001.00000002.364756338.00000000024D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_24d0000_gruopon.jbxd
              Similarity
              • API ID: CreateProcessUser
              • String ID:
              • API String ID: 2217836671-0
              • Opcode ID: 5dd5ab193dee0f26eea98efbb866c0dec1e414b89cd605c79c65b621818535da
              • Instruction ID: 2b87f3e909c2b19f0221b061479a69a7a3b39082c88798f53135bc4e605337b0
              • Opcode Fuzzy Hash: 5dd5ab193dee0f26eea98efbb866c0dec1e414b89cd605c79c65b621818535da
              • Instruction Fuzzy Hash: E1A16A71D002198FDB10CFA9C951BEEBBB2FF48314F0485AAE858A7350DB719986CF91
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph (rendering not preserved): basic blocks 24d8bb2-24d8c7c; WriteProcessMemory is called from block 24d8c19-24d8c52
              APIs
              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 024D8C45
              Memory Dump Source
              • Source File: 00000001.00000002.364756338.00000000024D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_24d0000_gruopon.jbxd
              Similarity
              • API ID: MemoryProcessWrite
              • String ID:
              • API String ID: 3559483778-0
              • Opcode ID: d5d8d557ca25315543faf75be5f9adc444874263ca630d78abc4f89acae7fc61
              • Instruction ID: f9193c0c604f17a243b5dc6af9a37ac7a8a1fddc3c89e8c621bae21bb917380e
              • Opcode Fuzzy Hash: d5d8d557ca25315543faf75be5f9adc444874263ca630d78abc4f89acae7fc61
              • Instruction Fuzzy Hash: E62107B5901259DFCB10CF99C984BDEBBF4FB48324F14842AE518A3350D774A945CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph (rendering not preserved): basic blocks 24d3268-24d332a; DuplicateHandle is called from block 24d3268-24d3304
              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 024D32F7
              Memory Dump Source
              • Source File: 00000001.00000002.364756338.00000000024D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_24d0000_gruopon.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: 9f85a417c04c8d28151c21210efa4809ae076653a3ddf59c2c7122bd4b9cd879
              • Instruction ID: e195100f9b8bdca7761fa5c998d2543850d60ca2134c6c7fef74d920b6a96005
              • Opcode Fuzzy Hash: 9f85a417c04c8d28151c21210efa4809ae076653a3ddf59c2c7122bd4b9cd879
              • Instruction Fuzzy Hash: 6921FFB5D012489FDB10CFAAD984AEEBFF8EB48324F14845AE955A3310C374A955CFA0
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph (rendering not preserved): basic blocks 24d8bb8-24d8c7c; WriteProcessMemory is called from block 24d8c19-24d8c52
              APIs
              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 024D8C45
              Memory Dump Source
              • Source File: 00000001.00000002.364756338.00000000024D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_24d0000_gruopon.jbxd
              Similarity
              • API ID: MemoryProcessWrite
              • String ID:
              • API String ID: 3559483778-0
              • Opcode ID: bb17e8d8f7b33f6e71d94ceb192bfeddc7f3d2bc21a31c74b6f521ef2299d67d
              • Instruction ID: 53e82be2fd77f3c2023f24cca0d8e5ed1f63fd773c72d0de5617a8c093e4b4d7
              • Opcode Fuzzy Hash: bb17e8d8f7b33f6e71d94ceb192bfeddc7f3d2bc21a31c74b6f521ef2299d67d
              • Instruction Fuzzy Hash: 6E21E5B1901249DFCB10CF9AC985BDEBBF4FB48324F10842AE518A3250D774A555CBA4
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph (rendering not preserved): entry block 24d8c88-24d8c89, basic blocks 24d8c4f-24d8d19; ResumeThread is called from block 24d8c8b-24d8cfc
              APIs
              Memory Dump Source
              • Source File: 00000001.00000002.364756338.00000000024D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_24d0000_gruopon.jbxd
              Similarity
              • API ID: ResumeThread
              • String ID:
              • API String ID: 947044025-0
              • Opcode ID: ce626c1204935ed1fe302eddd5577c0f8422985669ebdbd880a5231b9a95553f
              • Instruction ID: fe4c9c9ac4bb0cad279eceea88434a4bda956307eda15e9ddeb032160dceac85
              • Opcode Fuzzy Hash: ce626c1204935ed1fe302eddd5577c0f8422985669ebdbd880a5231b9a95553f
              • Instruction Fuzzy Hash: DC2133B2901649CFDB10CF9AD954BEEFBF4FB48324F14846AD818A3640D378A545CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph (rendering not preserved): basic blocks 24d3270-24d332a; DuplicateHandle is called from block 24d3270-24d3304
              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 024D32F7
              Memory Dump Source
              • Source File: 00000001.00000002.364756338.00000000024D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_24d0000_gruopon.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: d2f9c6df8354444df769435fee1b2a5526b4175a6902f4e7aec607f62d3973f4
              • Instruction ID: f9a784f139ccdb2fd09f146b9918e2a344a2b9592b5002909784e422d07da133
              • Opcode Fuzzy Hash: d2f9c6df8354444df769435fee1b2a5526b4175a6902f4e7aec607f62d3973f4
              • Instruction Fuzzy Hash: 2521E2B5D002489FDB10CFAAD984ADEBFF8FB48324F14845AE914A3310C374A954CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph (rendering not preserved): basic blocks 24d8988-24d8a3e; GetThreadContext is called from block 24d89e8-24d8a14
              APIs
              • GetThreadContext.KERNELBASE(?,00000000), ref: 024D8A07
              Memory Dump Source
              • Source File: 00000001.00000002.364756338.00000000024D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_24d0000_gruopon.jbxd
              Similarity
              • API ID: ContextThread
              • String ID:
              • API String ID: 1591575202-0
              • Opcode ID: 3e70b8155f8e85cfc0b2d9ced7ec6ce2781e1faf29e5ace21afa8ab08a3d1d2f
              • Instruction ID: 2563f33761b40415a464a630a2e8049088171d79e9e327d86717c992643db85f
              • Opcode Fuzzy Hash: 3e70b8155f8e85cfc0b2d9ced7ec6ce2781e1faf29e5ace21afa8ab08a3d1d2f
              • Instruction Fuzzy Hash: 2A21F4B1E006199FCB10CF9AD9857EEFBF4BB48224F54816AE418B3740D778A945CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph (rendering not preserved): basic blocks 24d8990-24d8a3e; GetThreadContext is called from block 24d89e8-24d8a14
              APIs
              • GetThreadContext.KERNELBASE(?,00000000), ref: 024D8A07
              Memory Dump Source
              • Source File: 00000001.00000002.364756338.00000000024D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_24d0000_gruopon.jbxd
              Similarity
              • API ID: ContextThread
              • String ID:
              • API String ID: 1591575202-0
              • Opcode ID: d8f3f8c2ecdec074415d23ac9ca2e2abbfb5353626230b64806983e8163d51a3
              • Instruction ID: fe2099d8be19443bd33697acb88b0cae696f6e21c6884ebf888333caa5ecc45e
              • Opcode Fuzzy Hash: d8f3f8c2ecdec074415d23ac9ca2e2abbfb5353626230b64806983e8163d51a3
              • Instruction Fuzzy Hash: 012108B1E006199FCB00CF9AC9857EEFBF4BB48224F54816AD418B3340D774A9458FA1
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph (rendering not preserved): basic blocks 24d8a4a-24d8afd; ReadProcessMemory is called from block 24d8a4a-24d8ad3
              APIs
              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 024D8AC6
              Memory Dump Source
              • Source File: 00000001.00000002.364756338.00000000024D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_24d0000_gruopon.jbxd
              Similarity
              • API ID: MemoryProcessRead
              • String ID:
              • API String ID: 1726664587-0
              • Opcode ID: ed5c2c84d6683ae28fc33acfdf5980a23669649c83a1ba168334055ff05db394
              • Instruction ID: fcf0d46c6ecfb252a791c307c75d1b6af71e54f1fc1a468d2d34db1f525dbcbe
              • Opcode Fuzzy Hash: ed5c2c84d6683ae28fc33acfdf5980a23669649c83a1ba168334055ff05db394
              • Instruction Fuzzy Hash: CD21E3B5900249DFCB10CF9AC984BDFBBF4FB48324F14842AE558A7250D374A945CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              (graph image not preserved; basic blocks: 24d8a50-24d8ad3 calling ReadProcessMemory, 24d8ad5-24d8adb, 24d8adc-24d8afd)
              APIs
              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 024D8AC6
              Memory Dump Source
              • Source File: 00000001.00000002.364756338.00000000024D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_24d0000_gruopon.jbxd
              Similarity
              • API ID: MemoryProcessRead
              • String ID:
              • API String ID: 1726664587-0
              • Opcode ID: 709e2a5e20dc5aa7aa12f66dfeab8574934046b7be8c476610f3753fa2c0d6f1
              • Instruction ID: a12d62931b17c4c324bb470f8e23136a5ba65d1072ff038a8454189c9d2543d3
              • Opcode Fuzzy Hash: 709e2a5e20dc5aa7aa12f66dfeab8574934046b7be8c476610f3753fa2c0d6f1
              • Instruction Fuzzy Hash: 6721D3B59002499FCB10CF9AC984BDFBBF8FB48324F14842AE958A7350D378A545CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetProcessWorkingSetSize.KERNEL32(00000000,?,?), ref: 024D484D
              Memory Dump Source
              • Source File: 00000001.00000002.364756338.00000000024D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_24d0000_gruopon.jbxd
              Similarity
              • API ID: ProcessSizeWorking
              • String ID:
              • API String ID: 3584180929-0
              • Opcode ID: 3019ec554b114c0a204febaee8f945e9d43e631ce795ae4ebdc802d89056faf4
              • Instruction ID: 77c5f0e236235ea669d228c97e496d589bace7ae25dca1e95e4223dc5c670e50
              • Opcode Fuzzy Hash: 3019ec554b114c0a204febaee8f945e9d43e631ce795ae4ebdc802d89056faf4
              • Instruction Fuzzy Hash: 801134B59046899FCB10DF9AC884BDFBFF8EB49324F14846AE558A7200C3746944CFA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 024D8B7B
              Memory Dump Source
              • Source File: 00000001.00000002.364756338.00000000024D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_24d0000_gruopon.jbxd
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: eec3ca429431255bce6ece2dba69ddaee8c30c82f188714f68aa88429aa0f878
              • Instruction ID: 033f18a5a845028a41a84239fc4dfae995499ff33782c651357080cd01d0e43c
              • Opcode Fuzzy Hash: eec3ca429431255bce6ece2dba69ddaee8c30c82f188714f68aa88429aa0f878
              • Instruction Fuzzy Hash: 1C1102B5900248DFCB10DF99C984BDFBBF4FB48324F24841AE528A7210C375A955CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetProcessWorkingSetSize.KERNEL32(00000000,?,?), ref: 024D484D
              Memory Dump Source
              • Source File: 00000001.00000002.364756338.00000000024D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_24d0000_gruopon.jbxd
              Similarity
              • API ID: ProcessSizeWorking
              • String ID:
              • API String ID: 3584180929-0
              • Opcode ID: b9b24b662c2f796e7d49e365d1576ef4aa19d479b3eff7e15db00786423e63a0
              • Instruction ID: 3da4072a5757315d37c4bf0fbc24fe3702259a28ccf52837c5b3fdd16583da4e
              • Opcode Fuzzy Hash: b9b24b662c2f796e7d49e365d1576ef4aa19d479b3eff7e15db00786423e63a0
              • Instruction Fuzzy Hash: 911125B59006489FCB10CF9AC884BDFBBF8EB48324F10842AE519A7200C374A940CFA4
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetProcessWorkingSetSize.KERNEL32(00000000,?,?), ref: 024D484D
              Memory Dump Source
              • Source File: 00000001.00000002.364756338.00000000024D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_24d0000_gruopon.jbxd
              Similarity
              • API ID: ProcessSizeWorking
              • String ID:
              • API String ID: 3584180929-0
              • Opcode ID: 3d6172faca86645e3a4628d7b5b7552c5da1b60d8aa26e6a335f7f913dd31c47
              • Instruction ID: e5e9bcccb7cb67bf78ff1cffb90f89f8fb0f8ceb51923745296cd439811ebcc0
              • Opcode Fuzzy Hash: 3d6172faca86645e3a4628d7b5b7552c5da1b60d8aa26e6a335f7f913dd31c47
              • Instruction Fuzzy Hash: 0E1116B59002898FCB50CF9AD484BDEBFF4EB48324F148459E559A7200C375A945CFA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 024D8B7B
              Memory Dump Source
              • Source File: 00000001.00000002.364756338.00000000024D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_24d0000_gruopon.jbxd
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: 1c3c2fed19de0f11ea74f107f0c85339b361b78e6022b0ea2eb4b35210d09f66
              • Instruction ID: 96b2768bb9f3cf543e6da5ddf7420880f34dfbb530ffcfeb4675bfd4a3ba093d
              • Opcode Fuzzy Hash: 1c3c2fed19de0f11ea74f107f0c85339b361b78e6022b0ea2eb4b35210d09f66
              • Instruction Fuzzy Hash: 0611E0B59003499FCB10CF9AC884BDFBBF8FB48324F14841AE529A7250C375A944CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000001.00000002.364756338.00000000024D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_24d0000_gruopon.jbxd
              Similarity
              • API ID: ResumeThread
              • String ID:
              • API String ID: 947044025-0
              • Opcode ID: 5e271e8e8effaa1bb63bd735766bf283187bea19cfe63fd0da8dee2d12f222e3
              • Instruction ID: 7fb586559d659809f58f16503f1ad554647e746543252a7b5fef63e2f5c9d3ee
              • Opcode Fuzzy Hash: 5e271e8e8effaa1bb63bd735766bf283187bea19cfe63fd0da8dee2d12f222e3
              • Instruction Fuzzy Hash: C51112B19002488FCB10CF9AD888BDFBBF8EB48324F20845AD519A3240C774A944CFA5
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000001.00000002.364756338.00000000024D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_24d0000_gruopon.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dfb130504e41e939ea733e59d7b1e4a56d4853ef1de92c7abdae7ba7082e9412
              • Instruction ID: 53b4ff48a9f3f4b9cf48af9fb0b26df8318dcb5e0f8a29f3779d750aa50b63ef
              • Opcode Fuzzy Hash: dfb130504e41e939ea733e59d7b1e4a56d4853ef1de92c7abdae7ba7082e9412
              • Instruction Fuzzy Hash: 6912D8F1C917468BD710CF56E8D818E3BA0B744328BD06A09D2631AAD9D7B815EEEF44
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000001.00000002.364756338.00000000024D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_24d0000_gruopon.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0cd5babe43aa98682d28e697d4675aa0aa6f17e25c22bcf8349c39c63b778993
              • Instruction ID: 825bb4d7d70df563376f430e9f7572d6533e4bf71764b5fb8f5abc43520ad586
              • Opcode Fuzzy Hash: 0cd5babe43aa98682d28e697d4675aa0aa6f17e25c22bcf8349c39c63b778993
              • Instruction Fuzzy Hash: 52C14CB1C917458BD710CF66E8D818E3BB1BB85328F906B09D1632B6D8D7B414EAEF44
              Uniqueness

              Uniqueness Score: -1.00%

              Execution Graph

              Execution Coverage:12.9%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:0%
              Total number of Nodes:129
              Total number of Limit Nodes:5
              (execution graph image not preserved; nodes span 6680968-66810f8 and 1256344-125fe40, with call edges into CreateWindowExW, SetWindowLongW, DuplicateHandle, GetModuleHandleW, LoadLibraryExW and KiUserCallbackDispatcher)

              Control-flow Graph

              (graph image not preserved; basic blocks: 6682a02-6682a53, 6682a5d-6682b48)
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.622520136.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6680000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID: %on$ %on$ %on
              • API String ID: 0-849424741
              • Opcode ID: ddbb6733e91742722c5883d8186e7283c8991b41f701be85543bf0bdbc762ace
              • Instruction ID: 421a40390d8c91a5cd2c821cfa9c0fe02ef2db131add4995e8bcff33b10a563a
              • Opcode Fuzzy Hash: ddbb6733e91742722c5883d8186e7283c8991b41f701be85543bf0bdbc762ace
              • Instruction Fuzzy Hash: 4A3185317013418FD751EBB0C4A02DEB7A7AFD2208B588D2EC0865F786DB71BC0A9B95
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              (graph image not preserved; basic blocks: 66829d1-66829d3, 66829d5-6682b49, 6682a41-6682a53, 6682a5d-6682b48, 6682b51 looping on itself)
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.622520136.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6680000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID: %on$ %on
              • API String ID: 0-2029269471
              • Opcode ID: 746e16fd572f7e593acdbd0729df073857f543a427a7130ae0bb7aa9ab1c341f
              • Instruction ID: 7e3e10daa3c46edbcd111257779b327576d3b716a0eba5610e210229eb90006f
              • Opcode Fuzzy Hash: 746e16fd572f7e593acdbd0729df073857f543a427a7130ae0bb7aa9ab1c341f
              • Instruction Fuzzy Hash: 593172316013418FD750ABB0C4A06DAB7A6AFC2208B548D2AC1865F746DB71BC0ADB91
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              (graph image not preserved; function spanning 12593e8-1259658, with calls to 1258704, 1258710, 1258720, 1258730, 1258740, 1259660/1259670, 1259958/1259968 and GetModuleHandleW in block 1259610-125963b)
              APIs
              • GetModuleHandleW.KERNEL32(00000000), ref: 0125962E
              Memory Dump Source
              • Source File: 00000003.00000002.617616065.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1250000_RegAsm.jbxd
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0
              • Opcode ID: ef70d508d841c429dd0e12006747e19359138a30f494411e1dc349ba7eb3b9dc
              • Instruction ID: 27e9fec821c8f84fa8ae80fc700a05f0c209906814152335ab8103390f1d88df
              • Opcode Fuzzy Hash: ef70d508d841c429dd0e12006747e19359138a30f494411e1dc349ba7eb3b9dc
              • Instruction Fuzzy Hash: A7714970A10B068FDB64DF6AD49075ABBF5FF88218F00892DD98AD7A40DB74E845CF91
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              (graph image not preserved; function spanning 125fb98-125fd69, with a call to 125da04 and to CreateWindowExW in block 125fc7b-125fd1a)
              APIs
              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0125FD0A
              Memory Dump Source
              • Source File: 00000003.00000002.617616065.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1250000_RegAsm.jbxd
              Similarity
              • API ID: CreateWindow
              • String ID:
              • API String ID: 716092398-0
              • Opcode ID: 84fb20415f42a7059c7a348374b837ca0eed3d67f1ba37d210fed15627d848d9
              • Instruction ID: 4e20ccd78f56f113da5379c8f3a92bdab0e326ebd2e8f112a9d3daea4bf4e31a
              • Opcode Fuzzy Hash: 84fb20415f42a7059c7a348374b837ca0eed3d67f1ba37d210fed15627d848d9
              • Instruction Fuzzy Hash: 9B5100B1C14249EFDF01CFA9C980ADEBFB2BF49314F24816AE918AB221D7719955CF50
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              (graph image not preserved; function spanning 125fb61-125fd69, with a call to CreateWindowExW in block 125fcbb-125fd1a)
              APIs
              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0125FD0A
              Memory Dump Source
              • Source File: 00000003.00000002.617616065.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1250000_RegAsm.jbxd
              Similarity
              • API ID: CreateWindow
              • String ID:
              • API String ID: 716092398-0
              • Opcode ID: db6a1f6a1187f297ceefa7ba6fab83f8003ca8509871f112c864d552fae81588
              • Instruction ID: 3d1b90f05ada1c441a3067b43ea6c2aee81d996c5c6632112a73437543bd662a
              • Opcode Fuzzy Hash: db6a1f6a1187f297ceefa7ba6fab83f8003ca8509871f112c864d552fae81588
              • Instruction Fuzzy Hash: 3C5100B1D103499FDF14CFA9D984ADEBFB5BF49314F24812AE818AB210D774A945CF90
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              (graph image not preserved; function spanning 125da04-125fd69, with a call to CreateWindowExW in block 125fc7b-125fd1a)
              APIs
              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0125FD0A
              Memory Dump Source
              • Source File: 00000003.00000002.617616065.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1250000_RegAsm.jbxd
              Similarity
              • API ID: CreateWindow
              • String ID:
              • API String ID: 716092398-0
              • Opcode ID: 47ee82aa285a38228581caa1d783a50e5fae0f7f93f745d53eab188ad5e02fa7
              • Instruction ID: fb90cc07422a7cdf9943bb20cb14db3b735037ba463fc5e4fc4062d2e024a813
              • Opcode Fuzzy Hash: 47ee82aa285a38228581caa1d783a50e5fae0f7f93f745d53eab188ad5e02fa7
              • Instruction Fuzzy Hash: 6451CEB1D10349DFDF14CFAAC984ADEBBB5BF48314F24812AE919AB210D774A845CF90
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              (graph image not preserved; basic blocks: 125a14c-125bd94 calling DuplicateHandle, 125bd96-125bd9c, 125bd9d-125bdba)
              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0125BCC6,?,?,?,?,?), ref: 0125BD87
              Memory Dump Source
              • Source File: 00000003.00000002.617616065.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1250000_RegAsm.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: 9882b74b059aaaccec02b1f769666614733b0befade003e8ca4f96433740b24e
              • Instruction ID: 429e947abe2c460e84f98493f131f0a8ee885ee590102b1e5dd42642d3ec0d75
              • Opcode Fuzzy Hash: 9882b74b059aaaccec02b1f769666614733b0befade003e8ca4f96433740b24e
              • Instruction Fuzzy Hash: 9921E6B59012489FDB10CF9AD484AEEFBF5EB48324F14841AE954A3310D374A954CFA5
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              (graph image not preserved; basic blocks: 125bcf9-125bcfb, 125bd00-125bd94 calling DuplicateHandle, 125bd96-125bd9c, 125bd9d-125bdba)
              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0125BCC6,?,?,?,?,?), ref: 0125BD87
              Memory Dump Source
              • Source File: 00000003.00000002.617616065.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1250000_RegAsm.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: 4d8bf551734632243eb40c5eaaac840c4526ee8d6bc67bdf6e38c5621b761998
              • Instruction ID: e4fd1c8e353700fce4acdba8ab776a5f239046034f79b5bc258ad46166dc10cc
              • Opcode Fuzzy Hash: 4d8bf551734632243eb40c5eaaac840c4526ee8d6bc67bdf6e38c5621b761998
              • Instruction Fuzzy Hash: EB21E4B59012499FDB10CFAAD884ADEFFF9EF48324F14841AE958A3310D374A954CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              (graph image not preserved; basic blocks: 1258768-1259890, 1259892-1259895, 1259898-12598c7 calling LoadLibraryExW, 12598c9-12598cf, 12598d0-12598ed)
              APIs
              • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,012596A9,00000800,00000000,00000000), ref: 012598BA
              Memory Dump Source
              • Source File: 00000003.00000002.617616065.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1250000_RegAsm.jbxd
              Similarity
              • API ID: LibraryLoad
              • String ID:
              • API String ID: 1029625771-0
              • Opcode ID: 2216cbb3de4ab05547c23feb717d9849a2fc8f57c15b5da2d4c223f3e17df37a
              • Instruction ID: 72e1c8ecc47e25bba24e436e7d1a3d1596cdba17f560043c5d10874c558fed85
              • Opcode Fuzzy Hash: 2216cbb3de4ab05547c23feb717d9849a2fc8f57c15b5da2d4c223f3e17df37a
              • Instruction Fuzzy Hash: 0711CFB6900249DFDB10CF9AC488BDEBBF4AB48324F14842AE919A7600C775A945CFA5
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              (graph image not preserved; basic blocks: 1259849-1259890, 1259892-1259895, 1259898-12598c7 calling LoadLibraryExW, 12598c9-12598cf, 12598d0-12598ed)
              APIs
              • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,012596A9,00000800,00000000,00000000), ref: 012598BA
              Memory Dump Source
              • Source File: 00000003.00000002.617616065.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1250000_RegAsm.jbxd
              Similarity
              • API ID: LibraryLoad
              • String ID:
              • API String ID: 1029625771-0
              • Opcode ID: 68eb298c7e781e7a65d5d4281059f2b4c934f14784d403d34e1afdbb9444d5b5
              • Instruction ID: 7e773ddfbd0539f74c9de508ee132b10ee9afe3900f84e2608a852ff486045f7
              • Opcode Fuzzy Hash: 68eb298c7e781e7a65d5d4281059f2b4c934f14784d403d34e1afdbb9444d5b5
              • Instruction Fuzzy Hash: AF1114B6D00249DFDF10CFAAC488ADEFBF4AB49324F14842AE955A7600C774A545CFA5
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              (graph image not preserved; basic blocks: 12595c8-1259608, 125960a-125960d, 1259610-125963b calling GetModuleHandleW, 125963d-1259643, 1259644-1259658)
              APIs
              • GetModuleHandleW.KERNEL32(00000000), ref: 0125962E
              Memory Dump Source
              • Source File: 00000003.00000002.617616065.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1250000_RegAsm.jbxd
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0
              • Opcode ID: 2246c75249c8f6e964e61b02da4db394f46c5124d44ac8745fbb750db3de966c
              • Instruction ID: b95d38fea4f5ee6dd65dae60be9810ef1263a9ffbc6873536d5d4c8ca75599c1
              • Opcode Fuzzy Hash: 2246c75249c8f6e964e61b02da4db394f46c5124d44ac8745fbb750db3de966c
              • Instruction Fuzzy Hash: 2811E0B5D106498FDB10CF9AC484BDEFBF4AF89328F14842AD929A7600D374A549CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              (graph image not preserved; basic blocks: 125da3c-125feaa calling SetWindowLongW, 125feac-125feb2, 125feb3-125fec7)
              APIs
              • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0125FE28,?,?,?,?), ref: 0125FE9D
              Memory Dump Source
              • Source File: 00000003.00000002.617616065.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1250000_RegAsm.jbxd
              Similarity
              • API ID: LongWindow
              • String ID:
              • API String ID: 1378638983-0
              • Opcode ID: f2032382e0144debbc84b4406ee02050667e2a197b54216299df69e681df6533
              • Instruction ID: 4f4adf3f674f1c7f7fa3bc82fc9fbf4b80c2ed6515eeb3eab31a6ee29c560987
              • Opcode Fuzzy Hash: f2032382e0144debbc84b4406ee02050667e2a197b54216299df69e681df6533
              • Instruction Fuzzy Hash: CD1133B59002488FDB10CF9AC589BDFBBF8EB48724F20841AE919A3300C374A944CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              (graph image not preserved; basic blocks: 125fe38-125fe3a, 125fe40-125feaa calling SetWindowLongW, 125feac-125feb2, 125feb3-125fec7)
              APIs
              • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0125FE28,?,?,?,?), ref: 0125FE9D
              Memory Dump Source
              • Source File: 00000003.00000002.617616065.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_1250000_RegAsm.jbxd
              Similarity
              • API ID: LongWindow
              • String ID:
              • API String ID: 1378638983-0
              • Opcode ID: 0aefc0594756788a1ba92affaae0bd4e9893ad8dc08c20147a0a2bc954a8c23f
              • Instruction ID: a194159787eaf3053948b3d7c0b74683a04b90cbc3212afe2230fea0de4fce32
              • Opcode Fuzzy Hash: 0aefc0594756788a1ba92affaae0bd4e9893ad8dc08c20147a0a2bc954a8c23f
              • Instruction Fuzzy Hash: 6E1100B59002499FDB10CF9AD589BDFFBF8EB48724F20841AE959A7301C374A944CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000003.00000002.622520136.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6680000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 48aac9a166ad50fdb051648487dff9e195be5688e1cc4f3ce605dff8652c3cb0
              • Instruction ID: fb8e5a7334275ef3829d780381f0d81e90294ac83e1509f9a65638ee159488a4
              • Opcode Fuzzy Hash: 48aac9a166ad50fdb051648487dff9e195be5688e1cc4f3ce605dff8652c3cb0
              • Instruction Fuzzy Hash: 7EE0C23A01C710CFC3012B11B830745BF68EB57311F005962D2008A096AB24480ACAA5
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000003.00000002.622520136.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6680000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 374ca47271ef81175c020785f700dd152cfc4fe324c836c453d7276fea89e21e
              • Instruction ID: ee0a018a01cd2ddd6896122ca7fb3860686fcab51cf5ce3423f34ea12f2d4b1c
              • Opcode Fuzzy Hash: 374ca47271ef81175c020785f700dd152cfc4fe324c836c453d7276fea89e21e
              • Instruction Fuzzy Hash: 90718C30A04204CFEB54EBB8C494BAAB7F2BF88B04F148659D456B7750DB76ED46CB90
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000003.00000002.622520136.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6680000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 45f168708ff0f00ffa8947c5eab8cbb1147612d9ba32d1a1a95021d36fd8fa7a
              • Instruction ID: 807cdb1756be551156df101a7e89f32a1b47444d48d36bde1b6b0ecd2edc5444
              • Opcode Fuzzy Hash: 45f168708ff0f00ffa8947c5eab8cbb1147612d9ba32d1a1a95021d36fd8fa7a
              • Instruction Fuzzy Hash: 2A315E30A05B40CFD779EFBAC45036ABBE1AF84605F14C96D809B96B60DB76E846CB40
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000003.00000002.622520136.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6680000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c7b416644d3777d628b97af37fd63a6e2890de4cabdf708d280bb513e0ecef2c
              • Instruction ID: 421557d4f76bd21966944cff8e9d9cc777994b480952ade53379f509331c51d9
              • Opcode Fuzzy Hash: c7b416644d3777d628b97af37fd63a6e2890de4cabdf708d280bb513e0ecef2c
              • Instruction Fuzzy Hash: 6F3148B1D012489FDB50DFE5D994ADEBBF5BF48314F24802AE809AB350DB349945CF90
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000003.00000002.622520136.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6680000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1d0df968a5903d3bc748cbbbfab22eb4ed61436d55ebd293750dca7c8c8f8958
              • Instruction ID: 63c473bbfe0970b737033478403034002bbba1a9d7131d0a5e4767d830d69d3f
              • Opcode Fuzzy Hash: 1d0df968a5903d3bc748cbbbfab22eb4ed61436d55ebd293750dca7c8c8f8958
              • Instruction Fuzzy Hash: CE31AF706013048FD794EFB4D850AAEBBFAFF89700B50492AE446AB351DB31E945CB95
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000003.00000002.622520136.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6680000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e9e7a726db3e3b0c01151fc3d614563d3409dc4308660eb81a3e4b62080cfa35
              • Instruction ID: d47adbb987055934259a3dd0f3cca56f1168280c8b78ab41de55e4f61e510248
              • Opcode Fuzzy Hash: e9e7a726db3e3b0c01151fc3d614563d3409dc4308660eb81a3e4b62080cfa35
              • Instruction Fuzzy Hash: 0E21F931B10114CFCB44DB78D884A6DB7B5FF89324B1586AAD519DB362CB30EC0ACB90
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000003.00000002.622520136.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6680000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ec2307cc7b8f9af42abb4989b626bbd1c6f9dd9375d27a4eb222c9fdbbcbd420
              • Instruction ID: d4bf0faf61df6ec13091a429892c5c63d076006c2d8c5abaca3ac941f7d28436
              • Opcode Fuzzy Hash: ec2307cc7b8f9af42abb4989b626bbd1c6f9dd9375d27a4eb222c9fdbbcbd420
              • Instruction Fuzzy Hash: 46216930B102019FDB45ABB5E82D2AEFFE6ABC5304F00852AE016D7794DF348906DB92
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000003.00000002.622520136.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6680000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bcbe5f6138576c1326e25604414f18605f05f790cccef11802a2fe80322fed06
              • Instruction ID: 343a4fc18477987d355ba77b294c652ddbac80a7cdab03aff55cfac1840f55fd
              • Opcode Fuzzy Hash: bcbe5f6138576c1326e25604414f18605f05f790cccef11802a2fe80322fed06
              • Instruction Fuzzy Hash: 2E31AD70B013048FD794EFB4C4506AEBBFAFF89200B50492AE4429B750DB31E946CB91
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000003.00000002.622520136.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6680000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7d5438720aa9a244d12101974e18931883a35ea6b865678d241384bb8901484e
              • Instruction ID: b4d2295b0fa5c01ca0109db0a4e830044dfa129549484bc898cb9d491ecd2101
              • Opcode Fuzzy Hash: 7d5438720aa9a244d12101974e18931883a35ea6b865678d241384bb8901484e
              • Instruction Fuzzy Hash: B1312670D012489FDB10DFAAC594ADEBBF5AF48314F24842AE419AB350DB749945CF90
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000003.00000002.622520136.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6680000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9bf7da4e1453ac78a833794d10f869ac22668f5010817853a71f18933c2200f5
              • Instruction ID: 05456f1bf26284476449f0d9b42a420d4177edaa7b31a69b59bdb6a794de763b
              • Opcode Fuzzy Hash: 9bf7da4e1453ac78a833794d10f869ac22668f5010817853a71f18933c2200f5
              • Instruction Fuzzy Hash: E421D871A04224DFDF55AB75C4206FDB7BAFB89301F00463AD446AB340DB359A5AC7D1
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000003.00000002.622520136.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6680000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 17aed57f790d762aae91f26665cb06af8e448eb28d1e48c8c87044ccef090f65
              • Instruction ID: cf2cd4ed3e267d33c3e1bb0d79aca425e9deedc55341baf98bc3f65335ca4fc7
              • Opcode Fuzzy Hash: 17aed57f790d762aae91f26665cb06af8e448eb28d1e48c8c87044ccef090f65
              • Instruction Fuzzy Hash: 4D216B30B103018FDB45ABB5E82D2AEFBE6AFC5305F00852AE416D7790DF349906DB92
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000003.00000002.622520136.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6680000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ed933abd996e0da9462c6bfddf5281abc6231b9c99034902f8ec16abad0b316d
              • Instruction ID: bce2300afc4aee7b5376e4c2516c69c9379a2e3097ebc26df66b5b3e16b1ce75
              • Opcode Fuzzy Hash: ed933abd996e0da9462c6bfddf5281abc6231b9c99034902f8ec16abad0b316d
              • Instruction Fuzzy Hash: EF318875D00308DFCB04DFA4D490A9DBBB1FF48714F20866AE405AB301D772A946CF81
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000003.00000002.622520136.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6680000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 22fcb6535a58c0b23dea82557774f0b7c8895bccb8d9874c08a7793e6a0d39e2
              • Instruction ID: 3d1ded0df36a766fcdffcb764fda6bf9d8e965a87d8a40b27f788656be61b61f
              • Opcode Fuzzy Hash: 22fcb6535a58c0b23dea82557774f0b7c8895bccb8d9874c08a7793e6a0d39e2
              • Instruction Fuzzy Hash: FC11B6303042418FD3546778D46026F77E6AFD1224794CE5EE45B8B644DF72A807C795
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000003.00000002.622520136.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6680000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d725dab96223eeb020c684de99db7fbec8d7a9e67257fdf52ddbf9f87c1e73c9
              • Instruction ID: 072693c6c79f72596da5498a8a8c1eaa30b4da8e279e62fb970e802c23661ff5
              • Opcode Fuzzy Hash: d725dab96223eeb020c684de99db7fbec8d7a9e67257fdf52ddbf9f87c1e73c9
              • Instruction Fuzzy Hash: 5411E234700602AFC764E665D8D0D2AF3A6FFCA220B54C21AD49A83B84CB31BC03C790
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000003.00000002.622520136.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6680000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 017bdfde35857ea4bbb7e4d62119cf81ad242997288ac22102052fb37c2e8aff
              • Instruction ID: 0cdd3c7cb90e704cca999cbc55ab673cc2fe732e71acbe05c95eec4870c7942b
              • Opcode Fuzzy Hash: 017bdfde35857ea4bbb7e4d62119cf81ad242997288ac22102052fb37c2e8aff
              • Instruction Fuzzy Hash: 6911C174B043A49FE351EB24E0646967FF2EB09210F404A59E0A68B655CB30AC8ACBD4
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000003.00000002.622520136.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6680000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 95024de74dc55e83304f490d669f93926e3a55211800e7a0dd1297840528673a
              • Instruction ID: 4e2bc09379ebfd6c4ba4554664cfcdba0fb19af0650ed70bee10b7bdab26e9e9
              • Opcode Fuzzy Hash: 95024de74dc55e83304f490d669f93926e3a55211800e7a0dd1297840528673a
              • Instruction Fuzzy Hash: 8D01D131710250AFE7107B79A8699ABBBEAFB8C614741467EF50AD7300DE319C0A87E0
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000003.00000002.622520136.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6680000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 823d5e636ab2653c4cc446123d12045222ebfc4fbfc64d05e25f6b0f01880598
              • Instruction ID: e2d8bb7e3ce81a5c8544a93dbd6fb95b643ead713dc4cf573a75c4df9afdc16e
              • Opcode Fuzzy Hash: 823d5e636ab2653c4cc446123d12045222ebfc4fbfc64d05e25f6b0f01880598
              • Instruction Fuzzy Hash: 16F0C235710210AF97003B7AA8294AFBBEDEBCC610340453AF90BC7300DE319C0287E0
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000003.00000002.622520136.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6680000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4a28175ae3c24f5c313e7272ce215703df8384e08ed2e5f41df0e0415607a12a
              • Instruction ID: 1390ac6e425868057c0f2740b139a71e8901ee8488344493996bf4b2b7681420
              • Opcode Fuzzy Hash: 4a28175ae3c24f5c313e7272ce215703df8384e08ed2e5f41df0e0415607a12a
              • Instruction Fuzzy Hash: A801F574B003A09FE342EB34E0257617FF2EB0E220F454B99E0958B256CB309C8ACBD0
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000003.00000002.622520136.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6680000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 44103db6a7c2ce116595222d885348b9ed0609b6d6056f8979af23093ca3064e
              • Instruction ID: 087bbf6d26965070ea34bb620b8147bc8f2a4b48fc95a18408688ea9d25214cc
              • Opcode Fuzzy Hash: 44103db6a7c2ce116595222d885348b9ed0609b6d6056f8979af23093ca3064e
              • Instruction Fuzzy Hash: 0EE0E533B082E05EEB74317DA8AC7EAAA8CE7C4276F090277EA0EC775185514945C3E5
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000003.00000002.622520136.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6680000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a10149c995826f9c4d8ce8b59c7218fa85e089285f4aeb86f91b9d450a7d7b0c
              • Instruction ID: 620bc7afa901c1912cb86c7530355a94bbb407dfbb11ec9f08e9296174b7e3ec
              • Opcode Fuzzy Hash: a10149c995826f9c4d8ce8b59c7218fa85e089285f4aeb86f91b9d450a7d7b0c
              • Instruction Fuzzy Hash: 85F07436700A049F8364DA6EE444C57F7F9EFC9621315CA6AE59EC3B24D670F805CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000003.00000002.622520136.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6680000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bd13b7983f63375cdbc6e1baac62e522b32d7efb893e11724a61a325c4328424
              • Instruction ID: 4c5b4e73c8e226b527931aa29fbcf42fc819e03189979ff0d9cb8a05a3da2080
              • Opcode Fuzzy Hash: bd13b7983f63375cdbc6e1baac62e522b32d7efb893e11724a61a325c4328424
              • Instruction Fuzzy Hash: FEF0E53A3042519FD351E668E83066ABBA9DFC5630B44852ED48A8B300CF61E90787E0
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000003.00000002.622520136.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6680000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b766d9041b04e549a50b69f419799723bcfd9fbcfaa16c92a89910b0bb505439
              • Instruction ID: f1a0a27d955421ad05d1fa9be4c05c9a2e1f70834f8d553c3bf395fe16a72bf6
              • Opcode Fuzzy Hash: b766d9041b04e549a50b69f419799723bcfd9fbcfaa16c92a89910b0bb505439
              • Instruction Fuzzy Hash: E4E09232304502AFD3149656F890D67FBDAEBCA374B54C12AD51D87B00CA32AC03CA90
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000003.00000002.622520136.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6680000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 659cd4ea8f646cc9f2795d1d8b3a3d22f810270373d4af23dd076c50f6f7c043
              • Instruction ID: 25f350654300a0d230abc7843bc818d826e2c3d045f2d77671ef8de8629146dc
              • Opcode Fuzzy Hash: 659cd4ea8f646cc9f2795d1d8b3a3d22f810270373d4af23dd076c50f6f7c043
              • Instruction Fuzzy Hash: 71E06832B0D2419FDB85B7B4A8306A47BB49F5F59170101CBE089CB2A2C9105C17C3D5
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000003.00000002.622520136.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6680000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ed0e64cdaae8c9a6db7e911da690529fb91b27b5b771bfcf112ae4ea6abee0fc
              • Instruction ID: 2610173edff773df6048d6af0a8b5169ba6145b206a4170a5c3e3180a86ac295
              • Opcode Fuzzy Hash: ed0e64cdaae8c9a6db7e911da690529fb91b27b5b771bfcf112ae4ea6abee0fc
              • Instruction Fuzzy Hash: D0E0D8353005145F4251E668D83049AB79DDEC5524340852ED55A8B300DF61DD0387D0
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000003.00000002.622520136.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6680000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ffc69da10017526c52a5969a7f65c8c181868d91256c31ade62285c4bf61303f
              • Instruction ID: 9ef2f7768fab4bc2ae3abdf882f62c2bfbd18daea9760026efa3cbb96c37201d
              • Opcode Fuzzy Hash: ffc69da10017526c52a5969a7f65c8c181868d91256c31ade62285c4bf61303f
              • Instruction Fuzzy Hash: 06D0A531714016DF5B44F778A4644B8B3ED9B5F951300125AD18FCB350DD515C2383D5
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000003.00000002.622520136.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6680000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a76501796739ff01ddb3babf9c37c4adc901ee08a4bbb93f5260f097b136bb18
              • Instruction ID: a003dc50d3139cfd3223042b21dd12f736f9fc69ae5e813ee2ae3b4842840589
              • Opcode Fuzzy Hash: a76501796739ff01ddb3babf9c37c4adc901ee08a4bbb93f5260f097b136bb18
              • Instruction Fuzzy Hash: 77E0DF321087818FC380CF38D8A0982FBA4AB412107048A9E906A8B202C720B909CB80
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000003.00000002.622520136.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6680000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 47b7ffeb3754679a6ed9bbe19306de05309f9f88e4b7991ff75c10d7de57ac6b
              • Instruction ID: 62e2acd60aef556d654285e4011a06de84ba9320944182ffcdfe2e4898694d3b
              • Opcode Fuzzy Hash: 47b7ffeb3754679a6ed9bbe19306de05309f9f88e4b7991ff75c10d7de57ac6b
              • Instruction Fuzzy Hash: 16D012715002109F8390EF68D45449AB7E5EB451143448E5E94AA9B300DB61AC068BD4
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000003.00000002.622520136.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6680000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7acb9be2f1dd312a2bc42bdbfc9befdac759e899631a18584382994afcc0d326
              • Instruction ID: 772a653aaeac24cf9c77d6c5180c03371c5a7617d7eb667fa590ca4388a8cefd
              • Opcode Fuzzy Hash: 7acb9be2f1dd312a2bc42bdbfc9befdac759e899631a18584382994afcc0d326
              • Instruction Fuzzy Hash: 88D0C934208248CFD7946B70906C434B76CAB482093104669900B4B301CA23EAB3C7C8
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000003.00000002.622520136.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6680000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9711655f1afc0d4bafc1db12b52ce2532390f3326db9e2143dbb0437c8ecbecf
              • Instruction ID: b1a097f5619f4be01620b59d84a1379d775696ea484c714d865812e21eb50a14
              • Opcode Fuzzy Hash: 9711655f1afc0d4bafc1db12b52ce2532390f3326db9e2143dbb0437c8ecbecf
              • Instruction Fuzzy Hash: 9FD0C773956240CFC34B47A0D5554A17F31FF1975171B049FE44C8A255D66945178710
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000003.00000002.622520136.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6680000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3352c2c693b27f5ec59c3d8e6b6d914666ec60a310fa775791c780c80d4ab604
              • Instruction ID: d8b158775c0cd61931f28103aff944237ee0738d4bef946be2bf1996962156d4
              • Opcode Fuzzy Hash: 3352c2c693b27f5ec59c3d8e6b6d914666ec60a310fa775791c780c80d4ab604
              • Instruction Fuzzy Hash: 18C04C36A041098EEB005BD4F4563ECFB64F780329F100167E61D525418675066686D2
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000003.00000002.622520136.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6680000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7d49769fe6255aede65972b1f9667edfdc871a8047224813e8591c6fb99391a8
              • Instruction ID: 37b4fc4443908355c96863aafe79af561f019da33f03e964f3fe32ebd17e088a
              • Opcode Fuzzy Hash: 7d49769fe6255aede65972b1f9667edfdc871a8047224813e8591c6fb99391a8
              • Instruction Fuzzy Hash: EAC080355082408FCE0477F0757D6A87F401F10216F55025DD40987690CF215C15C745
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000003.00000002.622520136.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6680000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f2a26ada5c3fef55105947d798d73d7bdb7234a7f73981ea9ac7e6ad98b580df
              • Instruction ID: 8b4d9ff230adbbb8b77d931651a7b12d981231cae99d9a823037e006d15353bc
              • Opcode Fuzzy Hash: f2a26ada5c3fef55105947d798d73d7bdb7234a7f73981ea9ac7e6ad98b580df
              • Instruction Fuzzy Hash: C8C048BD220254CBEB069B21F065B407FA1FB88366F0019A9E02289251DF39888ADF60
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000003.00000002.622520136.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6680000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1595ff41c97482bf42c4ea26bea2e7d065925c896352c879ae0456e52744efac
              • Instruction ID: c6b603a4a9b36bafe71a86c139ffeb97d18482873eab941201ae501201d9ba22
              • Opcode Fuzzy Hash: 1595ff41c97482bf42c4ea26bea2e7d065925c896352c879ae0456e52744efac
              • Instruction Fuzzy Hash: 4DB0923401C215DF9395BB62D926D9AFBADEA432017408A12E212450689BA5AA27C5E6
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000003.00000002.622520136.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6680000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fe5e79b875dea6c97b6e2cd66f596acf56840ada5208eed4f5128990423fa6e0
              • Instruction ID: c75de8c4a1c3164a0b461ee42eeda17b008484a10f36c98cc22c74bce2ab959a
              • Opcode Fuzzy Hash: fe5e79b875dea6c97b6e2cd66f596acf56840ada5208eed4f5128990423fa6e0
              • Instruction Fuzzy Hash: 7FB012305003084B4D8033F1292D06C7BCC1A402163C00615F80DC37409F267408449A
              Uniqueness

              Uniqueness Score: -1.00%

              Execution Graph

              Execution Coverage:24.7%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:0%
              Total number of Nodes:331
              Total number of Limit Nodes:5
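              The execution_graph text that follows is the serialized form of the report's execution graph: each node is a decimal id followed by a code address and any API names attached to that block, collapsed callees appear as "N API calls", and edges are written src->dst. Read that way, the routine at 4b77e89 (nodes 6546 onward) is the RunPE / process-hollowing sequence: CreateProcessAsUserA, then ReadProcessMemory, VirtualAllocEx and WriteProcessMemory against the new process, SetThreadContext, and finally ResumeThread, with two stub addresses listed for each API. As an added example, not part of the Joe Sandbox report or its tooling, the Python below parses that serialization (and the address-range form used by the per-function control_flow_graph dumps above, such as the SetWindowLongW graph) and searches it for the ordered hollowing chain along reachable edges. The sample input is copied from this report's own graph text; the token rules, the glob pattern list and all function names are the example's assumptions.

```python
import re
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Token shapes as observed in this report (an assumption, not a documented format): node ids
# are short decimals, addresses lowercase hex or a "start-end" range, edges "src->dst".
ADDR = re.compile(r"^[0-9a-f]{5,8}(?:-[0-9a-f]{5,8})?$")
EDGE = re.compile(r"^(\d+)->(\d+)$")
NAME = re.compile(r"^[A-Za-z_]\w*$")

@dataclass
class Node:
    addr: str = ""
    apis: list = field(default_factory=list)   # API names attached to this block
    notes: list = field(default_factory=list)  # e.g. "12 API calls" (collapsed callee)

@dataclass
class Graph:
    nodes: dict = field(default_factory=dict)  # id -> Node
    edges: dict = field(default_factory=dict)  # id -> successor ids, in text order

def parse_graph(text: str) -> Graph:
    g, toks, cur, i = Graph(), text.split(), None, 0
    if toks and toks[0] in ("execution_graph", "control_flow_graph"):
        toks = toks[1:]
    while i < len(toks):
        t, m = toks[i], EDGE.match(toks[i])
        if m:                                   # edge; either endpoint may be implicit
            src, dst = int(m.group(1)), int(m.group(2))
            for n in (src, dst):
                g.nodes.setdefault(n, Node())
            g.edges.setdefault(src, []).append(dst)
            i += 1
        elif t.isdigit() and i + 1 < len(toks) and ADDR.match(toks[i + 1]):
            cur = int(t)                        # node definition "<id> <addr>"
            g.nodes.setdefault(cur, Node()).addr = toks[i + 1]
            i += 2
        elif cur is not None and t.isdigit() and toks[i + 1:i + 3] == ["API", "calls"]:
            g.nodes[cur].notes.append(f"{t} API calls")
            i += 3
        elif cur is not None and NAME.match(t):  # bare name after a node: an API it calls
            g.nodes[cur].apis.append(t)
            i += 1
        else:
            raise ValueError(f"unexpected token {t!r} at position {i}")
    return g

def reachable(g: Graph, start: int) -> set:     # ids reachable over one or more edges
    seen, stack = set(), list(g.edges.get(start, []))
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(g.edges.get(n, []))
    return seen

def nodes_calling(g: Graph, pattern: str) -> list:
    """Sorted ids of nodes whose attached APIs include one matching the glob."""
    return sorted(n for n, nd in g.nodes.items() if any(fnmatchcase(a, pattern) for a in nd.apis))

# RunPE / process hollowing as this report's graph shows it: spawn, carve memory, write payload, repoint thread, resume.
HOLLOWING_CHAIN = ["CreateProcess*", "VirtualAllocEx", "WriteProcessMemory",
                   "SetThreadContext", "ResumeThread"]

def find_chain(g: Graph, pattern=HOLLOWING_CHAIN):
    """Witness [(id, addr, api)] with each node reachable from the previous one, or None.
    The graph also carries return edges and loops, so this is a heuristic, not path proof."""
    def extend(node, idx, chain):
        if idx == len(pattern):
            return chain
        reach = reachable(g, node)
        for cand in nodes_calling(g, pattern[idx]):
            if cand in reach and (hit := extend(cand, idx + 1, chain + [cand])):
                return hit
        return None
    for start in nodes_calling(g, pattern[0]):
        ids = extend(start, 1, [start])
        if ids:
            return [(n, g.nodes[n].addr, next(a for a in g.nodes[n].apis if fnmatchcase(a, p)))
                    for n, p in zip(ids, pattern)]
    return None

# Constructed sample: the 4b77e89 routine from this report's execution_graph text, plus one collapsed "N API calls" node.
SAMPLE_EXEC = """6450 4b74adf 6452 4b776e8 12 API calls 6450->6452 6546 4b77e89 6547 4b77e94 6546->6547
6571 4b78607 CreateProcessAsUserA 6547->6571 6572 4b78610 CreateProcessAsUserA 6547->6572 6548 4b781c7 6556 4b78399
6548->6556 6563 4b78990 SetThreadContext 6548->6563 6564 4b7898b SetThreadContext 6548->6564 6549 4b78232 6549->6556
6567 4b78a50 ReadProcessMemory 6549->6567 6568 4b78a4b ReadProcessMemory 6549->6568 6550 4b78268 6573 4b78b10
VirtualAllocEx 6550->6573 6574 4b78b0b VirtualAllocEx 6550->6574 6551 4b78531 6557 4b78990 SetThreadContext 6551->6557
6558 4b7898b SetThreadContext 6551->6558 6552 4b782aa 6552->6556 6561 4b78bb3 WriteProcessMemory 6552->6561
6562 4b78bb8 WriteProcessMemory 6552->6562 6553 4b78558 6565 4b78c90 ResumeThread 6553->6565 6566 4b78c88 ResumeThread
6553->6566 6554 4b78569 6554->6496 6555 4b78302 6555->6556 6559 4b78bb3 WriteProcessMemory 6555->6559 6560 4b78bb8
WriteProcessMemory 6555->6560 6556->6551 6569 4b78bb3 WriteProcessMemory 6556->6569 6570 4b78bb8 WriteProcessMemory
6556->6570 6557->6553 6558->6553 6559->6555 6560->6555 6561->6555 6562->6555 6563->6549 6564->6549 6565->6554 6566->6554
6567->6550 6568->6550 6569->6556 6570->6556 6571->6548 6572->6548 6573->6552 6574->6552"""
SAMPLE_CFG = ("control_flow_graph 198 125fe38-125fe3a 199 125fe40-125feaa SetWindowLongW "
              "198->199 200 125feb3-125fec7 199->200 201 125feac-125feb2 199->201 201->200")
```

              Feed it the complete execution_graph text of a report rather than this excerpt; the per-function control_flow_graph dumps parse with the same function. Other orderings are a matter of the pattern list, for instance replacing VirtualAllocEx with NtUnmapViewOfSection for the unmap variant of hollowing. Because the sandbox graph merges every caller and includes return edges, a hit is a triage signal to confirm against the API call log or the dumped code, not a standalone verdict.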

              Control-flow Graph

              APIs
              • GetCurrentProcess.KERNEL32 ref: 04B730A8
              • GetCurrentThread.KERNEL32 ref: 04B730E5
              • GetCurrentProcess.KERNEL32 ref: 04B73122
              • GetCurrentThreadId.KERNEL32 ref: 04B7317B
              Memory Dump Source
              • Source File: 0000000A.00000002.401928164.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_4b70000_jsdudg.jbxd
              Similarity
              • API ID: Current$ProcessThread
              • String ID:
              • API String ID: 2063062207-0
              • Opcode ID: f8dcbd05847d68e0818449c747c0efd31317e9d3cd53eebe3fbfa4f334e63efb
              • Instruction ID: 4c99c54ed8be67c91901c8f0bcc6d54e0c3a1b5bb7c5e46a0d077d712830858c
              • Opcode Fuzzy Hash: f8dcbd05847d68e0818449c747c0efd31317e9d3cd53eebe3fbfa4f334e63efb
              • Instruction Fuzzy Hash: 155177B0A012488FDB10CFAAC5487DEBBF4EF48318F24849AE459B7350D775A840CF66
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 04B7884C
              Memory Dump Source
              • Source File: 0000000A.00000002.401928164.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_4b70000_jsdudg.jbxd
              Similarity
              • API ID: CreateProcessUser
              • String ID:
              • API String ID: 2217836671-0
              • Opcode ID: b6014cebeac8fc103c89edb4f92cface7dde916f1aaaad19530f338ec08b6e19
              • Instruction ID: 443e11a1f8c043554d39a5dd8f2e3b98f972c32d3ceb070b5524d9b0391855b4
              • Opcode Fuzzy Hash: b6014cebeac8fc103c89edb4f92cface7dde916f1aaaad19530f338ec08b6e19
              • Instruction Fuzzy Hash: E6A16D71D002199FDF10DFA9C885BDEBBB2FF48314F0485A9E829A7250DB74A985CF91
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 04B7884C
              Memory Dump Source
              • Source File: 0000000A.00000002.401928164.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_4b70000_jsdudg.jbxd
              Similarity
              • API ID: CreateProcessUser
              • String ID:
              • API String ID: 2217836671-0
              • Opcode ID: 70558c98bb7b383298b7f95599a8cd5b96bc6e9133c0613ee1f09448790424c6
              • Instruction ID: fb2e5352af9dfc80739240b21d5413e6ab64ca9626003dc4427118856cd42fec
              • Opcode Fuzzy Hash: 70558c98bb7b383298b7f95599a8cd5b96bc6e9133c0613ee1f09448790424c6
              • Instruction Fuzzy Hash: 47917E71D002199FDF10DFA9C885BDEBBB2FF48314F0485A9E829A7250DB74A985CF91
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04B78C45
              Memory Dump Source
              • Source File: 0000000A.00000002.401928164.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_4b70000_jsdudg.jbxd
              Similarity
              • API ID: MemoryProcessWrite
              • String ID:
              • API String ID: 3559483778-0
              • Opcode ID: fe36e0c282b74813cbce022010ac0e258760858e3caf0662a6869260ffa6576e
              • Instruction ID: 3854f958cc53e96919793ede46b0f9848c170bdc585bd92b3a810eb117f61d50
              • Opcode Fuzzy Hash: fe36e0c282b74813cbce022010ac0e258760858e3caf0662a6869260ffa6576e
              • Instruction Fuzzy Hash: 7A2116B19012499FCB10CFAAD985BDEBFF4FB48314F10842AE529A3250D774A945CFA0
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04B78C45
              Memory Dump Source
              • Source File: 0000000A.00000002.401928164.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_4b70000_jsdudg.jbxd
              Similarity
              • API ID: MemoryProcessWrite
              • String ID:
              • API String ID: 3559483778-0
              • Opcode ID: c1ca4310a342cc5f3ffa27445579fc108b95a4b18359ced732bd010c312a4377
              • Instruction ID: 5786c3b12dea816d30728a8ef1a7ad8cc3fb4d5c2aee9334721695c952499e1c
              • Opcode Fuzzy Hash: c1ca4310a342cc5f3ffa27445579fc108b95a4b18359ced732bd010c312a4377
              • Instruction Fuzzy Hash: 6021E6B19013499FCB10CFAAD885BDEBFF4FB48314F14842AE519A3240D774A554CFA5
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04B732F7
              Memory Dump Source
              • Source File: 0000000A.00000002.401928164.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_4b70000_jsdudg.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: bd4e498d1ef3fb16b6a862f2d87e34aa583fa79ebdcdf126a97af1edb7decef9
              • Instruction ID: bb44073070d0d61ed6008258403e45d49f4f94c7b8b47e19466fc5494d2efb08
              • Opcode Fuzzy Hash: bd4e498d1ef3fb16b6a862f2d87e34aa583fa79ebdcdf126a97af1edb7decef9
              • Instruction Fuzzy Hash: 4021E4B6D00208AFDB10CF9AD584ADEBFF4EB48324F14841AE958A7310D774A954DFA1
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04B732F7
              Memory Dump Source
              • Source File: 0000000A.00000002.401928164.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_4b70000_jsdudg.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: 38e85ff0d49ebb39c24a1ba8e14a5378d757b8185c2575ceb0a2794990df2659
              • Instruction ID: 57def6f4d16dd10f825795f130cb3c62549983931cea4fcbaae15c80f5eef075
              • Opcode Fuzzy Hash: 38e85ff0d49ebb39c24a1ba8e14a5378d757b8185c2575ceb0a2794990df2659
              • Instruction Fuzzy Hash: 5A21F5B5900208AFDB10CF9AD584ADEBFF8FB48324F14841AE914A3310C374A954DFA1
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              Memory Dump Source
              • Source File: 0000000A.00000002.401928164.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_4b70000_jsdudg.jbxd
              Similarity
              • API ID: ResumeThread
              • String ID:
              • API String ID: 947044025-0
              • Opcode ID: 8729a3cedba050469eaa6474f6ceffd8eeea936eef155ac7a63124d1164355ca
              • Instruction ID: fb5e7d5cabe1fa2cdf3d1194a637f8c4274f9f1adc1f655c2d05c5b0b3ceb0f2
              • Opcode Fuzzy Hash: 8729a3cedba050469eaa6474f6ceffd8eeea936eef155ac7a63124d1164355ca
              • Instruction Fuzzy Hash: CB2106B2900649CFDB10DF9AD449BDEFBF4FB48324F24846AD929A3240D378A545CFA5
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • SetThreadContext.KERNELBASE(?,00000000), ref: 04B78A07
              Memory Dump Source
              • Source File: 0000000A.00000002.401928164.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_4b70000_jsdudg.jbxd
              Similarity
              • API ID: ContextThread
              • String ID:
              • API String ID: 1591575202-0
              • Opcode ID: 7479282d07ca082fa09e94c9c8e4d805df11c192937e2d6958cf71dcacb09294
              • Instruction ID: 252efb4e0451e2770884dd70d651781613c6a5bee9342a2c6064e22338b72a3c
              • Opcode Fuzzy Hash: 7479282d07ca082fa09e94c9c8e4d805df11c192937e2d6958cf71dcacb09294
              • Instruction Fuzzy Hash: A421F7B1D006199FDB00CF9AD4857DEFBF4FB48224F14856AD428B7240D778A9458FA1
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04B78AC6
              Memory Dump Source
              • Source File: 0000000A.00000002.401928164.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_4b70000_jsdudg.jbxd
              Similarity
              • API ID: MemoryProcessRead
              • String ID:
              • API String ID: 1726664587-0
              • Opcode ID: aab32b80f39e80ad7deec1fd81031be14e6f62e4d7a7509cbbcfa0d9ec3d59ac
              • Instruction ID: 02cb894cac82ebcca3c7185da64fa823782d5133c6e771c1114d5e10aa56ec82
              • Opcode Fuzzy Hash: aab32b80f39e80ad7deec1fd81031be14e6f62e4d7a7509cbbcfa0d9ec3d59ac
              • Instruction Fuzzy Hash: 722106B29002499FCB10CF9AD884BDEFBF4FF48324F148429E529A7250D378A945DFA1
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • SetThreadContext.KERNELBASE(?,00000000), ref: 04B78A07
              Memory Dump Source
              • Source File: 0000000A.00000002.401928164.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_4b70000_jsdudg.jbxd
              Similarity
              • API ID: ContextThread
              • String ID:
              • API String ID: 1591575202-0
              • Opcode ID: fcd8eff77f953e49487b75526057a37b067ede2f20cbc4c555aed7b050916b66
              • Instruction ID: 8c306a5f72fdb3cb38d6c714a5081da77e40a535b40f178e26256e259f43e44c
              • Opcode Fuzzy Hash: fcd8eff77f953e49487b75526057a37b067ede2f20cbc4c555aed7b050916b66
              • Instruction Fuzzy Hash: BD2106B1D006199FCB00CF9AC889BDEFBF4FB48324F54816AE418B3240D778A9448FA1
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04B78AC6
              Memory Dump Source
              • Source File: 0000000A.00000002.401928164.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_4b70000_jsdudg.jbxd
              Similarity
              • API ID: MemoryProcessRead
              • String ID:
              • API String ID: 1726664587-0
              • Opcode ID: c46cab459c24b814ffb3a4d470ebc002f3c71448998aeed0398f93394febcc2a
              • Instruction ID: 8200d8d28198574b316ad56b4d3003bdb497c410d319360b95b49efb36635d94
              • Opcode Fuzzy Hash: c46cab459c24b814ffb3a4d470ebc002f3c71448998aeed0398f93394febcc2a
              • Instruction Fuzzy Hash: 5E21D6B29002499FCB10DF9AD884BDEBBF4FF48324F148429E569A7250D374A545DFA1
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04B78B7B
              Memory Dump Source
              • Source File: 0000000A.00000002.401928164.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_4b70000_jsdudg.jbxd
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: b58a24656bb978b7f93ecf0d6fce1bc155617ad146517e4429c272395f771a59
              • Instruction ID: 6498c4246545080272faa0d970a62ee3b7119cb48cb2e72cb3286d41b60d7757
              • Opcode Fuzzy Hash: b58a24656bb978b7f93ecf0d6fce1bc155617ad146517e4429c272395f771a59
              • Instruction Fuzzy Hash: E51113B29002499FCB10DF9AD888BDEBFF4FB48324F148819E529A7210C375A945CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • SetProcessWorkingSetSize.KERNEL32(00000000,?,?), ref: 04B7484D
              Memory Dump Source
              • Source File: 0000000A.00000002.401928164.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_4b70000_jsdudg.jbxd
              Similarity
              • API ID: ProcessSizeWorking
              • String ID:
              • API String ID: 3584180929-0
              • Opcode ID: 33c679521e4dc7b480eb4d8bf0508f294f773462cd69bf6b7563fa10d0681881
              • Instruction ID: a0f761bdd91a9144b67879540fd31e8a144274439877edead0a019c771692c21
              • Opcode Fuzzy Hash: 33c679521e4dc7b480eb4d8bf0508f294f773462cd69bf6b7563fa10d0681881
              • Instruction Fuzzy Hash: C61106B59007489FCB10DF9AD888BDFBFF4EB48324F148469E529A7240D374A944CFA5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04B78B7B
              Memory Dump Source
              • Source File: 0000000A.00000002.401928164.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_4b70000_jsdudg.jbxd
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: 0c95e4a2f451b4e5b44af2779244f958458825dd5d74c8750da9bfd48984af02
              • Instruction ID: a4eef7a868bbfa748c7cdb90a01dd1a1426ed83d2f387465eee9df3bcf3ef2e8
              • Opcode Fuzzy Hash: 0c95e4a2f451b4e5b44af2779244f958458825dd5d74c8750da9bfd48984af02
              • Instruction Fuzzy Hash: 1911E3B69003499FCB10DF9AD888BDEBFF4EB48324F148419E529A7250C375A544CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetProcessWorkingSetSize.KERNEL32(00000000,?,?), ref: 04B7484D
              Memory Dump Source
              • Source File: 0000000A.00000002.401928164.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_4b70000_jsdudg.jbxd
              Similarity
              • API ID: ProcessSizeWorking
              • String ID:
              • API String ID: 3584180929-0
              • Opcode ID: 089f66b90da1fe3208c7b5cb57a128a3d7cdf498d22d2e5c04155fce5565a460
              • Instruction ID: 9955cb2af49981ed2681a8352c9b56bf577e002db129d618b1bc7913e2544550
              • Opcode Fuzzy Hash: 089f66b90da1fe3208c7b5cb57a128a3d7cdf498d22d2e5c04155fce5565a460
              • Instruction Fuzzy Hash: 8B1106B29002489FCB10DF9AD484BDEBFF4EB48324F248469D529A7240C374A944CFA5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 0000000A.00000002.401928164.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_4b70000_jsdudg.jbxd
              Similarity
              • API ID: ResumeThread
              • String ID:
              • API String ID: 947044025-0
              • Opcode ID: 66862ed8f068e4ee972acfdd4bad56656930f2dd875eaf3d3e6dff7cfff78132
              • Instruction ID: f353de427adaf354dd7b869ab156b30652af9c864fd79103c5d5e699faa90481
              • Opcode Fuzzy Hash: 66862ed8f068e4ee972acfdd4bad56656930f2dd875eaf3d3e6dff7cfff78132
              • Instruction Fuzzy Hash: 1C11E2B19002499FDB10DF9AD888BDEBBF8EB48324F24845AD529A7240D774A944CFA5
              Uniqueness

              Uniqueness Score: -1.00%

              Execution Graph

              Execution Coverage:11.8%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:0%
              Total number of Nodes:90
              Total number of Limit Nodes:4

              Control-flow Graph

              control_flow_graph (interactive graph omitted): basic blocks 287faa0-287fd69; calls 287da04; API call CreateWindowExW
              APIs
              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0287FD0A
              Memory Dump Source
              • Source File: 0000000C.00000002.419302510.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_2870000_RegAsm.jbxd
              Similarity
              • API ID: CreateWindow
              • String ID:
              • API String ID: 716092398-0
              • Opcode ID: 6dcf74aad42c3a6e8df63c7e5d698c34cff2b8d9a00999ad884276aa78ca01c7
              • Instruction ID: 3cbb220eb4b582d766d9445c4d8e4544972fcc2ff1c4ed9beedb2c5bd017d8da
              • Opcode Fuzzy Hash: 6dcf74aad42c3a6e8df63c7e5d698c34cff2b8d9a00999ad884276aa78ca01c7
              • Instruction Fuzzy Hash: 1F917CB5C08388DFDB16DFA9C8909CDBFB1FF0A314F19819AE844AB162DB349955CB11
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • GetModuleHandleW.KERNELBASE(00000000), ref: 0287962E
              Memory Dump Source
              • Source File: 0000000C.00000002.419302510.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_2870000_RegAsm.jbxd
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0
              • Opcode ID: 70abe337c45524a89d37b40ac3a998a1f989d243d388c6ba547993adad9cefa6
              • Instruction ID: 179c2dcdb5968b6cb11231e3d75ec3b2a2c58f659b83ea1cfe72f955169fa7d8
              • Opcode Fuzzy Hash: 70abe337c45524a89d37b40ac3a998a1f989d243d388c6ba547993adad9cefa6
              • Instruction Fuzzy Hash: 58713478A00B058FD724DF6AD44579ABBF1BF88318F008A2ED48AD7A50D734E845CF91
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph (interactive graph omitted): basic blocks 287d9e8-287fd69; API call CreateWindowExW
              APIs
              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0287FD0A
              Memory Dump Source
              • Source File: 0000000C.00000002.419302510.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_2870000_RegAsm.jbxd
              Similarity
              • API ID: CreateWindow
              • String ID:
              • API String ID: 716092398-0
              • Opcode ID: 1fac88ac53f7eb7764f8c65b5254d202924b0f20cc364301a720cdebeda10208
              • Instruction ID: 9dcecf357b270efe44298b91ec644b31a94a0d9da7eb56e4ac0c34b3df13f7d5
              • Opcode Fuzzy Hash: 1fac88ac53f7eb7764f8c65b5254d202924b0f20cc364301a720cdebeda10208
              • Instruction Fuzzy Hash: 4851FEB5D003589FDF14CFAAC890ADEBFB5BF59314F24812AE819AB210D770A845CF90
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph (interactive graph omitted): basic blocks 287da04-287fd69; API call CreateWindowExW
              APIs
              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0287FD0A
              Memory Dump Source
              • Source File: 0000000C.00000002.419302510.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_2870000_RegAsm.jbxd
              Similarity
              • API ID: CreateWindow
              • String ID:
              • API String ID: 716092398-0
              • Opcode ID: d8ad5d0a0076962cddef5d1c4d27e8ad47dc9d1005c2b204d9890820b4c4d81a
              • Instruction ID: 2b1520a62d536e04d9a8d18e88e75a60f32a935bfcf5e8f921048010d04e1576
              • Opcode Fuzzy Hash: d8ad5d0a0076962cddef5d1c4d27e8ad47dc9d1005c2b204d9890820b4c4d81a
              • Instruction Fuzzy Hash: 4E51CEB5D003199FDF14CF9AC884ADEBBB5BF58314F24812AE919AB210D774A845CF90
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph (interactive graph omitted): basic blocks 287fe03-287fec7; calls 287da3c, 287fe03, 287fe10; API call SetWindowLongW
              APIs
              • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0287FE28,?,?,?,?), ref: 0287FE9D
              Memory Dump Source
              • Source File: 0000000C.00000002.419302510.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_2870000_RegAsm.jbxd
              Similarity
              • API ID: LongWindow
              • String ID:
              • API String ID: 1378638983-0
              • Opcode ID: df70ec6319b414a13942399b0e14caca332b50434e534d54895cbd0373e366b4
              • Instruction ID: 2caff76b5fc18df369d0af31378e400e6fb68ce0d7bc8b159af7604ba2c8db5a
              • Opcode Fuzzy Hash: df70ec6319b414a13942399b0e14caca332b50434e534d54895cbd0373e366b4
              • Instruction Fuzzy Hash: 86219AB9800248DFCB11CF99E484BCABBF4FF59318F14844AE948AB212D735A904CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph (interactive graph omitted): basic blocks 287bcf9-287bdba; API call DuplicateHandle
              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0287BCC6,?,?,?,?,?), ref: 0287BD87
              Memory Dump Source
              • Source File: 0000000C.00000002.419302510.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_2870000_RegAsm.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: 1073f7ce893e4a189740e62e2627b812873478bd52a93e05759cb8118d0d2339
              • Instruction ID: 96f86a09719d9ee79e8bf4ba1f55de63f7d53d6b3f2696dacfa4f18641030a47
              • Opcode Fuzzy Hash: 1073f7ce893e4a189740e62e2627b812873478bd52a93e05759cb8118d0d2339
              • Instruction Fuzzy Hash: 1621E6B59002089FDF10CF9AD484ADEBFF5EB48324F14841AE958A3310D774A954CFA0
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph (interactive graph omitted): basic blocks 287a14c-287bdba; API call DuplicateHandle
              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0287BCC6,?,?,?,?,?), ref: 0287BD87
              Memory Dump Source
              • Source File: 0000000C.00000002.419302510.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_2870000_RegAsm.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: 6c2c12ea527e703b9642c1852efc189ea7ba7264f1d0f276fd4f38a01aa5b986
              • Instruction ID: f50a8819a16f1be0b9b0ba1fdce49bb298cb37aee7c6ba37e886e16e8e02cfcb
              • Opcode Fuzzy Hash: 6c2c12ea527e703b9642c1852efc189ea7ba7264f1d0f276fd4f38a01aa5b986
              • Instruction Fuzzy Hash: AD21E4B5900248AFDB10CF9AD884ADEBFF9EB48324F14841AE958B3310D374A954CFA0
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph (interactive graph omitted): basic blocks 2879849-28798ed; API call LoadLibraryExW
              APIs
              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,028796A9,00000800,00000000,00000000), ref: 028798BA
              Memory Dump Source
              • Source File: 0000000C.00000002.419302510.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_2870000_RegAsm.jbxd
              Similarity
              • API ID: LibraryLoad
              • String ID:
              • API String ID: 1029625771-0
              • Opcode ID: 8e26f796a64fd294b3f52dbd0111e2812211eb15522f1cae5bbaefd545bdf427
              • Instruction ID: d88dffbfce6b45a428a5ee2bdf2ad9627033d44051d4ba812bc31b2ff83bbaf8
              • Opcode Fuzzy Hash: 8e26f796a64fd294b3f52dbd0111e2812211eb15522f1cae5bbaefd545bdf427
              • Instruction Fuzzy Hash: 0911D3BA9002499FDB10CF9AD444ADEFBF4EB48328F14842EE959A7600C774A549CFA5
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph (interactive graph omitted): basic blocks 2878768-28798ed; API call LoadLibraryExW
              APIs
              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,028796A9,00000800,00000000,00000000), ref: 028798BA
              Memory Dump Source
              • Source File: 0000000C.00000002.419302510.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_2870000_RegAsm.jbxd
              Similarity
              • API ID: LibraryLoad
              • String ID:
              • API String ID: 1029625771-0
              • Opcode ID: 2d1fd4253aaaf447ba1c8f5a4bae7516e97e16d3a4ede7ce5e7be65977e09043
              • Instruction ID: b9e50694a882fda9fec73ecc85fc759e7026bfec27934dd073cfcb60d85bf549
              • Opcode Fuzzy Hash: 2d1fd4253aaaf447ba1c8f5a4bae7516e97e16d3a4ede7ce5e7be65977e09043
              • Instruction Fuzzy Hash: 4A1103BA9002098FDB10CF9AC444ADEFBF8EB48324F14842EE919B7600C374A945CFA4
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph (interactive graph omitted): basic blocks 28795c8-2879658; API call GetModuleHandleW
              APIs
              • GetModuleHandleW.KERNELBASE(00000000), ref: 0287962E
              Memory Dump Source
              • Source File: 0000000C.00000002.419302510.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_2870000_RegAsm.jbxd
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0
              • Opcode ID: 871ea62b07d0f885815de86b052f4743c7569f58da4f14db0c9e816441afcd2d
              • Instruction ID: 736ab945dbdd59f1662e6d26f40ae90875bcc1ba31b94820569c365983b2ea31
              • Opcode Fuzzy Hash: 871ea62b07d0f885815de86b052f4743c7569f58da4f14db0c9e816441afcd2d
              • Instruction Fuzzy Hash: BA11E0B9D006498FDB20CF9AD444BDEFBF4AB88228F14852AD959A7600D374A549CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph (interactive graph omitted): basic blocks 287da3c-287fec7; API call SetWindowLongW
              APIs
              • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0287FE28,?,?,?,?), ref: 0287FE9D
              Memory Dump Source
              • Source File: 0000000C.00000002.419302510.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_2870000_RegAsm.jbxd
              Similarity
              • API ID: LongWindow
              • String ID:
              • API String ID: 1378638983-0
              • Opcode ID: 891c0c2075801c5ca605818ffa3b0348863926936dbfe2e7c1ab381880e3953c
              • Instruction ID: 8dd6baa903c0aeb6a0088b7edfd6b4067c159f2e80a76e296c03f9db6b81e901
              • Opcode Fuzzy Hash: 891c0c2075801c5ca605818ffa3b0348863926936dbfe2e7c1ab381880e3953c
              • Instruction Fuzzy Hash: 321136B59002488FDB10CF8AD484BDFBBF8EB58324F20841AEA19B7700C374A944CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              Execution Graph

              Execution Coverage:16.5%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:0%
              Total number of Nodes:93
              Total number of Limit Nodes:4
              execution_graph (interactive graph omitted): nodes 1730590-1738c90; API calls DuplicateHandle, SetProcessWorkingSetSize, CreateProcessAsUserA, SetThreadContext, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory, ResumeThread, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId

              Control-flow Graph

              APIs
              • GetCurrentProcess.KERNEL32 ref: 017330A8
              • GetCurrentThread.KERNEL32 ref: 017330E5
              • GetCurrentProcess.KERNEL32 ref: 01733122
              • GetCurrentThreadId.KERNEL32 ref: 0173317B
              Memory Dump Source
              • Source File: 0000001C.00000002.523708407.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_28_2_1730000_jsdudg.jbxd
              Similarity
              • API ID: Current$ProcessThread
              • String ID:
              • API String ID: 2063062207-0
              • Opcode ID: fe6489e1092355bfeb35b5135eedae07eec47344b263cd8bfc7548446d357c0e
              • Instruction ID: 1ccda66fd2b6fdd7af327fb6766315cbe8a7b9789d9161c1d7554d6e4f43ffb2
              • Opcode Fuzzy Hash: fe6489e1092355bfeb35b5135eedae07eec47344b263cd8bfc7548446d357c0e
              • Instruction Fuzzy Hash: ED61CFB09053888FDB15CFA9C9487CEFFF5BF4A318F14849AD049A7292D7745844CB65
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • GetCurrentProcess.KERNEL32 ref: 017330A8
              • GetCurrentThread.KERNEL32 ref: 017330E5
              • GetCurrentProcess.KERNEL32 ref: 01733122
              • GetCurrentThreadId.KERNEL32 ref: 0173317B
              Memory Dump Source
              • Source File: 0000001C.00000002.523708407.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_28_2_1730000_jsdudg.jbxd
              Similarity
              • API ID: Current$ProcessThread
              • String ID:
              • API String ID: 2063062207-0
              • Opcode ID: aabcbd844ca61dd423f02a1d206656577ad54c15a83b2cadefa285098a536453
              • Instruction ID: 34eee9b2e7b67d7858706a32d1841d484a7abb66bde4e5ee313ac177f6cbbd95
              • Opcode Fuzzy Hash: aabcbd844ca61dd423f02a1d206656577ad54c15a83b2cadefa285098a536453
              • Instruction Fuzzy Hash: 305167B0A016498FDB24CFAAC548BDEFBF5BF88318F208469E049A7391D7749844CF65
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph (interactive graph omitted): basic blocks 1738604-1738949; API call CreateProcessAsUserA
              APIs
              • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 0173884C
              Memory Dump Source
              • Source File: 0000001C.00000002.523708407.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_28_2_1730000_jsdudg.jbxd
              Similarity
              • API ID: CreateProcessUser
              • String ID:
              • API String ID: 2217836671-0
              • Opcode ID: 2ee74b61998c4624aaea5c07064f355f40ea9706bcb7ed1ff4e138a076ab69e4
              • Instruction ID: 587328ce52765fc07f66022fef7a15291bcc8ef04d9276ee552d2db25fdc99a5
              • Opcode Fuzzy Hash: 2ee74b61998c4624aaea5c07064f355f40ea9706bcb7ed1ff4e138a076ab69e4
              • Instruction Fuzzy Hash: 32A14B71D002198FDB11CFA9C8417DEFBB6BF88314F0486A9E858A7242DB759985CF92
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph (interactive graph omitted): basic blocks 1738610-1738949; API call CreateProcessAsUserA
              APIs
              • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 0173884C
              Memory Dump Source
              • Source File: 0000001C.00000002.523708407.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_28_2_1730000_jsdudg.jbxd
              Similarity
              • API ID: CreateProcessUser
              • String ID:
              • API String ID: 2217836671-0
              • Opcode ID: cd064495331ce06d36cbff694bdfb955ae61f8f8613b7593e33231457da591f4
              • Instruction ID: 1da22fa15d53d6aeea5ba8b42231bf0205d86647a75471ce2fdc8f7907e5dc21
              • Opcode Fuzzy Hash: cd064495331ce06d36cbff694bdfb955ae61f8f8613b7593e33231457da591f4
              • Instruction Fuzzy Hash: F3915C71D002198FDB11CFA9C841BDEFBB6FF88314F0482A9E858A7251DB759985CF92
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph (interactive graph omitted): basic blocks 1733268-173332a; API call DuplicateHandle
              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017332F7
              Memory Dump Source
              • Source File: 0000001C.00000002.523708407.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_28_2_1730000_jsdudg.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: aac1b033f4b6fe2e4b3009379f00e0f707468ef37294f444d9ba12d5ecd859e3
              • Instruction ID: 02448b87320415f83ebf314ddfe627eb6f605ae1580ea6e306199d4320a8dc28
              • Opcode Fuzzy Hash: aac1b033f4b6fe2e4b3009379f00e0f707468ef37294f444d9ba12d5ecd859e3
              • Instruction Fuzzy Hash: EF21D2B59012089FDB10CFAAD984AEEBBF4FB48324F14841AE955A7310D378A954CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph (interactive graph omitted): basic blocks 1738bb3-1738c7c; API call WriteProcessMemory
              APIs
              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 01738C45
              Memory Dump Source
              • Source File: 0000001C.00000002.523708407.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_28_2_1730000_jsdudg.jbxd
              Similarity
              • API ID: MemoryProcessWrite
              • String ID:
              • API String ID: 3559483778-0
              • Opcode ID: a1cb93aa4d1056aed41be8d7955c15ab27eccf954b3d5ec130522c65281b5e19
              • Instruction ID: a776bcc3c54ce756c03e93ad5e31b0f03791447a6178e17e7746d9c5ec06a1d2
              • Opcode Fuzzy Hash: a1cb93aa4d1056aed41be8d7955c15ab27eccf954b3d5ec130522c65281b5e19
              • Instruction Fuzzy Hash: DD2100B19013499FDB10CF9AC885BDEFBF4FB48324F54852AE918A3240D778A954CBA1
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph (interactive graph omitted): basic blocks 1738bb8-1738c7c; API call WriteProcessMemory
              APIs
              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 01738C45
              Memory Dump Source
              • Source File: 0000001C.00000002.523708407.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_28_2_1730000_jsdudg.jbxd
              Similarity
              • API ID: MemoryProcessWrite
              • String ID:
              • API String ID: 3559483778-0
              • Opcode ID: 4dd1b8862231d915e84e50e63de0b34496fbbe2e1557727990cf53fc4b56d342
              • Instruction ID: 7aa861b865fd066236b87269f9b296fd2f29f5f01812cf41f697e022d4b637c5
              • Opcode Fuzzy Hash: 4dd1b8862231d915e84e50e63de0b34496fbbe2e1557727990cf53fc4b56d342
              • Instruction Fuzzy Hash: 672112B19013499FDB10CF9AC884BDEFBF4FB48324F10852AE918A3240D778A944CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph (interactive graph omitted): basic blocks 1738988-1738a3e; API call SetThreadContext
              APIs
              • SetThreadContext.KERNELBASE(?,00000000), ref: 01738A07
              Memory Dump Source
              • Source File: 0000001C.00000002.523708407.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_28_2_1730000_jsdudg.jbxd
              Similarity
              • API ID: ContextThread
              • String ID:
              • API String ID: 1591575202-0
              • Opcode ID: 52abdf2288286878d4841e061990721e6a784ea693e4901abae9692afb2b3d18
              • Instruction ID: d18074b4eefc59a913ddc4ccdc30aadeeff49bf0876dec5a0e1ca324300d8821
              • Opcode Fuzzy Hash: 52abdf2288286878d4841e061990721e6a784ea693e4901abae9692afb2b3d18
              • Instruction Fuzzy Hash: 7B213BB1D002199FDB10CF9AC5857DEFBF8BB49224F54812AE518B3341D778A945CFA2
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph (interactive graph omitted): basic blocks 1733270-173332a; API call DuplicateHandle
              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017332F7
              Memory Dump Source
              • Source File: 0000001C.00000002.523708407.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_28_2_1730000_jsdudg.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: 9b5e0fd157f883ae97051c2003ebf48063ca230718c0971692cdcd68fff798a9
              • Instruction ID: 982dbec70dc3a57082e8dcedfb74fd02a06ef8104d865f607d4151fa4ee58991
              • Opcode Fuzzy Hash: 9b5e0fd157f883ae97051c2003ebf48063ca230718c0971692cdcd68fff798a9
              • Instruction Fuzzy Hash: 7321F3B59012089FDB10CFAAD984ADEFFF8FB48324F14841AE954A3310C378A954CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph (nodes: 332 1738990-17389dc; 336 17389e8-1738a14 SetThreadContext; 337 17389de-17389e6; 338 1738a16-1738a1c; 339 1738a1d-1738a3e) (edges: 332->336, 332->337, 336->338, 336->339, 337->336, 338->339)
              APIs
              • SetThreadContext.KERNELBASE(?,00000000), ref: 01738A07
              Memory Dump Source
              • Source File: 0000001C.00000002.523708407.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_28_2_1730000_jsdudg.jbxd
              Similarity
              • API ID: ContextThread
              • String ID:
              • API String ID: 1591575202-0
              • Opcode ID: b9d63cf601c53e80e81c43614f427e624348cc20aada42586078555ab7f71eb2
              • Instruction ID: 138abcb8554505d095d90ddec925be4c18efdf61cffba521a9d6baa7814f782e
              • Opcode Fuzzy Hash: b9d63cf601c53e80e81c43614f427e624348cc20aada42586078555ab7f71eb2
              • Instruction Fuzzy Hash: 062117B1D006199FDB10CF9AC985BDEFBF4BB48624F54812AE418B3341D778A944CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph (nodes: 341 1738a4b-1738ad3 ReadProcessMemory; 344 1738ad5-1738adb; 345 1738adc-1738afd) (edges: 341->344, 341->345, 344->345)
              APIs
              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 01738AC6
              Memory Dump Source
              • Source File: 0000001C.00000002.523708407.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_28_2_1730000_jsdudg.jbxd
              Similarity
              • API ID: MemoryProcessRead
              • String ID:
              • API String ID: 1726664587-0
              • Opcode ID: 84fbf214785430267bf6d7991024a1d4137409002db163b9ec4b9b9749ee3523
              • Instruction ID: f699dae14eda165d00b7205d94638bb59243d299aca5b04a1d90918ded68eb41
              • Opcode Fuzzy Hash: 84fbf214785430267bf6d7991024a1d4137409002db163b9ec4b9b9749ee3523
              • Instruction Fuzzy Hash: E421F4B29002499FCB10CF9AC884BDEFBF4FB48324F54842AE558A3251D378A645CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph (nodes: 347 1738a50-1738ad3 ReadProcessMemory; 349 1738ad5-1738adb; 350 1738adc-1738afd) (edges: 347->349, 347->350, 349->350)
              APIs
              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 01738AC6
              Memory Dump Source
              • Source File: 0000001C.00000002.523708407.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_28_2_1730000_jsdudg.jbxd
              Similarity
              • API ID: MemoryProcessRead
              • String ID:
              • API String ID: 1726664587-0
              • Opcode ID: e9e7cce2c124565b592c5e21171373cb986ace2791c7486b2bbb8a2abb3220c5
              • Instruction ID: 01138790fd7f71669f0412244ade5de108688a42a4cf3c5b09e1fd8265f87f59
              • Opcode Fuzzy Hash: e9e7cce2c124565b592c5e21171373cb986ace2791c7486b2bbb8a2abb3220c5
              • Instruction Fuzzy Hash: C32106B19002499FCB10CF9AC884BDEFBF4FB48324F14842AE558A3250D378A645CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph (nodes: 352 1738b08-1738b0a; 353 1738b11-1738b14; 354 1738b0c-1738b0e; 355 1738b15-1738b88 VirtualAllocEx; 356 1738b10; 358 1738b91-1738ba5; 359 1738b8a-1738b90) (edges: 352->353, 352->354, 353->355, 354->355, 354->356, 355->358, 355->359, 356->353, 359->358)
              APIs
              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 01738B7B
              Memory Dump Source
              • Source File: 0000001C.00000002.523708407.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_28_2_1730000_jsdudg.jbxd
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: 0296666c19b532d4ad2c7b1bc5f631dc868eec599e851906d86c50e394920b97
              • Instruction ID: f2e4e7c3aa2c2564a83232058682c36105fef47b89a4b3da09c0a74fffcac0ab
              • Opcode Fuzzy Hash: 0296666c19b532d4ad2c7b1bc5f631dc868eec599e851906d86c50e394920b97
              • Instruction Fuzzy Hash: 091104B59002499FCB24CF9AC984BDEFFF8FB88324F148419E568A7250C375A544CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph (nodes: 361 1738c88-1738cfc ResumeThread; 365 1738d05-1738d19; 366 1738cfe-1738d04) (edges: 361->365, 361->366, 366->365)
              APIs
              Memory Dump Source
              • Source File: 0000001C.00000002.523708407.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_28_2_1730000_jsdudg.jbxd
              Similarity
              • API ID: ResumeThread
              • String ID:
              • API String ID: 947044025-0
              • Opcode ID: 7ca734f304f7596c87e6c4759d671f612c98417eeac1b3a074f4cbc50a42cb1b
              • Instruction ID: c6c4f994e357d22a874566aea459c5cb74d3620cdeac3d6a82eb3c756ea26b14
              • Opcode Fuzzy Hash: 7ca734f304f7596c87e6c4759d671f612c98417eeac1b3a074f4cbc50a42cb1b
              • Instruction Fuzzy Hash: 901155B19043488FCB10CF99C888BCEFFF4AB49324F14845AE568A3241D774A944CFA6
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetProcessWorkingSetSize.KERNEL32(00000000,?,?), ref: 0173484D
              Memory Dump Source
              • Source File: 0000001C.00000002.523708407.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_28_2_1730000_jsdudg.jbxd
              Similarity
              • API ID: ProcessSizeWorking
              • String ID:
              • API String ID: 3584180929-0
              • Opcode ID: 953da3a266b42c1ec629e6b76af1db347872cb9ed85f7469607da67002a11067
              • Instruction ID: a883eccc66254e64dc000655d1a7cb69111412907fcbf40414b1b8bb7d1125b1
              • Opcode Fuzzy Hash: 953da3a266b42c1ec629e6b76af1db347872cb9ed85f7469607da67002a11067
              • Instruction Fuzzy Hash: 2511E3B59006499FDB10DF9AD884BDEFBF4EB88324F10842AE659A7241C374A944CFA5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 01738B7B
              Memory Dump Source
              • Source File: 0000001C.00000002.523708407.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_28_2_1730000_jsdudg.jbxd
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: 2c1b11bf1f110be1ff5f44c8e2001448dd40c540b1f2d861b40f6a414902df39
              • Instruction ID: 22cc8a4e0e5d0ee6a24d8f3e12a220c0b477c222454ea17e566019843fc84b2f
              • Opcode Fuzzy Hash: 2c1b11bf1f110be1ff5f44c8e2001448dd40c540b1f2d861b40f6a414902df39
              • Instruction Fuzzy Hash: DC11E0B59003499FDB10CF9AC884BDEBFF8FB88324F14841AE569A7250C375A944CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetProcessWorkingSetSize.KERNEL32(00000000,?,?), ref: 0173484D
              Memory Dump Source
              • Source File: 0000001C.00000002.523708407.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_28_2_1730000_jsdudg.jbxd
              Similarity
              • API ID: ProcessSizeWorking
              • String ID:
              • API String ID: 3584180929-0
              • Opcode ID: 365e95c5e5998ab6657aca570b1a4597d1633eb8adc5570fd2b567398c51bd50
              • Instruction ID: ff0ae4870d5e1dc32d87823b723e1b5979886d41e42e0f9524608d40175e9e58
              • Opcode Fuzzy Hash: 365e95c5e5998ab6657aca570b1a4597d1633eb8adc5570fd2b567398c51bd50
              • Instruction Fuzzy Hash: 7E11E3B59002499FDB20DF9AD884BDEBBF4FB88324F148529D559A7344C374A944CFA4
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 0000001C.00000002.523708407.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_28_2_1730000_jsdudg.jbxd
              Similarity
              • API ID: ResumeThread
              • String ID:
              • API String ID: 947044025-0
              • Opcode ID: e575b22187c6d8f54da6cbaefcd17ca4a760c489f1817644662af1522c5cedea
              • Instruction ID: cd4416f4de91e68c21c60ff19c930e7263678cf09eb28e39b1e83c7a5c285d92
              • Opcode Fuzzy Hash: e575b22187c6d8f54da6cbaefcd17ca4a760c489f1817644662af1522c5cedea
              • Instruction Fuzzy Hash: D41115B19002498FDB10CF9AC488BDEFBF4EB48324F10841AE559A3240C774A944CFA5
              Uniqueness

              Uniqueness Score: -1.00%