Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report Invoice# 77-84993-84929.exe

Overview

General Information

Sample Name:Invoice# 77-84993-84929.exe
Analysis ID:339358
MD5:3beaa725263104d4638eb877a7d0b37d
SHA1:da267ad7c11acb864db25a561fea1e2cc3663fd0
SHA256:eba0abe9461df84c76949df2d559f66b0379cbdbd430f8db884c55d0aa469980
Tags:exeNanoCore

Most interesting Screenshot:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000002.699728992.0000000006DE0000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0x1aa7d:$x1: NanoCore.ClientPluginHost
  • 0x1aa6a:$x2: IClientNetworkHost
  • 0x19142:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.699728992.0000000006DE0000.00000004.00000001.sdmpNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
  • 0x19983:$x1: NanoCore Client.exe
  • 0x1aa7d:$x2: NanoCore.ClientPluginHost
  • 0x19120:$s1: PluginCommand
  • 0x19108:$s2: FileCommand
  • 0x1a88b:$s3: PipeExists
  • 0x190d8:$s4: PipeCreated
  • 0x1aa57:$s5: IClientLoggingHost
00000001.00000002.699728992.0000000006DE0000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    00000001.00000002.699728992.0000000006DE0000.00000004.00000001.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0x19536:$a: NanoCore
    • 0x19983:$a: NanoCore
    • 0x19e84:$a: NanoCore
    • 0x1a974:$a: NanoCore
    • 0x1aa7d:$a: NanoCore
    • 0x19e8d:$b: ClientPlugin
    • 0x1aa86:$b: ClientPlugin
    • 0x18f48:$c: ProjectData
    • 0x332cd:$c: ProjectData
    • 0x1a295:$d: DESCrypto
    • 0x1991a:$e: KeepAlive
    • 0x1927a:$g: LogClientMessage
    • 0x190e4:$i: get_Connected
    • 0xfc25:$j: #=q
    • 0xfc76:$j: #=q
    • 0xfcba:$j: #=q
    • 0xfdd5:$j: #=q
    • 0xfe3a:$j: #=q
    • 0xfe9f:$j: #=q
    • 0xfeef:$j: #=q
    • 0xff33:$j: #=q
    00000001.00000002.699774289.0000000006E20000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x1a82d:$x1: NanoCore.ClientPluginHost
    • 0x1a81a:$x2: IClientNetworkHost
    • 0x18ef2:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    Click to see the 52 entries

    Unpacked PEs

    SourceRuleDescriptionAuthorStrings
    1.2.Invoice# 77-84993-84929.exe.6c90000.6.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x1980d:$x1: NanoCore.ClientPluginHost
    • 0x197fa:$x2: IClientNetworkHost
    • 0x17ed2:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    1.2.Invoice# 77-84993-84929.exe.6c90000.6.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
    • 0x18713:$x1: NanoCore Client.exe
    • 0x1980d:$x2: NanoCore.ClientPluginHost
    • 0x17eb0:$s1: PluginCommand
    • 0x17e98:$s2: FileCommand
    • 0x1961b:$s3: PipeExists
    • 0x17e68:$s4: PipeCreated
    • 0x197e7:$s5: IClientLoggingHost
    1.2.Invoice# 77-84993-84929.exe.6c90000.6.unpackJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
      1.2.Invoice# 77-84993-84929.exe.6c90000.6.unpackNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
      • 0x182c6:$a: NanoCore
      • 0x18713:$a: NanoCore
      • 0x18c14:$a: NanoCore
      • 0x19704:$a: NanoCore
      • 0x1980d:$a: NanoCore
      • 0x18c1d:$b: ClientPlugin
      • 0x19816:$b: ClientPlugin
      • 0x17cd8:$c: ProjectData
      • 0x3205d:$c: ProjectData
      • 0x3487d:$c: ProjectData
      • 0x36ce0:$c: ProjectData
      • 0x391a5:$c: ProjectData
      • 0x3bb38:$c: ProjectData
      • 0x3e599:$c: ProjectData
      • 0x19025:$d: DESCrypto
      • 0x186aa:$e: KeepAlive
      • 0x1800a:$g: LogClientMessage
      • 0x17e74:$i: get_Connected
      • 0xe9b5:$j: #=q
      • 0xea06:$j: #=q
      • 0xea4a:$j: #=q
      1.2.Invoice# 77-84993-84929.exe.6da0000.10.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0x18ecd:$x1: NanoCore.ClientPluginHost
      • 0x18eba:$x2: IClientNetworkHost
      • 0x17592:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
      Click to see the 83 entries

      Sigma Overview

      System Summary:

      barindex
      Sigma detected: NanoCoreShow sources
      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Invoice# 77-84993-84929.exe, ProcessId: 5732, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      Signature Overview

      Click to jump to signature section

      Show All Signature Results

      AV Detection:

      barindex
      Multi AV Scanner detection for submitted fileShow sources
      Source: Invoice# 77-84993-84929.exeReversingLabs: Detection: 28%
      Yara detected Nanocore RATShow sources
      Source: Yara matchFile source: 00000001.00000002.699728992.0000000006DE0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699774289.0000000006E20000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699685453.0000000006DA0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.698742579.0000000005A61000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699281215.0000000006B70000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699325849.0000000006BC0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699482814.0000000006C90000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.698504470.0000000005810000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699633514.0000000006D60000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699532840.0000000006CE0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.698665135.0000000005981000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699584706.0000000006D20000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.695812658.00000000043B1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: Invoice# 77-84993-84929.exe PID: 5732, type: MEMORY
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6c90000.6.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6da0000.10.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6da0000.10.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6c10000.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.5810000.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6c90000.6.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6d60000.9.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6de0000.11.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6d60000.9.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6e20000.12.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6de0000.11.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.5810000.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6d20000.8.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6ce0000.7.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6bc0000.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6b70000.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6e20000.12.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6c10000.5.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6bc0000.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6d20000.8.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6ce0000.7.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6b70000.3.raw.unpack, type: UNPACKEDPE
      Machine Learning detection for sampleShow sources
      Source: Invoice# 77-84993-84929.exeJoe Sandbox ML: detected
      Source: Invoice# 77-84993-84929.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
      Source: Invoice# 77-84993-84929.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h0_2_05849690
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.399118004.0000000005104000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.399118004.0000000005104000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.399118004.0000000005104000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.399118004.0000000005104000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.399118004.0000000005104000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.399118004.0000000005104000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.399118004.0000000005104000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0C
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.399118004.0000000005104000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0O
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.399118004.0000000005104000.00000004.00000001.sdmpString found in binary or memory: http://www.digicert.com/CPS0
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.399118004.0000000005104000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS0
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.392107723.00000000015BB000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

      E-Banking Fraud:

      barindex
      Yara detected Nanocore RATShow sources
      Source: Yara matchFile source: 00000001.00000002.699728992.0000000006DE0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699774289.0000000006E20000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699685453.0000000006DA0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.698742579.0000000005A61000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699281215.0000000006B70000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699325849.0000000006BC0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699482814.0000000006C90000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.698504470.0000000005810000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699633514.0000000006D60000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699532840.0000000006CE0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.698665135.0000000005981000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699584706.0000000006D20000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.695812658.00000000043B1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: Invoice# 77-84993-84929.exe PID: 5732, type: MEMORY
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6c90000.6.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6da0000.10.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6da0000.10.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6c10000.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.5810000.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6c90000.6.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6d60000.9.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6de0000.11.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6d60000.9.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6e20000.12.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6de0000.11.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.5810000.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6d20000.8.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6ce0000.7.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6bc0000.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6b70000.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6e20000.12.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6c10000.5.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6bc0000.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6d20000.8.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6ce0000.7.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6b70000.3.raw.unpack, type: UNPACKEDPE

      System Summary:

      barindex
      Malicious sample detected (through community Yara rule)Show sources
      Source: 00000001.00000002.699728992.0000000006DE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000001.00000002.699728992.0000000006DE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000001.00000002.699774289.0000000006E20000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000001.00000002.699774289.0000000006E20000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000001.00000002.699685453.0000000006DA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000001.00000002.699685453.0000000006DA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000001.00000002.698742579.0000000005A61000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000001.00000002.698742579.0000000005A61000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000001.00000002.699281215.0000000006B70000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000001.00000002.699281215.0000000006B70000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000001.00000002.699325849.0000000006BC0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000001.00000002.699325849.0000000006BC0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000001.00000002.699482814.0000000006C90000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000001.00000002.699482814.0000000006C90000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000001.00000002.698504470.0000000005810000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000001.00000002.698504470.0000000005810000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000001.00000002.699633514.0000000006D60000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000001.00000002.699633514.0000000006D60000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000001.00000002.699532840.0000000006CE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000001.00000002.699532840.0000000006CE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000001.00000002.698665135.0000000005981000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000001.00000002.698665135.0000000005981000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000001.00000002.699584706.0000000006D20000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000001.00000002.699584706.0000000006D20000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000001.00000002.695812658.00000000043B1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000001.00000002.695812658.00000000043B1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: Invoice# 77-84993-84929.exe PID: 5732, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: Invoice# 77-84993-84929.exe PID: 5732, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.6c90000.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.6c90000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.6da0000.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.6da0000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.6da0000.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.6da0000.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.6c10000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.6c10000.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.5810000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.5810000.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.6c90000.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.6c90000.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.6d60000.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.6d60000.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.6de0000.11.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.6de0000.11.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.6d60000.9.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.6d60000.9.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.6e20000.12.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.6e20000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.6de0000.11.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.6de0000.11.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.5810000.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.5810000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.6d20000.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.6d20000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.6ce0000.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.6ce0000.7.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.6bc0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.6bc0000.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.6b70000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.6b70000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.6e20000.12.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.6e20000.12.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.6c10000.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.6c10000.5.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.6bc0000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.6bc0000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.6d20000.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.6d20000.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.6ce0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.6ce0000.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.6b70000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.6b70000.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Initial sample is a PE file and has a suspicious nameShow sources
      Source: initial sampleStatic PE information: Filename: Invoice# 77-84993-84929.exe
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeCode function: 0_2_019BCAE40_2_019BCAE4
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeCode function: 0_2_019BEEB00_2_019BEEB0
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeCode function: 0_2_019BEEA30_2_019BEEA3
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeCode function: 0_2_058488480_2_05848848
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeCode function: 0_2_05840AE00_2_05840AE0
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeCode function: 0_2_058496900_2_05849690
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeCode function: 0_2_0584A5380_2_0584A538
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeCode function: 0_2_0584A5480_2_0584A548
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeCode function: 0_2_0584A7E80_2_0584A7E8
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeCode function: 0_2_0584886D0_2_0584886D
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeCode function: 0_2_05840AD30_2_05840AD3
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeCode function: 0_2_058496800_2_05849680
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeCode function: 1_2_019F95281_2_019F9528
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeCode function: 1_2_019F9C901_2_019F9C90
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeCode function: 1_2_019F3E181_2_019F3E18
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeCode function: 1_2_01A832B01_2_01A832B0
      Source: Invoice# 77-84993-84929.exeBinary or memory string: OriginalFilename vs Invoice# 77-84993-84929.exe
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.400929477.0000000005860000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameTypeLibImporterFlags.dll4 vs Invoice# 77-84993-84929.exe
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.395473314.0000000004704000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs Invoice# 77-84993-84929.exe
      Source: Invoice# 77-84993-84929.exeBinary or memory string: OriginalFilename vs Invoice# 77-84993-84929.exe
      Source: Invoice# 77-84993-84929.exe, 00000001.00000002.700544344.0000000007EF0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs Invoice# 77-84993-84929.exe
      Source: Invoice# 77-84993-84929.exe, 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamedcad daf.exe2 vs Invoice# 77-84993-84929.exe
      Source: Invoice# 77-84993-84929.exe, 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmpBinary or memory string: OriginalFilename>T vs Invoice# 77-84993-84929.exe
      Source: Invoice# 77-84993-84929.exe, 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmpBinary or memory string: OriginalFilename~ vs Invoice# 77-84993-84929.exe
      Source: Invoice# 77-84993-84929.exe, 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamel vs Invoice# 77-84993-84929.exe
      Source: Invoice# 77-84993-84929.exeBinary or memory string: OriginalFilenamebB.exeR vs Invoice# 77-84993-84929.exe
      Source: Invoice# 77-84993-84929.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
      Source: 00000001.00000002.699728992.0000000006DE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.699728992.0000000006DE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.699728992.0000000006DE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000001.00000002.699774289.0000000006E20000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.699774289.0000000006E20000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.699774289.0000000006E20000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000001.00000002.699685453.0000000006DA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.699685453.0000000006DA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.699685453.0000000006DA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000001.00000002.698742579.0000000005A61000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.698742579.0000000005A61000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000001.00000002.699281215.0000000006B70000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.699281215.0000000006B70000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.699281215.0000000006B70000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000001.00000002.699325849.0000000006BC0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.699325849.0000000006BC0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.699325849.0000000006BC0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000001.00000002.699482814.0000000006C90000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.699482814.0000000006C90000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.699482814.0000000006C90000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000001.00000002.698504470.0000000005810000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.698504470.0000000005810000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.698504470.0000000005810000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000001.00000002.699633514.0000000006D60000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.699633514.0000000006D60000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.699633514.0000000006D60000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000001.00000002.699532840.0000000006CE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.699532840.0000000006CE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.699532840.0000000006CE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000001.00000002.698665135.0000000005981000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.698665135.0000000005981000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000001.00000002.699584706.0000000006D20000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.699584706.0000000006D20000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.699584706.0000000006D20000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000001.00000002.695812658.00000000043B1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.695812658.00000000043B1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: Invoice# 77-84993-84929.exe PID: 5732, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: Invoice# 77-84993-84929.exe PID: 5732, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.6c90000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.6c90000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.6c90000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.6da0000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.6da0000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.6da0000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.6da0000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.6da0000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.6da0000.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.6c10000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.6c10000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.6c10000.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.5810000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.5810000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.5810000.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.6c90000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.6c90000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.6c90000.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.6d60000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.6d60000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.6d60000.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.6de0000.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.6de0000.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.6de0000.11.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.6d60000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.6d60000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.6d60000.9.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.6e20000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.6e20000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.6e20000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.6de0000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.6de0000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.6de0000.11.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.5810000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.5810000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.5810000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.6d20000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.6d20000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.6d20000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.6ce0000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.6ce0000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.6ce0000.7.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.6bc0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.6bc0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.6bc0000.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.6b70000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.6b70000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.6b70000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.6e20000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.6e20000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.6e20000.12.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.6c10000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.6c10000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.6c10000.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.6bc0000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.6bc0000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.6bc0000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.6d20000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.6d20000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.6d20000.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.6ce0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.6ce0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.6ce0000.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.6b70000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.6b70000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.6b70000.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Invoice# 77-84993-84929.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: 0.2.Invoice# 77-84993-84929.exe.eb0000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
      Source: 0.2.Invoice# 77-84993-84929.exe.eb0000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
      Source: 0.2.Invoice# 77-84993-84929.exe.eb0000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
      Source: Invoice# 77-84993-84929.exe, ParentalControl/ParentalControl.csSecurity API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
      Source: Invoice# 77-84993-84929.exe, ParentalControl/ParentalControl.csSecurity API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
      Source: Invoice# 77-84993-84929.exe, ParentalControl/ParentalControl.csSecurity API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
      Source: 1.2.Invoice# 77-84993-84929.exe.f90000.1.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
      Source: 1.2.Invoice# 77-84993-84929.exe.f90000.1.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
      Source: 1.2.Invoice# 77-84993-84929.exe.f90000.1.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
      Source: 1.0.Invoice# 77-84993-84929.exe.f90000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
      Source: 1.0.Invoice# 77-84993-84929.exe.f90000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
      Source: 1.0.Invoice# 77-84993-84929.exe.f90000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
      Source: 0.0.Invoice# 77-84993-84929.exe.eb0000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
      Source: 0.0.Invoice# 77-84993-84929.exe.eb0000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
      Source: 0.0.Invoice# 77-84993-84929.exe.eb0000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
      Source: classification engineClassification label: mal100.troj.evad.winEXE@3/2@0/1
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Invoice# 77-84993-84929.exe.logJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{00000000-0000-0000-0000-000000000000}
      Source: Invoice# 77-84993-84929.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: Invoice# 77-84993-84929.exeReversingLabs: Detection: 28%
      Source: unknownProcess created: C:\Users\user\Desktop\Invoice# 77-84993-84929.exe 'C:\Users\user\Desktop\Invoice# 77-84993-84929.exe'
      Source: unknownProcess created: C:\Users\user\Desktop\Invoice# 77-84993-84929.exe {path}
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess created: C:\Users\user\Desktop\Invoice# 77-84993-84929.exe {path}Jump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
      Source: Invoice# 77-84993-84929.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: Invoice# 77-84993-84929.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
      Source: Invoice# 77-84993-84929.exeStatic file information: File size 1082880 > 1048576
      Source: Invoice# 77-84993-84929.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x107c00
      Source: Invoice# 77-84993-84929.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Invoice# 77-84993-84929.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

      Data Obfuscation:

      barindex
      .NET source code contains potential unpackerShow sources
      Source: Invoice# 77-84993-84929.exe, ParentalControl/ParentalControl.cs.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 0.2.Invoice# 77-84993-84929.exe.eb0000.0.unpack, ParentalControl/ParentalControl.cs.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 0.0.Invoice# 77-84993-84929.exe.eb0000.0.unpack, ParentalControl/ParentalControl.cs.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 1.2.Invoice# 77-84993-84929.exe.f90000.1.unpack, ParentalControl/ParentalControl.cs.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 1.0.Invoice# 77-84993-84929.exe.f90000.0.unpack, ParentalControl/ParentalControl.cs.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Binary contains a suspicious time stampShow sources
      Source: initial sampleStatic PE information: 0xE7183342 [Mon Nov 10 02:34:42 2092 UTC]
      Source: initial sampleStatic PE information: section name: .text entropy: 7.95337627624

      Hooking and other Techniques for Hiding and Protection:

      barindex
      Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeFile opened: C:\Users\user\Desktop\Invoice# 77-84993-84929.exe:Zone.Identifier read attributes | deleteJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion:

      barindex
      Yara detected AntiVM_3Show sources
      Source: Yara matchFile source: Process Memory Space: Invoice# 77-84993-84929.exe PID: 6104, type: MEMORY
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.392719522.0000000003378000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.392719522.0000000003378000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeWindow / User API: threadDelayed 2354Jump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeWindow / User API: threadDelayed 6146Jump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exe TID: 5800Thread sleep time: -31500s >= -30000sJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exe TID: 5936Thread sleep time: -922337203685477s >= -30000sJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exe TID: 5244Thread sleep time: -1400000s >= -30000sJump to behavior
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.392818820.00000000033D4000.00000004.00000001.sdmpBinary or memory string: VMware
      Source: Invoice# 77-84993-84929.exe, 00000001.00000002.700544344.0000000007EF0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.392818820.00000000033D4000.00000004.00000001.sdmpBinary or memory string: vmware
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.392818820.00000000033D4000.00000004.00000001.sdmpBinary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.392818820.00000000033D4000.00000004.00000001.sdmpBinary or memory string: VMWARE
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.392719522.0000000003378000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: Invoice# 77-84993-84929.exe, 00000001.00000002.700544344.0000000007EF0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: Invoice# 77-84993-84929.exe, 00000001.00000002.700544344.0000000007EF0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.392719522.0000000003378000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.392719522.0000000003378000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.392818820.00000000033D4000.00000004.00000001.sdmpBinary or memory string: VMware
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.392719522.0000000003378000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.392818820.00000000033D4000.00000004.00000001.sdmpBinary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
      Source: Invoice# 77-84993-84929.exe, 00000001.00000002.700544344.0000000007EF0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeMemory allocated: page read and write | page guardJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess created: C:\Users\user\Desktop\Invoice# 77-84993-84929.exe {path}Jump to behavior
      Source: Invoice# 77-84993-84929.exe, 00000001.00000002.693178990.0000000001E90000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
      Source: Invoice# 77-84993-84929.exe, 00000001.00000002.693178990.0000000001E90000.00000002.00000001.sdmpBinary or memory string: Progman
      Source: Invoice# 77-84993-84929.exe, 00000001.00000002.693178990.0000000001E90000.00000002.00000001.sdmpBinary or memory string: &Program Manager
      Source: Invoice# 77-84993-84929.exe, 00000001.00000002.693178990.0000000001E90000.00000002.00000001.sdmpBinary or memory string: Progmanlock
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeQueries volume information: C:\Users\user\Desktop\Invoice# 77-84993-84929.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeQueries volume information: C:\Users\user\Desktop\Invoice# 77-84993-84929.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

      Stealing of Sensitive Information:

      barindex
      Yara detected Nanocore RATShow sources
      Source: Yara matchFile source: 00000001.00000002.699728992.0000000006DE0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699774289.0000000006E20000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699685453.0000000006DA0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.698742579.0000000005A61000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699281215.0000000006B70000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699325849.0000000006BC0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699482814.0000000006C90000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.698504470.0000000005810000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699633514.0000000006D60000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699532840.0000000006CE0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.698665135.0000000005981000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699584706.0000000006D20000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.695812658.00000000043B1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: Invoice# 77-84993-84929.exe PID: 5732, type: MEMORY
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6c90000.6.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6da0000.10.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6da0000.10.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6c10000.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.5810000.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6c90000.6.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6d60000.9.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6de0000.11.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6d60000.9.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6e20000.12.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6de0000.11.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.5810000.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6d20000.8.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6ce0000.7.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6bc0000.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6b70000.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6e20000.12.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6c10000.5.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6bc0000.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6d20000.8.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6ce0000.7.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6b70000.3.raw.unpack, type: UNPACKEDPE

      Remote Access Functionality:

      barindex
      Detected Nanocore RatShow sources
      Source: Invoice# 77-84993-84929.exe, 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Yara detected Nanocore RATShow sources
      Source: Yara matchFile source: 00000001.00000002.699728992.0000000006DE0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699774289.0000000006E20000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699685453.0000000006DA0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.698742579.0000000005A61000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699281215.0000000006B70000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699325849.0000000006BC0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699482814.0000000006C90000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.698504470.0000000005810000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699633514.0000000006D60000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699532840.0000000006CE0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.698665135.0000000005981000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699584706.0000000006D20000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.695812658.00000000043B1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: Invoice# 77-84993-84929.exe PID: 5732, type: MEMORY
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6c90000.6.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6da0000.10.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6da0000.10.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6c10000.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.5810000.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6c90000.6.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6d60000.9.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6de0000.11.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6d60000.9.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6e20000.12.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6de0000.11.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.5810000.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6d20000.8.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6ce0000.7.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6bc0000.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6b70000.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6e20000.12.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6c10000.5.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6bc0000.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6d20000.8.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6ce0000.7.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6b70000.3.raw.unpack, type: UNPACKEDPE

      Mitre Att&ck Matrix

      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
      Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection12Masquerading1Input Capture1Security Software Discovery11Remote ServicesInput Capture1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
      Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsVirtualization/Sandbox Evasion2LSASS MemoryVirtualization/Sandbox Evasion2Remote Desktop ProtocolArchive Collected Data1Exfiltration Over BluetoothRemote Access Software1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
      Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Disable or Modify Tools1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection12NTDSApplication Window Discovery1Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
      Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptHidden Files and Directories1LSA SecretsSystem Information Discovery12SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
      Replication Through Removable MediaLaunchdRc.commonRc.commonObfuscated Files or Information2Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
      External Remote ServicesScheduled TaskStartup ItemsStartup ItemsSoftware Packing12DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobTimestomp1Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      Invoice# 77-84993-84929.exe28%ReversingLabsWin32.PUA.Wacapew
      Invoice# 77-84993-84929.exe100%Joe Sandbox ML

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      No Antivirus matches

      Domains and IPs

      Contacted Domains

      No contacted domains info

      Contacted IPs

      • No. of IPs < 25%
      • 25% < No. of IPs < 50%
      • 50% < No. of IPs < 75%
      • 75% < No. of IPs

      Public

      IPDomainCountryFlagASNASN NameMalicious

      Private

      IP
      127.0.0.1

      General Information

      Joe Sandbox Version:31.0.0 Red Diamond
      Analysis ID:339358
      Start date:13.01.2021
      Start time:21:36:32
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 8m 19s
      Hypervisor based Inspection enabled:false
      Report type:full
      Sample file name:Invoice# 77-84993-84929.exe
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Number of analysed new started processes analysed:7
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal100.troj.evad.winEXE@3/2@0/1
      EGA Information:Failed
      HDC Information:
      • Successful, ratio: 0.3% (good quality ratio 0.2%)
      • Quality average: 79.9%
      • Quality standard deviation: 31.2%
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 81
      • Number of non-executed functions: 6
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Found application associated with file extension: .exe
      Warnings:
      Show All
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, svchost.exe
      • Report size getting too big, too many NtAllocateVirtualMemory calls found.

      Simulations

      Behavior and APIs

      TimeTypeDescription
      21:37:27API Interceptor1124x Sleep call for process: Invoice# 77-84993-84929.exe modified

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASN

      No context

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Invoice# 77-84993-84929.exe.log
      Process:C:\Users\user\Desktop\Invoice# 77-84993-84929.exe
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):1216
      Entropy (8bit):5.355304211458859
      Encrypted:false
      SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
      MD5:FED34146BF2F2FA59DCF8702FCC8232E
      SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
      SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
      SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
      Malicious:true
      Reputation:high, very likely benign file
      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
      Process:C:\Users\user\Desktop\Invoice# 77-84993-84929.exe
      File Type:Non-ISO extended-ASCII text, with no line terminators
      Category:dropped
      Size (bytes):8
      Entropy (8bit):3.0
      Encrypted:false
      SSDEEP:3:2/l:ql
      MD5:904C75C757951861A0708BE11E7058FB
      SHA1:8835D363C38767D84A5A3E2483CD1B94EE7FF0CD
      SHA-256:86B9242C9DB4D22310489A0E372733E9E029A08A05E219ACC1BDE7CC02E6809E
      SHA-512:EBAC3B8031EF52CFBDF971D28B4C8CEEB2B12F64CE0193F3DA3E989DF946D290EC9F90097B6CC75CB582C441E4D65F8CA73A517EE03EC3C14200F6A60DF2080F
      Malicious:true
      Reputation:low
      Preview: .O?.N..H

      Static File Info

      General

      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
      Entropy (8bit):7.949599343543474
      TrID:
      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
      • Win32 Executable (generic) a (10002005/4) 49.75%
      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
      • Windows Screen Saver (13104/52) 0.07%
      • Generic Win/DOS Executable (2004/3) 0.01%
      File name:Invoice# 77-84993-84929.exe
      File size:1082880
      MD5:3beaa725263104d4638eb877a7d0b37d
      SHA1:da267ad7c11acb864db25a561fea1e2cc3663fd0
      SHA256:eba0abe9461df84c76949df2d559f66b0379cbdbd430f8db884c55d0aa469980
      SHA512:efa1dfea9a15b9cb8c15bed2d510d0c8f879ba2ccf377e0c134d0f0c9047feabc2c17f20bfcf089f33c237391258bf020bb9041308d573a63ca63415e2f459e7
      SSDEEP:24576:pVTN1bAVAo+sZ5Ox7NJEAebUfl0u/r3qEO5CLTvaskuDKUZ:HNG6o+Py+25C/asxJZ
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B3................0..|............... ........@.. ....................................@................................

      File Icon

      Icon Hash:00828e8e8686b000

      Static PE Info

      General

      Entrypoint:0x509b8e
      Entrypoint Section:.text
      Digitally signed:false
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Time Stamp:0xE7183342 [Mon Nov 10 02:34:42 2092 UTC]
      TLS Callbacks:
      CLR (.Net) Version:v4.0.30319
      OS Version Major:4
      OS Version Minor:0
      File Version Major:4
      File Version Minor:0
      Subsystem Version Major:4
      Subsystem Version Minor:0
      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

      Entrypoint Preview

      Instruction
      jmp dword ptr [00402000h]
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al

      Data Directories

      NameVirtual AddressVirtual Size Is in Section
      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
      IMAGE_DIRECTORY_ENTRY_IMPORT0x109b3c0x4f.text
      IMAGE_DIRECTORY_ENTRY_RESOURCE0x10a0000x5d4.rsrc
      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
      IMAGE_DIRECTORY_ENTRY_BASERELOC0x10c0000xc.reloc
      IMAGE_DIRECTORY_ENTRY_DEBUG0x109b200x1c.text
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
      IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

      Sections

      NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
      .text0x20000x107b940x107c00False0.952498333827data7.95337627624IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      .rsrc0x10a0000x5d40x600False0.427083333333data4.14249009427IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .reloc0x10c0000xc0x200False0.044921875data0.0980041756627IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

      Resources

      NameRVASizeTypeLanguageCountry
      RT_VERSION0x10a0900x344data
      RT_MANIFEST0x10a3e40x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

      Imports

      DLLImport
      mscoree.dll_CorExeMain

      Version Infos

      DescriptionData
      Translation0x0000 0x04b0
      LegalCopyrightCopyright 2019
      Assembly Version1.0.0.0
      InternalNamebB.exe
      FileVersion1.0.0.0
      CompanyName
      LegalTrademarks
      Comments
      ProductNameMultiUserParentalControl
      ProductVersion1.0.0.0
      FileDescriptionMultiUserParentalControl
      OriginalFilenamebB.exe

      Network Behavior

      No network behavior found

      Code Manipulations

      Statistics

      CPU Usage

      Click to jump to process

      Memory Usage

      Click to jump to process

      High Level Behavior Distribution

      Click to dive into process behavior distribution

      Behavior

      Click to jump to process

      System Behavior

      Analysis Process: Invoice# 77-84993-84929.exe PID: 6104 Parent PID: 5864

      General

      Start time:21:37:26
      Start date:13/01/2021
      Path:C:\Users\user\Desktop\Invoice# 77-84993-84929.exe
      Wow64 process (32bit):true
      Commandline:'C:\Users\user\Desktop\Invoice# 77-84993-84929.exe'
      Imagebase:0xeb0000
      File size:1082880 bytes
      MD5 hash:3BEAA725263104D4638EB877A7D0B37D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:.Net C# or VB.NET
      Reputation:low

      Chronological Activities

      Analysis Process: Invoice# 77-84993-84929.exe PID: 5732 Parent PID: 6104

      General

      Start time:21:37:52
      Start date:13/01/2021
      Path:C:\Users\user\Desktop\Invoice# 77-84993-84929.exe
      Wow64 process (32bit):true
      Commandline:{path}
      Imagebase:0xf90000
      File size:1082880 bytes
      MD5 hash:3BEAA725263104D4638EB877A7D0B37D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:.Net C# or VB.NET
      Yara matches:
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.699728992.0000000006DE0000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.699728992.0000000006DE0000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.699728992.0000000006DE0000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.699728992.0000000006DE0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.699774289.0000000006E20000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.699774289.0000000006E20000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.699774289.0000000006E20000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.699774289.0000000006E20000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.699685453.0000000006DA0000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.699685453.0000000006DA0000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.699685453.0000000006DA0000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.699685453.0000000006DA0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.698742579.0000000005A61000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.698742579.0000000005A61000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.698742579.0000000005A61000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.699281215.0000000006B70000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.699281215.0000000006B70000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.699281215.0000000006B70000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.699281215.0000000006B70000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.699325849.0000000006BC0000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.699325849.0000000006BC0000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.699325849.0000000006BC0000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.699325849.0000000006BC0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.699482814.0000000006C90000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.699482814.0000000006C90000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.699482814.0000000006C90000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.699482814.0000000006C90000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.698504470.0000000005810000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.698504470.0000000005810000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.698504470.0000000005810000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.698504470.0000000005810000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.699633514.0000000006D60000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.699633514.0000000006D60000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.699633514.0000000006D60000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.699633514.0000000006D60000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.699532840.0000000006CE0000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.699532840.0000000006CE0000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.699532840.0000000006CE0000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.699532840.0000000006CE0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.698665135.0000000005981000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.698665135.0000000005981000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.698665135.0000000005981000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.699584706.0000000006D20000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.699584706.0000000006D20000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.699584706.0000000006D20000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.699584706.0000000006D20000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.695812658.00000000043B1000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.695812658.00000000043B1000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.695812658.00000000043B1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      Reputation:low

      Chronological Activities

      Disassembly

      Code Analysis

      Reset < >

        Analysis Process: Invoice# 77-84993-84929.exe PID: 6104 Parent PID: 5864 Invoice# 77-84993-84929.exeCOMMON

        Executed Functions

        Function 05848848, Relevance: .8, Instructions: 813COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000000.00000002.400889972.0000000005840000.00000040.00000001.sdmp, Offset: 05840000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: fe291d483b00c1828868e12cf409cf96dc17b6d1191cc0196886ac8415f4279e
        • Instruction ID: 20bc2578922f51c1a70a749d93a5f1e11dcf288418d8e5b6f6991ea5ec187d67
        • Opcode Fuzzy Hash: fe291d483b00c1828868e12cf409cf96dc17b6d1191cc0196886ac8415f4279e
        • Instruction Fuzzy Hash: 3B72E671D0926DCFEB24DFA9C9083EDBAB5BB58305F1480B9D819E6291D3794AC5DF00
        Uniqueness

        Uniqueness Score: -1.00%

        Function 0584886D, Relevance: .4, Instructions: 429COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000000.00000002.400889972.0000000005840000.00000040.00000001.sdmp, Offset: 05840000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 742bf9bb6e8b1e2403ff01bb26da8a81a07431343b7af80755765d0bba87f22a
        • Instruction ID: 2324c58a6f631b79444793d21a567a7dbc0ebc4b0fc1d50f4f4a324f714f8cc9
        • Opcode Fuzzy Hash: 742bf9bb6e8b1e2403ff01bb26da8a81a07431343b7af80755765d0bba87f22a
        • Instruction Fuzzy Hash: 1912FA75D0926CCEEB64DF66C8483EDBAB5BB58349F1480A9D809A7291D7784EC8CF00
        Uniqueness

        Uniqueness Score: -1.00%

        Function 05840AE0, Relevance: .2, Instructions: 229COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000000.00000002.400889972.0000000005840000.00000040.00000001.sdmp, Offset: 05840000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: e7595e36e255a90b03b9ccd868b7bce56b31ed13ed47c305c6d85fe9d92a2e6a
        • Instruction ID: 92ae8e894ea70b64778c8f7d234e0663e2b7dbe01907e0dd65852d14cff47fa0
        • Opcode Fuzzy Hash: e7595e36e255a90b03b9ccd868b7bce56b31ed13ed47c305c6d85fe9d92a2e6a
        • Instruction Fuzzy Hash: 6A917F35E10319CFCB04DBA4D8549EEBBBAFF89314F158215E905AF364EB30A949DB50
        Uniqueness

        Uniqueness Score: -1.00%

        Function 05840AD3, Relevance: .2, Instructions: 195COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000000.00000002.400889972.0000000005840000.00000040.00000001.sdmp, Offset: 05840000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 9072d916a12f474fc215400398c69bd9d3e40c140886fd46bc2cef61dfb6a0f2
        • Instruction ID: 678a5aee48986b2762904c6d21a2b2cd7b96dae34d4cf8729287899b92ba4dc9
        • Opcode Fuzzy Hash: 9072d916a12f474fc215400398c69bd9d3e40c140886fd46bc2cef61dfb6a0f2
        • Instruction Fuzzy Hash: 8C817035E103198FCB04DFE4D8549EEBBBAFF89314F158215E905AF2A4EB30A949DB50
        Uniqueness

        Uniqueness Score: -1.00%

        Function 05849690, Relevance: .2, Instructions: 160COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000000.00000002.400889972.0000000005840000.00000040.00000001.sdmp, Offset: 05840000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 4174ece7fd807563e56ed52a1461454e1093596f8b1ad69e9c5da1ed65b59d77
        • Instruction ID: 77746a485b665252cc6e2880fb8c02f1d2bf77880e149df1b4941b7d8b39e016
        • Opcode Fuzzy Hash: 4174ece7fd807563e56ed52a1461454e1093596f8b1ad69e9c5da1ed65b59d77
        • Instruction Fuzzy Hash: 3651AE74E052188FDB14CFAAD444BDEBBF2BF89304F20912AD809AB354DB745945CF54
        Uniqueness

        Uniqueness Score: -1.00%

        Function 05849680, Relevance: .1, Instructions: 144COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000000.00000002.400889972.0000000005840000.00000040.00000001.sdmp, Offset: 05840000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: f91a021080b842866b86964ad620655568932770b2ad6a9eb955a7dcc01afa60
        • Instruction ID: 6589572e7fc684f331a30d620ba060fbf42f449a8766c86561b65836d9e5a2cc
        • Opcode Fuzzy Hash: f91a021080b842866b86964ad620655568932770b2ad6a9eb955a7dcc01afa60
        • Instruction Fuzzy Hash: 7851C074E012188FDB14CFAAC5447DEBBF2BF89304F24912AD809AB394EB345945CF50
        Uniqueness

        Uniqueness Score: -1.00%

        Function 058406F0, Relevance: 1.7, APIs: 1, Instructions: 216COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000000.00000002.400889972.0000000005840000.00000040.00000001.sdmp, Offset: 05840000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 5d0e0f99b741c1dfe47ccdfe6081b47e505625ce565d4649241e06a5661354b8
        • Instruction ID: 40d097c17669ed9ee55236289939adfb1eacbc6f76b8107d2edcd686e2486c60
        • Opcode Fuzzy Hash: 5d0e0f99b741c1dfe47ccdfe6081b47e505625ce565d4649241e06a5661354b8
        • Instruction Fuzzy Hash: B6715971C08388DFCB02CFA4C848ADEBFB1BF59310F19819AE908AB262D7759845CF51
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019B9CD0, Relevance: 1.7, APIs: 1, Instructions: 198COMMON
        Download Yara Rule
        APIs
        • GetModuleHandleW.KERNELBASE(00000000), ref: 019B9F16
        Memory Dump Source
        • Source File: 00000000.00000002.392325553.00000000019B0000.00000040.00000001.sdmp, Offset: 019B0000, based on PE: false
        Similarity
        • API ID: HandleModule
        • String ID:
        • API String ID: 4139908857-0
        • Opcode ID: 56260c7e88a76326c34ebb49248fece3ff74687344b95daf639fd3891d76c4ff
        • Instruction ID: 22089fb64ea0b688525f1cb7614ffef5a5eaf9fba894948cd14c1dc0da3fe7b8
        • Opcode Fuzzy Hash: 56260c7e88a76326c34ebb49248fece3ff74687344b95daf639fd3891d76c4ff
        • Instruction Fuzzy Hash: B87148B0A10B058FD724DF2AD58479ABBF5FF88218F00892DE64AD7A50DB74E805CF91
        Uniqueness

        Uniqueness Score: -1.00%

        Function 058407D0, Relevance: 1.6, APIs: 1, Instructions: 113COMMON
        Download Yara Rule
        APIs
        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 058408E2
        Memory Dump Source
        • Source File: 00000000.00000002.400889972.0000000005840000.00000040.00000001.sdmp, Offset: 05840000, based on PE: false
        Similarity
        • API ID: CreateWindow
        • String ID:
        • API String ID: 716092398-0
        • Opcode ID: 2bf6f20b245379ba910b6c7bb9077d71c85df56085d8fb625dd27dad53204385
        • Instruction ID: 7d8707ef368685f10b09fb0c6d9a10299d4e1c1ba65d1ce02c57f2931135478d
        • Opcode Fuzzy Hash: 2bf6f20b245379ba910b6c7bb9077d71c85df56085d8fb625dd27dad53204385
        • Instruction Fuzzy Hash: 7941B0B1D00309DFDB14DFA9C984ADEFBB5BF88314F24852AE919AB210D7749845CF90
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019B5364, Relevance: 1.6, APIs: 1, Instructions: 101COMMON
        Download Yara Rule
        APIs
        • CreateActCtxA.KERNEL32(?), ref: 019B5421
        Memory Dump Source
        • Source File: 00000000.00000002.392325553.00000000019B0000.00000040.00000001.sdmp, Offset: 019B0000, based on PE: false
        Similarity
        • API ID: Create
        • String ID:
        • API String ID: 2289755597-0
        • Opcode ID: eb64e8cafce8afb8dab646d4458f029305ed5b60010cbc20a5c47abc47dc3fb9
        • Instruction ID: a6837a05c0bba35d0f9b4393efcaf8d49ce0ced9c7eb0fde48b6a3044a76953c
        • Opcode Fuzzy Hash: eb64e8cafce8afb8dab646d4458f029305ed5b60010cbc20a5c47abc47dc3fb9
        • Instruction Fuzzy Hash: F141E371D00718CAEB24DFA9C984BCDBBB5BF48308F218169D508AB251DB756946CFA0
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019B3E18, Relevance: 1.6, APIs: 1, Instructions: 96COMMON
        Download Yara Rule
        APIs
        • CreateActCtxA.KERNEL32(?), ref: 019B5421
        Memory Dump Source
        • Source File: 00000000.00000002.392325553.00000000019B0000.00000040.00000001.sdmp, Offset: 019B0000, based on PE: false
        Similarity
        • API ID: Create
        • String ID:
        • API String ID: 2289755597-0
        • Opcode ID: dfc021101042fca73639c11e7287bb866820b770a283f8b1f467c2b26ac9ea5d
        • Instruction ID: 990b57ad560571961699a7831c5c65d2ad9eac599ca58397265e8c069e2f42e8
        • Opcode Fuzzy Hash: dfc021101042fca73639c11e7287bb866820b770a283f8b1f467c2b26ac9ea5d
        • Instruction Fuzzy Hash: F741F3B0D00718CBDB24DFA9C984BCDBBB6BF48308F218169D508AB250DB755945CFA0
        Uniqueness

        Uniqueness Score: -1.00%

        Function 05842D80, Relevance: 1.6, APIs: 1, Instructions: 93COMMON
        Download Yara Rule
        APIs
        • CallWindowProcW.USER32(?,?,?,?,?), ref: 05842E41
        Memory Dump Source
        • Source File: 00000000.00000002.400889972.0000000005840000.00000040.00000001.sdmp, Offset: 05840000, based on PE: false
        Similarity
        • API ID: CallProcWindow
        • String ID:
        • API String ID: 2714655100-0
        • Opcode ID: 038ca2948c37dbab055f7139f1fa576d614180de054b7c44f1fe60d2c2f5c488
        • Instruction ID: d72b6aab4e255cd6330ed4c619d79026b914d7b23b4256a9ab7e12e499312363
        • Opcode Fuzzy Hash: 038ca2948c37dbab055f7139f1fa576d614180de054b7c44f1fe60d2c2f5c488
        • Instruction Fuzzy Hash: 59413BB8900209CFCB14CF99C448BAABBF5FF88314F15C458E959A7311D374A841CFA0
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019BC1E8, Relevance: 1.6, APIs: 1, Instructions: 65COMMON
        Download Yara Rule
        APIs
        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,019BC1B6,?,?,?,?,?), ref: 019BC277
        Memory Dump Source
        • Source File: 00000000.00000002.392325553.00000000019B0000.00000040.00000001.sdmp, Offset: 019B0000, based on PE: false
        Similarity
        • API ID: DuplicateHandle
        • String ID:
        • API String ID: 3793708945-0
        • Opcode ID: f26e3382954a2e6f356d1e88af4e9d9b3e7948901adeb7790bc7030c46f14051
        • Instruction ID: ddf209384ed88c98533c6cd4e09ef3f7b4292c3ed9cd714d26d2a5200ea97f1c
        • Opcode Fuzzy Hash: f26e3382954a2e6f356d1e88af4e9d9b3e7948901adeb7790bc7030c46f14051
        • Instruction Fuzzy Hash: B92105B5900248EFDB10CFAAD984ADEFFF8EB48320F14841AE919A3310C374A944CF60
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019BB3FC, Relevance: 1.6, APIs: 1, Instructions: 65COMMON
        Download Yara Rule
        APIs
        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,019BC1B6,?,?,?,?,?), ref: 019BC277
        Memory Dump Source
        • Source File: 00000000.00000002.392325553.00000000019B0000.00000040.00000001.sdmp, Offset: 019B0000, based on PE: false
        Similarity
        • API ID: DuplicateHandle
        • String ID:
        • API String ID: 3793708945-0
        • Opcode ID: f729733ea6c34e470bc980ffef3e29eac02e960b64c4d1ecd72fcce558e084fd
        • Instruction ID: 54220e2ec674e90f8c58c83b68ae2c47157e204566942545eaa81811e451d879
        • Opcode Fuzzy Hash: f729733ea6c34e470bc980ffef3e29eac02e960b64c4d1ecd72fcce558e084fd
        • Instruction Fuzzy Hash: 6C21E5B5900209AFDB10DFA9D984ADEFBF8EB48320F14841AE919B3310D374A944CFA5
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019B9230, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
        Download Yara Rule
        APIs
        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,019B9F91,00000800,00000000,00000000), ref: 019BA1A2
        Memory Dump Source
        • Source File: 00000000.00000002.392325553.00000000019B0000.00000040.00000001.sdmp, Offset: 019B0000, based on PE: false
        Similarity
        • API ID: LibraryLoad
        • String ID:
        • API String ID: 1029625771-0
        • Opcode ID: dfede2dad575357939636c39356d8f78506cfec89a043c90a6146ec01b09cee7
        • Instruction ID: ea0cf370e51a8db7315788cea5c99903446f13100534c7cb0244bcd231b171c5
        • Opcode Fuzzy Hash: dfede2dad575357939636c39356d8f78506cfec89a043c90a6146ec01b09cee7
        • Instruction Fuzzy Hash: B11117B2D002099FDB10DF9AD984ADEFBF9FB98360F14842AE519A7200C374A545CFA1
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019BA130, Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON
        Download Yara Rule
        APIs
        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,019B9F91,00000800,00000000,00000000), ref: 019BA1A2
        Memory Dump Source
        • Source File: 00000000.00000002.392325553.00000000019B0000.00000040.00000001.sdmp, Offset: 019B0000, based on PE: false
        Similarity
        • API ID: LibraryLoad
        • String ID:
        • API String ID: 1029625771-0
        • Opcode ID: c40d357b2c54f99cba5e79f0f595f0c08e72df2ec171600a69406d92535383d9
        • Instruction ID: be899f97f2fb607820a7236444e70cc7bad145259999a20746c061c9b882c1cb
        • Opcode Fuzzy Hash: c40d357b2c54f99cba5e79f0f595f0c08e72df2ec171600a69406d92535383d9
        • Instruction Fuzzy Hash: F31117B6C002099FDB10CF9AD584BDEFBF4AB48320F14841AD919A7600C3759545CFA1
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019B9EB0, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
        Download Yara Rule
        APIs
        • GetModuleHandleW.KERNELBASE(00000000), ref: 019B9F16
        Memory Dump Source
        • Source File: 00000000.00000002.392325553.00000000019B0000.00000040.00000001.sdmp, Offset: 019B0000, based on PE: false
        Similarity
        • API ID: HandleModule
        • String ID:
        • API String ID: 4139908857-0
        • Opcode ID: 8722ff3bf3c793102962ea4931f76d1ead48bb62f106ce44ae85da3812d4c070
        • Instruction ID: 059b0e3947b09b08242865c6adec997e1eb970cd0041c0fba116e272943cdfb7
        • Opcode Fuzzy Hash: 8722ff3bf3c793102962ea4931f76d1ead48bb62f106ce44ae85da3812d4c070
        • Instruction Fuzzy Hash: FB1113B2C006498FDB20DF9AD584BDEFBF8EF88224F14846AD529B7600C374A545CFA1
        Uniqueness

        Uniqueness Score: -1.00%

        Function 05840A10, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
        Download Yara Rule
        APIs
        • SetWindowLongW.USER32(?,?,?), ref: 05840A75
        Memory Dump Source
        • Source File: 00000000.00000002.400889972.0000000005840000.00000040.00000001.sdmp, Offset: 05840000, based on PE: false
        Similarity
        • API ID: LongWindow
        • String ID:
        • API String ID: 1378638983-0
        • Opcode ID: bea142f6b6bb7cf6af2862655653e7c382bab3d607c78aa61f5b3649b2e1a30e
        • Instruction ID: 3ecd0f551ca5c60f33ccc70c53af05b9ce3d6326b1c9f56f3bb987e27fc3569e
        • Opcode Fuzzy Hash: bea142f6b6bb7cf6af2862655653e7c382bab3d607c78aa61f5b3649b2e1a30e
        • Instruction Fuzzy Hash: 5C1106B5900209DFDB10DF99D488BDFBBF8EB48324F14855AE925A7740D374A944CFA1
        Uniqueness

        Uniqueness Score: -1.00%

        Function 05840AB0, Relevance: 1.5, APIs: 1, Instructions: 46COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000000.00000002.400889972.0000000005840000.00000040.00000001.sdmp, Offset: 05840000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 25a177bc88f7b4cadc9e6d1f04813fed32d56f0df1d03c762038a2872fd67824
        • Instruction ID: 968e6846118bf84ab22497de89560524091c9ad459aff9ba6294f9dd86e2381c
        • Opcode Fuzzy Hash: 25a177bc88f7b4cadc9e6d1f04813fed32d56f0df1d03c762038a2872fd67824
        • Instruction Fuzzy Hash: C101F1B2609208CEDB02DB94D84CBDAFBF8EB45300F168049DA08EB152C375A844CF61
        Uniqueness

        Uniqueness Score: -1.00%

        Function 05840A18, Relevance: 1.5, APIs: 1, Instructions: 44COMMON
        Download Yara Rule
        APIs
        • SetWindowLongW.USER32(?,?,?), ref: 05840A75
        Memory Dump Source
        • Source File: 00000000.00000002.400889972.0000000005840000.00000040.00000001.sdmp, Offset: 05840000, based on PE: false
        Similarity
        • API ID: LongWindow
        • String ID:
        • API String ID: 1378638983-0
        • Opcode ID: 6559b2723a7f7578077dbb0b69d45d9b281152d1f0423d907bd6d384c02a33c2
        • Instruction ID: 56a0a02ef02dccf00e7c2f2b3d20407dcef19c283dd1e6abeffcda4b0531f71a
        • Opcode Fuzzy Hash: 6559b2723a7f7578077dbb0b69d45d9b281152d1f0423d907bd6d384c02a33c2
        • Instruction Fuzzy Hash: DB11D3B5900649DFDB20DF99D488BDEBBF8EB48324F14855AE915A7700C374A944CFA1
        Uniqueness

        Uniqueness Score: -1.00%

        Non-executed Functions

        Function 019BEEB0, Relevance: .3, Instructions: 315COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000000.00000002.392325553.00000000019B0000.00000040.00000001.sdmp, Offset: 019B0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 6d3af3af1526f808e9aeb38b07104d1c9d5b5661b405d8c0475e1459ddb7ab86
        • Instruction ID: e5c7fe76be1b5f8b7636e4dbb32ecc1ff71f9383ffa6a1c04075d2c5c6df4661
        • Opcode Fuzzy Hash: 6d3af3af1526f808e9aeb38b07104d1c9d5b5661b405d8c0475e1459ddb7ab86
        • Instruction Fuzzy Hash: 2A12B9F14917468AD310EF55F69C1893B61F7E6328FB0C289D2611BAD9DFB8114ACF84
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019BCAE4, Relevance: .3, Instructions: 265COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000000.00000002.392325553.00000000019B0000.00000040.00000001.sdmp, Offset: 019B0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: b0a9c18702ef41947a3546bab97d60f9b0aa30fd57dde8ac66c58dd7f872839c
        • Instruction ID: 876e1e12b6a5a4a9ff95c3707ce8985289707c236bbac023522cea83758eb985
        • Opcode Fuzzy Hash: b0a9c18702ef41947a3546bab97d60f9b0aa30fd57dde8ac66c58dd7f872839c
        • Instruction Fuzzy Hash: E5A18032E0021A8FCF05DFB5C9845DEBBB6FF84301B15856AE909BB265DB71A945CB40
        Uniqueness

        Uniqueness Score: -1.00%

        Function 0584A7E8, Relevance: .2, Instructions: 241COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000000.00000002.400889972.0000000005840000.00000040.00000001.sdmp, Offset: 05840000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: bfc9384d9d3f270fe08e0b014657d644483969fa4571a9d358a640ab85e7f785
        • Instruction ID: 433f6c3233a8f0a220771cec7400909dd594f151d0b40b85f24c7d1fcfd407c6
        • Opcode Fuzzy Hash: bfc9384d9d3f270fe08e0b014657d644483969fa4571a9d358a640ab85e7f785
        • Instruction Fuzzy Hash: 83C17475E006188FDB58DF6AC944AD9BBF2BF88305F14C1E9D809AB364DB309E858F50
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019BEEA3, Relevance: .2, Instructions: 235COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000000.00000002.392325553.00000000019B0000.00000040.00000001.sdmp, Offset: 019B0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 9363e8896f028eaa5c6f4051e065d32d76024e1457633b7d94d6507fae8a451a
        • Instruction ID: b82010192cf35388bced23c0365719aa8a176845a2fec603a6469ff4af1ebcb5
        • Opcode Fuzzy Hash: 9363e8896f028eaa5c6f4051e065d32d76024e1457633b7d94d6507fae8a451a
        • Instruction Fuzzy Hash: 11C14BB14517458AD710EF64FA8C1897BB1FBE6328F70C298D2612B6D8DFB4114ACF84
        Uniqueness

        Uniqueness Score: -1.00%

        Function 0584A538, Relevance: .2, Instructions: 166COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000000.00000002.400889972.0000000005840000.00000040.00000001.sdmp, Offset: 05840000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 872f82f700d7036cc45371888dd1d9a14152a3dbd42316a2d55f899405081d49
        • Instruction ID: 5e9dd8dede4504b3aad2c6fc0a82ffccabd381e1971aa24aa792e2f883442a9e
        • Opcode Fuzzy Hash: 872f82f700d7036cc45371888dd1d9a14152a3dbd42316a2d55f899405081d49
        • Instruction Fuzzy Hash: 4D71FB70E142098FD744EFA6E84269E7BF6FBC9304F04C86AE5099F264DF7468059F91
        Uniqueness

        Uniqueness Score: -1.00%

        Function 0584A548, Relevance: .2, Instructions: 164COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000000.00000002.400889972.0000000005840000.00000040.00000001.sdmp, Offset: 05840000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 79ccc0ba761a78fa4d252900203ebe64c49840911cc886289666d248f6d123c2
        • Instruction ID: e0ac628fac2bc2a7e21350dc42a89054228795e1c3f3aa742a7720eedd67de97
        • Opcode Fuzzy Hash: 79ccc0ba761a78fa4d252900203ebe64c49840911cc886289666d248f6d123c2
        • Instruction Fuzzy Hash: 7E610C70E142098FD744EFA6E84269E7BFAFBC8304F04C869E5099F264DF7468058F90
        Uniqueness

        Uniqueness Score: -1.00%

        Analysis Process: Invoice# 77-84993-84929.exe PID: 5732 Parent PID: 6104 Invoice# 77-84993-84929.exeCOMMON

        Executed Functions

        Function 019F3E18, Relevance: .7, Instructions: 725COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 58e9aef3f9f4d63a721afc9321086c9cc697b4b5bb305d29265add627a133eda
        • Instruction ID: f2f98eac1795fc7f6a308b52414b7e3d600d97fac42ef6346f7c1dd8c40cce1b
        • Opcode Fuzzy Hash: 58e9aef3f9f4d63a721afc9321086c9cc697b4b5bb305d29265add627a133eda
        • Instruction Fuzzy Hash: 0B527F34B00115EFDB15DF68C884AAEBBB6BF88715F158169EA1ADB361DB31DC01CB90
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019F9528, Relevance: .6, Instructions: 558COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 930eeba794ec041fadc945b086c80410c6cc0670e86d310bd0ed405d9e84d37c
        • Instruction ID: eac8097ce22cc0462ecab22574a4cded121b29aff79cf315269291b6888abfa6
        • Opcode Fuzzy Hash: 930eeba794ec041fadc945b086c80410c6cc0670e86d310bd0ed405d9e84d37c
        • Instruction Fuzzy Hash: FA229270A002099FDB25DF68C854BAE7BB6BF88309F15846DE60ADB391DB34DC41CB91
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019F9C90, Relevance: .4, Instructions: 382COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: a8e175d399d5c53741c3e6a5ac841ca85a332846bf4171c2fd0c0bcdae780f0f
        • Instruction ID: cc3f2eb6ba683d09ee4c7f872cc2fba5182b8f4f9e4f6be550f8083e0f99f8c5
        • Opcode Fuzzy Hash: a8e175d399d5c53741c3e6a5ac841ca85a332846bf4171c2fd0c0bcdae780f0f
        • Instruction Fuzzy Hash: 89F13A30A00105EFDB55CFA9D884AADBBF6BF89315F198069F609AB3A1D731EC41CB50
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019F0EF0, Relevance: 5.3, Strings: 4, Instructions: 257COMMON
        Download Yara Rule
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID: #$$;w$#$8l^
        • API String ID: 0-2254474369
        • Opcode ID: 06c0c64e713f24e4a19d6fc51755220e4553862ee09dfa1d13251e895de8cfff
        • Instruction ID: be3203f4c0f1f7425ae7afdc85e1c4aebce966d376c6a645f2e20a76b772de8a
        • Opcode Fuzzy Hash: 06c0c64e713f24e4a19d6fc51755220e4553862ee09dfa1d13251e895de8cfff
        • Instruction Fuzzy Hash: F7C176341261519FC360BFA4FD0D26D3B66FB86706B12A625E902CA63CCF345C61CFA1
        Uniqueness

        Uniqueness Score: -1.00%

        Function 01A8D080, Relevance: 1.7, APIs: 1, Instructions: 202COMMON
        Download Yara Rule
        APIs
        • GetModuleHandleW.KERNEL32(00000000), ref: 01A8D2D6
        Memory Dump Source
        • Source File: 00000001.00000002.693034274.0000000001A80000.00000040.00000001.sdmp, Offset: 01A80000, based on PE: false
        Similarity
        • API ID: HandleModule
        • String ID:
        • API String ID: 4139908857-0
        • Opcode ID: d57967edffa2ac4ee7c5d06b48b7b41fd22929fc8ca56bf453f2ffc947e5aa07
        • Instruction ID: 87d46bb5c328fa237707c53e8263ef35fe145f8e7207e6c51b95d853a52a36b2
        • Opcode Fuzzy Hash: d57967edffa2ac4ee7c5d06b48b7b41fd22929fc8ca56bf453f2ffc947e5aa07
        • Instruction Fuzzy Hash: F6814770A00B058FDB64EF6AD4407AABBF1BF88214F00892ED54AD7B90D774E906CF91
        Uniqueness

        Uniqueness Score: -1.00%

        Function 01A8F5B1, Relevance: 1.6, APIs: 1, Instructions: 99COMMON
        Download Yara Rule
        APIs
        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01A8F63F
        Memory Dump Source
        • Source File: 00000001.00000002.693034274.0000000001A80000.00000040.00000001.sdmp, Offset: 01A80000, based on PE: false
        Similarity
        • API ID: DuplicateHandle
        • String ID:
        • API String ID: 3793708945-0
        • Opcode ID: 0d23b21a64aa7667a70bb19fdf70b09024d0231d0c28bfa035268a8b5b550eab
        • Instruction ID: ca9b1f1eb803b7006d1dd70f734fd51bf43463371979c35de06655b315a8a08b
        • Opcode Fuzzy Hash: 0d23b21a64aa7667a70bb19fdf70b09024d0231d0c28bfa035268a8b5b550eab
        • Instruction Fuzzy Hash: A1413A76900259AFCB11DF99D844AEEBFF9FB88320F14806AF915A7361C3359914DFA0
        Uniqueness

        Uniqueness Score: -1.00%

        Function 01A8F5B8, Relevance: 1.6, APIs: 1, Instructions: 62COMMON
        Download Yara Rule
        APIs
        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01A8F63F
        Memory Dump Source
        • Source File: 00000001.00000002.693034274.0000000001A80000.00000040.00000001.sdmp, Offset: 01A80000, based on PE: false
        Similarity
        • API ID: DuplicateHandle
        • String ID:
        • API String ID: 3793708945-0
        • Opcode ID: fadbabb8093ffea59faaed5fda298805446da9d38fe689acd39796608b4db5c3
        • Instruction ID: edfa195cc21b13f66ad8b951ac3185bea4ef550e7526db5e7081cc0406e01381
        • Opcode Fuzzy Hash: fadbabb8093ffea59faaed5fda298805446da9d38fe689acd39796608b4db5c3
        • Instruction Fuzzy Hash: 4E21D5B5D00249AFDB10DFA9D884ADEFBF8FB48324F14841AE915A3350D374A954CFA5
        Uniqueness

        Uniqueness Score: -1.00%

        Function 01A8D4F0, Relevance: 1.6, APIs: 1, Instructions: 57libraryCOMMON
        Download Yara Rule
        APIs
        • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,01A8D351,00000800,00000000,00000000), ref: 01A8D562
        Memory Dump Source
        • Source File: 00000001.00000002.693034274.0000000001A80000.00000040.00000001.sdmp, Offset: 01A80000, based on PE: false
        Similarity
        • API ID: LibraryLoad
        • String ID:
        • API String ID: 1029625771-0
        • Opcode ID: c25735c2f8180b4e911a2f339c892d04df0742887ef0a021e0ad4903bb9012e9
        • Instruction ID: 81a3955211ddecf5a3532fe40ade3dcf1d49f470c2202f7dd2d05c52a917782c
        • Opcode Fuzzy Hash: c25735c2f8180b4e911a2f339c892d04df0742887ef0a021e0ad4903bb9012e9
        • Instruction Fuzzy Hash: 1F1147B2C003489FDB14DFAAD844ADEFBF4AB88324F10841AE519A7200C374A549CFA1
        Uniqueness

        Uniqueness Score: -1.00%

        Function 01A8BB88, Relevance: 1.6, APIs: 1, Instructions: 57COMMON
        Download Yara Rule
        APIs
        • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 01A8BBFD
        Memory Dump Source
        • Source File: 00000001.00000002.693034274.0000000001A80000.00000040.00000001.sdmp, Offset: 01A80000, based on PE: false
        Similarity
        • API ID: CallbackDispatcherUser
        • String ID:
        • API String ID: 2492992576-0
        • Opcode ID: 75ee406a23b49b07b0579e99e5ab59263a28532ab07619d36789b40e92f66762
        • Instruction ID: 12d031114c7a581f4a4e3f54e773439d010349c5299f89a7279f0bb11efcee4e
        • Opcode Fuzzy Hash: 75ee406a23b49b07b0579e99e5ab59263a28532ab07619d36789b40e92f66762
        • Instruction Fuzzy Hash: 3A2102B58043848FDB21DF65D8043EABFF4AF09314F14405ED485A7282C3785A05CBB1
        Uniqueness

        Uniqueness Score: -1.00%

        Function 01A8CB48, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
        Download Yara Rule
        APIs
        • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,01A8D351,00000800,00000000,00000000), ref: 01A8D562
        Memory Dump Source
        • Source File: 00000001.00000002.693034274.0000000001A80000.00000040.00000001.sdmp, Offset: 01A80000, based on PE: false
        Similarity
        • API ID: LibraryLoad
        • String ID:
        • API String ID: 1029625771-0
        • Opcode ID: 64b4e9321e0d1a15dadd9abd62ba74a5e3e627e9ef6b1c611e1abbcd8fb89a2c
        • Instruction ID: cc0fe52c382670e1f5e3f5a0688ad584913e8ffcf64329336cfc756dfa97c77a
        • Opcode Fuzzy Hash: 64b4e9321e0d1a15dadd9abd62ba74a5e3e627e9ef6b1c611e1abbcd8fb89a2c
        • Instruction Fuzzy Hash: 261114B6D002499FDB14DFAAD444BDEFBF4EB88324F14842AE519A7240C374A945CFA1
        Uniqueness

        Uniqueness Score: -1.00%

        Function 01A8BB98, Relevance: 1.5, APIs: 1, Instructions: 49COMMON
        Download Yara Rule
        APIs
        • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 01A8BBFD
        Memory Dump Source
        • Source File: 00000001.00000002.693034274.0000000001A80000.00000040.00000001.sdmp, Offset: 01A80000, based on PE: false
        Similarity
        • API ID: CallbackDispatcherUser
        • String ID:
        • API String ID: 2492992576-0
        • Opcode ID: da5a8948f6436d5f6de1295270999903cecece4ddd93de72f6a05fc10143ffc7
        • Instruction ID: b741a25e658c64d4701773415d0ede786f2a47dfc7b4e3ecb6c3ae52a826d5cd
        • Opcode Fuzzy Hash: da5a8948f6436d5f6de1295270999903cecece4ddd93de72f6a05fc10143ffc7
        • Instruction Fuzzy Hash: C111C1B58003898FDB20DFA9D8043EEBFF4EB08324F148059D595A7381C7785A45CBB5
        Uniqueness

        Uniqueness Score: -1.00%

        Function 01A8D270, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
        Download Yara Rule
        APIs
        • GetModuleHandleW.KERNEL32(00000000), ref: 01A8D2D6
        Memory Dump Source
        • Source File: 00000001.00000002.693034274.0000000001A80000.00000040.00000001.sdmp, Offset: 01A80000, based on PE: false
        Similarity
        • API ID: HandleModule
        • String ID:
        • API String ID: 4139908857-0
        • Opcode ID: 1245710b49d39e6ee53e5a59a9df18710e3dd95865f5c6492c991d89567799ac
        • Instruction ID: 0cd5c1baf3404b6d6a77159a373f0fbd58031993f14963de5e12a7ee06039f2f
        • Opcode Fuzzy Hash: 1245710b49d39e6ee53e5a59a9df18710e3dd95865f5c6492c991d89567799ac
        • Instruction Fuzzy Hash: 0A1110B6C006498FDB20DF9AD844BDEFBF8AF88324F14852AD429B7240D374A545CFA1
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019FFE5F, Relevance: 1.3, Strings: 1, Instructions: 54COMMON
        Download Yara Rule
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID: `8l^
        • API String ID: 0-1571508792
        • Opcode ID: eeed71b54eb323a0851d205f973ab5a4e538577444c6f33a3ae2e8753b6735a0
        • Instruction ID: 2bbc5065b895977c32d44b29e5b7e9fae03be2554340617b08561aa25454f41f
        • Opcode Fuzzy Hash: eeed71b54eb323a0851d205f973ab5a4e538577444c6f33a3ae2e8753b6735a0
        • Instruction Fuzzy Hash: 5C210E38120601DBC362BFA4FD0E58C3B61FF442A6310A825F50BD6928DB709A47CF64
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019FFE60, Relevance: 1.3, Strings: 1, Instructions: 54COMMON
        Download Yara Rule
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID: `8l^
        • API String ID: 0-1571508792
        • Opcode ID: 3bf6fd213b9d69729a3107110723634590aecdaf9a3fba763b0725c307a4c68b
        • Instruction ID: 8dcd80a5f46b1e0dd358556332a9ab777b03f731359df43a4bf7ac60129d6c38
        • Opcode Fuzzy Hash: 3bf6fd213b9d69729a3107110723634590aecdaf9a3fba763b0725c307a4c68b
        • Instruction Fuzzy Hash: 3421EE38124605CBC362BFA4FD0E58C7B65FF442A6310A861F60BD6928DF709A47CB65
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019FBDC0, Relevance: .7, Instructions: 698COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: f677ae853a4fe8187d4697f8b356b9999eeb32862a236e9fcc061b0c9b296922
        • Instruction ID: 55d2c46c91174722b16b122348898b19066bbbb8c5fd623cd765ae60937ed1e1
        • Opcode Fuzzy Hash: f677ae853a4fe8187d4697f8b356b9999eeb32862a236e9fcc061b0c9b296922
        • Instruction Fuzzy Hash: 24524C34A0410D8FEB259BA0D860BAEB7B6FB84344F11C0ADD60A6B795DF319D41DF62
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019FF870, Relevance: .6, Instructions: 641COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 4a97c5e849790f35a132ee6fb52ba5bf1ecedc7790c57543bd5c648e8ac4141b
        • Instruction ID: 00fc6ce34f0891d47844598d3253992b35402b217a15f4cb27701de0ec4ba85c
        • Opcode Fuzzy Hash: 4a97c5e849790f35a132ee6fb52ba5bf1ecedc7790c57543bd5c648e8ac4141b
        • Instruction Fuzzy Hash: 6EF16F2654E7C5AFD3538B708C215957FF0AE43324B0A40EFC585CB9A3E69D8C4AC7A2
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019FF031, Relevance: .6, Instructions: 593COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 4ffc7b7c593ed459de015b1baed038dfdf5421a58619192bd1dd21586833b961
        • Instruction ID: 797fc2005291d28aab56731764702f66f69280e09a70c6ba710120959398ddba
        • Opcode Fuzzy Hash: 4ffc7b7c593ed459de015b1baed038dfdf5421a58619192bd1dd21586833b961
        • Instruction Fuzzy Hash: 78E1182068F7C18FD3538B7588665967FF1AE0762070A81EBC485CFAB3E1684C4BC762
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019FA195, Relevance: .5, Instructions: 542COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 0b95ea2bb9d31b2a0ff77ebd733f6ff232f5ad4398a2f39841a78a1e22b200cf
        • Instruction ID: 4b8f3390f1a9fe9a4ad69a9a15e8c1e3f494f884f6fff6ff72d5e8fb6d9f90b9
        • Opcode Fuzzy Hash: 0b95ea2bb9d31b2a0ff77ebd733f6ff232f5ad4398a2f39841a78a1e22b200cf
        • Instruction Fuzzy Hash: D6224934A00209EFDB25DF68D884A9EBBF5BF88315F158559EA1EDB2A1D730EC41CB50
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019F23F1, Relevance: .5, Instructions: 491COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 6fa079a820cb71ea410bff7b8accd738f6802b2c11a68d481c53e1650a1132ce
        • Instruction ID: a8008d65019d3809010f29e99fe2171b163ab0a3e48e06e1967bfb3073298313
        • Opcode Fuzzy Hash: 6fa079a820cb71ea410bff7b8accd738f6802b2c11a68d481c53e1650a1132ce
        • Instruction Fuzzy Hash: FDC1E92164D3E10FD753C3786C68B5A3FA15B47124F0956EBC4E4CB2E7EB28890AC792
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019FDA00, Relevance: .5, Instructions: 462COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: fe7f7518406f5f7f6c3fbe1c5fab5e2cef8e8319396ec6cd81028087c80ecbe6
        • Instruction ID: 60767842d39180afd9fb83a115100e59de47320f9a72935410de865f64368874
        • Opcode Fuzzy Hash: fe7f7518406f5f7f6c3fbe1c5fab5e2cef8e8319396ec6cd81028087c80ecbe6
        • Instruction Fuzzy Hash: A612B571A00209DFCB15CFA8C844AADBBF5FF89310F11859AE619DB361D731E955CB90
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019FA770, Relevance: .5, Instructions: 454COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: bd5d8fe7785a8011e64db47e9e21d846d85fe20c9eb672ccce1e864b1671ef09
        • Instruction ID: 0c20bcec0289a5f05baf9cfb19743345e3af4fc711438146f2180f56d55904ae
        • Opcode Fuzzy Hash: bd5d8fe7785a8011e64db47e9e21d846d85fe20c9eb672ccce1e864b1671ef09
        • Instruction Fuzzy Hash: 78124F30604106EFDB15CF68C984AAABBF6BF48315F158958E60EDB3A5D730EC41CB55
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019F8B60, Relevance: .4, Instructions: 428COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: bcd4347267d54bffb079cb7a7a582ee7e1bdc057dd0ea6fc434896c614fba1b8
        • Instruction ID: 2fe9a746a35bccfd513fdb8b292b2a5f515503b101c5743cfc754f8a35203ec2
        • Opcode Fuzzy Hash: bcd4347267d54bffb079cb7a7a582ee7e1bdc057dd0ea6fc434896c614fba1b8
        • Instruction Fuzzy Hash: 26E1B030700214AFDB65AF68CC54B7E7BA6AB8835AF15842CEA0ADB395CF74DC41C791
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019F37F0, Relevance: .4, Instructions: 354COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: e10d64f73872640956037ef21c05cb495259c29f48bb06465ddd90d1c2e4ce2b
        • Instruction ID: 9c3a5ff9fc6384f03ff5d2cdb84acc5210897b273570dbfc950aeedf7cab51f2
        • Opcode Fuzzy Hash: e10d64f73872640956037ef21c05cb495259c29f48bb06465ddd90d1c2e4ce2b
        • Instruction Fuzzy Hash: FAD1B031B00215EFCB15DF69C844AAE7BB6BF88215F15846DEA09DB3A1DB34DD40CBA1
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019F2C38, Relevance: .3, Instructions: 267COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 32b039bdb6244f24240707f0b0157213f2ef0672d2cef07bb2998aa0b557f4ab
        • Instruction ID: fd3d85d51c627cb902f6f1c3d5bb1211e3c7ae55d6f261e37b29b628998b53f0
        • Opcode Fuzzy Hash: 32b039bdb6244f24240707f0b0157213f2ef0672d2cef07bb2998aa0b557f4ab
        • Instruction Fuzzy Hash: 7BB17834B00209DFCB55EFA4C894BAE7BB6FB8C304F118599D609673A5DB359D02CBA1
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019F9250, Relevance: .3, Instructions: 263COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: bf92d4ff76d300fab19dc7ee3f92113bf94e96f1008915afdd691a498bc19ef8
        • Instruction ID: 8b1e11ba31801abd38e821b8d3f8b42830daf78724918481bcc85042e19ae992
        • Opcode Fuzzy Hash: bf92d4ff76d300fab19dc7ee3f92113bf94e96f1008915afdd691a498bc19ef8
        • Instruction Fuzzy Hash: CEA1B234A00115AFCB14CF6CC884BAABBB5FF89619B15856DE70ADB3A1D731EC01CB91
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019FBA08, Relevance: .2, Instructions: 201COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: f78b254bbec2e2fb760990a88555155ec442043ce76406ea605dcaf91175f798
        • Instruction ID: dc63c226196ab3903a6fb5b038f8bafc2ce2e3e96b83b4e752484bdd1c9c5557
        • Opcode Fuzzy Hash: f78b254bbec2e2fb760990a88555155ec442043ce76406ea605dcaf91175f798
        • Instruction Fuzzy Hash: C3714A34704209DFDB25DF2DC884A6E7BEAAF49252F1500A9EA0ACB375DB74DC51CB50
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019FED80, Relevance: .1, Instructions: 129COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 2f122cdc09a35e4baef9519160053f4d2a2414d508a6b475e7365bc6193eec62
        • Instruction ID: eef0179437433c4972adfb052e989d65987cf36c481643c20fadf4ec30945663
        • Opcode Fuzzy Hash: 2f122cdc09a35e4baef9519160053f4d2a2414d508a6b475e7365bc6193eec62
        • Instruction Fuzzy Hash: 2941E331204255AFDB11DF68D804AAE7BF6FF89205F06846CEA0ADB3A1CB74EC01C791
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019FADC8, Relevance: .1, Instructions: 126COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 457f0249368fb6220b7917d6b3ed6e596c9aa3fe5842833272508e2e5180b896
        • Instruction ID: 2f73902b5e8a96b73cbcabf8e673ea89ff0d31dc65ba97ea9c8cfe1cd0095522
        • Opcode Fuzzy Hash: 457f0249368fb6220b7917d6b3ed6e596c9aa3fe5842833272508e2e5180b896
        • Instruction Fuzzy Hash: 9441B1317042049FDB259B68DC54AAE7BE6AFC9615F15406DEA0ADB3E4CF30EC12C7A1
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019FDC7B, Relevance: .1, Instructions: 126COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 685c3c9b0279c8796750bd9d5d734ab39eed7a2f20e6eef69192433bdcb03ad9
        • Instruction ID: cb642beccd0530f7604b61979b4ec3ad6c1bbb3c14737e52fee00672c217de53
        • Opcode Fuzzy Hash: 685c3c9b0279c8796750bd9d5d734ab39eed7a2f20e6eef69192433bdcb03ad9
        • Instruction Fuzzy Hash: D4517F31A04209EFCF12CFE8C844AAEBFF5EF89311F048559EA199B295D371E951CB90
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019F27E0, Relevance: .1, Instructions: 124COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: d1272627d604ee6fac5379dc2dc3dfdff1bde8a663ba48ced8ff43031f78daca
        • Instruction ID: f436bae2deafd0e3ffa16973fefd8843240eee6fb2f585204aa4a9d851d805db
        • Opcode Fuzzy Hash: d1272627d604ee6fac5379dc2dc3dfdff1bde8a663ba48ced8ff43031f78daca
        • Instruction Fuzzy Hash: AE412A35B002109FCB54EBB9DC5867E76E6EBCD750B159439D919C7354EE38DC028B90
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019F3F66, Relevance: .1, Instructions: 117COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 06218291ac3fa4bc24d4d9d00393cbfe8b566e8a17ec7ee22118c51da5b7f0c7
        • Instruction ID: d23ec813b11598724da66780740a9559122f592de8590cdabf7af727845ccce5
        • Opcode Fuzzy Hash: 06218291ac3fa4bc24d4d9d00393cbfe8b566e8a17ec7ee22118c51da5b7f0c7
        • Instruction Fuzzy Hash: 03415A31700119AFCB25AF64DC549AE7BA7FF88255F048429F906973A4CB31DC66CBE1
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019F2968, Relevance: .1, Instructions: 105COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 183d35a777fe896b85031b8ea942c6a5ff7c2b27aa7288536305b9e1f5caad8e
        • Instruction ID: f268503bc02e879b85e60dbb20a0f2a9e30432c01f7f9411a07f285ea315714a
        • Opcode Fuzzy Hash: 183d35a777fe896b85031b8ea942c6a5ff7c2b27aa7288536305b9e1f5caad8e
        • Instruction Fuzzy Hash: DC41F1306042219FC720DB68E880BB9B7A9EB88300F11C55BDA59D7391D738EC45CFD1
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019F2AD0, Relevance: .1, Instructions: 105COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 6e6350ebb2946bf1df7323258aa38b9b8c78b3fe67c8e53d2c7a5326122dfa59
        • Instruction ID: b313dbc9ef58408eb32681c0a1a06a99af35b2515bbb4d8255c1a691bf20d93a
        • Opcode Fuzzy Hash: 6e6350ebb2946bf1df7323258aa38b9b8c78b3fe67c8e53d2c7a5326122dfa59
        • Instruction Fuzzy Hash: B631A130B041195B8B69EFBC982176F35A7ABC925AF15852CDA1ACB394DF34CC0293D2
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019FF4A0, Relevance: .1, Instructions: 103COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: c6303525068bf49887fcf45e0b870c3d4b93f57e376968fa746e34e9592085d5
        • Instruction ID: e0204b5da2e9e2bcb589e9c2942db2244df8878d94fe56b64bc2dc3ae945efbc
        • Opcode Fuzzy Hash: c6303525068bf49887fcf45e0b870c3d4b93f57e376968fa746e34e9592085d5
        • Instruction Fuzzy Hash: 4131CE32B001145FDB54AB788850B7A36EBABC8754F058478E60ACF3A2DE74DC0687E0
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019FFCE0, Relevance: .1, Instructions: 103COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: a4ac312d8b5a6bde16f229b0080d34b8e98a3dd0024635abaa497a738469112e
        • Instruction ID: f266643f007309dcba381e7467f51edabc5459819a36f412378f893dac187c93
        • Opcode Fuzzy Hash: a4ac312d8b5a6bde16f229b0080d34b8e98a3dd0024635abaa497a738469112e
        • Instruction Fuzzy Hash: 5C31D2367002049FD754AB788C51B6F36E7ABC9750F018479E609CF791DE70DC0287A1
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019FBCB0, Relevance: .1, Instructions: 87COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 47ca92e5a92bc7001eada652225cd8372b5feeb9fabf53d2c71a0df1986877fa
        • Instruction ID: a46dadd53e42b789a2473966c4a94035b3e9686ac777b498c9e01978dbe6dbf0
        • Opcode Fuzzy Hash: 47ca92e5a92bc7001eada652225cd8372b5feeb9fabf53d2c71a0df1986877fa
        • Instruction Fuzzy Hash: 9421F570304214ABDB251E29C850B7A229F9FC065AF14803DD70BCBBEAEF69CC419793
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019FBCA0, Relevance: .1, Instructions: 87COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: db81f5a208a66cf8f6afead0d9d54a97eeb8ccaaa0b06c3a5650e667c21d275d
        • Instruction ID: b2ef75c7a722e19af8db94216a034b928422f2e1700696ba7c05ef445f8e171f
        • Opcode Fuzzy Hash: db81f5a208a66cf8f6afead0d9d54a97eeb8ccaaa0b06c3a5650e667c21d275d
        • Instruction Fuzzy Hash: 7521D671304214ABDB265F39C850A7E269F9FC156A718403DDA0BCBBE6EE29C8019753
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019F7E08, Relevance: .1, Instructions: 86COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 0d29881428eccd1cc291aa8a8dbd574367be1b866967efcdd19d72864999d41d
        • Instruction ID: f69aa71baa06e6257137215eb847d92509cdd7cec96beef83f74fdd89aa9f1f8
        • Opcode Fuzzy Hash: 0d29881428eccd1cc291aa8a8dbd574367be1b866967efcdd19d72864999d41d
        • Instruction Fuzzy Hash: 6721BE343042047BE7286F695C55F3B369BABC4795F258429F60AEB2D4CE74AC029395
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019FEBE8, Relevance: .1, Instructions: 85COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 90e5ab7a2f53da244bea0cf832dba9f2491c6f9fe7756a36f5ba720c1e16b8b1
        • Instruction ID: bef3c89ddacc58161bb66a7a43e86432d8240f558f2b1f7ccca0bd4ff4822a03
        • Opcode Fuzzy Hash: 90e5ab7a2f53da244bea0cf832dba9f2491c6f9fe7756a36f5ba720c1e16b8b1
        • Instruction Fuzzy Hash: 66318C31A0010AAFCF169F59D984BAE7BAAFB98311F05402DFF0997260CB35CD61DB90
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019F3030, Relevance: .1, Instructions: 82COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 42b7348be65b05ef690374376ca1d4d38d1c303ab4b66aed382c331d98a17a61
        • Instruction ID: 93c68e87175f1cabaaf70127f330e929b6c9fa7c9cd5fd896a5764e1c51b7ba5
        • Opcode Fuzzy Hash: 42b7348be65b05ef690374376ca1d4d38d1c303ab4b66aed382c331d98a17a61
        • Instruction Fuzzy Hash: 33217330B10108DBDB24DBB8E854AEEB7BAFF88325F14452DD606A7394CB389D05CB61
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019F2958, Relevance: .1, Instructions: 80COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 8551e4bc94a7f911076650527ad4ddc5a95d833dc5e315afce41ecb024c3064f
        • Instruction ID: 08480d0eefbbc150eb6b6e70392da4c92c8c7ab00a2541411d30f6ccc6603dfa
        • Opcode Fuzzy Hash: 8551e4bc94a7f911076650527ad4ddc5a95d833dc5e315afce41ecb024c3064f
        • Instruction Fuzzy Hash: 3E31C131A001219FC720DB68E880BB9B7A9FB88310F11C51ADA19EB3A1D734ED058FD1
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019F7DF8, Relevance: .1, Instructions: 77COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: e10374beadfe87af75036932bc0ea4d3ac447f4844028d48ef72aae8d89910a9
        • Instruction ID: 8761bc44e52e54d479fa949bb2040af519919a6a5d7f0a275973f256852e5c9e
        • Opcode Fuzzy Hash: e10374beadfe87af75036932bc0ea4d3ac447f4844028d48ef72aae8d89910a9
        • Instruction Fuzzy Hash: 371103347041006BE7286BB96C65B7F369BABC82A4F254028E60ADB3D4CE64AC024395
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019F90B8, Relevance: .1, Instructions: 74COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 451fe573ddab192f7487007f5a783e30f45ac60f02bfd153d9809a6cbc4b9714
        • Instruction ID: 4eebd39ea6bfe6de16817563f95c49acf565041b9300bd93565fa12a2b85d73c
        • Opcode Fuzzy Hash: 451fe573ddab192f7487007f5a783e30f45ac60f02bfd153d9809a6cbc4b9714
        • Instruction Fuzzy Hash: D421C3353015119BC7299B69DC58A2AB796FF8975AB15847CEA0ADB358CF34DC0187C0
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019F7F08, Relevance: .1, Instructions: 66COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 47bae87534eef6bd4f9a5267fd444646a884e20931e679349f51905f70e200ed
        • Instruction ID: ad58971bf6c30886a7d1bd83711e842065b4a302922da5fda4943f091d906e38
        • Opcode Fuzzy Hash: 47bae87534eef6bd4f9a5267fd444646a884e20931e679349f51905f70e200ed
        • Instruction Fuzzy Hash: 8021E431604205AFDB059F68EC44B6B3BAAFB88755F00802DFA198B394DB38CC11CBD0
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019F9188, Relevance: .1, Instructions: 64COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 6c46f0df1815fc3f8202348eb465218d308372614e5808cf22c54ab365f44dd7
        • Instruction ID: 23d4b979954d4c44bfb41f1e4bd16399b25eb1972648206a39f7d0798160a9fe
        • Opcode Fuzzy Hash: 6c46f0df1815fc3f8202348eb465218d308372614e5808cf22c54ab365f44dd7
        • Instruction Fuzzy Hash: A61106367012109BC7115AAEEC5476BB78AFB807ADF05407DE709DB344DB21DC0283D1
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019F90A8, Relevance: .1, Instructions: 63COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 57c15981a369720e926b31d7da65a506b071bbcbbe3453fdaa5e3490703f2024
        • Instruction ID: ae9743d68c67a28b6cd1eb4c225d9409cf12fd7fdc7c324527f5d7f3b952f0e0
        • Opcode Fuzzy Hash: 57c15981a369720e926b31d7da65a506b071bbcbbe3453fdaa5e3490703f2024
        • Instruction Fuzzy Hash: 9411C1313016119FC7299B6DDC58A2A7BA6FF8565A719807DFA0ADB3A5CF20CC118780
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019F37E3, Relevance: .1, Instructions: 62COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 62814706c84364f908955395047c9f13d604a357cc468fdd95f64fb80b6d5234
        • Instruction ID: 3294b20bc67926abadb8c3f1e6cf2ae129b02e0d56311b2b2e0219280a634bfe
        • Opcode Fuzzy Hash: 62814706c84364f908955395047c9f13d604a357cc468fdd95f64fb80b6d5234
        • Instruction Fuzzy Hash: 1C213931A00208EFCF14DFA8D854AEDBBB1FB48325F145469EA05B7360D7359E54CBA0
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019F7F18, Relevance: .1, Instructions: 62COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 2ea73aa84007f51f1bea2491501f2bc209c5d5195bbf529f34280755ea0f1c49
        • Instruction ID: 840a0b22082cc8f089755d929d72158d123d021680411ec8f22af94863b607c1
        • Opcode Fuzzy Hash: 2ea73aa84007f51f1bea2491501f2bc209c5d5195bbf529f34280755ea0f1c49
        • Instruction Fuzzy Hash: FD116331605119AFDB159F69EC54B6B3BAAFB88755F00802DFA098B354DB38DC11CBD0
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019FEBD8, Relevance: .1, Instructions: 61COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: ff7fe5e6224e6f55c7633cc34147dfaf92795eb95b33ed81d067046d202fd209
        • Instruction ID: 368eb9d2e506cfeaab5b5699ba8ef6db0efdd958f0a61fe0140bf7f734ce25ab
        • Opcode Fuzzy Hash: ff7fe5e6224e6f55c7633cc34147dfaf92795eb95b33ed81d067046d202fd209
        • Instruction Fuzzy Hash: D1116331A01319AFCB169F68D844BAA7BA5FB89311F06446EFE09CB361D734CD51CB91
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019FADB8, Relevance: .1, Instructions: 61COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: f6149fe90124d634e5b2d7040141bc4279f91b433ed332557ef273098252d59f
        • Instruction ID: 4c3bd110e6ac0a9ed64dd74cbd6a3ae5cd07a198f494a561df311c10ad1acec3
        • Opcode Fuzzy Hash: f6149fe90124d634e5b2d7040141bc4279f91b433ed332557ef273098252d59f
        • Instruction Fuzzy Hash: 49119635700204AFDB20CFA9DC54B9DBBB5FB8C311F149129E916A7394CB31AC21CB50
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019F8B50, Relevance: .1, Instructions: 59COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 98dc7624580ebdc1581b1d45a7f148403d255ba3abd3e00cd58890eea5fdc212
        • Instruction ID: fd0256c3b931e7b28bdeeae82af3bcd8b0d9ea26736592c1bb389a3184dc505c
        • Opcode Fuzzy Hash: 98dc7624580ebdc1581b1d45a7f148403d255ba3abd3e00cd58890eea5fdc212
        • Instruction Fuzzy Hash: 7B11C431B00219AFD750DF18D848B6DBB66BF84323F15856DDA0D973A5D7309C51CB91
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019FDD60, Relevance: .1, Instructions: 59COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 84153df4cbeef64de6e95f9d43023afd66fb7f2f30903318eca6242020769072
        • Instruction ID: 10b87d03ac7718506efd892985b0b9bd5f7cf6ef4486400cdb42095488d4ed63
        • Opcode Fuzzy Hash: 84153df4cbeef64de6e95f9d43023afd66fb7f2f30903318eca6242020769072
        • Instruction Fuzzy Hash: 96119332A00206ABDB11CF9CC880B5EBFE6AF85354F058659D71C9B692D371F8118795
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019F2C29, Relevance: .1, Instructions: 55COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: f3170afc6e70f7f972512205175667b2af16544f4f91c27afa463dac948d19c3
        • Instruction ID: 6d6561aeb1081bad1e2bcd589a460b9eb38dbdca4dfcb2c615a6e3cf39ecec36
        • Opcode Fuzzy Hash: f3170afc6e70f7f972512205175667b2af16544f4f91c27afa463dac948d19c3
        • Instruction Fuzzy Hash: 5B11C170A00209AFCB55DFA8C854B9EBBF5EF88304F1080AED508A7351D7349805CBA1
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019FECF0, Relevance: .0, Instructions: 46COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 75c1966408596f69d9fd86ac4ab85607a45e1231703d66eae2ac3dbbb6b8dcba
        • Instruction ID: 2e8ebfc692f9569b3993c5db51ed4dc3d4f413e83b35fc48cbf4fdc8df5939da
        • Opcode Fuzzy Hash: 75c1966408596f69d9fd86ac4ab85607a45e1231703d66eae2ac3dbbb6b8dcba
        • Instruction Fuzzy Hash: 0D01F932B001197B9B159E9D9C00AAF3BAFEBC8790F19802DF609E7294DA71CC11D7E4
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019FECE0, Relevance: .0, Instructions: 46COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: d79fcbe8dc0d27dd1e7254906f755d2b5355bb2a9e117d343e49ab8a3aca6c29
        • Instruction ID: 2f9214b211107bb9a341ed079e748bbb71a8f8365e2c899f971c23738c539e03
        • Opcode Fuzzy Hash: d79fcbe8dc0d27dd1e7254906f755d2b5355bb2a9e117d343e49ab8a3aca6c29
        • Instruction Fuzzy Hash: 2B01F731A042057FDB12CE98DC00AEF3BBAEBC5350B15806EFA08DB1A0C6358812DBA0
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019F3C09, Relevance: .0, Instructions: 26COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: ca3680a566f600fbe20204d7e5531e125f4d67ee37b7f8403ed19e65994cf193
        • Instruction ID: 89732cc76c3e310fdd7fea64f41eade5dde5e420c491c29bb9fe6dedcb2a46f7
        • Opcode Fuzzy Hash: ca3680a566f600fbe20204d7e5531e125f4d67ee37b7f8403ed19e65994cf193
        • Instruction Fuzzy Hash: C1E02272E04244AFCB215BB6AC09A9B7F78FB62211F00407EEE05C2042E3398018CB20
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019F3C18, Relevance: .0, Instructions: 23COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: aeeaeee5e4459bebdb80d990e373f053b3ff3b17db5fd0f01f6dd74f3086a916
        • Instruction ID: e501c905382ef4aab6f436461757942ba24243f611c753115db7551f44b1b98f
        • Opcode Fuzzy Hash: aeeaeee5e4459bebdb80d990e373f053b3ff3b17db5fd0f01f6dd74f3086a916
        • Instruction Fuzzy Hash: 51E08635A00209BBCF205AA6EC49A5A7F6CFB45261F004435FF0581101D7758114C770
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019FC828, Relevance: .0, Instructions: 18COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
        • Instruction ID: a01647f745fe4038595958c4d30657069f5e8b49a4e0a0493e83bf6edc8d2c29
        • Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
        • Instruction Fuzzy Hash: A4C0123360C1283AA229104EBC40EA3AA8CD2C12B5A21413BFA6C8320098429C8002A9
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019FAE75, Relevance: .0, Instructions: 16COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 9edfbee0c44cc132718295057c6afdba09ad39ac26cf94cfee05a9791635222d
        • Instruction ID: fad94137b83274d21260034a5282a9a672a5eff3ae47878e666e1503822c34fb
        • Opcode Fuzzy Hash: 9edfbee0c44cc132718295057c6afdba09ad39ac26cf94cfee05a9791635222d
        • Instruction Fuzzy Hash: 04D0673AB00108DF8B149F98EC408DDB776FB98225B148116EA25E3264C6319931DB51
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019FB781, Relevance: .0, Instructions: 15COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 4e53344e7ed9dfcd2e2f91156167cd08531ed4acb36d600c4df97a03cc51d6ed
        • Instruction ID: 2b3ea16b48e6d1d4d48f60750b497e78ca879552ed1a609783dd9c8fd12441be
        • Opcode Fuzzy Hash: 4e53344e7ed9dfcd2e2f91156167cd08531ed4acb36d600c4df97a03cc51d6ed
        • Instruction Fuzzy Hash: 63E0C2304183055BCBE0FF70E8455DD3336FF81314F01C85AD8050A030DB7058008B85
        Uniqueness

        Uniqueness Score: -1.00%

        Function 019FB790, Relevance: .0, Instructions: 12COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000001.00000002.692861217.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: d9e97245584a478d026c0031dacba3889ac02b05cc0469fd4692dfdd3d4f8cdc
        • Instruction ID: 11d81466758ab04b973b5395c90fdb8a07dfb37195d9f0490f63322717540a81
        • Opcode Fuzzy Hash: d9e97245584a478d026c0031dacba3889ac02b05cc0469fd4692dfdd3d4f8cdc
        • Instruction Fuzzy Hash: 38C01230014306468394BFB1FC45569332FFBC0609741DC61DA044A134DF74B81457D5
        Uniqueness

        Uniqueness Score: -1.00%

        Non-executed Functions