Edit tour

Windows Analysis Report
confirm order.exe

Overview

General Information

Sample Name:	confirm order.exe
Analysis ID:	712188
MD5:	e5e6a926238dfecd931967194ff92bf4
SHA1:	b233228269367904bb0ee23b0b47fabf50ba5df2
SHA256:	219eeb73337cb0cb6b1e4af6093af3c0f4bef72af443be61adf1b2dc7eaf9063
Tags:	exeNanoCoreRAT
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Detected Nanocore Rat

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Initial sample is a PE file and has a suspicious name

Connects to many ports of the same IP (likely port scanning)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Costura Assembly Loader

Encrypted powershell cmdline option found

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

.NET source code contains very large array initializations

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Binary contains a suspicious time stamp

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

confirm order.exe (PID: 5552 cmdline: "C:\Users\user\Desktop\confirm order.exe" MD5: E5E6A926238DFECD931967194FF92BF4)

powershell.exe (PID: 1756 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANgAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 1652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

confirm order.exe (PID: 1020 cmdline: C:\Users\user\Desktop\confirm order.exe MD5: E5E6A926238DFECD931967194FF92BF4)

Ugtphvhf.exe (PID: 5292 cmdline: "C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe" MD5: E5E6A926238DFECD931967194FF92BF4)

powershell.exe (PID: 5344 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANgAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 2384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Ugtphvhf.exe (PID: 6072 cmdline: "C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe" MD5: E5E6A926238DFECD931967194FF92BF4)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "6a8dc68c-2ae6-4a66-b5dc-80cfa679", "Group": "jop", "Domain1": "146.70.76.43", "Domain2": "", "Port": 56281, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 9, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.447081649.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.447887037.00000000032BD000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3c9d9:$x1: NanoCore.ClientPluginHost 0x3ca16:$x2: IClientNetworkHost 0x40549:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.447887037.00000000032BD000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3c741:$a: NanoCore 0x3c751:$a: NanoCore 0x3c985:$a: NanoCore 0x3c999:$a: NanoCore 0x3c9d9:$a: NanoCore 0x3c7a0:$b: ClientPlugin 0x3c9a2:$b: ClientPlugin 0x3c9e2:$b: ClientPlugin 0x3c8c7:$c: ProjectData 0x3d2ce:$d: DESCrypto 0x3ee83:$i: get_Connected 0x3d604:$j: #=q 0x3d634:$j: #=q 0x3d650:$j: #=q 0x3d680:$j: #=q 0x3d69c:$j: #=q 0x3d6b8:$j: #=q 0x3d6e8:$j: #=q 0x3d704:$j: #=q 0x3d748:$j: #=q 0x3d764:$j: #=q
00000000.00000002.447887037.00000000032BD000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3c9d9:$a1: NanoCore.ClientPluginHost 0x3c999:$a2: NanoCore.ClientPlugin 0x3e8f2:$b1: get_BuilderSettings 0x3c7f5:$b2: ClientLoaderForm.resources 0x3e012:$b3: PluginCommand 0x3c9ca:$b4: IClientAppHost 0x3ef4a:$b6: AddHostEntry 0x3eeb7:$b8: PipeExists 0x3ca03:$b9: IClientLoggingHost
00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x106ad:$x1: NanoCore.ClientPluginHost 0x42ecd:$x1: NanoCore.ClientPluginHost 0x106ea:$x2: IClientNetworkHost 0x42f0a:$x2: IClientNetworkHost 0x1421d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x46a3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10415:$a: NanoCore 0x10425:$a: NanoCore 0x10659:$a: NanoCore 0x1066d:$a: NanoCore 0x106ad:$a: NanoCore 0x42c35:$a: NanoCore 0x42c45:$a: NanoCore 0x42e79:$a: NanoCore 0x42e8d:$a: NanoCore 0x42ecd:$a: NanoCore 0x10474:$b: ClientPlugin 0x10676:$b: ClientPlugin 0x106b6:$b: ClientPlugin 0x42c94:$b: ClientPlugin 0x42e96:$b: ClientPlugin 0x42ed6:$b: ClientPlugin 0x1059b:$c: ProjectData 0x42dbb:$c: ProjectData 0x10fa2:$d: DESCrypto 0x437c2:$d: DESCrypto 0x1896e:$e: KeepAlive
00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x106ad:$a1: NanoCore.ClientPluginHost 0x42ecd:$a1: NanoCore.ClientPluginHost 0x1066d:$a2: NanoCore.ClientPlugin 0x42e8d:$a2: NanoCore.ClientPlugin 0x125c6:$b1: get_BuilderSettings 0x44de6:$b1: get_BuilderSettings 0x104c9:$b2: ClientLoaderForm.resources 0x42ce9:$b2: ClientLoaderForm.resources 0x11ce6:$b3: PluginCommand 0x44506:$b3: PluginCommand 0x1069e:$b4: IClientAppHost 0x42ebe:$b4: IClientAppHost 0x1ab1e:$b5: GetBlockHash 0x4d33e:$b5: GetBlockHash 0x12c1e:$b6: AddHostEntry 0x4543e:$b6: AddHostEntry 0x16911:$b7: LogClientException 0x49131:$b7: LogClientException 0x12b8b:$b8: PipeExists 0x453ab:$b8: PipeExists 0x106d7:$b9: IClientLoggingHost
0000000E.00000000.444492363.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000000.444492363.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000000.444492363.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000E.00000000.444492363.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xff8d:$a1: NanoCore.ClientPluginHost 0xff4d:$a2: NanoCore.ClientPlugin 0x11ea6:$b1: get_BuilderSettings 0xfda9:$b2: ClientLoaderForm.resources 0x115c6:$b3: PluginCommand 0xff7e:$b4: IClientAppHost 0x1a3fe:$b5: GetBlockHash 0x124fe:$b6: AddHostEntry 0x161f1:$b7: LogClientException 0x1246b:$b8: PipeExists 0xffb7:$b9: IClientLoggingHost
00000010.00000002.532222883.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000010.00000002.537850084.000000000314B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.454858923.0000000005650000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000003.262094119.0000000004475000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000F.00000002.532813764.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000E.00000002.549837955.0000000005830000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
0000000E.00000002.549837955.0000000005830000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
0000000E.00000002.549837955.0000000005830000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
0000000E.00000002.549837955.0000000005830000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
0000000E.00000002.550441938.0000000006010000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
0000000E.00000002.550441938.0000000006010000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
0000000E.00000002.550441938.0000000006010000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.550441938.0000000006010000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
0000000E.00000002.550441938.0000000006010000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
0000000E.00000002.532820383.0000000002F41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.532820383.0000000002F41000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x69357:$a: NanoCore 0x693b0:$a: NanoCore 0x693ed:$a: NanoCore 0x69466:$a: NanoCore 0x693b9:$b: ClientPlugin 0x693f6:$b: ClientPlugin 0x69cf4:$b: ClientPlugin 0x69d01:$b: ClientPlugin 0x860e8:$b: ClientPlugin 0x5ef9a:$e: KeepAlive 0x69841:$g: LogClientMessage 0x697c1:$i: get_Connected 0x5978d:$j: #=q 0x597bd:$j: #=q 0x597f9:$j: #=q 0x59821:$j: #=q 0x59851:$j: #=q 0x59881:$j: #=q 0x598b1:$j: #=q 0x598e1:$j: #=q 0x598fd:$j: #=q
0000000E.00000002.532820383.0000000002F41000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x693ed:$a1: NanoCore.ClientPluginHost 0x693b0:$a2: NanoCore.ClientPlugin 0x5acc7:$b1: get_BuilderSettings 0x69784:$b1: get_BuilderSettings 0x6943b:$b4: IClientAppHost 0x697f5:$b6: AddHostEntry 0x5ac36:$b7: LogClientException 0x69864:$b7: LogClientException 0x697d9:$b8: PipeExists 0x69428:$b9: IClientLoggingHost
00000010.00000002.532914557.000000000301C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000F.00000002.532893471.00000000029C5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000010.00000002.532978281.0000000003025000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.453904454.0000000004283000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3766d:$x1: NanoCore.ClientPluginHost 0x5f68d:$x1: NanoCore.ClientPluginHost 0x376aa:$x2: IClientNetworkHost 0x5f6ca:$x2: IClientNetworkHost 0x3b1dd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x631fd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.453904454.0000000004283000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.453904454.0000000004283000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x373d5:$a: NanoCore 0x373e5:$a: NanoCore 0x37619:$a: NanoCore 0x3762d:$a: NanoCore 0x3766d:$a: NanoCore 0x5f3f5:$a: NanoCore 0x5f405:$a: NanoCore 0x5f639:$a: NanoCore 0x5f64d:$a: NanoCore 0x5f68d:$a: NanoCore 0x37434:$b: ClientPlugin 0x37636:$b: ClientPlugin 0x37676:$b: ClientPlugin 0x5f454:$b: ClientPlugin 0x5f656:$b: ClientPlugin 0x5f696:$b: ClientPlugin 0x3755b:$c: ProjectData 0x5f57b:$c: ProjectData 0x37f62:$d: DESCrypto 0x5ff82:$d: DESCrypto 0x3f92e:$e: KeepAlive
00000000.00000002.453904454.0000000004283000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3766d:$a1: NanoCore.ClientPluginHost 0x5f68d:$a1: NanoCore.ClientPluginHost 0x3762d:$a2: NanoCore.ClientPlugin 0x5f64d:$a2: NanoCore.ClientPlugin 0x39586:$b1: get_BuilderSettings 0x615a6:$b1: get_BuilderSettings 0x37489:$b2: ClientLoaderForm.resources 0x5f4a9:$b2: ClientLoaderForm.resources 0x38ca6:$b3: PluginCommand 0x60cc6:$b3: PluginCommand 0x3765e:$b4: IClientAppHost 0x5f67e:$b4: IClientAppHost 0x41ade:$b5: GetBlockHash 0x69afe:$b5: GetBlockHash 0x39bde:$b6: AddHostEntry 0x61bfe:$b6: AddHostEntry 0x3d8d1:$b7: LogClientException 0x658f1:$b7: LogClientException 0x39b4b:$b8: PipeExists 0x61b6b:$b8: PipeExists 0x37697:$b9: IClientLoggingHost
0000000E.00000002.545716802.0000000003F72000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.545716802.0000000003F72000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x19ee5:$a: NanoCore 0x19f3e:$a: NanoCore 0x19f7b:$a: NanoCore 0x19ff4:$a: NanoCore 0x2d69f:$a: NanoCore 0x2d6b4:$a: NanoCore 0x2d6e9:$a: NanoCore 0x46153:$a: NanoCore 0x46168:$a: NanoCore 0x4619d:$a: NanoCore 0x19f47:$b: ClientPlugin 0x19f84:$b: ClientPlugin 0x1a882:$b: ClientPlugin 0x1a88f:$b: ClientPlugin 0x2d45b:$b: ClientPlugin 0x2d476:$b: ClientPlugin 0x2d4a6:$b: ClientPlugin 0x2d6bd:$b: ClientPlugin 0x2d6f2:$b: ClientPlugin 0x45f0f:$b: ClientPlugin 0x45f2a:$b: ClientPlugin
0000000E.00000002.545716802.0000000003F72000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x19f7b:$a1: NanoCore.ClientPluginHost 0x2d6e9:$a1: NanoCore.ClientPluginHost 0x4619d:$a1: NanoCore.ClientPluginHost 0x19f3e:$a2: NanoCore.ClientPlugin 0x2d6b4:$a2: NanoCore.ClientPlugin 0x46168:$a2: NanoCore.ClientPlugin 0x1a312:$b1: get_BuilderSettings 0x3262f:$b1: get_BuilderSettings 0x4b0e3:$b1: get_BuilderSettings 0x19fc9:$b4: IClientAppHost 0x1a383:$b6: AddHostEntry 0x1a3f2:$b7: LogClientException 0x3259e:$b7: LogClientException 0x4b052:$b7: LogClientException 0x1a367:$b8: PipeExists 0x19fb6:$b9: IClientLoggingHost 0x2d703:$b9: IClientLoggingHost 0x461b7:$b9: IClientLoggingHost
0000000F.00000002.532109090.0000000002981000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000003.260970859.00000000041F6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000F.00000002.537794657.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.448397158.0000000003358000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: confirm order.exe PID: 5552	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb4fa:$x1: NanoCore.ClientPluginHost 0x32895:$x1: NanoCore.ClientPluginHost 0xa0d1f:$x1: NanoCore.ClientPluginHost 0xb537:$x2: IClientNetworkHost 0x328d2:$x2: IClientNetworkHost 0xa0d5c:$x2: IClientNetworkHost 0xf028:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1a0ae:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x26082:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x363bd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3a198:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xa484d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xaf8d3:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xbad1a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: confirm order.exe PID: 5552	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: confirm order.exe PID: 5552	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: confirm order.exe PID: 5552	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb1c7:$a: NanoCore 0xb1d7:$a: NanoCore 0xb296:$a: NanoCore 0xb2a5:$a: NanoCore 0xb4a6:$a: NanoCore 0xb4ba:$a: NanoCore 0xb4fa:$a: NanoCore 0x16718:$a: NanoCore 0x1672a:$a: NanoCore 0x16766:$a: NanoCore 0x226ec:$a: NanoCore 0x226fe:$a: NanoCore 0x2273a:$a: NanoCore 0x3256b:$a: NanoCore 0x3257b:$a: NanoCore 0x32631:$a: NanoCore 0x32640:$a: NanoCore 0x32841:$a: NanoCore 0x32855:$a: NanoCore 0x32895:$a: NanoCore 0x36802:$a: NanoCore
Process Memory Space: confirm order.exe PID: 5552	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb4fa:$a1: NanoCore.ClientPluginHost 0x32895:$a1: NanoCore.ClientPluginHost 0xa0d1f:$a1: NanoCore.ClientPluginHost 0xb4ba:$a2: NanoCore.ClientPlugin 0x32855:$a2: NanoCore.ClientPlugin 0xa0cdf:$a2: NanoCore.ClientPlugin 0xd3d1:$b1: get_BuilderSettings 0x34766:$b1: get_BuilderSettings 0xa2bf6:$b1: get_BuilderSettings 0xb27b:$b2: ClientLoaderForm.resources 0x32616:$b2: ClientLoaderForm.resources 0xa0aa0:$b2: ClientLoaderForm.resources 0xcaf1:$b3: PluginCommand 0x33e8c:$b3: PluginCommand 0xa2316:$b3: PluginCommand 0xb4eb:$b4: IClientAppHost 0x32886:$b4: IClientAppHost 0xa0d10:$b4: IClientAppHost 0x15924:$b5: GetBlockHash 0xab149:$b5: GetBlockHash 0xda29:$b6: AddHostEntry
Process Memory Space: confirm order.exe PID: 1020	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x961b:$x1: NanoCore.ClientPluginHost 0x724c7:$x1: NanoCore.ClientPluginHost 0x7c03e:$x1: NanoCore.ClientPluginHost 0x8b84c:$x1: NanoCore.ClientPluginHost 0x9658:$x2: IClientNetworkHost 0x724e1:$x2: IClientNetworkHost 0x7c06b:$x2: IClientNetworkHost 0x8b866:$x2: IClientNetworkHost 0xd149:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x181cf:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: confirm order.exe PID: 1020	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: confirm order.exe PID: 1020	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x575:$a: NanoCore 0x92e8:$a: NanoCore 0x92f8:$a: NanoCore 0x93b7:$a: NanoCore 0x93c6:$a: NanoCore 0x95c7:$a: NanoCore 0x95db:$a: NanoCore 0x961b:$a: NanoCore 0x14839:$a: NanoCore 0x1484b:$a: NanoCore 0x14887:$a: NanoCore 0x4a511:$a: NanoCore 0x4a56c:$a: NanoCore 0x4a5ec:$a: NanoCore 0x72431:$a: NanoCore 0x7248a:$a: NanoCore 0x724c7:$a: NanoCore 0x72540:$a: NanoCore 0x72cc7:$a: NanoCore 0x72d1a:$a: NanoCore 0x72d53:$a: NanoCore
Process Memory Space: confirm order.exe PID: 1020	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x961b:$a1: NanoCore.ClientPluginHost 0x724c7:$a1: NanoCore.ClientPluginHost 0x7c03e:$a1: NanoCore.ClientPluginHost 0x8b84c:$a1: NanoCore.ClientPluginHost 0x95db:$a2: NanoCore.ClientPlugin 0x7248a:$a2: NanoCore.ClientPlugin 0x7c009:$a2: NanoCore.ClientPlugin 0x8b80f:$a2: NanoCore.ClientPlugin 0xb4f2:$b1: get_BuilderSettings 0x6b6fc:$b1: get_BuilderSettings 0x80e10:$b1: get_BuilderSettings 0x8bbc6:$b1: get_BuilderSettings 0x939c:$b2: ClientLoaderForm.resources 0xac12:$b3: PluginCommand 0x960c:$b4: IClientAppHost 0x72515:$b4: IClientAppHost 0x8b89a:$b4: IClientAppHost 0x13a45:$b5: GetBlockHash 0xbb4a:$b6: AddHostEntry 0x16c69:$b6: AddHostEntry 0x72821:$b6: AddHostEntry
Process Memory Space: Ugtphvhf.exe PID: 5292	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Ugtphvhf.exe PID: 6072	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Click to see the 49 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
14.2.confirm order.exe.6010000.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
14.2.confirm order.exe.6010000.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
14.2.confirm order.exe.6010000.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.confirm order.exe.6010000.6.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
14.2.confirm order.exe.6010000.6.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
14.2.confirm order.exe.3f8ff3c.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28261:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x2828e:$x2: IClientNetworkHost
14.2.confirm order.exe.3f8ff3c.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28261:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x2933c:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x2827b:$s5: IClientLoggingHost
14.2.confirm order.exe.3f8ff3c.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.confirm order.exe.3f8ff3c.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0x2822c:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0x28261:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0x28220:$i2: IClientData 0xf78e:$i3: IClientNetwork 0x28242:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0x28251:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0x2827b:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0x2828e:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0x282a1:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0x282af:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0x282cb:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin
14.2.confirm order.exe.3f8ff3c.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0x28261:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x2822c:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x2d1a7:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0x2d116:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost 0x2827b:$b9: IClientLoggingHost
0.3.confirm order.exe.44757d0.3.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.confirm order.exe.5650000.5.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
14.2.confirm order.exe.3f94565.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x23c38:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c65:$x2: IClientNetworkHost
14.2.confirm order.exe.3f94565.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x23c38:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x24d13:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x23c52:$s5: IClientLoggingHost
14.2.confirm order.exe.3f94565.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.confirm order.exe.3f94565.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0x23c03:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0x23c38:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0x23bf7:$i2: IClientData 0xb165:$i3: IClientNetwork 0x23c19:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0x23c28:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0x23c52:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0x23c65:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0x23c78:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0x23c86:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0x23ca2:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin
14.2.confirm order.exe.3f94565.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0x23c38:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x23c03:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x28b7e:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0x28aed:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost 0x23c52:$b9: IClientLoggingHost
14.0.confirm order.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.0.confirm order.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.0.confirm order.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.0.confirm order.exe.400000.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
14.0.confirm order.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.0.confirm order.exe.400000.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
0.2.confirm order.exe.42d2500.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.confirm order.exe.42d2500.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.2.confirm order.exe.42d2500.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.confirm order.exe.42d2500.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
0.2.confirm order.exe.42d2500.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.confirm order.exe.42d2500.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
14.2.confirm order.exe.5830000.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
14.2.confirm order.exe.5830000.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
14.2.confirm order.exe.5830000.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
14.2.confirm order.exe.5830000.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
0.2.confirm order.exe.42aa4e0.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x381ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x381ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3bd1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.confirm order.exe.42aa4e0.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x37f25:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x381ad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x397e6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x397da:$s2: FileCommand 0x1266b:$s3: PipeExists 0x3a68b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x40442:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x381d7:$s5: IClientLoggingHost
0.2.confirm order.exe.42aa4e0.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.confirm order.exe.42aa4e0.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x37f15:$x1: NanoCore Client 0x37f25:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x3816d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x381ad:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x38162:$i1: IClientApp 0x10163:$i2: IClientData 0x38183:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x3818f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x3819e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x381c7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x381d7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost
0.2.confirm order.exe.42aa4e0.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x37f15:$a: NanoCore 0x37f25:$a: NanoCore 0x38159:$a: NanoCore 0x3816d:$a: NanoCore 0x381ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x37f74:$b: ClientPlugin 0x38176:$b: ClientPlugin 0x381b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x3809b:$c: ProjectData 0x10a82:$d: DESCrypto 0x38aa2:$d: DESCrypto 0x1844e:$e: KeepAlive
0.2.confirm order.exe.42aa4e0.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x381ad:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x3816d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x3a0c6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x37fc9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x397e6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x3819e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x4261e:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x3a71e:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x3e411:$b7: LogClientException 0x1266b:$b8: PipeExists 0x3a68b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
0.3.confirm order.exe.44757d0.3.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
14.2.confirm order.exe.6014629.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
14.2.confirm order.exe.6014629.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
14.2.confirm order.exe.6014629.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.confirm order.exe.6014629.7.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0xb165:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin 0xb158:$s1: ClientPlugin 0x10179:$s6: get_ClientSettings
14.2.confirm order.exe.6014629.7.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost
14.2.confirm order.exe.6010000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
14.2.confirm order.exe.6010000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
14.2.confirm order.exe.6010000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.confirm order.exe.6010000.6.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
14.2.confirm order.exe.6010000.6.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
0.2.confirm order.exe.42d2500.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.confirm order.exe.42d2500.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.confirm order.exe.42d2500.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.confirm order.exe.42d2500.3.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.confirm order.exe.42d2500.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.confirm order.exe.42d2500.3.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
14.2.confirm order.exe.2fa9578.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
14.2.confirm order.exe.2fa9578.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
14.2.confirm order.exe.2fa9578.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x1db70:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
14.2.confirm order.exe.2fa9578.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
0.2.confirm order.exe.42aa4e0.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.confirm order.exe.42aa4e0.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.confirm order.exe.42aa4e0.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.confirm order.exe.42aa4e0.2.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.confirm order.exe.42aa4e0.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.confirm order.exe.42aa4e0.2.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
0.3.confirm order.exe.4295750.1.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.confirm order.exe.4322520.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.confirm order.exe.4322520.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.confirm order.exe.4322520.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.confirm order.exe.4322520.4.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.confirm order.exe.4322520.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.confirm order.exe.4322520.4.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
0.2.confirm order.exe.32e984c.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.confirm order.exe.32e984c.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0xe3b7:$s5: IClientLoggingHost
0.2.confirm order.exe.32e984c.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.confirm order.exe.32e984c.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q 0xf0fc:$j: #=q 0xf118:$j: #=q
0.2.confirm order.exe.32e984c.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x108fe:$b6: AddHostEntry 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
0.2.confirm order.exe.32e984c.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.confirm order.exe.32e984c.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x101b7:$s5: IClientLoggingHost
0.2.confirm order.exe.32e984c.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
0.2.confirm order.exe.32e984c.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q 0x10efc:$j: #=q 0x10f18:$j: #=q
0.2.confirm order.exe.32e984c.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x126fe:$b6: AddHostEntry 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
14.2.confirm order.exe.3f8b106.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d097:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d0c4:$x2: IClientNetworkHost
14.2.confirm order.exe.3f8b106.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d097:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e172:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d0b1:$s5: IClientLoggingHost
14.2.confirm order.exe.3f8b106.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.confirm order.exe.3f8b106.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x145ae:$x2: NanoCore.ClientPlugin 0x2d062:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x145e3:$x3: NanoCore.ClientPluginHost 0x2d097:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0x145a2:$i2: IClientData 0x2d056:$i2: IClientData 0xe29:$i3: IClientNetwork 0x145c4:$i3: IClientNetwork 0x2d078:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0x145d3:$i5: IClientDataHost 0x2d087:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0x145fd:$i6: IClientLoggingHost 0x2d0b1:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost
14.2.confirm order.exe.3f8b106.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d04d:$a: NanoCore 0x2d062:$a: NanoCore 0x2d097:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2ce09:$b: ClientPlugin 0x2ce24:$b: ClientPlugin
14.2.confirm order.exe.3f8b106.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0x145e3:$a1: NanoCore.ClientPluginHost 0x2d097:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x145ae:$a2: NanoCore.ClientPlugin 0x2d062:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0x19529:$b1: get_BuilderSettings 0x31fdd:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x19498:$b7: LogClientException 0x31f4c:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost 0x145fd:$b9: IClientLoggingHost 0x2d0b1:$b9: IClientLoggingHost
14.2.confirm order.exe.3f8ff3c.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
14.2.confirm order.exe.3f8ff3c.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
14.2.confirm order.exe.3f8ff3c.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.confirm order.exe.3f8ff3c.3.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
14.2.confirm order.exe.3f8ff3c.3.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
0.2.confirm order.exe.5650000.5.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.confirm order.exe.4322520.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x429ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x429ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4651d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.confirm order.exe.4322520.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42725:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x429ad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x43fe6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x43fda:$s2: FileCommand 0x1266b:$s3: PipeExists 0x44e8b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ac42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x429d7:$s5: IClientLoggingHost
0.3.confirm order.exe.42f5790.0.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.confirm order.exe.4322520.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.confirm order.exe.4322520.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x42715:$x1: NanoCore Client 0x42725:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x4296d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x429ad:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x42962:$i1: IClientApp 0x10163:$i2: IClientData 0x42983:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x4298f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x4299e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x429c7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x429d7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost
0.2.confirm order.exe.4322520.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42715:$a: NanoCore 0x42725:$a: NanoCore 0x42959:$a: NanoCore 0x4296d:$a: NanoCore 0x429ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42774:$b: ClientPlugin 0x42976:$b: ClientPlugin 0x429b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x4289b:$c: ProjectData 0x10a82:$d: DESCrypto 0x432a2:$d: DESCrypto 0x1844e:$e: KeepAlive
0.2.confirm order.exe.4322520.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x429ad:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x4296d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x448c6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x427c9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x43fe6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x4299e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x4ce1e:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x44f1e:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x48c11:$b7: LogClientException 0x1266b:$b8: PipeExists 0x44e8b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
0.3.confirm order.exe.42b5770.2.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Click to see the 98 entries

Sigma Signatures

AV Detection

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\confirm order.exe, ProcessId: 1020, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\confirm order.exe, ProcessId: 1020, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\confirm order.exe, ProcessId: 1020, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\confirm order.exe, ProcessId: 1020, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: confirm order.exe	ReversingLabs: Detection: 40%
Source: confirm order.exe	Virustotal: Detection: 48%			Perma Link

Antivirus detection for URL or domain

Source: 146.70.76.43

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: 146.70.76.43

Virustotal: Detection: 6%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	ReversingLabs: Detection: 40%
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Virustotal: Detection: 48%			Perma Link

Yara detected Nanocore RAT

Source: Yara match	File source: 14.2.confirm order.exe.6010000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.confirm order.exe.3f8ff3c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.confirm order.exe.3f94565.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.confirm order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.confirm order.exe.42d2500.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.confirm order.exe.42aa4e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.confirm order.exe.6014629.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.confirm order.exe.6010000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.confirm order.exe.42d2500.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.confirm order.exe.42aa4e0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.confirm order.exe.4322520.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.confirm order.exe.3f8b106.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.confirm order.exe.3f8ff3c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.confirm order.exe.4322520.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.444492363.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.550441938.0000000006010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.532820383.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.453904454.0000000004283000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.545716802.0000000003F72000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: confirm order.exe PID: 5552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: confirm order.exe PID: 1020, type: MEMORYSTR

Machine Learning detection for sample

Source: confirm order.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe

Joe Sandbox ML: detected

Source: 14.0.confirm order.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.2.confirm order.exe.6010000.6.unpack	Avira: Label: TR/NanoCore.fadte

Source: 0000000E.00000002.532820383.0000000002F41000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "6a8dc68c-2ae6-4a66-b5dc-80cfa679", "Group": "jop", "Domain1": "146.70.76.43", "Domain2": "", "Port": 56281, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 9, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Source: confirm order.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: confirm order.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: confirm order.exe, 00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp, confirm order.exe, 00000000.00000002.455433787.00000000057E0000.00000004.08000000.00040000.00000000.sdmp, confirm order.exe, 00000000.00000002.452265867.00000000036D4000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.549759132.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.561422892.00000000040E6000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.549878196.00000000034E4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256w^ source: confirm order.exe, 00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp, confirm order.exe, 00000000.00000002.455433787.00000000057E0000.00000004.08000000.00040000.00000000.sdmp, confirm order.exe, 00000000.00000002.452265867.00000000036D4000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.549759132.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.561422892.00000000040E6000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.549878196.00000000034E4000.00000004.00000800.00020000.00000000.sdmp

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 146.70.76.43 ports 56281,1,2,5,6,8

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs:
Source: Malware configuration extractor	URLs: 146.70.76.43

Source: Joe Sandbox View

ASN Name: TENET-1ZA TENET-1ZA

Source: Joe Sandbox View

IP Address: 146.70.76.43 146.70.76.43

Source: global traffic

TCP traffic: 192.168.2.3:49704 -> 146.70.76.43:56281

Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.76.43
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.76.43
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.76.43
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.76.43
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.76.43
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.76.43
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.76.43
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.76.43
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.76.43

Source: confirm order.exe, 00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp, confirm order.exe, 00000000.00000002.455433787.00000000057E0000.00000004.08000000.00040000.00000000.sdmp, confirm order.exe, 00000000.00000002.452265867.00000000036D4000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.549759132.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.563157770.0000000003B29000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.563162662.0000000004189000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.549878196.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.561455007.00000000040E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: confirm order.exe, 00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp, confirm order.exe, 00000000.00000002.455433787.00000000057E0000.00000004.08000000.00040000.00000000.sdmp, confirm order.exe, 00000000.00000002.452265867.00000000036D4000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.549759132.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.563157770.0000000003B29000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.563162662.0000000004189000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.549878196.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.561455007.00000000040E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: confirm order.exe, 00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp, confirm order.exe, 00000000.00000002.455433787.00000000057E0000.00000004.08000000.00040000.00000000.sdmp, confirm order.exe, 00000000.00000002.452265867.00000000036D4000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.561450504.0000000003A88000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.549759132.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.549878196.00000000034E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: confirm order.exe, 00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp, confirm order.exe, 00000000.00000002.455433787.00000000057E0000.00000004.08000000.00040000.00000000.sdmp, confirm order.exe, 00000000.00000002.452265867.00000000036D4000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.549759132.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.563157770.0000000003B29000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.563162662.0000000004189000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.549878196.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.561455007.00000000040E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: confirm order.exe, 00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp, confirm order.exe, 00000000.00000002.455433787.00000000057E0000.00000004.08000000.00040000.00000000.sdmp, confirm order.exe, 00000000.00000002.452265867.00000000036D4000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.561450504.0000000003A88000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.549759132.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.549878196.00000000034E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: confirm order.exe, 00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp, confirm order.exe, 00000000.00000002.455433787.00000000057E0000.00000004.08000000.00040000.00000000.sdmp, confirm order.exe, 00000000.00000002.452265867.00000000036D4000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.561450504.0000000003A88000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.549759132.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.549878196.00000000034E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: confirm order.exe, 00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp, confirm order.exe, 00000000.00000002.455433787.00000000057E0000.00000004.08000000.00040000.00000000.sdmp, confirm order.exe, 00000000.00000002.452265867.00000000036D4000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.549759132.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.563157770.0000000003B29000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.563162662.0000000004189000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.549878196.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.561455007.00000000040E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: confirm order.exe, 00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp, confirm order.exe, 00000000.00000002.455433787.00000000057E0000.00000004.08000000.00040000.00000000.sdmp, confirm order.exe, 00000000.00000002.452265867.00000000036D4000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.549759132.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.563157770.0000000003B29000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.563162662.0000000004189000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.549878196.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.561455007.00000000040E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: confirm order.exe, 00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp, confirm order.exe, 00000000.00000002.455433787.00000000057E0000.00000004.08000000.00040000.00000000.sdmp, confirm order.exe, 00000000.00000002.452265867.00000000036D4000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.561450504.0000000003A88000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.549759132.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.549878196.00000000034E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: confirm order.exe, 00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp, confirm order.exe, 00000000.00000002.455433787.00000000057E0000.00000004.08000000.00040000.00000000.sdmp, confirm order.exe, 00000000.00000002.452265867.00000000036D4000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.549759132.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.563157770.0000000003B29000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.563162662.0000000004189000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.549878196.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.561455007.00000000040E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Ugtphvhf.exe, 00000010.00000002.549878196.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.563075696.000000000417B000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.561315549.00000000040DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: confirm order.exe, 00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp, confirm order.exe, 00000000.00000002.455433787.00000000057E0000.00000004.08000000.00040000.00000000.sdmp, confirm order.exe, 00000000.00000002.452265867.00000000036D4000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.549759132.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.563157770.0000000003B29000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.563162662.0000000004189000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.549878196.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.561455007.00000000040E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: confirm order.exe, 00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp, confirm order.exe, 00000000.00000002.455433787.00000000057E0000.00000004.08000000.00040000.00000000.sdmp, confirm order.exe, 00000000.00000002.452265867.00000000036D4000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.561450504.0000000003A88000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.549759132.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.549878196.00000000034E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0K
Source: confirm order.exe, 00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp, confirm order.exe, 00000000.00000002.455433787.00000000057E0000.00000004.08000000.00040000.00000000.sdmp, confirm order.exe, 00000000.00000002.452265867.00000000036D4000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.561450504.0000000003A88000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.549759132.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.549878196.00000000034E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: confirm order.exe, 00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp, confirm order.exe, 00000000.00000002.455433787.00000000057E0000.00000004.08000000.00040000.00000000.sdmp, confirm order.exe, 00000000.00000002.452265867.00000000036D4000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.549759132.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.563157770.0000000003B29000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.563162662.0000000004189000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.549878196.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.561455007.00000000040E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: confirm order.exe, 0000000E.00000002.532820383.0000000002F41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: confirm order.exe, 00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp, confirm order.exe, 00000000.00000002.455433787.00000000057E0000.00000004.08000000.00040000.00000000.sdmp, confirm order.exe, 00000000.00000002.452265867.00000000036D4000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.549759132.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.563157770.0000000003B29000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.563162662.0000000004189000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.549878196.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.561455007.00000000040E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: confirm order.exe, 00000000.00000002.447081649.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, confirm order.exe, 00000000.00000002.448397158.0000000003358000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.532893471.00000000029C5000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.532813764.00000000029BC000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.537794657.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.532109090.0000000002981000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.537850084.000000000314B000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.532222883.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.532978281.0000000003025000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.532914557.000000000301C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: confirm order.exe, 00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp, confirm order.exe, 00000000.00000002.455433787.00000000057E0000.00000004.08000000.00040000.00000000.sdmp, confirm order.exe, 00000000.00000002.452265867.00000000036D4000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.561450504.0000000003A88000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.549759132.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.563157770.0000000003B29000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.563162662.0000000004189000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.549878196.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.561455007.00000000040E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: confirm order.exe, 00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp, confirm order.exe, 00000000.00000002.455433787.00000000057E0000.00000004.08000000.00040000.00000000.sdmp, confirm order.exe, 00000000.00000002.452265867.00000000036D4000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.549759132.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.563157770.0000000003B29000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.563162662.0000000004189000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.549878196.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.561455007.00000000040E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.newtonsoft.com/json
Source: Ugtphvhf.exe, 00000010.00000002.549878196.00000000034E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: confirm order.exe, 00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp, confirm order.exe, 00000000.00000002.455433787.00000000057E0000.00000004.08000000.00040000.00000000.sdmp, confirm order.exe, 00000000.00000002.452265867.00000000036D4000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.549759132.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.561422892.00000000040E6000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.549878196.00000000034E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: confirm order.exe, 0000000E.00000002.532820383.0000000002F41000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: 14.2.confirm order.exe.6010000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.confirm order.exe.3f8ff3c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.confirm order.exe.3f94565.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.confirm order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.confirm order.exe.42d2500.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.confirm order.exe.42aa4e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.confirm order.exe.6014629.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.confirm order.exe.6010000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.confirm order.exe.42d2500.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.confirm order.exe.42aa4e0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.confirm order.exe.4322520.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.confirm order.exe.3f8b106.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.confirm order.exe.3f8ff3c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.confirm order.exe.4322520.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.444492363.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.550441938.0000000006010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.532820383.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.453904454.0000000004283000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.545716802.0000000003F72000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: confirm order.exe PID: 5552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: confirm order.exe PID: 1020, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 14.2.confirm order.exe.6010000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.confirm order.exe.6010000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.confirm order.exe.6010000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 14.2.confirm order.exe.3f8ff3c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.confirm order.exe.3f8ff3c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.confirm order.exe.3f8ff3c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 14.2.confirm order.exe.3f94565.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.confirm order.exe.3f94565.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.confirm order.exe.3f94565.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 14.0.confirm order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.0.confirm order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.0.confirm order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.0.confirm order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.confirm order.exe.42d2500.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.confirm order.exe.42d2500.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.confirm order.exe.42d2500.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.confirm order.exe.42d2500.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 14.2.confirm order.exe.5830000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.confirm order.exe.5830000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.confirm order.exe.5830000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.confirm order.exe.42aa4e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.confirm order.exe.42aa4e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.confirm order.exe.42aa4e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.confirm order.exe.42aa4e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 14.2.confirm order.exe.6014629.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.confirm order.exe.6014629.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.confirm order.exe.6014629.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 14.2.confirm order.exe.6010000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.confirm order.exe.6010000.6.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.confirm order.exe.6010000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.confirm order.exe.42d2500.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.confirm order.exe.42d2500.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.confirm order.exe.42d2500.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.confirm order.exe.42d2500.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 14.2.confirm order.exe.2fa9578.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.confirm order.exe.2fa9578.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.confirm order.exe.2fa9578.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.confirm order.exe.42aa4e0.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.confirm order.exe.42aa4e0.2.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.confirm order.exe.42aa4e0.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.confirm order.exe.42aa4e0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.confirm order.exe.4322520.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.confirm order.exe.4322520.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.confirm order.exe.4322520.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.confirm order.exe.4322520.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.confirm order.exe.32e984c.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.confirm order.exe.32e984c.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.confirm order.exe.32e984c.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.confirm order.exe.32e984c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.confirm order.exe.32e984c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.confirm order.exe.32e984c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.confirm order.exe.32e984c.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.confirm order.exe.32e984c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 14.2.confirm order.exe.3f8b106.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.confirm order.exe.3f8b106.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.confirm order.exe.3f8b106.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.confirm order.exe.3f8b106.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 14.2.confirm order.exe.3f8ff3c.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.confirm order.exe.3f8ff3c.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.confirm order.exe.3f8ff3c.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.confirm order.exe.4322520.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.confirm order.exe.4322520.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.confirm order.exe.4322520.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.confirm order.exe.4322520.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.447887037.00000000032BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.447887037.00000000032BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.447887037.00000000032BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000E.00000000.444492363.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000000.444492363.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000000.444492363.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000E.00000002.549837955.0000000005830000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.549837955.0000000005830000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000E.00000002.549837955.0000000005830000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000E.00000002.550441938.0000000006010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.550441938.0000000006010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000E.00000002.550441938.0000000006010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000E.00000002.532820383.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.532820383.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.453904454.0000000004283000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.453904454.0000000004283000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.453904454.0000000004283000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000E.00000002.545716802.0000000003F72000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.545716802.0000000003F72000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: confirm order.exe PID: 5552, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: confirm order.exe PID: 5552, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: confirm order.exe PID: 5552, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: confirm order.exe PID: 1020, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: confirm order.exe PID: 1020, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: confirm order.exe PID: 1020, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: confirm order.exe

.NET source code contains very large array initializations

Source: confirm order.exe, WindowsFormsApp92/Tester.cs	Large array initialization: GetBuffer: array initializer size 786944
Source: Ugtphvhf.exe.0.dr, WindowsFormsApp92/Tester.cs	Large array initialization: GetBuffer: array initializer size 786944
Source: 0.0.confirm order.exe.dd0000.0.unpack, WindowsFormsApp92/Tester.cs	Large array initialization: GetBuffer: array initializer size 786944

Source: confirm order.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 14.2.confirm order.exe.6010000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.confirm order.exe.6010000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.confirm order.exe.6010000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.confirm order.exe.6010000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 14.2.confirm order.exe.3f8ff3c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.confirm order.exe.3f8ff3c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.confirm order.exe.3f8ff3c.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.confirm order.exe.3f8ff3c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 14.2.confirm order.exe.3f94565.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.confirm order.exe.3f94565.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.confirm order.exe.3f94565.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.confirm order.exe.3f94565.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 14.0.confirm order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.0.confirm order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.0.confirm order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.0.confirm order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.0.confirm order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.confirm order.exe.42d2500.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.confirm order.exe.42d2500.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.confirm order.exe.42d2500.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.confirm order.exe.42d2500.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.confirm order.exe.42d2500.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 14.2.confirm order.exe.5830000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.confirm order.exe.5830000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.confirm order.exe.5830000.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.confirm order.exe.5830000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.confirm order.exe.42aa4e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.confirm order.exe.42aa4e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.confirm order.exe.42aa4e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.confirm order.exe.42aa4e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.confirm order.exe.42aa4e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 14.2.confirm order.exe.6014629.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.confirm order.exe.6014629.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.confirm order.exe.6014629.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.confirm order.exe.6014629.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 14.2.confirm order.exe.6010000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.confirm order.exe.6010000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.confirm order.exe.6010000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.confirm order.exe.6010000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.confirm order.exe.42d2500.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.confirm order.exe.42d2500.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.confirm order.exe.42d2500.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.confirm order.exe.42d2500.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.confirm order.exe.42d2500.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 14.2.confirm order.exe.2fa9578.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.confirm order.exe.2fa9578.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.confirm order.exe.2fa9578.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.confirm order.exe.2fa9578.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.confirm order.exe.42aa4e0.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.confirm order.exe.42aa4e0.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.confirm order.exe.42aa4e0.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.confirm order.exe.42aa4e0.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.confirm order.exe.42aa4e0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.confirm order.exe.4322520.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.confirm order.exe.4322520.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.confirm order.exe.4322520.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.confirm order.exe.4322520.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.confirm order.exe.4322520.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.confirm order.exe.32e984c.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.confirm order.exe.32e984c.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.confirm order.exe.32e984c.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.confirm order.exe.32e984c.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.confirm order.exe.32e984c.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.confirm order.exe.32e984c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.confirm order.exe.32e984c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.confirm order.exe.32e984c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.confirm order.exe.32e984c.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.confirm order.exe.32e984c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 14.2.confirm order.exe.3f8b106.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.confirm order.exe.3f8b106.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.confirm order.exe.3f8b106.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.confirm order.exe.3f8b106.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.confirm order.exe.3f8b106.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 14.2.confirm order.exe.3f8ff3c.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.confirm order.exe.3f8ff3c.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.confirm order.exe.3f8ff3c.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.confirm order.exe.3f8ff3c.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.confirm order.exe.4322520.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.confirm order.exe.4322520.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.confirm order.exe.4322520.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.confirm order.exe.4322520.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.confirm order.exe.4322520.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.447887037.00000000032BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.447887037.00000000032BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.447887037.00000000032BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000E.00000000.444492363.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000E.00000000.444492363.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000000.444492363.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000E.00000002.549837955.0000000005830000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000E.00000002.549837955.0000000005830000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000E.00000002.549837955.0000000005830000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000E.00000002.549837955.0000000005830000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000E.00000002.550441938.0000000006010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000E.00000002.550441938.0000000006010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000E.00000002.550441938.0000000006010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000E.00000002.550441938.0000000006010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000E.00000002.532820383.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.532820383.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.453904454.0000000004283000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.453904454.0000000004283000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.453904454.0000000004283000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000E.00000002.545716802.0000000003F72000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.545716802.0000000003F72000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: confirm order.exe PID: 5552, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: confirm order.exe PID: 5552, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: confirm order.exe PID: 5552, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: confirm order.exe PID: 1020, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: confirm order.exe PID: 1020, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: confirm order.exe PID: 1020, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\confirm order.exe	Code function: 0_2_016E0C6F	0_2_016E0C6F
Source: C:\Users\user\Desktop\confirm order.exe	Code function: 0_2_0572AE99	0_2_0572AE99
Source: C:\Users\user\Desktop\confirm order.exe	Code function: 0_2_05722C00	0_2_05722C00
Source: C:\Users\user\Desktop\confirm order.exe	Code function: 0_2_016E5A98	0_2_016E5A98
Source: C:\Users\user\Desktop\confirm order.exe	Code function: 14_2_02D7E480	14_2_02D7E480
Source: C:\Users\user\Desktop\confirm order.exe	Code function: 14_2_02D7E471	14_2_02D7E471
Source: C:\Users\user\Desktop\confirm order.exe	Code function: 14_2_02D7BBD4	14_2_02D7BBD4
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Code function: 15_2_00F23001	15_2_00F23001
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Code function: 15_2_00F25AA8	15_2_00F25AA8
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Code function: 15_2_00F25A98	15_2_00F25A98
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Code function: 15_2_010130C0	15_2_010130C0
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Code function: 15_2_01012C00	15_2_01012C00
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Code function: 15_2_0101AE9B	15_2_0101AE9B

Source: confirm order.exe, 00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs confirm order.exe
Source: confirm order.exe, 00000000.00000003.427323783.0000000001741000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSzmwlcrt.exe" vs confirm order.exe
Source: confirm order.exe, 00000000.00000002.455433787.00000000057E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs confirm order.exe
Source: confirm order.exe, 00000000.00000002.454858923.0000000005650000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAkozwmfugbadgyfrkgna.dll" vs confirm order.exe
Source: confirm order.exe, 00000000.00000003.262094119.0000000004475000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAkozwmfugbadgyfrkgna.dll" vs confirm order.exe
Source: confirm order.exe, 00000000.00000000.252951632.0000000000E94000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSzmwlcrt.exe" vs confirm order.exe
Source: confirm order.exe, 00000000.00000002.452265867.00000000036D4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs confirm order.exe
Source: confirm order.exe, 00000000.00000003.260970859.00000000041F6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAkozwmfugbadgyfrkgna.dll" vs confirm order.exe
Source: confirm order.exe, 0000000E.00000002.532820383.0000000002F41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs confirm order.exe
Source: confirm order.exe, 0000000E.00000002.532820383.0000000002F41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs confirm order.exe
Source: confirm order.exe, 0000000E.00000002.550388497.0000000006000000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs confirm order.exe
Source: confirm order.exe, 0000000E.00000002.550441938.0000000006010000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs confirm order.exe
Source: confirm order.exe, 0000000E.00000002.550441938.0000000006010000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs confirm order.exe
Source: confirm order.exe, 0000000E.00000002.535640943.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs confirm order.exe
Source: confirm order.exe, 0000000E.00000002.545716802.0000000003F72000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs confirm order.exe
Source: confirm order.exe, 0000000E.00000002.545716802.0000000003F72000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs confirm order.exe
Source: confirm order.exe, 0000000E.00000002.545716802.0000000003F72000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs confirm order.exe
Source: confirm order.exe	Binary or memory string: OriginalFilenameSzmwlcrt.exe" vs confirm order.exe

Source: confirm order.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Ugtphvhf.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: confirm order.exe	ReversingLabs: Detection: 40%
Source: confirm order.exe	Virustotal: Detection: 48%

Source: C:\Users\user\Desktop\confirm order.exe

File read: C:\Users\user\Desktop\confirm order.exe

Jump to behavior

Source: confirm order.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\confirm order.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\confirm order.exe "C:\Users\user\Desktop\confirm order.exe"
Source: C:\Users\user\Desktop\confirm order.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANgAwAA==
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\confirm order.exe	Process created: C:\Users\user\Desktop\confirm order.exe C:\Users\user\Desktop\confirm order.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe "C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe "C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe"
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANgAwAA==
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\confirm order.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANgAwAA==	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process created: C:\Users\user\Desktop\confirm order.exe C:\Users\user\Desktop\confirm order.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANgAwAA==	Jump to behavior

Source: C:\Users\user\Desktop\confirm order.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\confirm order.exe

File created: C:\Users\user\AppData\Roaming\Prqhnsx

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5zzuybal.sto.ps1

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@11/10@0/2

Source: C:\Users\user\Desktop\confirm order.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: confirm order.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\confirm order.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2384:120:WilError_01
Source: C:\Users\user\Desktop\confirm order.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{6a8dc68c-2ae6-4a66-b5dc-80cfa679c766}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1652:120:WilError_01

Source: 14.0.confirm order.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 14.0.confirm order.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 14.0.confirm order.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\confirm order.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: confirm order.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: confirm order.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: confirm order.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: confirm order.exe, 00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp, confirm order.exe, 00000000.00000002.455433787.00000000057E0000.00000004.08000000.00040000.00000000.sdmp, confirm order.exe, 00000000.00000002.452265867.00000000036D4000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.549759132.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.561422892.00000000040E6000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.549878196.00000000034E4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256w^ source: confirm order.exe, 00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp, confirm order.exe, 00000000.00000002.455433787.00000000057E0000.00000004.08000000.00040000.00000000.sdmp, confirm order.exe, 00000000.00000002.452265867.00000000036D4000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.549759132.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.561422892.00000000040E6000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.549878196.00000000034E4000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.3.confirm order.exe.44757d0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.confirm order.exe.5650000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.confirm order.exe.44757d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.confirm order.exe.4295750.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.confirm order.exe.5650000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.confirm order.exe.42f5790.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.confirm order.exe.42b5770.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.447081649.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.532222883.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.537850084.000000000314B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.454858923.0000000005650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.262094119.0000000004475000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.532813764.00000000029BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.532914557.000000000301C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.532893471.00000000029C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.532978281.0000000003025000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.532109090.0000000002981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.260970859.00000000041F6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.537794657.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.448397158.0000000003358000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: confirm order.exe PID: 5552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ugtphvhf.exe PID: 5292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ugtphvhf.exe PID: 6072, type: MEMORYSTR

.NET source code contains potential unpacker

Source: confirm order.exe, WindowsFormsApp92/Range.cs	.Net Code: Internet System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: Ugtphvhf.exe.0.dr, WindowsFormsApp92/Range.cs	.Net Code: Internet System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.confirm order.exe.dd0000.0.unpack, WindowsFormsApp92/Range.cs	.Net Code: Internet System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 14.0.confirm order.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.0.confirm order.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\confirm order.exe	Code function: 14_2_02D7D413 push 0000005Dh; retn 0004h		14_2_02D7D485
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Code function: 15_2_04F376D7 push 5D5F5E5Bh; ret		15_2_04F376C9

Source: confirm order.exe

Static PE information: 0xDA13C204 [Sun Dec 9 09:19:00 2085 UTC]

Source: initial sample	Static PE information: section name: .text entropy: 7.847324790581247
Source: initial sample	Static PE information: section name: .text entropy: 7.847324790581247

Source: 14.0.confirm order.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 14.0.confirm order.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

Source: C:\Users\user\Desktop\confirm order.exe

File created: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe

Jump to dropped file

Source: C:\Users\user\Desktop\confirm order.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Ugtphvhf			Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Ugtphvhf			Jump to behavior

Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: confirm order.exe, 00000000.00000002.447081649.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, confirm order.exe, 00000000.00000002.448397158.0000000003358000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.532893471.00000000029C5000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.532813764.00000000029BC000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.537794657.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.532109090.0000000002981000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.537850084.000000000314B000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.532222883.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.532978281.0000000003025000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.532914557.000000000301C000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\confirm order.exe TID: 5736	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 404	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe TID: 1916	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4944	Thread sleep time: -12912720851596678s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\confirm order.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9346	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Window / User API: threadDelayed 9564	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9089	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\confirm order.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Ugtphvhf.exe, 00000010.00000002.528869500.00000000011F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Ugtphvhf.exe, 00000010.00000002.532978281.0000000003025000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: Ugtphvhf.exe, 00000010.00000002.532914557.000000000301C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen"select * from Win32_ComputerSystem
Source: Ugtphvhf.exe, 00000010.00000002.532914557.000000000301C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: confirm order.exe, 0000000E.00000002.528917807.00000000010D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\confirm order.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\confirm order.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Encrypted powershell cmdline option found

Source: C:\Users\user\Desktop\confirm order.exe	Process created: Base64 decoded Start-Sleep -Seconds 60
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process created: Base64 decoded Start-Sleep -Seconds 60
Source: C:\Users\user\Desktop\confirm order.exe	Process created: Base64 decoded Start-Sleep -Seconds 60	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process created: Base64 decoded Start-Sleep -Seconds 60	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\confirm order.exe

Memory written: C:\Users\user\Desktop\confirm order.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\confirm order.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANgAwAA==	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Process created: C:\Users\user\Desktop\confirm order.exe C:\Users\user\Desktop\confirm order.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANgAwAA==	Jump to behavior

Source: confirm order.exe, 0000000E.00000002.537125222.0000000003048000.00000004.00000800.00020000.00000000.sdmp, confirm order.exe, 0000000E.00000002.545181455.0000000003288000.00000004.00000800.00020000.00000000.sdmp, confirm order.exe, 0000000E.00000002.550096606.0000000005EFB000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: confirm order.exe, 0000000E.00000002.542026048.00000000031A6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerHaSk
Source: confirm order.exe, 0000000E.00000002.537125222.0000000003048000.00000004.00000800.00020000.00000000.sdmp, confirm order.exe, 0000000E.00000002.540941892.000000000315E000.00000004.00000800.00020000.00000000.sdmp, confirm order.exe, 0000000E.00000002.542026048.00000000031A6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerx

Source: C:\Users\user\Desktop\confirm order.exe	Queries volume information: C:\Users\user\Desktop\confirm order.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Queries volume information: C:\Users\user\Desktop\confirm order.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\confirm order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Queries volume information: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Queries volume information: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\confirm order.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Nanocore RAT

Source: Yara match	File source: 14.2.confirm order.exe.6010000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.confirm order.exe.3f8ff3c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.confirm order.exe.3f94565.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.confirm order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.confirm order.exe.42d2500.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.confirm order.exe.42aa4e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.confirm order.exe.6014629.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.confirm order.exe.6010000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.confirm order.exe.42d2500.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.confirm order.exe.42aa4e0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.confirm order.exe.4322520.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.confirm order.exe.3f8b106.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.confirm order.exe.3f8ff3c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.confirm order.exe.4322520.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.444492363.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.550441938.0000000006010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.532820383.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.453904454.0000000004283000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.545716802.0000000003F72000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: confirm order.exe PID: 5552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: confirm order.exe PID: 1020, type: MEMORYSTR

Remote Access Functionality

Detected Nanocore Rat

Source: confirm order.exe, 00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: confirm order.exe, 00000000.00000002.447887037.00000000032BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: confirm order.exe, 00000000.00000002.453904454.0000000004283000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: confirm order.exe, 0000000E.00000000.444492363.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: confirm order.exe, 0000000E.00000002.532820383.0000000002F41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: confirm order.exe, 0000000E.00000002.532820383.0000000002F41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: confirm order.exe, 0000000E.00000002.550441938.0000000006010000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: confirm order.exe, 0000000E.00000002.545716802.0000000003F72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: confirm order.exe, 0000000E.00000002.545716802.0000000003F72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Source: Yara match	File source: 14.2.confirm order.exe.6010000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.confirm order.exe.3f8ff3c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.confirm order.exe.3f94565.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.confirm order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.confirm order.exe.42d2500.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.confirm order.exe.42aa4e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.confirm order.exe.6014629.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.confirm order.exe.6010000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.confirm order.exe.42d2500.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.confirm order.exe.42aa4e0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.confirm order.exe.4322520.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.confirm order.exe.3f8b106.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.confirm order.exe.3f8ff3c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.confirm order.exe.4322520.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.444492363.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.550441938.0000000006010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.532820383.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.453904454.0000000004283000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.545716802.0000000003F72000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: confirm order.exe PID: 5552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: confirm order.exe PID: 1020, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 PowerShell	1 Registry Run Keys / Startup Folder	112 Process Injection	1 Masquerading	11 Input Capture	21 Security Software Discovery	Remote Services	11 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Remote Access Software	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	112 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	13 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
confirm order.exe	40%	ReversingLabs	ByteCode-MSIL.Trojan.Woreflint
confirm order.exe	49%	Virustotal		Browse
confirm order.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	40%	ReversingLabs	ByteCode-MSIL.Trojan.Woreflint
C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe	49%	Virustotal		Browse

Unpacked PE Files

Source	Detection	Scanner	Label	Download
14.0.confirm order.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
14.2.confirm order.exe.6010000.6.unpack	100%	Avira	TR/NanoCore.fadte	Download File
0.2.confirm order.exe.32e984c.0.unpack	100%	Avira	HEUR/AGEN.1211686	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
	0%	Avira URL Cloud	safe
http://james.newtonking.com/projects/json	0%	URL Reputation	safe
146.70.76.43	7%	Virustotal		Browse
146.70.76.43	100%	Avira URL Cloud	malware

Name	Malicious	Antivirus Detection	Reputation
	true	Avira URL Cloud: safe	low
146.70.76.43	true	7%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.newtonsoft.com/json	confirm order.exe, 00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp, confirm order.exe, 00000000.00000002.455433787.00000000057E0000.00000004.08000000.00040000.00000000.sdmp, confirm order.exe, 00000000.00000002.452265867.00000000036D4000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.549759132.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.563157770.0000000003B29000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.563162662.0000000004189000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.549878196.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.561455007.00000000040E9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.nuget.org/packages/Newtonsoft.Json.Bson	confirm order.exe, 00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp, confirm order.exe, 00000000.00000002.455433787.00000000057E0000.00000004.08000000.00040000.00000000.sdmp, confirm order.exe, 00000000.00000002.452265867.00000000036D4000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.549759132.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.561422892.00000000040E6000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.549878196.00000000034E4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	confirm order.exe, 00000000.00000002.447081649.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, confirm order.exe, 00000000.00000002.448397158.0000000003358000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.532893471.00000000029C5000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.532813764.00000000029BC000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.537794657.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 0000000F.00000002.532109090.0000000002981000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.537850084.000000000314B000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.532222883.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.532978281.0000000003025000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.532914557.000000000301C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	confirm order.exe, 0000000E.00000002.532820383.0000000002F41000.00000004.00000800.00020000.00000000.sdmp	false		high
http://james.newtonking.com/projects/json	Ugtphvhf.exe, 00000010.00000002.549878196.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.563075696.000000000417B000.00000004.00000800.00020000.00000000.sdmp, Ugtphvhf.exe, 00000010.00000002.561315549.00000000040DB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.newtonsoft.com/jsonschema	Ugtphvhf.exe, 00000010.00000002.549878196.00000000034E4000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
146.70.76.43	unknown	United Kingdom		2018	TENET-1ZA	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	712188
Start date and time:	2022-09-29 01:14:32 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	confirm order.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@11/10@0/2
EGA Information:	Successful, ratio: 33.3%
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 420 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ocsp.digicert.com, ctldl.windowsupdate.com
Execution Graph export aborted for target Ugtphvhf.exe, PID 5292 because it is empty
Execution Graph export aborted for target confirm order.exe, PID 5552 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:15:48	API Interceptor	75x Sleep call for process: powershell.exe modified
01:16:55	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Ugtphvhf "C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe"
01:17:01	API Interceptor	259x Sleep call for process: confirm order.exe modified
01:17:03	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Ugtphvhf "C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
146.70.76.43	QUOTATION.exe	Get hash	malicious	Browse
	New Items for delivery and price target.xlsx	Get hash	malicious	Browse
	Deposit Invoice.xlsx	Get hash	malicious	Browse
	xHcqSleCzN.exe	Get hash	malicious	Browse
	vbc1.exe	Get hash	malicious	Browse
	Deposit Invoice.xlsx	Get hash	malicious	Browse
	Scan01.exe	Get hash	malicious	Browse
	PO - Drawings And Specifications Sheet_pdf.scr.exe	Get hash	malicious	Browse
	Document..exe	Get hash	malicious	Browse
	Payment confirmation .exe	Get hash	malicious	Browse
	DHL Documents For Delivery.exe	Get hash	malicious	Browse
	Payment confirmation .exe	Get hash	malicious	Browse
	Payment confirmation .exe	Get hash	malicious	Browse
	Payment confirmation .exe	Get hash	malicious	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TENET-1ZA	updx64.exe	Get hash	malicious	Browse	146.70.44.202
	RFQ852352-006420025_rev001.exe	Get hash	malicious	Browse	146.70.79.5
	04350035-219978.png.exe	Get hash	malicious	Browse	146.70.79.13
	UDeAF2I4uY.elf	Get hash	malicious	Browse	143.128.154.67
	V5UFmf8KNR.elf	Get hash	malicious	Browse	146.70.34.134
	MziZlZn6L5.elf	Get hash	malicious	Browse	146.239.92.31
	chi.arm4.elf	Get hash	malicious	Browse	102.36.195.108
	5r53b4ErLL.elf	Get hash	malicious	Browse	146.239.92.90
	QQlbAyRysQ.elf	Get hash	malicious	Browse	163.200.213.238
	p4GiIKtK0z.exe	Get hash	malicious	Browse	146.70.101.95
	tLXBiZMcFJ.elf	Get hash	malicious	Browse	146.239.92.25
	i486-20220921-0518.elf	Get hash	malicious	Browse	155.238.0.66
	WZNMjssb6P.dll	Get hash	malicious	Browse	146.236.123.206
	Open Invoices20220919.js	Get hash	malicious	Browse	146.70.115.139
	LnmjLw9OzN.elf	Get hash	malicious	Browse	143.128.110.31
	nI6KZJwloM.elf	Get hash	malicious	Browse	143.128.110.22
	OA3GSLgaBx.exe	Get hash	malicious	Browse	146.70.79.5
	3FYya5d6I7.elf	Get hash	malicious	Browse	155.232.3.109
	62mQjXYYKG.elf	Get hash	malicious	Browse	146.239.195.202
	RV1ohxohke.exe	Get hash	malicious	Browse	146.70.101.97

Process:	C:\Users\user\Desktop\confirm order.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1039
Entropy (8bit):	5.3436815157474165
Encrypted:	false
SSDEEP:	24:ML9E4Ks2wKDE4KhK3VZ9pKhyE4KdE4KBLWE4K5AE4Kzr7a:MxHKXwYHKhQnoyHKdHKBqHK5AHKzva
MD5:	6C24176D343957C767AA6536571797FA
SHA1:	64512F67A49AF75E9A67474DF54FCCD3472905B2
SHA-256:	63AB82B5B458425DB1E0831E1BB8CA642C602D9BCB0762A1E47C7836CACF3350
SHA-512:	D0DFB30B723CC1F0ADB8D9448220AC67A1A21243499B7EB31402CAA0CE9F6A892073E10C52D132E59BF2321F05DBB0973B7E1026023992FC33DE5AB74A6979A4
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"System.Numerics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\34957343ad5d84daee97a1affda91665\System.Runtime.Serialization.ni.dll",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b880

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	5829
Entropy (8bit):	4.8968676994158
Encrypted:	false
SSDEEP:	96:WCJ2Woe5o2k6Lm5emmXIGvgyg12jDs+un/iQLEYFjDaeWJ6KGcmXx9smyFRLcU6f:5xoe5oVsm5emd0gkjDt4iWN3yBGHh9s6
MD5:	36DE9155D6C265A1DE62A448F3B5B66E
SHA1:	02D21946CBDD01860A0DE38D7EEC6CDE3A964FC3
SHA-256:	8BA38D55AA8F1E4F959E7223FDF653ABB9BE5B8B5DE9D116604E1ABB371C1C87
SHA-512:	C734ADE161FB89472B1DF9B9F062F4A53E7010D3FF99EDC0BD564540A56BC35743625C50A00635C31D165A74DCDBB330FFB878C5919D7B267F6F33D2AAB328E7
Malicious:	false
Preview:	PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	16496
Entropy (8bit):	5.551918786062227
Encrypted:	false
SSDEEP:	384:cte/cX0w99dEtxT8wnwSBx2u9FiJ9giSJ3uzp1UYv:cEvTZw4cu9picudv
MD5:	88C6EE654500840B8E087B519FBE988D
SHA1:	E28F65A25C048A90228F9EDF8C4A2DE4F35F2A6C
SHA-256:	63C122DE2BA73E9F2CE94D48F4D9F1459BC1638C964B491504E9814FA1A3319E
SHA-512:	FCD7A9867AB7EA689B84F73D4D61F2B1C6216458AB3A62BE712FA8B629FD6C793B50BB0D90D366469F29C62A2CFD50DC25096E5883F90B000200EBB2D7E258C3
Malicious:	false
Preview:	@...e...............................:.c..............@..........H...............<@.^.L."My...:'..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.............System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5zzuybal.sto.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dygobxst.ufu.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f2arnmm1.jms.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yxgpca1x.l0u.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Download File

Process:	C:\Users\user\Desktop\confirm order.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.75
Encrypted:	false
SSDEEP:	3:R:R
MD5:	AB8F38A645A923E8D95756E195EEACD1
SHA1:	6BFB7C2285D899A581993B3BAC912375BD55E71D
SHA-256:	0DC4B51B1A57A5DACD962B5FC7C7F52468E5C6861D9D9FD510272723AF26F567
SHA-512:	D266ADB99DFB589F5D13F3E6822EF8395DB557B5DF9B8B990DC957AF07253DAC32EA15147879E11E8FDBA32E536A0EF26D769F6C642D79427C6BCF6C3072EA51
Malicious:	true
Preview:	.q...H

C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe

Download File

Process:	C:\Users\user\Desktop\confirm order.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	983552
Entropy (8bit):	7.692774803542058
Encrypted:	false
SSDEEP:	24576:7iqtFNQVaIo1AMOJ2ySwNvxrRoi+EGbI5eOR:7iqvyYKMdyS6vxj+Ern
MD5:	E5E6A926238DFECD931967194FF92BF4
SHA1:	B233228269367904BB0EE23B0B47FABF50BA5DF2
SHA-256:	219EEB73337CB0CB6B1E4AF6093AF3C0F4BEF72AF443BE61ADF1B2DC7EAF9063
SHA-512:	A08A5E0A58981A77108AED095F5CCA7B37565EA470079DC6E7F4D462633D080421387159E885E20001F7AD9B28E73E62FC6021A450B543EC61FD19D63F160C79
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 40% Antivirus: Virustotal, Detection: 49%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ...@....@.. .......................`............@..................................-..O....@.......................@.......-............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......@......................@..B.................-......H........!...............................................................(....~s....s....s....(....(....(......(......0..+....... .........%.....(....(....%-.&...-.s....z...0..0........(....o....o....s...... .Zb.o........,..o...............$........(.....0..:.......s.......+..(.....(.....i]....a.o......X....i2..o....%-.&.B(....r...po....B(....(....o......(....Fs....%(....}.....s....%.{....t....r...po ...ri..po!...}......(....R.{....t".....o"...&..(....*.BSJB....

C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\confirm order.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.692774803542058
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	confirm order.exe
File size:	983552
MD5:	e5e6a926238dfecd931967194ff92bf4
SHA1:	b233228269367904bb0ee23b0b47fabf50ba5df2
SHA256:	219eeb73337cb0cb6b1e4af6093af3c0f4bef72af443be61adf1b2dc7eaf9063
SHA512:	a08a5e0a58981a77108aed095f5cca7b37565ea470079dc6e7f4d462633d080421387159e885e20001f7ad9b28e73e62fc6021a450b543ec61fd19d63f160c79
SSDEEP:	24576:7iqtFNQVaIo1AMOJ2ySwNvxrRoi+EGbI5eOR:7iqvyYKMdyS6vxj+Ern
TLSH:	6C25E1643D0C075AEACD0EB69E0057DE4EEE5D9F2E384F44BBC09EFE66425D621C0A49
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ...@....@.. .......................`............@................................

File Icon


Icon Hash:	f8d8d0f0c0d0c0c0

Static PE Info

General

Entrypoint:	0x402e0e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xDA13C204 [Sun Dec 9 09:19:00 2085 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
sbb al, 2Fh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2dbc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x2ebdc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2da0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc1014	0xc1200	False	0.8617579389158576	SysEx File -	7.847324790581247	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc4000	0x2ebdc	0x2ec00	False	0.34225643382352944	data	5.865926020313647	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf4000	0xc	0x200	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xc4200	0x6c1c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0xcae2c	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584
RT_ICON	0xdb664	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016
RT_ICON	0xe4b1c	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600
RT_ICON	0xe9fb4	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896
RT_ICON	0xee1ec	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600
RT_ICON	0xf07a4	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224
RT_ICON	0xf185c	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400
RT_ICON	0xf21f4	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088
RT_GROUP_ICON	0xf266c	0x84	data
RT_VERSION	0xf2700	0x2dc	data
RT_MANIFEST	0xf29ec	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 29, 2022 01:17:04.084417105 CEST	49704	56281	192.168.2.3	146.70.76.43
Sep 29, 2022 01:17:07.096297979 CEST	49704	56281	192.168.2.3	146.70.76.43
Sep 29, 2022 01:17:13.112474918 CEST	49704	56281	192.168.2.3	146.70.76.43
Sep 29, 2022 01:17:24.277153015 CEST	49705	56281	192.168.2.3	146.70.76.43
Sep 29, 2022 01:17:27.426295042 CEST	49705	56281	192.168.2.3	146.70.76.43
Sep 29, 2022 01:17:33.426664114 CEST	49705	56281	192.168.2.3	146.70.76.43
Sep 29, 2022 01:17:44.852468014 CEST	49706	56281	192.168.2.3	146.70.76.43
Sep 29, 2022 01:17:47.912234068 CEST	49706	56281	192.168.2.3	146.70.76.43
Sep 29, 2022 01:17:53.912755966 CEST	49706	56281	192.168.2.3	146.70.76.43

Target ID:	0
Start time:	01:15:28
Start date:	29/09/2022
Path:	C:\Users\user\Desktop\confirm order.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\confirm order.exe"
Imagebase:	0xdd0000
File size:	983552 bytes
MD5 hash:	E5E6A926238DFECD931967194FF92BF4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.447081649.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.447887037.00000000032BD000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: NanoCore, Description: unknown, Source: 00000000.00000002.447887037.00000000032BD000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.447887037.00000000032BD000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.454452204.0000000004322000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.454858923.0000000005650000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000003.262094119.0000000004475000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.453904454.0000000004283000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.453904454.0000000004283000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.453904454.0000000004283000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.453904454.0000000004283000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000003.260970859.00000000041F6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.448397158.0000000003358000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	01:15:41
Start date:	29/09/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANgAwAA==
Imagebase:	0x10000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Target ID:	2
Start time:	01:15:41
Start date:	29/09/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	14
Start time:	01:16:58
Start date:	29/09/2022
Path:	C:\Users\user\Desktop\confirm order.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\confirm order.exe
Imagebase:	0x9b0000
File size:	983552 bytes
MD5 hash:	E5E6A926238DFECD931967194FF92BF4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000000.444492363.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000000.444492363.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000000.444492363.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000E.00000000.444492363.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.549837955.0000000005830000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.549837955.0000000005830000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000E.00000002.549837955.0000000005830000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000E.00000002.549837955.0000000005830000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.550441938.0000000006010000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.550441938.0000000006010000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.550441938.0000000006010000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000E.00000002.550441938.0000000006010000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000E.00000002.550441938.0000000006010000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.532820383.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.532820383.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000E.00000002.532820383.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.545716802.0000000003F72000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.545716802.0000000003F72000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000E.00000002.545716802.0000000003F72000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	15
Start time:	01:17:03
Start date:	29/09/2022
Path:	C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe"
Imagebase:	0x510000
File size:	983552 bytes
MD5 hash:	E5E6A926238DFECD931967194FF92BF4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000F.00000002.532813764.00000000029BC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000F.00000002.532893471.00000000029C5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000F.00000002.532109090.0000000002981000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000F.00000002.537794657.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 40%, ReversingLabs Detection: 49%, Virustotal, Browse
Reputation:	low

Show Windows behavior

Target ID:	16
Start time:	01:17:12
Start date:	29/09/2022
Path:	C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe"
Imagebase:	0xb30000
File size:	983552 bytes
MD5 hash:	E5E6A926238DFECD931967194FF92BF4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000010.00000002.532222883.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000010.00000002.537850084.000000000314B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000010.00000002.532914557.000000000301C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000010.00000002.532978281.0000000003025000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	17
Start time:	01:17:24
Start date:	29/09/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANgAwAA==
Imagebase:	0x10000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Target ID:	18
Start time:	01:17:24
Start date:	29/09/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Function 0572AE99 Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58177e0770b0cb2c0b266eea1541d51d1efe6a7f060f2c4a1beab3ef74644caa
Instruction ID: 005ed3cfe7f923db0ce0ac3ad5bf3faedc960fe627e875df2837c0575836c2ce
Opcode Fuzzy Hash: 58177e0770b0cb2c0b266eea1541d51d1efe6a7f060f2c4a1beab3ef74644caa
Instruction Fuzzy Hash: 06D179B4B042218FCB28DF79C49492DF3E2FF8921471589AAD50ACB762CBB4DC46DB51

Uniqueness

Uniqueness Score: -1.00%

Function 016E42E0 Relevance: 2.8, Strings: 2, Instructions: 319COMMON

Download Yara Rule

Strings

g$l, xrefs: 016E432B
hC$l, xrefs: 016E43D3

Memory Dump Source

Source File: 00000000.00000002.446331964.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_confirm order.jbxd

Similarity

API ID:
String ID: hC$l$g$l
API String ID: 0-4116688963
Opcode ID: d29934a3bc841ba5cf10ee66f33edb50ff27804548d7028f86af9f72250cc937
Instruction ID: a18481c5a3c36a091002d59a1367ec85846288afe0902a7052ea5200522a93b3
Opcode Fuzzy Hash: d29934a3bc841ba5cf10ee66f33edb50ff27804548d7028f86af9f72250cc937
Instruction Fuzzy Hash: 05A1C27470A205CFEB65AA7D8C5852E7AD2EFC5514712426AC613CFBA9EF30CD038762

Uniqueness

Uniqueness Score: -1.00%

Function 05724FAF Relevance: 1.9, Strings: 1, Instructions: 687COMMON

Download Yara Rule

Strings

hC$l, xrefs: 05725829

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID: hC$l
API String ID: 0-417791932
Opcode ID: cac7570482ce5cb4f9167b8bbd0adcbfd54097687d4205cbf3387c385776c36c
Instruction ID: 2d35e66eb1d2228dd422ab026669046362bf0a6687398903287527600f37f73d
Opcode Fuzzy Hash: cac7570482ce5cb4f9167b8bbd0adcbfd54097687d4205cbf3387c385776c36c
Instruction Fuzzy Hash: A1528970A042188FCB04DFA9C484AADB7F2FF88314F158569E506AF3A5DB30ED46DB91

Uniqueness

Uniqueness Score: -1.00%

Function 016EEA50 Relevance: 1.5, Strings: 1, Instructions: 252COMMON

Download Yara Rule

Strings

d, xrefs: 016EEC58

Memory Dump Source

Source File: 00000000.00000002.446331964.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_confirm order.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: a4e9ea7e3cf6ea972afdcd6749595d450a3ab2a7fcba2c4d4574b22ed0427204
Instruction ID: dd23f57b1ab65955e52e20d7a5161f685e106dde4fb1331704e88cdf59a6be3a
Opcode Fuzzy Hash: a4e9ea7e3cf6ea972afdcd6749595d450a3ab2a7fcba2c4d4574b22ed0427204
Instruction Fuzzy Hash: 52B11574A0021ACFCF14CF98C9849AAB7F2FF88314B158695D915AB356D735EC52CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 016E05B0 Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

`#l, xrefs: 016E05BA

Memory Dump Source

Source File: 00000000.00000002.446331964.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_confirm order.jbxd

Similarity

API ID:
String ID: `#l
API String ID: 0-1636341610
Opcode ID: 79e4070908c97747a4bb92f6f4d27cb43b08f6438687d85e65a4f64942cf359a
Instruction ID: dd15bb14bfc094b07bff39efdca03b5c2f15012d88906ddd1188e0ab9c58b204
Opcode Fuzzy Hash: 79e4070908c97747a4bb92f6f4d27cb43b08f6438687d85e65a4f64942cf359a
Instruction Fuzzy Hash: F83126703062208FC705DF79DD58A2A7BF6EFC921471586AAE009CB7A2DB70DC05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 016E0539 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

`#l, xrefs: 016E05BA

Memory Dump Source

Source File: 00000000.00000002.446331964.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_confirm order.jbxd

Similarity

API ID:
String ID: `#l
API String ID: 0-1636341610
Opcode ID: 0c386cd64af11e94e1bda3cfc68bf1570e38a2a4e4d4d9a5440d5553cf7aa9fe
Instruction ID: d328f7c3db343d14799d129b5a982cbe1615748c801980aecbb31010cd1bdd26
Opcode Fuzzy Hash: 0c386cd64af11e94e1bda3cfc68bf1570e38a2a4e4d4d9a5440d5553cf7aa9fe
Instruction Fuzzy Hash: E831D1707012218FC70A9B79DD58AAE7BE3EFC92047198179E409CB792DB74DC05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05726A88 Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

2, xrefs: 05726B20

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID: 2
API String ID: 0-450215437
Opcode ID: e3a848ccc6f0e409070df3218bd1671707ac69883f6f1a86120d0b3f51217a87
Instruction ID: 6beaa23f0eafc7d124b776f1483523c9622b9e301fd997848536fb87c032dc54
Opcode Fuzzy Hash: e3a848ccc6f0e409070df3218bd1671707ac69883f6f1a86120d0b3f51217a87
Instruction Fuzzy Hash: 17316B75A01218EFCF05DFA8E8509EEBBB6FF48310F10812AE815E7350DB31AA15DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0572B950 Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 915e6adc2a1cd3910e1a0b3a6da703fac0c7db7f81e94021f4d5cb31fdfa0b2b
Instruction ID: 0a67cfbd4f362e46b1bd9328b07b8690dc589dd62d873496923a0109ad3313fe
Opcode Fuzzy Hash: 915e6adc2a1cd3910e1a0b3a6da703fac0c7db7f81e94021f4d5cb31fdfa0b2b
Instruction Fuzzy Hash: 73F1CE74B042218FCB28DF69C494A7DB7F2FF88210B1585AAE50ADB3A1CB34DC46DB55

Uniqueness

Uniqueness Score: -1.00%

Function 0572B393 Relevance: .4, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaed0c7ba982c2d4a2afc5160ae322390ee07092d8687f0d001d8fb6d8d288f7
Instruction ID: c2a61ec3ffd6b5e4c25ee6d31277d745ef1ef37d8ff124b000c0c7c13a222d79
Opcode Fuzzy Hash: aaed0c7ba982c2d4a2afc5160ae322390ee07092d8687f0d001d8fb6d8d288f7
Instruction Fuzzy Hash: CAF1AE74B042258FCB28DF68C494A7DB7F2FF88314B1584AAE50ADB761CB34DC469B51

Uniqueness

Uniqueness Score: -1.00%

Function 05728630 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54c6fbf22f6f1f954c6bae25f99e8baa57de92a7c837ad3c6aa8c922a3dd57cb
Instruction ID: 2bb63efd80450ffd2d155b80935005c859f6e5f0f0ea10c864d08e67105056ea
Opcode Fuzzy Hash: 54c6fbf22f6f1f954c6bae25f99e8baa57de92a7c837ad3c6aa8c922a3dd57cb
Instruction Fuzzy Hash: DDE11A75B002289FCB14DFA8D994AADBBF2BF48300F158069E906EB364DB31DD41DB51

Uniqueness

Uniqueness Score: -1.00%

Function 05724348 Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 602c0ecaed889ca64b4f16ebe6eba069db91bfb4a864624debaec0bd7e4301cc
Instruction ID: 8810e59aa2b64b2bb00e4563f924cd6906aeff85755b5823de93d81d4ed8853a
Opcode Fuzzy Hash: 602c0ecaed889ca64b4f16ebe6eba069db91bfb4a864624debaec0bd7e4301cc
Instruction Fuzzy Hash: 3CD1BB30B042199FCF18DF69C854AAEB7F3FF88254F218569E905AB354DB31AD41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05729B50 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44b41f21438752065e0209b7ffbeca9c77dcf7361a3f27bda25a34b661dd7e53
Instruction ID: b74255fd5bb27e68e3344e30636fc302ea529ea2f12b5a5bfb3227bcfd2e38c2
Opcode Fuzzy Hash: 44b41f21438752065e0209b7ffbeca9c77dcf7361a3f27bda25a34b661dd7e53
Instruction Fuzzy Hash: 7BC1BE75B042218FCB28DF69C490579F7E2FF88214F298569D60ACB391CB74DC86DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0572DF38 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47b74b08f5befb7d222825b1f61d253550f526be01ead44bf4a102d8987ec5ab
Instruction ID: 4ca83a80a48851236f012f8e4c4e5ddb6faaec252d31e3f7199d0be815708e35
Opcode Fuzzy Hash: 47b74b08f5befb7d222825b1f61d253550f526be01ead44bf4a102d8987ec5ab
Instruction Fuzzy Hash: 93A1F77570C2718FC729D72DC814A3AB7E7EF85220B1984BAD90ACF352DA31DC429756

Uniqueness

Uniqueness Score: -1.00%

Function 05720F38 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9065589b7864cd132a020e270e7d46066ac7cb0695936bb042688438f8e29e8a
Instruction ID: 8ca77fc75efce617609f932cf4e53f73a90b97676b4cfb961cd45f122ed03a5c
Opcode Fuzzy Hash: 9065589b7864cd132a020e270e7d46066ac7cb0695936bb042688438f8e29e8a
Instruction Fuzzy Hash: A3B15875A04645CFCB14CF69C9849AAFBF2FF88314B25869AE409DB366D730ED41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 057265F7 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae7ee5a4d83913044687d0a27c69de4476c967b61a65e872ff78d9070c813b67
Instruction ID: c6d1e9a55191dc9a0dc6e596332ded657150b5185bea18e5cb5acc08f4576a34
Opcode Fuzzy Hash: ae7ee5a4d83913044687d0a27c69de4476c967b61a65e872ff78d9070c813b67
Instruction Fuzzy Hash: 18B17C70A002189FDB15DFA4C554BADBBF2FF48304F25815AD902AB3A4CF75AD85DB80

Uniqueness

Uniqueness Score: -1.00%

Function 05720A18 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8cb338d6fbe38b2ba1d3448bd04c28ac28bffe645533f91af152fc010a2ef26
Instruction ID: 867c96578ef03ca74dc5c27129c1e6eb83a003b958cc6a24f22ea10badc72f30
Opcode Fuzzy Hash: b8cb338d6fbe38b2ba1d3448bd04c28ac28bffe645533f91af152fc010a2ef26
Instruction Fuzzy Hash: 0491AC717042149FCB24DFA8C858AAEBBF6BF88314B158569E50ADB750DB34EC05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 057259A1 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65b2ac2c94562e44e6af05fa3061d3ee95abe0a115f7238121858c2c23553cb7
Instruction ID: c97c3769048f58985ee6b218a06d563df8b2e9cf85809f15b96128e152b7dc20
Opcode Fuzzy Hash: 65b2ac2c94562e44e6af05fa3061d3ee95abe0a115f7238121858c2c23553cb7
Instruction Fuzzy Hash: 50A14E31A042659FCB14DFA8D884EAEBBF2FF49214F168169E505EB365DB30EC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05723D30 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 448439e152454b04f0f20eacc5b2ba79991a51c4bc1916c147ef9ee4b776afaa
Instruction ID: cfcb4851522c0f1f34acd1a58505ab76fd036e0947a354fc300686d53a74b9ee
Opcode Fuzzy Hash: 448439e152454b04f0f20eacc5b2ba79991a51c4bc1916c147ef9ee4b776afaa
Instruction Fuzzy Hash: 35811531B046258FCB25DF68D8506BEB7B2FFC9210F14896ED1569B391CB389C0ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 05725FC0 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8935bd50a71fbae23b8105a168c2f9f43065c40e46fc8ecefd018859b0680793
Instruction ID: e4d87c7687b93e0698e6ae09830ff9c9e50ebcc61e80a21f4dac36c2a714ad95
Opcode Fuzzy Hash: 8935bd50a71fbae23b8105a168c2f9f43065c40e46fc8ecefd018859b0680793
Instruction Fuzzy Hash: 41A1CF30A04226CFCB25DFA9C54496EBBF2FF85314B1185AEC056AB352CB35EC09DB95

Uniqueness

Uniqueness Score: -1.00%

Function 0572861F Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4292b22d55593aca10efaf94aeaa8a33d3b9f363668929e0bd3c3755871bf51f
Instruction ID: edf85db10e7e806de7992091e259b7f09be6d5a35da09cdd050f38271f16386f
Opcode Fuzzy Hash: 4292b22d55593aca10efaf94aeaa8a33d3b9f363668929e0bd3c3755871bf51f
Instruction Fuzzy Hash: EFA10B75A00224DFCB18DFA8D994AADB7F6BF88300F158169E806EB365DB31DC42DB51

Uniqueness

Uniqueness Score: -1.00%

Function 0572A9C8 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0101b116bfaeeb1a1d1c5cdb5fd9ee127910471a8c68aaa425125d07d389b9f7
Instruction ID: e8e6ad4dc9eb986a213f0eaf8abe0ff2c217efbafb770926c7b54af8be41e591
Opcode Fuzzy Hash: 0101b116bfaeeb1a1d1c5cdb5fd9ee127910471a8c68aaa425125d07d389b9f7
Instruction Fuzzy Hash: 227135317086718FCB2ADB68C91056EBBF2BF81214B09C5AEC40ADB352CB719D49DBD5

Uniqueness

Uniqueness Score: -1.00%

Function 05722158 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b62c9f57b9a0b84da83ccac17f93a47ad7ed38a45d9a4c9680b1e59dcb6bf51
Instruction ID: 5cbc095dbf17dc3f6003ea5f6d67dd667eec8e8951a8d4dc5c17e88df90cd546
Opcode Fuzzy Hash: 9b62c9f57b9a0b84da83ccac17f93a47ad7ed38a45d9a4c9680b1e59dcb6bf51
Instruction Fuzzy Hash: DA81D435E04225AFCB25CFA8D8849ADFBB2FF89320B15816AE915E7352C735DC41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 05727498 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d60e7177c8973b1ffe1527a6be5576bc5f71170ccae1fabc678baaf2368561d8
Instruction ID: 8c23290e62331c57a4188c7e2a8be4ea416d89dfa2f80fe32a38933f95be2b8c
Opcode Fuzzy Hash: d60e7177c8973b1ffe1527a6be5576bc5f71170ccae1fabc678baaf2368561d8
Instruction Fuzzy Hash: 4781E4346081369FCB19DB60CA44BACB6E3FB94340F15456CC507AF3A0EB755C45E766

Uniqueness

Uniqueness Score: -1.00%

Function 0572746F Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed40838b24c96af5aee9b2fed1c6396a21c083bc220e569e599f6806d8b9d9e8
Instruction ID: e569da5be46cc7187cbc1b788c6d93f53fffc80e49d971214c96ff2fa03ded59
Opcode Fuzzy Hash: ed40838b24c96af5aee9b2fed1c6396a21c083bc220e569e599f6806d8b9d9e8
Instruction Fuzzy Hash: 207123349081369FCB19EB70CA84AACB6E3FB54390F15456CC506AF361EBB15C05E7A6

Uniqueness

Uniqueness Score: -1.00%

Function 0572A490 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 893e798adc97d9d377a7a9c07a9728248e972da36abaaae56a3dfd7f183e46bc
Instruction ID: b3725dc7df2e030434af1678164e8c513cfad22ade297953e9d104f4d0366ec1
Opcode Fuzzy Hash: 893e798adc97d9d377a7a9c07a9728248e972da36abaaae56a3dfd7f183e46bc
Instruction Fuzzy Hash: 065128317082218FCB28DB2ED45492AB7E2EF85229715C4BED10ECB766DBB2DC078745

Uniqueness

Uniqueness Score: -1.00%

Function 057215A0 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea9649b0b85f99b21f93b8f4e5bc6cb0668ce14c20193b84c9f11db84401ee7f
Instruction ID: 20283fb9e7b093b6a57ad64f8e3fa6dc36823185ebf57bf3164bcd343e379ee4
Opcode Fuzzy Hash: ea9649b0b85f99b21f93b8f4e5bc6cb0668ce14c20193b84c9f11db84401ee7f
Instruction Fuzzy Hash: A151C1316086649FCB25DFA8C884AAFBBF2BF85304F44895DE5429B740CB31F945DB91

Uniqueness

Uniqueness Score: -1.00%

Function 05720500 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abf6a1ea61a38343c59e59a3d1b7f172507856966056f4e69783e931b6179273
Instruction ID: e7f5d43226b634b86cb92eeec75da9a75631d9abd46fee8f1f0728a7e1c946df
Opcode Fuzzy Hash: abf6a1ea61a38343c59e59a3d1b7f172507856966056f4e69783e931b6179273
Instruction Fuzzy Hash: C35128316086619FC705DB6AC85897DBBF1FF8A21471981EEE409CB362C721AC01D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 05725EA0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43b304c346a39d26dc57cd6450b8623fa252daded9ab56bfeb23bf64fd438425
Instruction ID: 5739089110a76720a4600959699e073a4f615ecb3becdb642616e2db4e607b9b
Opcode Fuzzy Hash: 43b304c346a39d26dc57cd6450b8623fa252daded9ab56bfeb23bf64fd438425
Instruction Fuzzy Hash: D65125716086719FC726CB24C4409B8FBB2EF82314729C6AAD5599F642C732EC47DBD4

Uniqueness

Uniqueness Score: -1.00%

Function 0572ACEF Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b5d7a54c2a25ccf312895ae102483fe5321b6728a7c7f6eb1a1907978ef3bf1
Instruction ID: bfa44e6889720b31bc7e641240306d80a2c59a9db6bf5155d7031faf9e1fc284
Opcode Fuzzy Hash: 9b5d7a54c2a25ccf312895ae102483fe5321b6728a7c7f6eb1a1907978ef3bf1
Instruction Fuzzy Hash: E9411F397042308FCB199B79D41457CB3E2EFC962172588BED10ACB761DEB5CC4A9790

Uniqueness

Uniqueness Score: -1.00%

Function 05724230 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a203680385a499e472639b4df07703cbf795b777a8d4f8164c35ec36a8a88b3
Instruction ID: 71e179416580a5523cd0afbe51d620ea204305bdcacb861c2fa77f1e3481b9d8
Opcode Fuzzy Hash: 6a203680385a499e472639b4df07703cbf795b777a8d4f8164c35ec36a8a88b3
Instruction Fuzzy Hash: CC41C035A093559FCB15CF69C850DAAFBF6FF86260B15C0AEE448DB252D730E805CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05724090 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7be5f7b5b08a9a54fe3698892de5ab7d3b2a2fff024603fc4b74cdea096dd670
Instruction ID: f28c95337a7220b742bff04843f0a86845b7886c7f9a13bfdc5ee95b885c777d
Opcode Fuzzy Hash: 7be5f7b5b08a9a54fe3698892de5ab7d3b2a2fff024603fc4b74cdea096dd670
Instruction Fuzzy Hash: F53125313093705FCB2AA73998244AE7BA3AFE355470641AEC906DF342CF169C0693E6

Uniqueness

Uniqueness Score: -1.00%

Function 057245D0 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f61e0db5b2116c2bae1dd10c58359354ae2ccef3ae8e00919a5b77e2c117e2ed
Instruction ID: fe6ab6fdd07ceb310a63e72eb136953a635442b0e89ca9afedf2fa10cc464797
Opcode Fuzzy Hash: f61e0db5b2116c2bae1dd10c58359354ae2ccef3ae8e00919a5b77e2c117e2ed
Instruction Fuzzy Hash: 8D51F934A002099FCB14DF69C984A9DBBF2FF8C304F2586A9D405AB365DB71AD45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05726340 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2a911e4ce81cb9b5416b660e6eda5966f518748fc7dbcf281170a9929837c6a
Instruction ID: b035e93c6cd8b146a098b03a3d0a030d66ec7c765dc9a2ca5ab98b52281d92a5
Opcode Fuzzy Hash: a2a911e4ce81cb9b5416b660e6eda5966f518748fc7dbcf281170a9929837c6a
Instruction Fuzzy Hash: 76416F75E10319DFCB14CFA5C944AADBBB2FF88310F11826AD406AB355EF70A846DB40

Uniqueness

Uniqueness Score: -1.00%

Function 05721868 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb1a61ea606e28ea6f9f818615c8b1ed30d9522930567f4fcb89065ca134c12f
Instruction ID: db064c29f0b43da3ce18186856cf722957dcc9ac0ab630a12abb75eb3ffdefbd
Opcode Fuzzy Hash: eb1a61ea606e28ea6f9f818615c8b1ed30d9522930567f4fcb89065ca134c12f
Instruction Fuzzy Hash: 9B412936A04258AFCB11CFA5C8049AEBFF2FF49310F1580A6E945D7361C7369D12EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05724048 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b4ef15892f72eccdf9566cd361f771805639a9d038499b0a006740270abebd8
Instruction ID: 70092eb10976613747d3d72dab6b3decec6dbe26fe174a697d147d47fab94578
Opcode Fuzzy Hash: 9b4ef15892f72eccdf9566cd361f771805639a9d038499b0a006740270abebd8
Instruction Fuzzy Hash: F83137713093A05FCB165A2AA86487E7FB7EFD716470540FFD405CB352CA258C06C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 057292A0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cda4467c79c6b46560735bd65668dd2c5ac544e6557896e4e2662ae1f709bd7a
Instruction ID: 2fbad1a62634a4b07e55e4b499ae6137794132bddb65b18fb0e4b64b797f5ce2
Opcode Fuzzy Hash: cda4467c79c6b46560735bd65668dd2c5ac544e6557896e4e2662ae1f709bd7a
Instruction Fuzzy Hash: 4C31F371B092148FCB10DFA8D84896D7BF5FF8A610F1980AAD616CB3A2D731DC82DB51

Uniqueness

Uniqueness Score: -1.00%

Function 05725CF7 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 730ac725febaed177ac85744fad939e94616b37ad5f76a28619b4055bd216f63
Instruction ID: a43a36ba19e769950681d7c30478fedec6ebd7813e6a6a4a22b842c727257f61
Opcode Fuzzy Hash: 730ac725febaed177ac85744fad939e94616b37ad5f76a28619b4055bd216f63
Instruction Fuzzy Hash: F7318171A046299FDB15CF68C584AAEFBF2FF49310F248959D086AB711D330AD45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 016EFD54 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.446331964.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d157ec7f22c2d6e0711b5cce5bd59cb35a2da65409057907a5d56b624b05cc6
Instruction ID: c39feb0116942f47ae7279618f504d1d6efc811ab0f581c57af6520057dc0fd0
Opcode Fuzzy Hash: 6d157ec7f22c2d6e0711b5cce5bd59cb35a2da65409057907a5d56b624b05cc6
Instruction Fuzzy Hash: C0418034A002059FCB54DF64C858ADEBBF2BF8C314F2586A9D505AB365CB71AE45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05722078 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f03fe55bb33bdaa36321dbf8e3b14145909f50b3c1ab8be218696789250819
Instruction ID: c87f43d5de1d2a36b115994462509c5218dea24a7abb383dd08d569133bbe1b0
Opcode Fuzzy Hash: d8f03fe55bb33bdaa36321dbf8e3b14145909f50b3c1ab8be218696789250819
Instruction Fuzzy Hash: 9731C37A7092148FCB24CB5AF444E69BBF6FB85220F1480A6E60CC7612DB36EC41DB51

Uniqueness

Uniqueness Score: -1.00%

Function 0572D7A0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94aac3c152f136b3443583953af9fb46adc2e407d3feebd28121a4c360a7e0b0
Instruction ID: f777c7dbcc8e8081d17daed441bddee38e47965ae12c6c58b2c3ff399fdcf483
Opcode Fuzzy Hash: 94aac3c152f136b3443583953af9fb46adc2e407d3feebd28121a4c360a7e0b0
Instruction Fuzzy Hash: A6310574B042189FDB14DF99C880EAA77E6FB8C314F2080A8E509DB761D731ED12DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05729EC0 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65c932146a0e20fbc92c9fbfb2a8cade4c6dd434d15e6be7ebf3ffeb1ebc781a
Instruction ID: 06d61b8fc37fc1b19823ea66339f5cffd2d88bc32011033168c2c3918089b0e4
Opcode Fuzzy Hash: 65c932146a0e20fbc92c9fbfb2a8cade4c6dd434d15e6be7ebf3ffeb1ebc781a
Instruction Fuzzy Hash: A431A175E04215CFCB14DF69C990AAEB7B6FF88314F158069E601AB3A1D730EC81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 016EEA40 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.446331964.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f825c8c21ae332c3f3584e1f24de603f822573fe97ecb5b21268b08cc1cc299
Instruction ID: 7d87d809c03984dfc6db7967e40427e00928fcf6a3ba9e33cf7d8928243f2d88
Opcode Fuzzy Hash: 4f825c8c21ae332c3f3584e1f24de603f822573fe97ecb5b21268b08cc1cc299
Instruction Fuzzy Hash: 2C315A75A00219CFCF11CF58CC848AEFBF6BF89314B498696E915AB356D734E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 016EFD60 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.446331964.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b2a3152c1039c619157cf006c01f9cd6845eb56bd71cee5a70af58cadf17bec
Instruction ID: 083f3865e7a2f4873d733487ee47b3860bffbcfffe4fdf74f96f6b9d29732fff
Opcode Fuzzy Hash: 8b2a3152c1039c619157cf006c01f9cd6845eb56bd71cee5a70af58cadf17bec
Instruction Fuzzy Hash: 31317E34A002099FCB54DF65C858ADEBBF2FF8C214F1186A9D505AB365CBB1AE45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 016EFEDD Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.446331964.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a1878a2986cc12966c4d1a13d253c6c66304f480ea639e70d9545c1f219e6a1
Instruction ID: 9c69a095b93d08b5b3f8e6060a0a48415a7f61f9929655c8030ed0c5da487df3
Opcode Fuzzy Hash: 1a1878a2986cc12966c4d1a13d253c6c66304f480ea639e70d9545c1f219e6a1
Instruction Fuzzy Hash: 39219D30304A008FD754DF3EC85495AF7E2AF85214B15CAAAD14ACB7B5DB70EC46CB81

Uniqueness

Uniqueness Score: -1.00%

Function 016E420C Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.446331964.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a2d00858edd9e942caf25f34c52f2f8818b599f196cef087875baced1ff4a6
Instruction ID: 00c3b21eda775d0c5d4882462c03a3f3aa770801100e807b5c6600db2a0c66b5
Opcode Fuzzy Hash: 42a2d00858edd9e942caf25f34c52f2f8818b599f196cef087875baced1ff4a6
Instruction Fuzzy Hash: EC2134306096404FC715DB389C989593BE2AB85218B2486ADC158CF2A6DB2198068B50

Uniqueness

Uniqueness Score: -1.00%

Function 057217A8 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a31c4727ff8c35fef4c9db013ac7d3fa0d9d69036fcd4a36d3a1d11f717753f
Instruction ID: ffa61f01b06077bb00643a0735b710edcc98b4a8d4b7d75153c6107e67b10987
Opcode Fuzzy Hash: 1a31c4727ff8c35fef4c9db013ac7d3fa0d9d69036fcd4a36d3a1d11f717753f
Instruction Fuzzy Hash: 4621E2323047405FC722CE69D884E5ABBF6FFC9620B558569F54AC7A51D632E802DB60

Uniqueness

Uniqueness Score: -1.00%

Function 05729ED0 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6842047c4d0519fd1383104b68729bacc994b9092024c0a886c8d83e124dbe5a
Instruction ID: 55da3f7c4821dceb62d69dadd333f5a21e8ad03a2e5c92e81b81e1741cbb03e6
Opcode Fuzzy Hash: 6842047c4d0519fd1383104b68729bacc994b9092024c0a886c8d83e124dbe5a
Instruction Fuzzy Hash: 1E314BB5E00215CFDB14DF59C984AAEB7B2FF88714F158069D606AB3A1DB30AC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05724AB0 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2e17cdef5e740e21b7e27b1569ccf7a561677276546cc8b2a9ac684758b6aa4
Instruction ID: 3ff09eb1b79aeee9fa07e2bdf3050578dc78244b737a6a33d96c3022a651701c
Opcode Fuzzy Hash: c2e17cdef5e740e21b7e27b1569ccf7a561677276546cc8b2a9ac684758b6aa4
Instruction Fuzzy Hash: 9A214970A046659FCB05DB38C418AA9BBE3BF49300F5584ADD446DBB61CBB5EC11DF90

Uniqueness

Uniqueness Score: -1.00%

Function 05724978 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f07f1b50682455b1e0916bef9c31584f2f031f363fbf63df70e000d66f8ea33
Instruction ID: e2107f51de3b93c23e454ab18ff3418cf766f9a4b7033868143bbb73439b9a19
Opcode Fuzzy Hash: 2f07f1b50682455b1e0916bef9c31584f2f031f363fbf63df70e000d66f8ea33
Instruction Fuzzy Hash: C5216BB0A042289FDF10CBA5C854BEEBBF6BF4C300F104069D852B7280DB799E41DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 05723F90 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 742632d1a23c093d6532b8e427218e64e0ea133da47d78a5310cc99d2e99eb2d
Instruction ID: 364dd95254ce4181563b505cc50456b567c4b70b2452d4330700416b890671b8
Opcode Fuzzy Hash: 742632d1a23c093d6532b8e427218e64e0ea133da47d78a5310cc99d2e99eb2d
Instruction Fuzzy Hash: BF115C3370C2705F87299AE86C9457FABEBEBC5024709447EE549CB741CE254C0653D1

Uniqueness

Uniqueness Score: -1.00%

Function 0572E100 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 612489954f6ef919693a2d3173be337ae2358869f1c442876c7d852e092ec2f6
Instruction ID: b6afdb2d0b5fd29a2364c84b0118d3884c42f8c879ca8df56877d90583fe06fa
Opcode Fuzzy Hash: 612489954f6ef919693a2d3173be337ae2358869f1c442876c7d852e092ec2f6
Instruction Fuzzy Hash: 532190357246318BCB19D72AC904A39B3EBEFD5320B19C479C80A8F365DA31D982A781

Uniqueness

Uniqueness Score: -1.00%

Function 05726F57 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de6e24a5814d5710f339562c1efe332271f682ffb27e82f81f650354ab938768
Instruction ID: 040515c6ce01ea73799194832c43b838d063d401b6ac9a4807ca35341448cbeb
Opcode Fuzzy Hash: de6e24a5814d5710f339562c1efe332271f682ffb27e82f81f650354ab938768
Instruction Fuzzy Hash: 5C2190B57042209FCB14CF68C854AAABBF4FF89760B0200AAE505DB361DB31DC02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0572DE20 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd26598ec1e507ea90dc5bf2a5fb56169af8da1307a3a4ea9dc535f5c67a3a7a
Instruction ID: 9de7f5deebe92cb0150aac8d15fafbb3b3e580e4bf520ec1d0ac59ef71771172
Opcode Fuzzy Hash: dd26598ec1e507ea90dc5bf2a5fb56169af8da1307a3a4ea9dc535f5c67a3a7a
Instruction Fuzzy Hash: 23115C327042309BC7256B349C017ADB7D69B85A28F388AADD1299F7C1CA72E843D794

Uniqueness

Uniqueness Score: -1.00%

Function 016E0B8F Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.446331964.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 374a8dfa5a4d58fd263afcfd5adff480482f6d542628b783da32c5a219e46505
Instruction ID: 7271d1b176e33f25cf00646fe4949a932652812c0529d815841d85e2c644ee52
Opcode Fuzzy Hash: 374a8dfa5a4d58fd263afcfd5adff480482f6d542628b783da32c5a219e46505
Instruction Fuzzy Hash: 701101B2701214AFC3206B74EC58B9E37A3EBC9650F150266E606EB394DBB15C028795

Uniqueness

Uniqueness Score: -1.00%

Function 05726B68 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 943c1249c3fbfa553b7e0aaf0d1a55a73051ccf5c2cafee84c555b0a28c1549f
Instruction ID: ad3a744a2060c053e3578b7446d65ab3178056c4b37cb5def1a1d5878c3fc44e
Opcode Fuzzy Hash: 943c1249c3fbfa553b7e0aaf0d1a55a73051ccf5c2cafee84c555b0a28c1549f
Instruction Fuzzy Hash: 9C21F375A11219EFDF10DFA5E985AADBBB2FF44311F200466E401EB2A0DB34EA44DF50

Uniqueness

Uniqueness Score: -1.00%

Function 016EE8B1 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.446331964.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1e4b99fb554642a39d0af21123ef6e989ad4b66099aa00b7dc29f207da7be85
Instruction ID: 52a68e3c1db2adbb0862ad2b072baf159c60c1360581df9f888cb167e3ac853e
Opcode Fuzzy Hash: e1e4b99fb554642a39d0af21123ef6e989ad4b66099aa00b7dc29f207da7be85
Instruction Fuzzy Hash: 9811CC712047504FC7228B389C0486EBBF3EFD9264746472DC582CB345DB72AC00C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 016E3EB8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.446331964.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4ce3790b82020acc580ed79bb2fce2ee4759e1be2cc8f7cc1785c4bc51a66f9
Instruction ID: 7a298d9823f3630358e2106be06e851ae14cd9f343fcf8a7af63e7b84b5b2501
Opcode Fuzzy Hash: c4ce3790b82020acc580ed79bb2fce2ee4759e1be2cc8f7cc1785c4bc51a66f9
Instruction Fuzzy Hash: 0211BB31A062189BCF00DF58D908BAE7BF2FF88704F014198D801BB389CB74AE45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05725DE6 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fbdb13de0c77603093dca262a3479d3e1a5fed07adac3078f2a5878e5afa3a6
Instruction ID: 76fde757e8bc4f532fb708c677e9dee5e487c731176182ac2663dd25d5b836ef
Opcode Fuzzy Hash: 1fbdb13de0c77603093dca262a3479d3e1a5fed07adac3078f2a5878e5afa3a6
Instruction Fuzzy Hash: BF217F31A046549FD720CF68C584BAEBBF3FF88300F148599E0869B651DB70ED50CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0572D036 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7334d59bdcebe4c62b00ac4d3fe14bb4cebf75f6e2b6486ff14ced301474ea87
Instruction ID: c7896ffb0d8b1cd1e541a65045bf2c3093126f6bf0634ced4702160d458082d7
Opcode Fuzzy Hash: 7334d59bdcebe4c62b00ac4d3fe14bb4cebf75f6e2b6486ff14ced301474ea87
Instruction Fuzzy Hash: A2016832B0C3246FEB3112305C49B6A7797AB92650F56016BE6019F3E2D9A19C0392AB

Uniqueness

Uniqueness Score: -1.00%

Function 05720080 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c7c76f56d1ffc5ad6928333aa594f2693af0f3f9b30420d03730aac2d6d456c
Instruction ID: fcf042325bde15421045e42aff1d1c0351e9ee14963518c78db34ccf84bd93d1
Opcode Fuzzy Hash: 0c7c76f56d1ffc5ad6928333aa594f2693af0f3f9b30420d03730aac2d6d456c
Instruction Fuzzy Hash: A2119E313042605FD328EB69D85866AB7E6FFC9210B144A7ED11ACB790CE71AC0587A6

Uniqueness

Uniqueness Score: -1.00%

Function 05729FB1 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8267967feb40b875178e0e17c7689cff3f60cc1aa000bc0de7221696083bb54
Instruction ID: 733c207e51b1f2448c9584e2d4e9507aa162f9da9a6b3755cf580616ebfe73c4
Opcode Fuzzy Hash: d8267967feb40b875178e0e17c7689cff3f60cc1aa000bc0de7221696083bb54
Instruction Fuzzy Hash: 270145323093206BEB2066305C15B2A2B87AB82654F15856EE205AF3C5ECA1DC06939A

Uniqueness

Uniqueness Score: -1.00%

Function 0572007E Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f138189acad3c36392c62c998f4cb0c062c7a170d4c99bf33be51335efc45fd3
Instruction ID: 1bf80fbc9b0849dadb8bf539d4029c0e6059346e1ade10e414a6234e60ca0976
Opcode Fuzzy Hash: f138189acad3c36392c62c998f4cb0c062c7a170d4c99bf33be51335efc45fd3
Instruction Fuzzy Hash: D0119E353042605FD728EF69D85866AB6E6FFC9210B144A7ED01ACB790CE71AC0587A6

Uniqueness

Uniqueness Score: -1.00%

Function 016E4160 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.446331964.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bd59fc29ae0bc55538092e58c50024360387357ed6fc048e846ec9c0fecb106
Instruction ID: 40ddf739d7ba196ce2b46fae15b222c67ae05209051deb5140d56f6dc8f60369
Opcode Fuzzy Hash: 0bd59fc29ae0bc55538092e58c50024360387357ed6fc048e846ec9c0fecb106
Instruction Fuzzy Hash: CE11C8302087208FC7258F748C4499EBBB2BF85259706472DC502CBB05DFB2D905C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 05722608 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3589d1d787934e95c92ac83fc49ffc5540dfb9e18ec8f9e70c34b939c46374b9
Instruction ID: bc43911c4f23d94d2893fb21709dd2d18a766960051fbb4546bd6ef0a5a34ed1
Opcode Fuzzy Hash: 3589d1d787934e95c92ac83fc49ffc5540dfb9e18ec8f9e70c34b939c46374b9
Instruction Fuzzy Hash: 6001A2363052105BC7249BA9B884B6AB7DBFBC8679F10813EE61DC7B41DA71EC468790

Uniqueness

Uniqueness Score: -1.00%

Function 0572DE90 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96b821ae6e13bede58c29661b0f8858a67e03cc14a36b85802eb3de4271abf2a
Instruction ID: 9610777160e47474c457311ecc20aa259b374ad26d17df830868ce9483198088
Opcode Fuzzy Hash: 96b821ae6e13bede58c29661b0f8858a67e03cc14a36b85802eb3de4271abf2a
Instruction Fuzzy Hash: E50124327083202BD7312A385C55B4E76DB9BC5550F11857EE125EF3C4CEE1EC028399

Uniqueness

Uniqueness Score: -1.00%

Function 0572F8C8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ea4708936c7beed14916bf3a2cfb6fb1ef4f46ddce9e12448e78878d0ca5808
Instruction ID: a92e0c11112460ace73a7c534898aa1b8d00118d9cc091e9e9a7b307213f018a
Opcode Fuzzy Hash: 9ea4708936c7beed14916bf3a2cfb6fb1ef4f46ddce9e12448e78878d0ca5808
Instruction Fuzzy Hash: 420168313083A15BDB1263345C09B5A7BE65F81118F19C4AEE885CF285E9E1D801D394

Uniqueness

Uniqueness Score: -1.00%

Function 05721FD8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d73bddbdbc082b16c314e0fbb11cca11b5873da53727fc2caa6c79b0af7067a
Instruction ID: 602469b9ea61aecc7f79ea3e19cde74fcc9b7bce6a63470d262723856f1037e7
Opcode Fuzzy Hash: 2d73bddbdbc082b16c314e0fbb11cca11b5873da53727fc2caa6c79b0af7067a
Instruction Fuzzy Hash: 94018435205254EFC7269F64E80489ABBA7FF9A211314846DE90987322CB32DC53DB60

Uniqueness

Uniqueness Score: -1.00%

Function 05720908 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83fd72c4e98bd534daaf952215c3c15a000880e1810881a18008e880d9c4666c
Instruction ID: 210c47666f6d14370910fd230d95e1bba69b591bbe05b89861b2daf131171911
Opcode Fuzzy Hash: 83fd72c4e98bd534daaf952215c3c15a000880e1810881a18008e880d9c4666c
Instruction Fuzzy Hash: 7801C4317097404FCB369F35985852ABFB2BFCA221309897AD04ACB65ADB28490AD791

Uniqueness

Uniqueness Score: -1.00%

Function 05729FC0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41721d017b3dbdced5507bc3c66ef68e098e04145db2c44e6931c3ced75b36e3
Instruction ID: 2febc97054b5bd58a69499423bbcfadeb0bd34008418efd5fe83921862f8e78f
Opcode Fuzzy Hash: 41721d017b3dbdced5507bc3c66ef68e098e04145db2c44e6931c3ced75b36e3
Instruction Fuzzy Hash: 3A0126327042105BEA3476755C15B2F23C7ABC1B50F11413DE219AF3C8DDE1EC02839A

Uniqueness

Uniqueness Score: -1.00%

Function 016E0440 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.446331964.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6808e2a4ffd0588261bae32a6f669a787b9f7194989d409584c91f93853ca947
Instruction ID: 9b82ad0c9c388387b4b43bd626f543f308f99f4bca3d406279456061d8dd8a14
Opcode Fuzzy Hash: 6808e2a4ffd0588261bae32a6f669a787b9f7194989d409584c91f93853ca947
Instruction Fuzzy Hash: 0C014530349341AFC316DB348D1DB683FA2FF82200F1982DEF0059B2E2CE629804C755

Uniqueness

Uniqueness Score: -1.00%

Function 0572F918 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9026471920875be8590a24c737baebcad05129f84a552fdba47bde9b7fb52397
Instruction ID: 4bdfec1698b471c5ff33bbe93ff7dda218cd9202c505d6fd775beadd19608c63
Opcode Fuzzy Hash: 9026471920875be8590a24c737baebcad05129f84a552fdba47bde9b7fb52397
Instruction Fuzzy Hash: 9E01D63270431427EB2061791C09B2AA2DB6BC5550F118139E505DF384EDA19C0153AA

Uniqueness

Uniqueness Score: -1.00%

Function 057258E7 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dba57222e5419267b9fb8ad2554d2735b69720d6cae2d8d07e5697498d3f0d3
Instruction ID: a2dcd21a77da0e5a0a70963f8fcb48db7ef95cf4d133449436eb7555606a7d5d
Opcode Fuzzy Hash: 9dba57222e5419267b9fb8ad2554d2735b69720d6cae2d8d07e5697498d3f0d3
Instruction Fuzzy Hash: B301D231B042289FCB10DB64CC44BAEB7B3AFC4324F11816AE945AF284DAB05E019B85

Uniqueness

Uniqueness Score: -1.00%

Function 05726FC8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34aec17f54dbcc398d55e12a3500954d54d4c6195f326932bc6ae994964c2d74
Instruction ID: 65e1c281960bf6f868718780a76567c4b7d4dc446900e0cacd46ae558b68ef3e
Opcode Fuzzy Hash: 34aec17f54dbcc398d55e12a3500954d54d4c6195f326932bc6ae994964c2d74
Instruction Fuzzy Hash: 7F012975B00229AFCB14DFA9D801BDEBBB5EF88710F104066EA05EB3A0DA719911CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 016E3EA7 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.446331964.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36c75f9c4a37fd61815c721d8f6ad260476f1f3dce0e505d544a6b984952e164
Instruction ID: 471d70b1e12e32f379b8ea72bd404a82fd49e49b20e0f6776678af0c7865a261
Opcode Fuzzy Hash: 36c75f9c4a37fd61815c721d8f6ad260476f1f3dce0e505d544a6b984952e164
Instruction Fuzzy Hash: 5E11E071A0A3588BCB05CF18C9087AEBBF2BF44704F15459CD842BB342C776AD01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0572F90B Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89352b5915b55d66bf827fde5045b5d490a5eae6feed59fd61bc7f99eef34ac8
Instruction ID: 9b139fc9245d186b12899d4e0231c5fad6576c386d1b884dac3c0a9a7244b4c3
Opcode Fuzzy Hash: 89352b5915b55d66bf827fde5045b5d490a5eae6feed59fd61bc7f99eef34ac8
Instruction Fuzzy Hash: C201493230431167EB2062381C09B2BAADB6FC5A10F15827DE555DF3C5DDE09C0193EA

Uniqueness

Uniqueness Score: -1.00%

Function 05726FB8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83b7934f471a882b4bb9cda1f42c4a29792e717df89cd5eb328761329f3c713f
Instruction ID: 793fd73e160858cec4cca2b950ae7d09ed4de1a975fd2a233a07984279e44555
Opcode Fuzzy Hash: 83b7934f471a882b4bb9cda1f42c4a29792e717df89cd5eb328761329f3c713f
Instruction Fuzzy Hash: 05019E71A001259FCF288FB88914BEEBBF1EF89750F15447AD906EB351EA319902CB91

Uniqueness

Uniqueness Score: -1.00%

Function 057285B0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6367f2494e15cec67b271ec357c14a16d69182b91a8abc181fc8ddddef46801
Instruction ID: dcdf77f3631bb159230a62cc23aad2c74f11474319ca6d8ba77cdf58904b5b03
Opcode Fuzzy Hash: c6367f2494e15cec67b271ec357c14a16d69182b91a8abc181fc8ddddef46801
Instruction Fuzzy Hash: FB01223068E7E05FC7078B624C209347F71EF8322530984EBC483CB2A3D52A8C0A93A7

Uniqueness

Uniqueness Score: -1.00%

Function 05726C61 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e665423497544b684faf94a9463ddb1b0fbaf2df1d5f24845ad412985599d062
Instruction ID: ad2c74950451415fd881d7c8e706ece73eeee5dd2a602015a1d3ad7e6cfcc1da
Opcode Fuzzy Hash: e665423497544b684faf94a9463ddb1b0fbaf2df1d5f24845ad412985599d062
Instruction Fuzzy Hash: CC012835A082289BCB14EAB8E5062E97BE5E745324F0441AFC90DC7305DF25A9516796

Uniqueness

Uniqueness Score: -1.00%

Function 0572DEA0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fb5dcd4f97d09cbe1e9292832a55c1040a48d2208bea969c7248fd2a9bfc59d
Instruction ID: 0b55db7dca935a6bbab99d9f5aee4c7915b1e84140c26c07a9d814d04eb4f898
Opcode Fuzzy Hash: 7fb5dcd4f97d09cbe1e9292832a55c1040a48d2208bea969c7248fd2a9bfc59d
Instruction Fuzzy Hash: D5F0D13270422067D7302A295C59B5F66CB9BC5A50F21867DA225AF384CDE1EC028399

Uniqueness

Uniqueness Score: -1.00%

Function 016E4170 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.446331964.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54f19334cef5bf76b17aedb69d0585eed59b27059f053a563222a76b12ad7b38
Instruction ID: f75b909626f13969456b1303003e9c59b1ea147e785154388f5fe25b6ff18fba
Opcode Fuzzy Hash: 54f19334cef5bf76b17aedb69d0585eed59b27059f053a563222a76b12ad7b38
Instruction Fuzzy Hash: C401DF31300B255BC7289B78984499EB6A6FFD4269B058B3CD6068B704DFB1E9058BE8

Uniqueness

Uniqueness Score: -1.00%

Function 016EE8C0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.446331964.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e1622f58a3b93e5ed169ae2e33703f44d5dd28f2b919ef70515279d545840c5
Instruction ID: 95762b0606166cd5b87f49531ad77e5f6dcdd1f28d7ec7aa4acaa89b003d214f
Opcode Fuzzy Hash: 8e1622f58a3b93e5ed169ae2e33703f44d5dd28f2b919ef70515279d545840c5
Instruction Fuzzy Hash: 9A01F2713007204BC7249B68E84495EB3E7FFC8268B058B2CD6468B704DFB2AD018BD8

Uniqueness

Uniqueness Score: -1.00%

Function 05722068 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7057bea5b70134b99882a5c3aaa113ac9ac21d884ac7978c64a29916378c7d3a
Instruction ID: 33a1b058094f9eeeda99cc6523753de11352696873f0086f4768e417cadce422
Opcode Fuzzy Hash: 7057bea5b70134b99882a5c3aaa113ac9ac21d884ac7978c64a29916378c7d3a
Instruction Fuzzy Hash: 4901D47A60C254AFC725CB29E404995BFB5EF8A32070580EBE509C7263D631DC01C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 0572D050 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baa7da3bc194af15f233195bf53525b48ef695e2cf3428f59923edf7cf0691ed
Instruction ID: 2f355aba246cb9c17ac03a94765ae159234768ddc44e246f96bd4e02f9f75c9a
Opcode Fuzzy Hash: baa7da3bc194af15f233195bf53525b48ef695e2cf3428f59923edf7cf0691ed
Instruction Fuzzy Hash: 67F02B32B0432457EB3025761C55B2F62CB9BC5A65F11413AE6059F3D4DEF1EC03529B

Uniqueness

Uniqueness Score: -1.00%

Function 05726CA1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06f0bd96489342ebd3d3219eb94ff4a48bf3f07c9ed1366eaeb49b9fab004bae
Instruction ID: 2c8deeaa8fc06787e124186a05821e3af897d37218863d295694e6559cb518d1
Opcode Fuzzy Hash: 06f0bd96489342ebd3d3219eb94ff4a48bf3f07c9ed1366eaeb49b9fab004bae
Instruction Fuzzy Hash: 59018F75A001389FCB48EFB8D8056BA77A5FB84200F1044A6D519DB351EE309A51ABD1

Uniqueness

Uniqueness Score: -1.00%

Function 0572C500 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae6ede47f65a7a9d24705555645b0d1c66f581cb506deb2f885abb9452eaa27e
Instruction ID: 519cf9bdf723267824cccbb63f4082bf6848e8d50b2928b9bf5f5a82a70e01d9
Opcode Fuzzy Hash: ae6ede47f65a7a9d24705555645b0d1c66f581cb506deb2f885abb9452eaa27e
Instruction Fuzzy Hash: 33016D31B00224AF8B699A7E985967E77E9EF99250B20006DE419C7361EA31CD069791

Uniqueness

Uniqueness Score: -1.00%

Function 05721730 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4451e348d76d56755cd36a0725b423388f0a41840b66f66fa5207684a00737cc
Instruction ID: 0001c9d70604e11836a53fcbd6bbf169fb89e703393fd9d3db77568689f6f3b6
Opcode Fuzzy Hash: 4451e348d76d56755cd36a0725b423388f0a41840b66f66fa5207684a00737cc
Instruction Fuzzy Hash: 7D019E711087A05FD726D738C454B57BFF6AF86214F4505CEE086C7792C366B844C761

Uniqueness

Uniqueness Score: -1.00%

Function 0572C510 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c51601487710e1990c4dc12ec01dec7eb13c92587545196a5d900f85aafeaa49
Instruction ID: c76fcbf6a645abc39c39f663bf89831aa8c9b1a5b740e1afa74ec3e9db112f9d
Opcode Fuzzy Hash: c51601487710e1990c4dc12ec01dec7eb13c92587545196a5d900f85aafeaa49
Instruction Fuzzy Hash: B7F0AF317001209F4B69AA7E882897E77EAEBC9210710007CE52ACB360EF31CD0287A1

Uniqueness

Uniqueness Score: -1.00%

Function 05720918 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d5ddb34e96c892d395ceed3aa832f6d5c7bcfdef5835f731e9c20082e3ed012
Instruction ID: eda92cdf01b3e147d4fc977fca3d65a9c758c987aa5f60427e0c4b61d2dd310d
Opcode Fuzzy Hash: 5d5ddb34e96c892d395ceed3aa832f6d5c7bcfdef5835f731e9c20082e3ed012
Instruction Fuzzy Hash: 3901AD317006018F8B35AF29E88802EBBA3FBC82613048A3DE00BC7718CF74990A8791

Uniqueness

Uniqueness Score: -1.00%

Function 05725E28 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd4a185ca2f811abeaa36805156c601d4899310eeb7cfc1189391f2dffc5c473
Instruction ID: e1e5514f080c09557ebb7273644daed59acd212f135f1f664dd7863ab4c55f82
Opcode Fuzzy Hash: bd4a185ca2f811abeaa36805156c601d4899310eeb7cfc1189391f2dffc5c473
Instruction Fuzzy Hash: 40018F31A003149FC750DFB8D80449FBBF6FF89211B1444AED85AD3740DB35A906CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05723F80 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00d1b3ac45e4cd7fe4ecb4c2476ce69f51090c7a4936bdcf2793d13b6f574a13
Instruction ID: b6d6a721998131f83ec064771e30b8b47351d9ad9153ad702195f7a3387d8e62
Opcode Fuzzy Hash: 00d1b3ac45e4cd7fe4ecb4c2476ce69f51090c7a4936bdcf2793d13b6f574a13
Instruction Fuzzy Hash: 6CF05C5370E2700FC70D59A85C9857AEB76A6C703070945BBE5C8DB652C40C5C0593A1

Uniqueness

Uniqueness Score: -1.00%

Function 05725E38 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f135f3df7cff1c589c4c57560b8d2e52bf474c0bddd6d4b3643036824032dc06
Instruction ID: c9f52974fccae3e859be5771abe7026b14d749bcb74830cd9328b50db8f20d2b
Opcode Fuzzy Hash: f135f3df7cff1c589c4c57560b8d2e52bf474c0bddd6d4b3643036824032dc06
Instruction Fuzzy Hash: A7011971A00224AFC754DBA9D8049AFB7FAFF89211B14456EE95AD3740DB35E902CB90

Uniqueness

Uniqueness Score: -1.00%

Function 016E0BF3 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.446331964.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c68ec381675178d0e721ecac61dda6e9df39cf5af8e623d056a7f0a1c7b6cd5
Instruction ID: 9a2330eff20f2334abd6e086ea07377901af0fda8dd14aeadc07475c28748064
Opcode Fuzzy Hash: 7c68ec381675178d0e721ecac61dda6e9df39cf5af8e623d056a7f0a1c7b6cd5
Instruction Fuzzy Hash: 6AF0F0703014148FC724AB68ED6859D3297FFC9685B04022AE60AE73A4CF711D0187E2

Uniqueness

Uniqueness Score: -1.00%

Function 05724170 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d11d08ec4337b6f131388dab4362d84810bcb15ed3a9a14c948fab5191147e
Instruction ID: 310dccbc058d77e09dd7a211b7c45d862a0bb2d1d302451f0cd1e05d90c4de3e
Opcode Fuzzy Hash: 67d11d08ec4337b6f131388dab4362d84810bcb15ed3a9a14c948fab5191147e
Instruction Fuzzy Hash: 1AF024703012205B8B24AA1BD88489BB7ABFBD45A8740843AD90ACB709DFA1DC0687E1

Uniqueness

Uniqueness Score: -1.00%

Function 016E39C8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.446331964.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51e48b3360edd0972cb4cecbf01fc3d7779f77fb69fef2db1ad16eb040b6f2ad
Instruction ID: c59cf893dcb9446c50af83a49ab21d6f50271b4a7b87b04c4ec9cc8b5536d457
Opcode Fuzzy Hash: 51e48b3360edd0972cb4cecbf01fc3d7779f77fb69fef2db1ad16eb040b6f2ad
Instruction Fuzzy Hash: BCF0C2316007145BCB64EF24DC449AEBBA7EFD42587504A2DD50687658DBB0AD0AC7E4

Uniqueness

Uniqueness Score: -1.00%

Function 016E0BF8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.446331964.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeb3d008be5ef46e5a48d4ba630850779c0709aefb05a2a7d0eca88c1d60f31b
Instruction ID: 3601f24fc98f6f749ac2a68be405ea9629dad83f32a72bcfc91f328f6354c8c4
Opcode Fuzzy Hash: eeb3d008be5ef46e5a48d4ba630850779c0709aefb05a2a7d0eca88c1d60f31b
Instruction Fuzzy Hash: 7CF090713014185FC624B769EC2855D729BEBC9695B45022AE606E7394CFB11C0187E2

Uniqueness

Uniqueness Score: -1.00%

Function 016E0468 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.446331964.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a45ac5aed47f797114ea5048ea9fb33aa8f5125899a9fc577acc22c4fef67685
Instruction ID: 11fc0bf3a36d19eccd85e3ec83f86ee2cde4f696a295a1eb15157122fd163984
Opcode Fuzzy Hash: a45ac5aed47f797114ea5048ea9fb33aa8f5125899a9fc577acc22c4fef67685
Instruction Fuzzy Hash: 5EF0B430305206DFD724EAA89D1EB2D76E3FFC5600F144269E6069B7D4DFB19C018795

Uniqueness

Uniqueness Score: -1.00%

Function 05724901 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ddf1526514503989f9efcc51efd1fdac6701cb40616a12fc7ebe9c5773eb764
Instruction ID: 2d8cfe789ae1d5076f275584c62fff8d3f3b44a991a092a8fd3eab2f80b661e4
Opcode Fuzzy Hash: 9ddf1526514503989f9efcc51efd1fdac6701cb40616a12fc7ebe9c5773eb764
Instruction Fuzzy Hash: 0CF04F71D042259FCB40DF68C888799BBB2BF09200F2980A5D999EB355E730DD41CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 057209A8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aad899923cff6588bf7c21431e233bfb5f9d07b11881350648afc74a3f5265ca
Instruction ID: 20eb36323798ea4d3c6a85b251cda61171151b9744b85efdba72c02ec35aeef3
Opcode Fuzzy Hash: aad899923cff6588bf7c21431e233bfb5f9d07b11881350648afc74a3f5265ca
Instruction Fuzzy Hash: 53F02430A082088FCB08FB74C91953C7BF2AF46108B1982BCC00A9B7A1CF319C059B51

Uniqueness

Uniqueness Score: -1.00%

Function 0572B8FF Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b0874115da9bf1d990f36be481dae29eee90e04659c3bb52db5e10175f6451e
Instruction ID: 7493ad7ccc759120f68816c329098bba551498179ae892e7589fc462de3c15b6
Opcode Fuzzy Hash: 2b0874115da9bf1d990f36be481dae29eee90e04659c3bb52db5e10175f6451e
Instruction Fuzzy Hash: 8CF0E5337042602FCB14A1795C28A7EBBD98BD9220F24403EE50EC3243EC388D419399

Uniqueness

Uniqueness Score: -1.00%

Function 0572B340 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4905a07fb8edd16a8483e72a03034fb4eee6d28de67d24ad10a07e784cf732d
Instruction ID: 0d28b73b4107a1ef6fdd8d20b0b7a23946977919c773eab1b59922fe12762627
Opcode Fuzzy Hash: c4905a07fb8edd16a8483e72a03034fb4eee6d28de67d24ad10a07e784cf732d
Instruction Fuzzy Hash: 21F0E5233083601F870566395C5856FBBEDDFC621031940BAE509C7343DD288E0193BA

Uniqueness

Uniqueness Score: -1.00%

Function 05721930 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56e6d7aa1e3be133d573eca59ea14cb4e2e35d0c7a66235719edf5c82720d286
Instruction ID: 95d8ac05faf5b1beda59732b0a1e7aafa18f0d0a68090a8e430b4679e149449e
Opcode Fuzzy Hash: 56e6d7aa1e3be133d573eca59ea14cb4e2e35d0c7a66235719edf5c82720d286
Instruction Fuzzy Hash: 88018C75D00219AF8F00DF99D9448EEBBF5BF4C250B108066EA59A7220D3319A21DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0572B910 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 946677142b9760363679ce3c9ea163834ced591848aea30b776a96fabad7beb3
Instruction ID: 62862ddc26b22cd734a923c43911c6176490fe4ab7eede0ff27f40a62a96b701
Opcode Fuzzy Hash: 946677142b9760363679ce3c9ea163834ced591848aea30b776a96fabad7beb3
Instruction Fuzzy Hash: CFE08C223006212B4718616E6C2897FBACE8BC9660710803AE50EC3342DD398D4253E9

Uniqueness

Uniqueness Score: -1.00%

Function 0572B350 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 577a24fc4667de46648a17f9f49cf4e2138e9564f6da73ee36489ddfbe07706e
Instruction ID: 021a0f0f2da632d02abecd938f8fc39fc15106efccd2b38e5c680a6260a473a2
Opcode Fuzzy Hash: 577a24fc4667de46648a17f9f49cf4e2138e9564f6da73ee36489ddfbe07706e
Instruction Fuzzy Hash: 3BE08C223006212B4718616A6C2897FBACE8BC9621714803AE50EC3342DD398D4252E9

Uniqueness

Uniqueness Score: -1.00%

Function 0572E76B Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7395fe43423d41e0a2908e6afc68cabf9b5f351c24b9d26dc9f6cb7d032fcca
Instruction ID: adbaec5904ce8c81c1481a236d28f769cbd089ea5fa2f6ba4de1dfa354a787b1
Opcode Fuzzy Hash: a7395fe43423d41e0a2908e6afc68cabf9b5f351c24b9d26dc9f6cb7d032fcca
Instruction Fuzzy Hash: EAE05B237006312B4758717F6C5C52FBACEDBC95707250139E50EC3346ED754D4252D9

Uniqueness

Uniqueness Score: -1.00%

Function 0572BF18 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31b10af024010801f92cf3e0e1c087870cc418c13219b4ffad7d8e678dd4d5ab
Instruction ID: 1da4a24f90e26005111998675be50d5e2992ecc13c4e74aed8ba1b5797474ea0
Opcode Fuzzy Hash: 31b10af024010801f92cf3e0e1c087870cc418c13219b4ffad7d8e678dd4d5ab
Instruction Fuzzy Hash: 93E0C231B006307B8B1922396E2C87F66DECBCAA22310007BF409DB780DD724E02639A

Uniqueness

Uniqueness Score: -1.00%

Function 05724058 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 019ef7497496e0801b3e37d5f220c0d3bfa65b2a8c5500a70dac31cf99520176
Instruction ID: 576f2a8ca833ddd636a480fa02606a80eb6b112661ce7f8278362252446c2b59
Opcode Fuzzy Hash: 019ef7497496e0801b3e37d5f220c0d3bfa65b2a8c5500a70dac31cf99520176
Instruction Fuzzy Hash: F4D01232700124179625256E6C54A2BB6CFE7CE5B1B54403AE50DC7340DC658C0793A5

Uniqueness

Uniqueness Score: -1.00%

Function 0572E770 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed078d3e184b4f05d60615b2f7cc19ab285b83e37c4177ce1908f3d198a551ae
Instruction ID: 5bb256ebd6ea2cc8515d0d10969b606001c09920685010fc5b37597ac8c31082
Opcode Fuzzy Hash: ed078d3e184b4f05d60615b2f7cc19ab285b83e37c4177ce1908f3d198a551ae
Instruction Fuzzy Hash: B7D05E22700A312B4768727F6C6C92FB6CECBC9A30721003AE10EC3386ED754D4252EA

Uniqueness

Uniqueness Score: -1.00%

Function 057285E0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c71f066f4789a1abf6b1254f7debec9ce4a79e7d4318e230d68acb0b4de2c49f
Instruction ID: 69ecc266ad85a9dc0969cc8696b74e315c8ad5c4aa455239a6d06f6acc2e46f0
Opcode Fuzzy Hash: c71f066f4789a1abf6b1254f7debec9ce4a79e7d4318e230d68acb0b4de2c49f
Instruction Fuzzy Hash: 70E0863470873087C7285A2A542492AB297FBC9620B14C07AD5068B344DE76CC0647C6

Uniqueness

Uniqueness Score: -1.00%

Function 0572203F Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c60702d204f8fa05125ae879fc5c03755d4599aba9d503ef010405d603e26ad2
Instruction ID: 91f8de32539cddeb8554b994d33356d75f68c5e139c5d01bebb76f392f9f30bb
Opcode Fuzzy Hash: c60702d204f8fa05125ae879fc5c03755d4599aba9d503ef010405d603e26ad2
Instruction Fuzzy Hash: 5CE0D876218654DFC7368B60E410084BF71BBDA325314C0EAE5498B657DA33CC57DBD2

Uniqueness

Uniqueness Score: -1.00%

Function 057258F8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9db2b675b64da02f20e3bf2e0a6da2f36e4241529d23e4724e1c738c6937b36a
Instruction ID: 4d807d90b002827330acfc9170952a7e2b2233ecffe36777e0c33bfbf7908132
Opcode Fuzzy Hash: 9db2b675b64da02f20e3bf2e0a6da2f36e4241529d23e4724e1c738c6937b36a
Instruction Fuzzy Hash: BBE08C3235022873DA2065099C05F9A778A9BD4B20F20812AB614AB2C489F1B90152DC

Uniqueness

Uniqueness Score: -1.00%

Function 0572ACB9 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 252faf2629e3a21cb7d46bdca90957eda2b0eea7a4b15202d14d828a809b3669
Instruction ID: 8f84979ac7833092ec957d10c3bfd4d79fc2a74366f5e73d7f65aa33ce4e7d06
Opcode Fuzzy Hash: 252faf2629e3a21cb7d46bdca90957eda2b0eea7a4b15202d14d828a809b3669
Instruction Fuzzy Hash: 72E0C222708330ABCB0BA278592803D3BA68B8A12032404B7D40AC7743F8728C4353C5

Uniqueness

Uniqueness Score: -1.00%

Function 057258A0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60b9b60114e2456d745b131e70edd4442173815fed1f487ca14fa385abe5353a
Instruction ID: b8ace74f3919929cd4cfb7b9fa41848681247d44b80b16d3a810aa4fe39d6d4b
Opcode Fuzzy Hash: 60b9b60114e2456d745b131e70edd4442173815fed1f487ca14fa385abe5353a
Instruction Fuzzy Hash: 50E06D70D06244AFCF01EFB49E4896DBFB2AF0A200F2081DAEC04AB652E2315E10DB41

Uniqueness

Uniqueness Score: -1.00%

Function 057265C8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe9e3c02bbe0b86193860f95a9f161439bd4c7c612d42a325f98953959bff77b
Instruction ID: 042a84f21982bddce81dd4fd6b7a540b0afb5b283b06b31400c52ffbefb2e13c
Opcode Fuzzy Hash: fe9e3c02bbe0b86193860f95a9f161439bd4c7c612d42a325f98953959bff77b
Instruction Fuzzy Hash: 95D05E36710020274B14611E6C4893E36DF87CC5223294066E50AC3344CEA09C0313E5

Uniqueness

Uniqueness Score: -1.00%

Function 0572BF28 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ee03d1e8c4ea5f5f8257015192b7002448de27fffbf16a3443dea4fbfa83eac
Instruction ID: fc8b08e461fc8beb50eb9537417b5419e1ab6e8396086aac060b09ddf3be9741
Opcode Fuzzy Hash: 9ee03d1e8c4ea5f5f8257015192b7002448de27fffbf16a3443dea4fbfa83eac
Instruction Fuzzy Hash: 54D0A731700730574B19327D692C42F72DECBCAA21320007EE00AC3340DDB68C4353D9

Uniqueness

Uniqueness Score: -1.00%

Function 0572AE60 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca0c7528f62d15faf8fd88ce3e854dd9baa3362da9da8984c696a2fdeff7ed90
Instruction ID: 1e00a3689a2e74b33b28978994030dbdce02fe3410f14f2d5821a3ff16368c1b
Opcode Fuzzy Hash: ca0c7528f62d15faf8fd88ce3e854dd9baa3362da9da8984c696a2fdeff7ed90
Instruction Fuzzy Hash: 70D05E31700330574A19327D682C42E72DECBC9A21320003EE00AC3340EDB68C4243D9

Uniqueness

Uniqueness Score: -1.00%

Function 016E0507 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.446331964.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d6fd89e20ea122438be7e91c820074c3363702353fb34c51762c96c7e8d4e42
Instruction ID: 237f4a4ed735ad1b332287be15fca089303ee29e8b368990c1df0b5caaa6c4cf
Opcode Fuzzy Hash: 7d6fd89e20ea122438be7e91c820074c3363702353fb34c51762c96c7e8d4e42
Instruction Fuzzy Hash: B8E08C35A082918FC7424BB8D8586A47FF89F8B25430901EBF048CB333DB215C29CB50

Uniqueness

Uniqueness Score: -1.00%

Function 016EE890 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.446331964.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca7e8f5ec0d8acd9c7db5bfe74dc18d55eadb0f35ecb67580e31a447fe6a34d9
Instruction ID: da867f7d502d3b488bd47752bc27bed5f6637d0a58ab8e62d8236d7607a810d6
Opcode Fuzzy Hash: ca7e8f5ec0d8acd9c7db5bfe74dc18d55eadb0f35ecb67580e31a447fe6a34d9
Instruction Fuzzy Hash: A7D05BB194D3D19FC7033AB04C5C095BF61EE1251138A52C7D480CE2D7D61E990C8766

Uniqueness

Uniqueness Score: -1.00%

Function 057258B0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d88cd7a742211a41f756cec8576e6979c50787974353a28ce5b7cacb9abc973f
Instruction ID: bb20d7a6313e6951541b9e626eb1e497d0868f6838a173304adc7a8d86dd0c97
Opcode Fuzzy Hash: d88cd7a742211a41f756cec8576e6979c50787974353a28ce5b7cacb9abc973f
Instruction Fuzzy Hash: 28E0B674E02208ABCB40EFB4DD4965DBBF5EB09200F6086A9D904A7240E6716A509B81

Uniqueness

Uniqueness Score: -1.00%

Function 057264BC Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de8170a9b8432249971a4d4a9c2f129cd8b33139e0cecd20301f235885e34a75
Instruction ID: 387a882b3aae595c1205d1140186326ba2bff083644eb6cbed5eee5e641413c8
Opcode Fuzzy Hash: de8170a9b8432249971a4d4a9c2f129cd8b33139e0cecd20301f235885e34a75
Instruction Fuzzy Hash: 68D0A736F044218B4B20C69AE84009CB3A1EF8826471041B3CA0AD3308FF30CE56C780

Uniqueness

Uniqueness Score: -1.00%

Function 0572ACC8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba299b183fda402fae1da7bf2f7965fa6d946ef88d4478857194a0f7c205ca1d
Instruction ID: 41259856b9c1705e263e1557fde99409b6d8efc2037079373ae3db97c666c7e5
Opcode Fuzzy Hash: ba299b183fda402fae1da7bf2f7965fa6d946ef88d4478857194a0f7c205ca1d
Instruction Fuzzy Hash: DBD01232700334574B193678681C06E72DE8B89521310407BD50EC7344DD769D4243C5

Uniqueness

Uniqueness Score: -1.00%

Function 016E0518 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.446331964.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 629080a72b127f9d708b6bee9b98e023101e5ff7bf39eb175f46a5b24a57fe7f
Instruction ID: ff71c6768a4d69a38ae84c49d51834290b9295ddec0f8a41fddd32b1c5f78944
Opcode Fuzzy Hash: 629080a72b127f9d708b6bee9b98e023101e5ff7bf39eb175f46a5b24a57fe7f
Instruction Fuzzy Hash: 79C012397401249F8700ABFDE84898977EC9F8955530000A6F505CB720DF31AC0187C1

Uniqueness

Uniqueness Score: -1.00%

Function 0572493F Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c803470d2c98c6773bbed00886c95a6df20a06d49054b650a46b5218a7eac1a
Instruction ID: 504d407456b16a8252602821f22190dd30cccd73022b5ef3f4878f34323b0c74
Opcode Fuzzy Hash: 1c803470d2c98c6773bbed00886c95a6df20a06d49054b650a46b5218a7eac1a
Instruction Fuzzy Hash: FDD01239B04930CF8E24DBA4D05859CB3A5AF44A18B174095EA5BDB370CB209E11C7C1

Uniqueness

Uniqueness Score: -1.00%

Function 057277A3 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af87dd903fe8d9415ef4d0e88d719cd9bc44a1de4c2a921b112a99c5e252d0d7
Instruction ID: 81e3943abd57d370fcd0bc59bdc56cb07bb50a6be80adc5d32b13a1955d22465
Opcode Fuzzy Hash: af87dd903fe8d9415ef4d0e88d719cd9bc44a1de4c2a921b112a99c5e252d0d7
Instruction Fuzzy Hash: F6D012367040348B4F2596A8A8015ECB7A2E78C271B5041BDDA06E3394CB715D1547D5

Uniqueness

Uniqueness Score: -1.00%

Function 016EEA19 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.446331964.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7795add34a51589844e0361baafc86647f01493b430f38a92af942b65d0fc43
Instruction ID: 7d55a04a17d63435a6f72014e88312f7df140a7054c427ed2e1e43b82a3329b6
Opcode Fuzzy Hash: b7795add34a51589844e0361baafc86647f01493b430f38a92af942b65d0fc43
Instruction Fuzzy Hash: 95D0A77590A3809FCB42CB249C0C288BB70BF6332070141CEC000CA055E2510640DF21

Uniqueness

Uniqueness Score: -1.00%

Function 05726C57 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e208d4848148ca000dbf3715019a7af01a313cce16f4d6bf218ff5a5af2a025f
Instruction ID: 802a8da926a41abd706304a17f0c3ae7b29c3a2660eea79cf221cf65507d129c
Opcode Fuzzy Hash: e208d4848148ca000dbf3715019a7af01a313cce16f4d6bf218ff5a5af2a025f
Instruction Fuzzy Hash: A7D09E39A01008DBCB04DF84E5409DDF772FB84325F10C05BED1567350CB32AA66DB91

Uniqueness

Uniqueness Score: -1.00%

Function 05726589 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f47850e60cb1262adc67c0fe3e9207c7f8c8d4c0a6c86884a8f98e4d6c48db4
Instruction ID: 217f2a48a11a975ccb8dc8218c96a6f0cd184afa114426b52cec6d6abed34a45
Opcode Fuzzy Hash: 4f47850e60cb1262adc67c0fe3e9207c7f8c8d4c0a6c86884a8f98e4d6c48db4
Instruction Fuzzy Hash: 22D0C936F00108DFCB14DBD4EC444DDF731FB84216B209162D91A97208CA301926CB40

Uniqueness

Uniqueness Score: -1.00%

Function 05726C70 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4d7c9b47b921d794742899fc65bfc357396299d9b3c8d220af1381261fd7c46
Instruction ID: df92b693fc3c1863fdc4114581f9df6255d8b71356eca42a598416827b108652
Opcode Fuzzy Hash: d4d7c9b47b921d794742899fc65bfc357396299d9b3c8d220af1381261fd7c46
Instruction Fuzzy Hash: 63C01230C09348DB8750FFBC99070297FF8D604214B4045A7CD0CC3205F93562515BD1

Uniqueness

Uniqueness Score: -1.00%

Function 016EFE8F Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.446331964.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eefec3800046db57b24baf28e5b1e125e2500493c4e737a541e90243fcfbe635
Instruction ID: 79b7f6146b1605498a2a2d1461ce500c0682c5a02e5b9ecb5ae722fca1ccab5c
Opcode Fuzzy Hash: eefec3800046db57b24baf28e5b1e125e2500493c4e737a541e90243fcfbe635
Instruction Fuzzy Hash: 57B09237B0000ADF8B14DBA4FD558DCF330EB94226B2041A7D615A20048A721A35CB60

Uniqueness

Uniqueness Score: -1.00%

Function 016E4141 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.446331964.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f32da062e5d6c53a0e14fbbd68c126d081d44fe05e6d171de2b61bda13aa3b99
Instruction ID: 4ae09947f95d83864d58911535d6e728194767b109cb5076a7fe8a557f236057
Opcode Fuzzy Hash: f32da062e5d6c53a0e14fbbd68c126d081d44fe05e6d171de2b61bda13aa3b99
Instruction Fuzzy Hash: E4C09B1504D3C0DDD70767141D100A1BF336E4368C39D45D79084DE553D046D415C335

Uniqueness

Uniqueness Score: -1.00%

Function 016E42C8 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.446331964.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebb6767d5a485c4409002c82a97a0330bdfea2df5084b7d170051cceb9a9c464
Instruction ID: 3a8fe24912b34cf22cdc19dea420f889c97c1fcd5d1f290db7cff9a78fa5190a
Opcode Fuzzy Hash: ebb6767d5a485c4409002c82a97a0330bdfea2df5084b7d170051cceb9a9c464
Instruction Fuzzy Hash: 0CB01230005B0D4FCB40BBA5FC049483B5C9944608B404515920C4501D5BB429608F9C

Uniqueness

Uniqueness Score: -1.00%

Function 0572ECC3 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa254df8804684845c05706ad8230f63093f27234c917daedb6fc33ee78f311
Instruction ID: b99fe8496bf4c359316d96954688ee3d5881c79ad30c66bd5effa2dd52fcb7bb
Opcode Fuzzy Hash: 9fa254df8804684845c05706ad8230f63093f27234c917daedb6fc33ee78f311
Instruction Fuzzy Hash: CEB092B2904A609BDB269A30CD293063A62BB92306F2C8AA8810180795C679E491E652

Uniqueness

Uniqueness Score: -1.00%

Function 0572E743 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6bcee33112c8144e9e65169280f7fe6a1aa2f599dd37de767df8da485a0a182
Instruction ID: c9129ff8752323ef5aa9cef073d9cb0868f39d00c8e19cba4faa276c8f43d815
Opcode Fuzzy Hash: e6bcee33112c8144e9e65169280f7fe6a1aa2f599dd37de767df8da485a0a182
Instruction Fuzzy Hash: B6C09B71500144DBFF159F75CD497453715BB41305F14C4F4940158559CB75C585D780

Uniqueness

Uniqueness Score: -1.00%

Function 016E06D0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.446331964.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcb26bd04d0890f5de4254aa7ab4a270d7050cb20fb997278eeb824fc82535fe
Instruction ID: 3992b7c1826427371640eafe91ec9710c67007b03326ea390dd08092baef1dc6
Opcode Fuzzy Hash: fcb26bd04d0890f5de4254aa7ab4a270d7050cb20fb997278eeb824fc82535fe
Instruction Fuzzy Hash: 10A01132008A0CABC3202BA0FC0C00C3B3CBA00202B802222A20E80088CAA228208B82

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 016E0C6F Relevance: 5.7, Strings: 3, Instructions: 1958COMMON

Download Yara Rule

Strings

O3&8, xrefs: 016E19B2
z.x:, xrefs: 016E1EC0
X-*2, xrefs: 016E34F2

Memory Dump Source

Source File: 00000000.00000002.446331964.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_confirm order.jbxd

Similarity

API ID:
String ID: O3&8$X-*2$z.x:
API String ID: 0-4115271885
Opcode ID: 13374cdb23987d244cb9b675cae571cd08a10e005b8f5f1f1f8a9890935dcad3
Instruction ID: 9ae499fb529756add5129b67e2ac4c50ed4798f867d5741e0db854145628b038
Opcode Fuzzy Hash: 13374cdb23987d244cb9b675cae571cd08a10e005b8f5f1f1f8a9890935dcad3
Instruction Fuzzy Hash: 07439271C217AB8ACB619F6488442C9F771BFA6304F6597D6D5483B101EBB02BDACF81

Uniqueness

Uniqueness Score: -1.00%

Function 05722C00 Relevance: .8, Instructions: 759COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.455275793.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3ac2a1b3ac45acd77b63bc212815e8e2faf7ce037cc0f0d032a8876067cb86c
Instruction ID: 2c1f55edf866075029de04e60be81b5eb612f53d635154c8d3b1f3c3464665da
Opcode Fuzzy Hash: f3ac2a1b3ac45acd77b63bc212815e8e2faf7ce037cc0f0d032a8876067cb86c
Instruction Fuzzy Hash: 34523C75E042299FCF14CFA9C8849AEBBB2FF88310F29C56AE914EB315D6359C41DB50

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: confirm order.exePID: 1020, Parent PID: 5552COMMON

Execution Graph

Execution Coverage:	13.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	101
Total number of Limit Nodes:	5

Executed Functions

Function 02D7B6C0 Relevance: 6.1, APIs: 4, Instructions: 124
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02D7B730
GetCurrentThread.KERNEL32 ref: 02D7B76D
GetCurrentProcess.KERNEL32 ref: 02D7B7AA
GetCurrentThreadId.KERNEL32 ref: 02D7B803

Memory Dump Source

Source File: 0000000E.00000002.530890125.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2d70000_confirm order.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 700d4a9c6a909e1a90272fdcc78ed2f58884008d668036445c5e866d4555ed16
Instruction ID: e7f142ef1b2e361828ecdde49d019bf4913a4196ea9e81daa24cde06f226628e
Opcode Fuzzy Hash: 700d4a9c6a909e1a90272fdcc78ed2f58884008d668036445c5e866d4555ed16
Instruction Fuzzy Hash: 235144B09046488FDB10CFAAD588BAEBBF1BF49318F24845AE019A7350D7795945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D7B6D0 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02D7B730
GetCurrentThread.KERNEL32 ref: 02D7B76D
GetCurrentProcess.KERNEL32 ref: 02D7B7AA
GetCurrentThreadId.KERNEL32 ref: 02D7B803

Memory Dump Source

Source File: 0000000E.00000002.530890125.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2d70000_confirm order.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 8ea3d209542e2b6149922e1a63e9c61e41f6a8199adc9eb07659cfc617e5ea58
Instruction ID: c17504be5dcc1e22fd3412dbb64d849ee8958f4909143b0cff0d64c980eebbc6
Opcode Fuzzy Hash: 8ea3d209542e2b6149922e1a63e9c61e41f6a8199adc9eb07659cfc617e5ea58
Instruction Fuzzy Hash: 105155B0D04648CFDB10CFAAD588B9EBBF1BF49318F24845AE019A7350D7789944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02D793E8 Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02D7962E

Memory Dump Source

Source File: 0000000E.00000002.530890125.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2d70000_confirm order.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: dc0395b91531c1fa8b1ddb2f2123ec4fbf87d5100b30ea73bc07acf910820802
Instruction ID: 458d6efa33122def7372a03c3b8eee1b8efe6de33018322d556050adf44e46c7
Opcode Fuzzy Hash: dc0395b91531c1fa8b1ddb2f2123ec4fbf87d5100b30ea73bc07acf910820802
Instruction Fuzzy Hash: 78711271A00B058FD724DF2AD45479ABBF1FF88218F008A2DD58ADBB50E779E845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02D7FB61 Relevance: 1.6, APIs: 1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02D7FD0A

Memory Dump Source

Source File: 0000000E.00000002.530890125.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2d70000_confirm order.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 53f9a4d2243036d570017396169ffecd53000b0ec7a19b22fb902ac82a908793
Instruction ID: 1b9d20bf0ffc0ee1cebd0f0736ab5525ccef500f4c33274fa239bf88a0b2da94
Opcode Fuzzy Hash: 53f9a4d2243036d570017396169ffecd53000b0ec7a19b22fb902ac82a908793
Instruction Fuzzy Hash: 5B51F0B1D043489FDB14CFA9C884ADEBBB1FF48314F24816AE818AB211D775A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02D7FBF8 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02D7FD0A

Memory Dump Source

Source File: 0000000E.00000002.530890125.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2d70000_confirm order.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ee4e1c5a44127797741e500580bfa3a4b930288098f2b82a87c8f6156cb28c04
Instruction ID: 5770b8f63460eddbecfdf0472390fb07707b40bbbde878b75480bb8223ff9fca
Opcode Fuzzy Hash: ee4e1c5a44127797741e500580bfa3a4b930288098f2b82a87c8f6156cb28c04
Instruction Fuzzy Hash: 854190B1D003099FDB14CF99D884ADEBBB5BF48314F24812AE819AB250D7759945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02D7BCF9 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02D7BD87

Memory Dump Source

Source File: 0000000E.00000002.530890125.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2d70000_confirm order.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9ee1cd56a13840f4719dbafc620cc231c6181693d64e1a7557abb4d72c1ba92e
Instruction ID: c2b6c20da77ff7f0d70674f9ef1eed76d64fe4ae603d8f498caeb0019932f582
Opcode Fuzzy Hash: 9ee1cd56a13840f4719dbafc620cc231c6181693d64e1a7557abb4d72c1ba92e
Instruction Fuzzy Hash: CD2103B59002489FCB00CFAAD884ADEBFF8EB48324F14801AE914A3310D379A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D7BD00 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02D7BD87

Memory Dump Source

Source File: 0000000E.00000002.530890125.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2d70000_confirm order.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: cc3e38ce51db703c78ba88fc28a87512617cce3520b77d0dd07542c308b7c724
Instruction ID: b22f136dbb9eb62ddaf7c6ec835af696199ccba6e07b0194a152689c26432097
Opcode Fuzzy Hash: cc3e38ce51db703c78ba88fc28a87512617cce3520b77d0dd07542c308b7c724
Instruction Fuzzy Hash: 0A21F3B5900208DFDB10CFAAD884ADEBFF8FB48324F14801AE915A3310D378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D78768 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02D796A9,00000800,00000000,00000000), ref: 02D798BA

Memory Dump Source

Source File: 0000000E.00000002.530890125.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2d70000_confirm order.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a58e8fa0eae0698f26d17ce97dd14642a8babc14ea931ca8b21e2ff282552e7e
Instruction ID: 91a50dd85df66006cc4f0c37bd34aa1804a5fd6e80930d974ddeb9fd3ef56858
Opcode Fuzzy Hash: a58e8fa0eae0698f26d17ce97dd14642a8babc14ea931ca8b21e2ff282552e7e
Instruction Fuzzy Hash: 731103B69042098FDB10CF9AC444BDEBBF4EB88324F04842ED925A7700D3B9A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02D79849 Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02D796A9,00000800,00000000,00000000), ref: 02D798BA

Memory Dump Source

Source File: 0000000E.00000002.530890125.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2d70000_confirm order.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e8ccd1c44b07ecc420fd2ad5ed96d14964d242e57be87e6c53bbe4d243c829fc
Instruction ID: 27a7cfed779fcdc840bd37c51c93af35546063977f5b6cce4db28df472d812d0
Opcode Fuzzy Hash: e8ccd1c44b07ecc420fd2ad5ed96d14964d242e57be87e6c53bbe4d243c829fc
Instruction Fuzzy Hash: E011E4B6D002099FDB10CFAAD448ADEFBF4EB88324F14852ED915A7700D379A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02D795C8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02D7962E

Memory Dump Source

Source File: 0000000E.00000002.530890125.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2d70000_confirm order.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b9327c248144327e48779492373840d0fc968016d59534ae715cc72ae7ddfa72
Instruction ID: fc5c6df13f4908658152ae86a9ea1a158fc2371fee277e1b98e1421e2079ac69
Opcode Fuzzy Hash: b9327c248144327e48779492373840d0fc968016d59534ae715cc72ae7ddfa72
Instruction Fuzzy Hash: 6C11E3B6D006898FCB10CF9AD444BDEFBF4EB88324F14851AD819A7700D379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D7FE38 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowLongW.USER32(?,?,?), ref: 02D7FE9D

Memory Dump Source

Source File: 0000000E.00000002.530890125.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2d70000_confirm order.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 23182c518ce0d45304037bb12bcc02f78050195fc424d1ddae551161081dc8d0
Instruction ID: a7e8f2ccc4732efe2321762f578c275880774bab4b3d58444fa61c7ca0cb7157
Opcode Fuzzy Hash: 23182c518ce0d45304037bb12bcc02f78050195fc424d1ddae551161081dc8d0
Instruction Fuzzy Hash: 301106B58002489FDB10CF9AD589BDEBBF8EB48324F14841AD959A7741D374A944CFB1

Uniqueness

Uniqueness Score: -1.00%

Function 02D7FE40 Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowLongW.USER32(?,?,?), ref: 02D7FE9D

Memory Dump Source

Source File: 0000000E.00000002.530890125.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2d70000_confirm order.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 0edb32cccefe669eea9319f6c76f4892e899c848a12ec4719c15c9454d6738f7
Instruction ID: 2bb081e878e18793ce3f427c32925397b8fd22e0ce3d35ca4859c471f5122e3b
Opcode Fuzzy Hash: 0edb32cccefe669eea9319f6c76f4892e899c848a12ec4719c15c9454d6738f7
Instruction Fuzzy Hash: D31115B58002488FDB10CF9AD588BDFBBF8EB88324F10841AD919A7740C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0126D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.529791740.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_126d000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97c838d71a140409e26f5e4be9edaf3d6eddcabc9ec9b1b1bab8af86f8281c31
Instruction ID: 9d65a6d9eceb6e7a635eef59058810ef59f2aedffad47d81b9563c49016e5888
Opcode Fuzzy Hash: 97c838d71a140409e26f5e4be9edaf3d6eddcabc9ec9b1b1bab8af86f8281c31
Instruction Fuzzy Hash: DD2167B061824CDFCB10CF54D8C0B22BB69FB88354F20C56DD9894B286C377D887CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0126D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.529791740.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_126d000_confirm order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2086cfafe7b775522e1fe6caef052131a468968b21b04099ddd64f22d34c767f
Instruction ID: 8c8fa765cfbf9e84d15a9d99082abe5fb5db744097961d03b5d47f3be0d59f94
Opcode Fuzzy Hash: 2086cfafe7b775522e1fe6caef052131a468968b21b04099ddd64f22d34c767f
Instruction Fuzzy Hash: A511BE75504288CFCB12CF14D5C4B15BB71FB88324F24C6A9D9494B696C33AD44ACBA2

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Ugtphvhf.exePID: 5292, Parent PID: 3452COMMON

Executed Functions

Function 0101AE9B Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66def4f25d3cc91b5a83472e19a19686ba59380d3f0ab3af84efb4c96f09d14b
Instruction ID: 4d814a5a28233bdc48ed2f9bd5b6135b2670ae93822baf03a5a928ee349368a6
Opcode Fuzzy Hash: 66def4f25d3cc91b5a83472e19a19686ba59380d3f0ab3af84efb4c96f09d14b
Instruction Fuzzy Hash: A1D19CB4B002118FCB68DFADC05452DF3F2BF89214B1585AEE586CB7A6DB78EC458B41

Uniqueness

Uniqueness Score: -1.00%

Function 04F3CE27 Relevance: 13.4, Strings: 10, Instructions: 877COMMON

Download Yara Rule

Strings

t% l, xrefs: 04F3D329
D! l, xrefs: 04F3DC31
c!+h^, xrefs: 04F3DDC6, 04F3DDCB
DY#l, xrefs: 04F3D35C
t% l, xrefs: 04F3DC8E
LZ#l, xrefs: 04F3D428
D! l, xrefs: 04F3D3F5
<X#l, xrefs: 04F3D230
,V#l, xrefs: 04F3CF6C
4W#l, xrefs: 04F3D038

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID: ,V#l$4W#l$<X#l$D! l$D! l$DY#l$LZ#l$t% l$t% l$c!+h^
API String ID: 0-2935795497
Opcode ID: b190eb271effd4823b475f2ed982005acf4db923bba7d99021a16995a7a5ebf0
Instruction ID: e9bbafe9038b8870a064c4ee66f543de92d4ab0442454d49735ff06aa4a6bb94
Opcode Fuzzy Hash: b190eb271effd4823b475f2ed982005acf4db923bba7d99021a16995a7a5ebf0
Instruction Fuzzy Hash: 5592E5B590021C9FDB259F60D891BEDB7B2FF45304F1041EAD60A6B264DB719E86CF81

Uniqueness

Uniqueness Score: -1.00%

Function 04F3CE38 Relevance: 13.4, Strings: 10, Instructions: 867COMMON

Download Yara Rule

Strings

t% l, xrefs: 04F3D329
D! l, xrefs: 04F3DC31
c!+h^, xrefs: 04F3DDC6, 04F3DDCB
DY#l, xrefs: 04F3D35C
t% l, xrefs: 04F3DC8E
LZ#l, xrefs: 04F3D428
D! l, xrefs: 04F3D3F5
<X#l, xrefs: 04F3D230
,V#l, xrefs: 04F3CF6C
4W#l, xrefs: 04F3D038

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID: ,V#l$4W#l$<X#l$D! l$D! l$DY#l$LZ#l$t% l$t% l$c!+h^
API String ID: 0-2935795497
Opcode ID: 9f561d77b35e81d16353ca2df93a4f01c2c514cda07960220d0ed2126cd6c396
Instruction ID: 0d1d3030719017222ed8ea32320929909ebc25bf4edb0a438b10be3a62c06693
Opcode Fuzzy Hash: 9f561d77b35e81d16353ca2df93a4f01c2c514cda07960220d0ed2126cd6c396
Instruction Fuzzy Hash: A892D4B590421C9FDB259F60C891BEDB7B2FF45304F1041EAD60A6B268DBB19E85CF81

Uniqueness

Uniqueness Score: -1.00%

Function 04F3DF40 Relevance: 3.0, Strings: 2, Instructions: 517COMMON

Download Yara Rule

Strings

d, xrefs: 04F3E193
hC$l, xrefs: 04F3E4D4

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID: d$hC$l
API String ID: 0-793003403
Opcode ID: 6fceb74a0afe82d3c3ba6253073e0f9f263381daa9a2e8c439f4e9514a2b469c
Instruction ID: 6f7c4b41693dd3f41cbc408ad7f658bbc329652a352ebf06cf84bc8f438b856d
Opcode Fuzzy Hash: 6fceb74a0afe82d3c3ba6253073e0f9f263381daa9a2e8c439f4e9514a2b469c
Instruction Fuzzy Hash: A1128934B006158FD714CF68C480AAAB7F2FF88315B158A69D55ADB762DB30FC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F2EA50 Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

d, xrefs: 00F2EC58

Memory Dump Source

Source File: 0000000F.00000002.530507267.0000000000F23000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F23000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f23000_Ugtphvhf.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 6b4bb6b721c09aed99a7508cc2e69c460e6e8690b17df4996fb1cef3843adb21
Instruction ID: 28ab06ea2326c61c36772355a427fc1776cdebf9d1f4be21f760fba871d733c2
Opcode Fuzzy Hash: 6b4bb6b721c09aed99a7508cc2e69c460e6e8690b17df4996fb1cef3843adb21
Instruction Fuzzy Hash: 1BB1E874A0022ACFCB14CF98D8809ADB7B2FF89314B158695D905AF356D774ED45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 010159AF Relevance: 1.5, Strings: 1, Instructions: 243COMMON

Download Yara Rule

Strings

1, xrefs: 01015BF5

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID: 1
API String ID: 0-2212294583
Opcode ID: 98be1fe11a767f193111e44a9761a5772d60f29582c7f1b35a03e6cde1ac09c0
Instruction ID: 2ba596e09bdae263c2e20ad5dfcc135fd0490f0cbdf029ad4e5bb95278da1019
Opcode Fuzzy Hash: 98be1fe11a767f193111e44a9761a5772d60f29582c7f1b35a03e6cde1ac09c0
Instruction Fuzzy Hash: 1DA16E31A002199FCB54DFA8C884A9EBBF2BF89304F1581A9E545EF365DB34EC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04F3EAF8 Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

$l, xrefs: 04F3EB53

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID: $l
API String ID: 0-3628365842
Opcode ID: a9df3be0c341bbcf8997ecd265b8bc4e5f60a4757514f422dec64d78f4429c15
Instruction ID: deeb8cdfc1df7a8bed7f1e001a33bb6f67c077105446dc5097de37c59597ed60
Opcode Fuzzy Hash: a9df3be0c341bbcf8997ecd265b8bc4e5f60a4757514f422dec64d78f4429c15
Instruction Fuzzy Hash: AA51D571B4411A47DB189B66C86067FB2A76FC464AF14807ACA42DB784EF35EC03D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00F20538 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

`#l, xrefs: 00F205BA

Memory Dump Source

Source File: 0000000F.00000002.530437180.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f20000_Ugtphvhf.jbxd

Similarity

API ID:
String ID: `#l
API String ID: 0-1636341610
Opcode ID: ce724fb92222b42ce4cc4c761a18e39c79faa49e748bd260a8294b7b37cb2b42
Instruction ID: e88c130a8415220a9d819397de78a583ddbc65066288dfe62a618858277c3795
Opcode Fuzzy Hash: ce724fb92222b42ce4cc4c761a18e39c79faa49e748bd260a8294b7b37cb2b42
Instruction Fuzzy Hash: 953104317046604FD7059B79D854A6EBBE6EFCA71470984BAE409CB362DF30DC09C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00F205B0 Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

`#l, xrefs: 00F205BA

Memory Dump Source

Source File: 0000000F.00000002.530437180.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f20000_Ugtphvhf.jbxd

Similarity

API ID:
String ID: `#l
API String ID: 0-1636341610
Opcode ID: 79ef7395bcad5da8736122d924439a00159511bed51dbdfd5a91d822b162b16b
Instruction ID: 204d5f29b0c1e13e94d3a8392d6eb293ae1d4431ec33fb5568db550d6dd00c6a
Opcode Fuzzy Hash: 79ef7395bcad5da8736122d924439a00159511bed51dbdfd5a91d822b162b16b
Instruction Fuzzy Hash: AD31E4317082608FC304DB79D86092ABBE6EFC961471985BAE419CB7A7DF30EC05C791

Uniqueness

Uniqueness Score: -1.00%

Function 04F38F20 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

h?$l, xrefs: 04F38F6C

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID: h?$l
API String ID: 0-1158508168
Opcode ID: 1d3cf7edf268a25f52f8b4ad7cf7b1ed4bf44c567314e7ac2b5e1a46d701806d
Instruction ID: 02fed54b5374b209ab4517d2b8ec585a57b945f2276a60a4040a5f97e7120dc7
Opcode Fuzzy Hash: 1d3cf7edf268a25f52f8b4ad7cf7b1ed4bf44c567314e7ac2b5e1a46d701806d
Instruction Fuzzy Hash: 14310230B002189FC7159B78C4546AE7BF6EFC9740F19406AE905EB3A2DF759C068BA2

Uniqueness

Uniqueness Score: -1.00%

Function 01016A88 Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

2, xrefs: 01016B20

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID: 2
API String ID: 0-450215437
Opcode ID: 2dfd1d6e28778796a0d1c0495eb79ae0b0bf7a3fa82e1709676cc860ec5cede8
Instruction ID: 5b7170bd7c2bd6fbdb1c52fe1b834dec6d706fc5e2b0ef42a621d87baff7b2fa
Opcode Fuzzy Hash: 2dfd1d6e28778796a0d1c0495eb79ae0b0bf7a3fa82e1709676cc860ec5cede8
Instruction Fuzzy Hash: B2316D35A01209EFCB05DFA8E8809EDBBB5FF88310F10806AE855E7355DB319A16CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04F3E840 Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

Z#l, xrefs: 04F3E89C

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID: Z#l
API String ID: 0-2967072770
Opcode ID: 6a7eeb0440f5b6ecadb633699b014227d1fc63c4c96f50b2f228a6dd25229517
Instruction ID: 641e1353f4cf1c626278fbbf7f742c9b4587f45274d40f51b9ce298b2f245fa7
Opcode Fuzzy Hash: 6a7eeb0440f5b6ecadb633699b014227d1fc63c4c96f50b2f228a6dd25229517
Instruction Fuzzy Hash: 8B116174E00249AF9B44EFB9D9416ADB7F2EF89604F1088AA9415FB305EB30AE018F45

Uniqueness

Uniqueness Score: -1.00%

Function 04F399A8 Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

T+h^, xrefs: 04F399DF

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID: T+h^
API String ID: 0-1492051427
Opcode ID: d6c2d12688734e5ba74f448537f94a00e6b318f58973093a0838caeb8455ff8e
Instruction ID: 7f60568107d987a8ce77dbe9c31e0190dec21abdca5e230f87052d4730537d6f
Opcode Fuzzy Hash: d6c2d12688734e5ba74f448537f94a00e6b318f58973093a0838caeb8455ff8e
Instruction Fuzzy Hash: 9BF05979600A001F93105A2A688168AB7D5DAC0568301883AE209C7702EE94AD078795

Uniqueness

Uniqueness Score: -1.00%

Function 04F31AB4 Relevance: .6, Instructions: 614COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b5af311a7b941ad365b6a211e209c9d728ded77afa808522c0fe9cf1cb43871
Instruction ID: c2c1ea1dabe6f4414de9cd0dff447c099675d54e19517666f038547d111afdbe
Opcode Fuzzy Hash: 7b5af311a7b941ad365b6a211e209c9d728ded77afa808522c0fe9cf1cb43871
Instruction Fuzzy Hash: 2D42703A600514DFCB06DF98C988D59BBB2FF49715B1A8098E6069B376CB32EC52DF50

Uniqueness

Uniqueness Score: -1.00%

Function 0101B950 Relevance: .4, Instructions: 441COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c65d3658ee77a29989846abbb0f4da89166dec745fe6025176b497e29c39f9a5
Instruction ID: 70da0ae00f2defabfad799fd0d465233bfb40ee011d4ac258c674b8727a08c0a
Opcode Fuzzy Hash: c65d3658ee77a29989846abbb0f4da89166dec745fe6025176b497e29c39f9a5
Instruction Fuzzy Hash: 57F1D075B00205CFCB68DF6CC094A6DB7F2AF88310F1585AAE586DB7A6DB38DC418B51

Uniqueness

Uniqueness Score: -1.00%

Function 0101B392 Relevance: .4, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a331703b9780519965745d726f3d4599105f1c2183cd36c870e1d4c9d50a3f83
Instruction ID: d24e1b4aa4ac9a70e1552e964d6b2d76986942a7b41fb92548fa94e39456c0e7
Opcode Fuzzy Hash: a331703b9780519965745d726f3d4599105f1c2183cd36c870e1d4c9d50a3f83
Instruction Fuzzy Hash: A0F1A074B042018FCB65DF69C454A6DB7F2BF88314F1884AAE586DB3A6DB38DC41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0101E7B2 Relevance: .4, Instructions: 411COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4cd2022324646c2eff233ac4844d480da653a118d7375889ac89a7354ae62b4
Instruction ID: 4ad1b0c0774903209d4698c596f852455e3953cd656c67ce3ac9056d8d48e658
Opcode Fuzzy Hash: a4cd2022324646c2eff233ac4844d480da653a118d7375889ac89a7354ae62b4
Instruction Fuzzy Hash: 40E1E374B042018FCB6ADF6CD45456DB7E2FF84314B1984AAE98ADB3A6DB38DC41CB11

Uniqueness

Uniqueness Score: -1.00%

Function 010152F7 Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fabd8ecaa6b839b69795e4ed7e4d4bdb569d55155b6d53aeed0df2cd82f4a770
Instruction ID: d96035d76480651ff3ef94f92347dab5a7781b0af4fdc00535e5da39647caa8b
Opcode Fuzzy Hash: fabd8ecaa6b839b69795e4ed7e4d4bdb569d55155b6d53aeed0df2cd82f4a770
Instruction Fuzzy Hash: 6DF10674A00218DFDB14CBA8D984AADBBF2FF89314F1580A9E5459F3A5DB35EC42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01018630 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0ece3ad46dcde7b89c3c5e14e2cf4ab0351fbfdd6f8c7cf2d89f21386f33d89
Instruction ID: 257d98fb136b4aca413f9ca296ab006d604e0064e2c22f452d90fd43fbdd3e0f
Opcode Fuzzy Hash: c0ece3ad46dcde7b89c3c5e14e2cf4ab0351fbfdd6f8c7cf2d89f21386f33d89
Instruction Fuzzy Hash: 2FE15C35B001199FDB14DFA9D594AAEBBF2BF48300F15806AE945EB368DB34DD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04F3AF50 Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3323571c28b452a892bc859758b7f3b11baf81f9caa948d5d3c1a34b88d7b733
Instruction ID: cfbd889c0dda900bbc99fc9139fd6bb428a85c0ee316760ca01b444972e3f1b1
Opcode Fuzzy Hash: 3323571c28b452a892bc859758b7f3b11baf81f9caa948d5d3c1a34b88d7b733
Instruction Fuzzy Hash: A7E18075A002098FCB05DF68C594AADBBF6FF89301F158165E905AB366EB30FD46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01017C90 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a7c57cf6be9990154c37e23fdca201cca70c28cf7f4b8272d5af2dbcd18969d
Instruction ID: cbf8bec23f9cdc077dabd85de2b9085adf1f0bb5586e80886f002d3a1fd167a1
Opcode Fuzzy Hash: 3a7c57cf6be9990154c37e23fdca201cca70c28cf7f4b8272d5af2dbcd18969d
Instruction Fuzzy Hash: 3BA1D530B04106CFDB65DF68C050A2EB7E1BF48314B1584AED589DB39AEB79ED42CB81

Uniqueness

Uniqueness Score: -1.00%

Function 04F3F290 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b14cf5884a8cad9962a0c93a64f25f2b291d4390c0a6cf5ba829034efb0eece8
Instruction ID: 5fe49e86aa0297b3fe2c40a706a575287c5199830a3f99cc075ba2739d115587
Opcode Fuzzy Hash: b14cf5884a8cad9962a0c93a64f25f2b291d4390c0a6cf5ba829034efb0eece8
Instruction Fuzzy Hash: 28B16874B006058FCB14EF34D584A6EBBF2FF88205B148969E956CB365EB74EC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01019B50 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7adf50d50823dbdbc6d858738a9fc3b67d5619d689b29587ed6a591c81efec6a
Instruction ID: 0184bbc455e469830865345ceec7b2c5b18a9276790cd0a7a60170137242a4d6
Opcode Fuzzy Hash: 7adf50d50823dbdbc6d858738a9fc3b67d5619d689b29587ed6a591c81efec6a
Instruction Fuzzy Hash: 54A1F3747042018FCB659F6DC4A0529B7E2BF88218B1585AED1CACF39ADB78EC458B91

Uniqueness

Uniqueness Score: -1.00%

Function 01010F38 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 159b5c899dded96f1b5004c17699fada39a588f84ddc786bffff208938da1b70
Instruction ID: 13cae95af6d56668114dea15a04c567047f436d0ea6bff615d0bdfa57f9019e0
Opcode Fuzzy Hash: 159b5c899dded96f1b5004c17699fada39a588f84ddc786bffff208938da1b70
Instruction Fuzzy Hash: F6B16974A00605CFCB14CF68C98099AFBF2FF88314B24869AE559DB366D730EC45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 04F3ABF8 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb7ba8c036741e960489578799e3b1d20fb173414fd4e03bb7241b91439c5d0f
Instruction ID: e014275e7cb19b6edfdd455f71bb30e6c65333a1c5312e2dbe3d0541bfdadae3
Opcode Fuzzy Hash: fb7ba8c036741e960489578799e3b1d20fb173414fd4e03bb7241b91439c5d0f
Instruction Fuzzy Hash: 725184B660D7C14FC7169B7A98E24907FA1EE9710430B82EBD484CF66BE7148D07C766

Uniqueness

Uniqueness Score: -1.00%

Function 01016608 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fdcc21b93d889d187e7995a2546fc97b978e46ec1427c407e5b123df5d481ca
Instruction ID: 4686c4838f7275282c3a1a4b673ca53c08501eea67ad0ea7758a832cecb26339
Opcode Fuzzy Hash: 9fdcc21b93d889d187e7995a2546fc97b978e46ec1427c407e5b123df5d481ca
Instruction Fuzzy Hash: FCA1B174A00208DFDB15CF94C854B9EBBF2BF48704F158059E545AF3A8CBB5AD81CB80

Uniqueness

Uniqueness Score: -1.00%

Function 01014FA8 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f406af0f7c0d82f13664baf4cc3ce32599aa6ac42745a61644eac5b76a14e371
Instruction ID: cbd108f19386a0394b95d2524c12906c7fd869ed6349d824d0190a2efd4221a0
Opcode Fuzzy Hash: f406af0f7c0d82f13664baf4cc3ce32599aa6ac42745a61644eac5b76a14e371
Instruction Fuzzy Hash: 7091C334B002058FCB05EB78C4907EEF7E2AFC6214F08C459D196AF79ADB799D458B91

Uniqueness

Uniqueness Score: -1.00%

Function 0101862F Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4de45f926e979f8089ca43efeec3882db5feb3b301ef64a82b9d6d60ca43a6d4
Instruction ID: 59c2e5d7cb96f7dbdfa3e0dcc46138bb790b5c9aa96527f5529f8bd16da9e800
Opcode Fuzzy Hash: 4de45f926e979f8089ca43efeec3882db5feb3b301ef64a82b9d6d60ca43a6d4
Instruction Fuzzy Hash: BEA13A75A001199FDB04DF68D594A9EBBF2BF88300F15C06AE946EB369DB34ED41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01014FA7 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ee258a7f99aee0ad1750a13308070ae3be063d93d21f9ddfeac09d156674f81
Instruction ID: f36408f4b92f34f3257455e01f8a54d57731fbb32113124efdb6d51138017af9
Opcode Fuzzy Hash: 5ee258a7f99aee0ad1750a13308070ae3be063d93d21f9ddfeac09d156674f81
Instruction Fuzzy Hash: BD91C134A002068FCB05EB78C4907EEF7E2AFD6214F08C559D096AF39ADB799D45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04F3B950 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0503603e8b712279ac0ac1c4e3ae158857d63783b6831c42efab3358b436dff
Instruction ID: 97ed5615e2d08efa91682ae0d4bdae3390a1b1f290532449ec18bc1b3bbf4f67
Opcode Fuzzy Hash: a0503603e8b712279ac0ac1c4e3ae158857d63783b6831c42efab3358b436dff
Instruction Fuzzy Hash: 7671D135B042149FDB148B74D864B6E7BF6EF88715F158069E90ADB3A2DB35EC02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01012158 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47b2a6bc030164f65eb6e364c735ec09480062502480a82d22e3ed3d99870fa0
Instruction ID: 663734039c2c633bfbeeac458392ce4f257158250a09256d8c0ca5384d7102e7
Opcode Fuzzy Hash: 47b2a6bc030164f65eb6e364c735ec09480062502480a82d22e3ed3d99870fa0
Instruction Fuzzy Hash: D681BE35E04215AFCB16CFA8D8849ADFFB2FF89310F25856AE945A7346C7399C41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01014348 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f4d8e1adc05fcf5d54ea3a7250bb7ae66507831baf5805ddcd8a2c918e79fef
Instruction ID: 874b23adadd3af55a80058e8f3f2232fd816bce4bbb6fd16ec123543bb5cab0a
Opcode Fuzzy Hash: 5f4d8e1adc05fcf5d54ea3a7250bb7ae66507831baf5805ddcd8a2c918e79fef
Instruction Fuzzy Hash: 40712535B042058BCB14DF68C450AAEB7E2EFC4365F05807AEA99CB399EF34DC028791

Uniqueness

Uniqueness Score: -1.00%

Function 01017498 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be357636d9cc2f8551013fb38a78067428ce9fc3bcbb23a5dfd14c4c1dba0055
Instruction ID: a4affef94ef3000580c2db78a72bde1f8da6f4c817f0270ab9bc012e513219cc
Opcode Fuzzy Hash: be357636d9cc2f8551013fb38a78067428ce9fc3bcbb23a5dfd14c4c1dba0055
Instruction Fuzzy Hash: EC81E938A00115DFDB259B64C414BBCB6E1FF88340F19459AC586AF79AEF7D9C04C762

Uniqueness

Uniqueness Score: -1.00%

Function 01010A70 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0027a361958e37185a8311b9598c9ab12092be4211de3eb2c30425fa805c4591
Instruction ID: dc6206d7c256d278f6044e6c85a15293b32fcb36dc87b22246c638a43579089c
Opcode Fuzzy Hash: 0027a361958e37185a8311b9598c9ab12092be4211de3eb2c30425fa805c4591
Instruction Fuzzy Hash: A971E2317006188FCB14DFA8C880AAEB7F2FF88314B158569E58ADB355DB34ED45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0101ECE2 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15ef821bcafc1208787acea04eb499feac80525ad7979ab5cce2ae8a656ce2de
Instruction ID: 456b1cf51d91d64a57bbe0c0837468fd9d898c4e10f8be541c0ea05e0647cb37
Opcode Fuzzy Hash: 15ef821bcafc1208787acea04eb499feac80525ad7979ab5cce2ae8a656ce2de
Instruction Fuzzy Hash: 18519225F08505CBEBAB562DC41453D67D26F85220F0A85BADDCBCB3EEDA2CCC464742

Uniqueness

Uniqueness Score: -1.00%

Function 04F33B80 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0956fdf7b17c368433d82a0cec70283625cc252fc8b033aab7b8c2e5e4d6abb5
Instruction ID: 821edf79a56352dcef313663507f0a434b1b9dcb1f1b70dbbb443366ac991dd6
Opcode Fuzzy Hash: 0956fdf7b17c368433d82a0cec70283625cc252fc8b033aab7b8c2e5e4d6abb5
Instruction Fuzzy Hash: 10512B35F085058FDB69DA2DC414539B3D2AF84266F0AC4B6DD8ACB3A4EA34FC474342

Uniqueness

Uniqueness Score: -1.00%

Function 04F3F281 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c413fda71a6b45ec0c7a680767d1ee3600c050521b80159d936d9a8e592c47dc
Instruction ID: a431ccff250826d84efec51b3c15194b80620c5f78829a38293c7ec9314e5c6d
Opcode Fuzzy Hash: c413fda71a6b45ec0c7a680767d1ee3600c050521b80159d936d9a8e592c47dc
Instruction Fuzzy Hash: E2717974A006058FDB04DF34D584AAEFBF2FF89204B048A69D946CB365EB74ED46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04F3C370 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 323c658406c32b9fe902e9d1dbca9b15fcd76427a29ca179d08f4ca45672495e
Instruction ID: 4c372ee4c8e574c1bca56951e6059e8f499a7afb9f4c1f80fe6d98b88579ea1d
Opcode Fuzzy Hash: 323c658406c32b9fe902e9d1dbca9b15fcd76427a29ca179d08f4ca45672495e
Instruction Fuzzy Hash: FF5146327001418FDB589F2DD598A2A73E6EFC9B1272980A9E506DB375EF31EC02CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01016350 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65fb46ea71fadb17b0f4dbc9b0047e177a20d676973e872973999bca5ea18e52
Instruction ID: 7bf4ece05bcc81fe7a84b5fb17223d4a5d27bba1cdd493cc43946c34fb6a5969
Opcode Fuzzy Hash: 65fb46ea71fadb17b0f4dbc9b0047e177a20d676973e872973999bca5ea18e52
Instruction Fuzzy Hash: B0714E74B002198FCB14DFA9C894A9DBBF2BF88310F158169E506DB369DB75EC42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04F37B09 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27e0f4b1068589ec7a86d166486f6a8d2e1c3a416372e8c3042a17c538d79a91
Instruction ID: 14765e68f9c5958462db67edd264f3437d22e55475ea52efbf8799176cf97fd8
Opcode Fuzzy Hash: 27e0f4b1068589ec7a86d166486f6a8d2e1c3a416372e8c3042a17c538d79a91
Instruction Fuzzy Hash: E4612AB5B002058FCB15EF69C88496ABBF5BF89751B19C5A5E815DB362D730EC02CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01013DE0 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47d74c26026c31ff0eed5a04712a52f9d8fef0f51f7d7c633d7a70a34fa46838
Instruction ID: 03b5c57201dd94c7e80df270dd97c98ca57cffb771d1de4bd7606a627426d7b2
Opcode Fuzzy Hash: 47d74c26026c31ff0eed5a04712a52f9d8fef0f51f7d7c633d7a70a34fa46838
Instruction Fuzzy Hash: C951E131B007058FCB25DF68C8507AEB7F2FB85724F1485AED1869F796DB34A8098B81

Uniqueness

Uniqueness Score: -1.00%

Function 04F37338 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b6c3cf0e19635af1f24ec604762eae8be79ad07283476aeb89378ec9de7e375
Instruction ID: fb3f7c629441d5e0e1da98f7ed24c4acdbcc44f162a7bd1420541b6ef254a28f
Opcode Fuzzy Hash: 2b6c3cf0e19635af1f24ec604762eae8be79ad07283476aeb89378ec9de7e375
Instruction Fuzzy Hash: 00516D75F00619DFCB14DFA8D480A9EBBF2AF88315F15816AE515AB361DB30EC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0101607F Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65ee4d4ef96a985e87b8ff7ee22e1c8ffb02fdbd34add6a06480079dfee7739e
Instruction ID: 55f9f6f3a9a29dc178c57d9421f61139531c0d9bd74692bc35d7ec3b87ae75da
Opcode Fuzzy Hash: 65ee4d4ef96a985e87b8ff7ee22e1c8ffb02fdbd34add6a06480079dfee7739e
Instruction Fuzzy Hash: 92518034600716CFC725DFA9C4446AEBBF1EF45304F1084AED086AB796D67AEC44CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04F377F0 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ab911968ed868f10cfc2a00e4679dad532c59b7b772772951286e3402d1d3f5
Instruction ID: cbd330e90138c2777b4f0560457c42cacd89342efa866d8547e62f2ec18d14a3
Opcode Fuzzy Hash: 8ab911968ed868f10cfc2a00e4679dad532c59b7b772772951286e3402d1d3f5
Instruction Fuzzy Hash: E2414CF1F09202CBEB297A69885017963D29BC6227F29C776C546CB391FA30AC47D342

Uniqueness

Uniqueness Score: -1.00%

Function 04F30522 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a9af4771d083958c22900231ade75e8c8c7bf02a15d5305299ea4db57292240
Instruction ID: 19f28b06279064a052fb06b18d0146bad00a681387309920169e556d26b042c9
Opcode Fuzzy Hash: 8a9af4771d083958c22900231ade75e8c8c7bf02a15d5305299ea4db57292240
Instruction Fuzzy Hash: 41512A71A00706DFDB14DF65C98496AB7F6FF98306B10892AE842D7758EB31F846CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04F3F928 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1283e88a9e6182fa45563d25fa35e5b1768ff852bf02ddea1cff046a125f7530
Instruction ID: ab7061954fcc30bcf816853dec012c70d204d9be1875efa158c68613cd2c70f9
Opcode Fuzzy Hash: 1283e88a9e6182fa45563d25fa35e5b1768ff852bf02ddea1cff046a125f7530
Instruction Fuzzy Hash: 2751E031B087408FC725DB25D454A2ABBF6AFC9204B09C5A9D54ACB766DB34FC06CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01015EA0 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68294707a718b540493e1218cb0f8ee4dc4dc47b46bd07d37a5dd46cacafa000
Instruction ID: 3647889b939e4af48869a318fe9354a7a4e3add4b9d30077f751ab329c2a2a41
Opcode Fuzzy Hash: 68294707a718b540493e1218cb0f8ee4dc4dc47b46bd07d37a5dd46cacafa000
Instruction Fuzzy Hash: 824126326045218FC716CB18C8805ADFBB2EFC2314719C6AAD5A99B646D776EC47CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 04F3A8D0 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f41a649f66636c62beb7c1c2964a107e7e79c55ae6613e2dcc3298e51ac3b824
Instruction ID: 3163c1e19a51fe4653141481f68e1408d7897da3417e23d69fa059ef3e15a7e2
Opcode Fuzzy Hash: f41a649f66636c62beb7c1c2964a107e7e79c55ae6613e2dcc3298e51ac3b824
Instruction Fuzzy Hash: 7C511734A0020DABDB04EFE0E9507AEBBB2FF88344F104419E61677399DB356E52CB61

Uniqueness

Uniqueness Score: -1.00%

Function 010145C7 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22e6f64ded9143304ad0b218cfee97d44b692d4e7ef87d38fc8cbe3bcca6c144
Instruction ID: 22d8edcc03daa0975b1fc05d91a1007c452db70157c5d3225fcac393b9021346
Opcode Fuzzy Hash: 22e6f64ded9143304ad0b218cfee97d44b692d4e7ef87d38fc8cbe3bcca6c144
Instruction Fuzzy Hash: 72515B30A002098FDB04DF68C584ADDBBF2BF8C304F2586A9D505AB3A5DB71AD05CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0101ACEF Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8c1d228430b33d4b6871b35ffbe4d349aaac794f4396e53da133b2cf8639730
Instruction ID: 38d381643de9b14034caa5f111ed7749e689e6dbb3522a44ddc048973f51351e
Opcode Fuzzy Hash: e8c1d228430b33d4b6871b35ffbe4d349aaac794f4396e53da133b2cf8639730
Instruction Fuzzy Hash: A941E1797016108FCB19AB7DD01056CB3E2EBC822571585ABD18ACB7A2DF78DC468B81

Uniqueness

Uniqueness Score: -1.00%

Function 01014230 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dc61482665ae8c82570fc9854c4bcf6fcd3be0c60833ebe5bdab7c2389919f1
Instruction ID: 048e134e04c079da4bf8817d91c7cf4e8c2ad51aa7be79444bcdecb88aa24ab6
Opcode Fuzzy Hash: 3dc61482665ae8c82570fc9854c4bcf6fcd3be0c60833ebe5bdab7c2389919f1
Instruction Fuzzy Hash: 6341AE30A092459FCB05CB68C8509AABBF5AF85350B59C0ABE489DB766E734E805CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04F37328 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ddd7484dbd1d1416b57748949f18298b82d2717f522bf9e7318c3c6f380ef57
Instruction ID: cc83336edd082529e456f0fad37fd65a688ffc69fc41455b7593a703d296933e
Opcode Fuzzy Hash: 5ddd7484dbd1d1416b57748949f18298b82d2717f522bf9e7318c3c6f380ef57
Instruction Fuzzy Hash: 6C414AB5E01619EFDB10DFA8D880A9EFBF2FF84315F158169E515AB261D730E842CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01014090 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e4b4aa784e05dbddda6c227bbe52ef50db563e2d5bb6d6cdfafbe9162eda0e
Instruction ID: a8e6302aa3518bb1ae1f5dab80d0c218c313f3ceae19a30cca8b9df882c9fb66
Opcode Fuzzy Hash: 05e4b4aa784e05dbddda6c227bbe52ef50db563e2d5bb6d6cdfafbe9162eda0e
Instruction Fuzzy Hash: 303125353092A01F872A6738D82456EBFE29FC2A0470A44FED985CF757DF159C0A87D2

Uniqueness

Uniqueness Score: -1.00%

Function 010145D0 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92ae05ebfaf110a3a91ca9002b18f867bd19bc60dce27ba7e58784b3b1383e8e
Instruction ID: 6b8835ff1c7efef66bd2123d256064f22e8a5f860fa89d05e6d121231aa3370b
Opcode Fuzzy Hash: 92ae05ebfaf110a3a91ca9002b18f867bd19bc60dce27ba7e58784b3b1383e8e
Instruction Fuzzy Hash: 8C512834A006098FDB04DF69C584A9DBBF2FF8C304F2585A9E505AB365DB71AD45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04F3DF11 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ade140905f1c81ca475d6c3e425c0c7539cf9c8521d81340b2ce862be0fa118
Instruction ID: 915b57bf54669a928c649b89940b5eead0182d79bfdba71ab8891c3ff371971c
Opcode Fuzzy Hash: 4ade140905f1c81ca475d6c3e425c0c7539cf9c8521d81340b2ce862be0fa118
Instruction Fuzzy Hash: 43418775A006158FDB14DF69C080AAAF7F3FF88315B168A69E45A9B751DB30FC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04F20001 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563423117.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f20000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1e51caf0fc613999ba8f61852ba2595e526547787a5a14c11aa539e14a4d6f7
Instruction ID: 873d8da458d411e40f02222a0ae18614153352af3bd848e4bce100e21dae00a1
Opcode Fuzzy Hash: b1e51caf0fc613999ba8f61852ba2595e526547787a5a14c11aa539e14a4d6f7
Instruction Fuzzy Hash: D741F876D083908FD7129F64886109DBFF2EF83210B1945EBC565AB6A3D735AC07CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0101E170 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 145f30a95c76e90cd1c256a8f9cc7418d5457ec04a6dc12d30bd7bd771c560f7
Instruction ID: c81311c8e52fbbe930ea8a5e1f86d9b6e477da64c94064a54778d56666f047de
Opcode Fuzzy Hash: 145f30a95c76e90cd1c256a8f9cc7418d5457ec04a6dc12d30bd7bd771c560f7
Instruction Fuzzy Hash: C6310674B086418FE757972CC8246AD7BE3ABC1214F1EC4EAD9C5CB3EADA398C058741

Uniqueness

Uniqueness Score: -1.00%

Function 04F328E3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fa27cf98a497915099db370ad4d1b5abbdd2750348bb1ca5dea4cf35b06337f
Instruction ID: 22407811c63945656d82a58363316caa7216d9a754d87b49494e1ad85178af54
Opcode Fuzzy Hash: 2fa27cf98a497915099db370ad4d1b5abbdd2750348bb1ca5dea4cf35b06337f
Instruction Fuzzy Hash: 39417B35B002088FDB24DF98C451BAEB7F2AF89714F1584A9D505BB795DB70EC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0101634C Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75dc23c759a6806169936038505897d6f63e163f8d496c036b9725ca89398db6
Instruction ID: 23cf65ad6d5740c56f069985f240391b7a62b018b7514c6bf483c8d4eadddcbf
Opcode Fuzzy Hash: 75dc23c759a6806169936038505897d6f63e163f8d496c036b9725ca89398db6
Instruction Fuzzy Hash: B6415D74E0031ACFDB14CFA5C844A9DBBF6BF88310F158169E505AB359EBB4A846CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04F33540 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72401b453f73e8fe073b807a77cb13efdbb9f3d7c16b26bbabcd1e8bd2caa6a0
Instruction ID: 2be82610857dfec0fb20c892dc1b0b9844697329dc7968698cf1de7bb244a888
Opcode Fuzzy Hash: 72401b453f73e8fe073b807a77cb13efdbb9f3d7c16b26bbabcd1e8bd2caa6a0
Instruction Fuzzy Hash: 3B3128357042518FC759DB3DC45486DBBE2AFCA21130A80BEE54ACB3A6DE35DC078791

Uniqueness

Uniqueness Score: -1.00%

Function 04F3E8E8 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703f960c354603d2c1e09ebacfd9fd1359bb037a943dfa04f9543daf046a12be
Instruction ID: 991becbe2648f6fbc0339f80ae95d2294f5e5988b1f9916befff665eb2dfbf8c
Opcode Fuzzy Hash: 703f960c354603d2c1e09ebacfd9fd1359bb037a943dfa04f9543daf046a12be
Instruction Fuzzy Hash: EF31C135B011059FDB10DB69E880AAAF7EAFFC4269B05C17AD608C7751D730EC16CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 010192A0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f82a04de478a8d32effcd1430580c2e515efa3b21333f3dd1f3b835cdfb2ff09
Instruction ID: ac270aa45d77ad3ab473f396d2305825dfbe7efab07a941c7221b030e801a834
Opcode Fuzzy Hash: f82a04de478a8d32effcd1430580c2e515efa3b21333f3dd1f3b835cdfb2ff09
Instruction Fuzzy Hash: B031AF31B482048FCB14DFA8D85895D7BF5EF8A218B1580A6E986CB3AAD735DC02CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F2FD51 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.530507267.0000000000F23000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F23000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f23000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9a1981279416f48b28cfe2090840379d6ef1e83a888426fddd60df8123d12ac
Instruction ID: 53017cddc66c7cd2b7f21e18852b619c337c93967075b6cdce22c2cdeb6d25f9
Opcode Fuzzy Hash: f9a1981279416f48b28cfe2090840379d6ef1e83a888426fddd60df8123d12ac
Instruction Fuzzy Hash: DF41AD34A046098FCB05DF64C458A9EBBF2FF8C314F2585A9E405AB365CBB1AE05CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0101D7A0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd0e555c1d4066c225b166449445fd141eb1b9bf597d20cd9e3ed61b9071b68e
Instruction ID: cdbf7ab074f9e03f07710da9fe21bba09ba86303aca02a17af4d0702241ff0c7
Opcode Fuzzy Hash: fd0e555c1d4066c225b166449445fd141eb1b9bf597d20cd9e3ed61b9071b68e
Instruction Fuzzy Hash: 8F31EA74B002089FDB44DF99C494AAEB7E6FB88314F1080A5E9499B355E735ED02CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04F34C9F Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 835bfe133d6087905f70f88438d634d88530c0fe385b4c65589ed5e7647f2870
Instruction ID: 495d8edb2f3bf29395221fd7c9b1aaa77d84eba644ae26cd6a8cc5920c7215b3
Opcode Fuzzy Hash: 835bfe133d6087905f70f88438d634d88530c0fe385b4c65589ed5e7647f2870
Instruction Fuzzy Hash: 6331BC75B042148FCB24EF78C4905AEB7F2AF8A20571145B9D41ADB7A1DB70ED43CB81

Uniqueness

Uniqueness Score: -1.00%

Function 04F3F710 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb43bdba854e2b0f43bae5cb8a34f4db05b1b153d41392ab4e47571254f2f49a
Instruction ID: 0ed374b01d808e14e2bd9f07b12d41d4ebf3fe3e978e79fe175a36031656362f
Opcode Fuzzy Hash: bb43bdba854e2b0f43bae5cb8a34f4db05b1b153d41392ab4e47571254f2f49a
Instruction Fuzzy Hash: E9315931B08B404FD3169738D85462EBBE6AFC5615B49807AC44ACBB62CF64FC07C391

Uniqueness

Uniqueness Score: -1.00%

Function 01012078 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb22a2eab027a85af77a9622aa0eabd9b91ba91863773f28aa056a8908325264
Instruction ID: 76abd402d4194e19be5d657b967dc236ddbfdeaf49c5b30bed5e5dac0912900b
Opcode Fuzzy Hash: cb22a2eab027a85af77a9622aa0eabd9b91ba91863773f28aa056a8908325264
Instruction Fuzzy Hash: B031D23A7082048FDB66CB5DE444A59BBF6EBD4321F2480BBE14CCB61ADB36D841CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F2FD60 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.530507267.0000000000F23000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F23000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f23000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20e1b24f384fde3dadab7b0329df43a5e7c31b5766f7cdffe15af0ae5796676f
Instruction ID: 4cbec24ca946802906ed3609a684699464eaa831b9cf93da594cb0b81f319da7
Opcode Fuzzy Hash: 20e1b24f384fde3dadab7b0329df43a5e7c31b5766f7cdffe15af0ae5796676f
Instruction Fuzzy Hash: 09318D34A006098FCB45DF65C444A9EBBF2FF8C314F2585A9E405AB365CBB1AE45CF91

Uniqueness

Uniqueness Score: -1.00%

Function 010115CC Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8eef278fa5af8185dbb7b9e8112e6655b834531188d87c3c49a0bdfcd9af0e0
Instruction ID: 6ea0d864227ba078eb75313bc2cb9fc21295b2e2078ca9d3c74430a3d3a3e07a
Opcode Fuzzy Hash: a8eef278fa5af8185dbb7b9e8112e6655b834531188d87c3c49a0bdfcd9af0e0
Instruction Fuzzy Hash: 9A314A31A04645DFCB65CFA8C9809AFBBF2BF48344F184D19E68297A14C735F985CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01019EC0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5a8c5e6f4f21182c71a5c8f3cd38d5cc2868073b96bbc0bcc41d48cc78d0aed
Instruction ID: a2c02ab67e1ecd5391c090029269fda16c97f09ece6ab57ec1b06df999970e52
Opcode Fuzzy Hash: d5a8c5e6f4f21182c71a5c8f3cd38d5cc2868073b96bbc0bcc41d48cc78d0aed
Instruction Fuzzy Hash: FC316F75E00206CFDB14CF69C890AAEBBF1EF88318F1580A9D545AB3A9D734AC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F2FEDD Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.530507267.0000000000F23000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F23000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f23000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c849fd47f473e87b7a7b6e92f02b72663823fb6fc456f0f368e9caadd66a7e4b
Instruction ID: e0056164d472c21aceb0bc4d35a7bd75205d699973665b0006b99ec8ba161409
Opcode Fuzzy Hash: c849fd47f473e87b7a7b6e92f02b72663823fb6fc456f0f368e9caadd66a7e4b
Instruction Fuzzy Hash: 51218C30704A108FC754DF3AD450A5AF7E2AF89324B158A7AE14ACB776DB60ED45CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00F2EA40 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.530507267.0000000000F23000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F23000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f23000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 232eb45d50e6040f29027e4fe0eb66ecbcd77ad06e75da82e80a8573e96dd3ac
Instruction ID: 8daa3b7eb985486d26884d13fd76c2b2eb7302f1675485cf8535138d0f855c23
Opcode Fuzzy Hash: 232eb45d50e6040f29027e4fe0eb66ecbcd77ad06e75da82e80a8573e96dd3ac
Instruction Fuzzy Hash: 8B312D75A002298FCF11CF98D8809AEFBB2FF89314B55C695E915AB356C734E841DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01015EAF Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74729194d33ae5065c4e15a47172d0f68acfe17e20d096debb049969d100bfcc
Instruction ID: 63b5b97c9423dcb284a72e6416a5075fc80fa73085f1c613de8cf7e737f43337
Opcode Fuzzy Hash: 74729194d33ae5065c4e15a47172d0f68acfe17e20d096debb049969d100bfcc
Instruction Fuzzy Hash: F12126316044318BC71ADB18C4505ADBBE2DBC230C36EC9ADE4995F607C766ED478BD4

Uniqueness

Uniqueness Score: -1.00%

Function 01014AB0 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 234bfe4b418f219fa458c1a52eaea142b3f49234c6e661731e2a6610a46bb3c1
Instruction ID: 8c09a0af1291ec363aa68eb4b2b09da896d2f5bfd60dd00cca008e8a2b24e03d
Opcode Fuzzy Hash: 234bfe4b418f219fa458c1a52eaea142b3f49234c6e661731e2a6610a46bb3c1
Instruction Fuzzy Hash: D6213770A046469FD705DB38C454BA9BBE2BF45300F4584AED086DBBA6CBB9ED10CF80

Uniqueness

Uniqueness Score: -1.00%

Function 010117A8 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8932af5c0e26fc62db9fc80ea3e0f9af2b7bd8cb2bcf5394be2820c93d9d378f
Instruction ID: 389ee4280220ed4d67e5d1c51de564a0c254121ee33aeba7c7885a65dcda2a0e
Opcode Fuzzy Hash: 8932af5c0e26fc62db9fc80ea3e0f9af2b7bd8cb2bcf5394be2820c93d9d378f
Instruction Fuzzy Hash: 4221C1323057406FC726CF79D844B5ABBF6EFC5610F14846AF68A87A51D631F8028B61

Uniqueness

Uniqueness Score: -1.00%

Function 01019ED0 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2af04b4ee7c847caf28d5510fa93b7aceba4da38299d8006c0c69f3695ba15d
Instruction ID: 61ba7e528a95956f561f7c8b28fe73872ebb06161d298187f636a53e25f2c6d2
Opcode Fuzzy Hash: a2af04b4ee7c847caf28d5510fa93b7aceba4da38299d8006c0c69f3695ba15d
Instruction Fuzzy Hash: 6C315074A00205CFDB54DF69C890AAFB7F2FF88714F1180A9E645AB3A5D774AD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04F358D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f44bf099ac3fc7e6a3494d72d4b6b3f3399dd066b6ce4143e8b46769dd54f4c
Instruction ID: e13804955e082455ebe7adaf507d139f37785514461f54e2029b812fd2c65dbb
Opcode Fuzzy Hash: 4f44bf099ac3fc7e6a3494d72d4b6b3f3399dd066b6ce4143e8b46769dd54f4c
Instruction Fuzzy Hash: 5B11B1757002042BE7146A69981176FB1C7DFCAB54F54C17AA609EF3CAEDB4DC0383A6

Uniqueness

Uniqueness Score: -1.00%

Function 01014978 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53832f70f4b7b446948e433b5f953b231c0822aca4f3d144a42a3480fddee819
Instruction ID: 1ec575aa951c921d4ee6a693240a72557418851d2a5efa883fdaed6c9687deb9
Opcode Fuzzy Hash: 53832f70f4b7b446948e433b5f953b231c0822aca4f3d144a42a3480fddee819
Instruction Fuzzy Hash: 61219C75A042199FDB11CBA9C850BEEBBF6AF48700F104059E541FB398DB799E41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01015D43 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a14b39ed444ff467a1acf21433d3b91313c40557f1d207fdc14b7679cf6f5cae
Instruction ID: 9a987d19af5e79b121ac4786a68b9ae2cac9ccd6f83944c7a96facfc33a700b5
Opcode Fuzzy Hash: a14b39ed444ff467a1acf21433d3b91313c40557f1d207fdc14b7679cf6f5cae
Instruction Fuzzy Hash: 5F31D071E006488FCB25CFADC488AAEFBF2EF89300F148969D189E7750D734A841CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01013F90 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b02caada526b5837ba9e21a094c7077bf63b86fac940cf012af45e2af51cce93
Instruction ID: 01c14ea3d5f1f7a516e02d3f0a15698023e186cf487a78f392e236cdd0e7b51e
Opcode Fuzzy Hash: b02caada526b5837ba9e21a094c7077bf63b86fac940cf012af45e2af51cce93
Instruction Fuzzy Hash: 2E117D337082250FC7155AE99C9097FBADAEBC6524719007EE689CB746CE244C0643D1

Uniqueness

Uniqueness Score: -1.00%

Function 0101DE81 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a37053011f1c4007dd20f8af2edb66598db1ac9ac2833cad40e8cf2681799b8
Instruction ID: 0f9853061cfd31cb702ca4e8b650c6819e0870840b898fa833341becd910840d
Opcode Fuzzy Hash: 0a37053011f1c4007dd20f8af2edb66598db1ac9ac2833cad40e8cf2681799b8
Instruction Fuzzy Hash: A011323270D3904FD32227741C6575A7FD58B83A54F2A45EBE290DB2D7D968A80B83A2

Uniqueness

Uniqueness Score: -1.00%

Function 0101A058 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a6b32343a5c602d15275ed9b901618ec48d31a5567972a7af17fd1b4954c257
Instruction ID: edf8c474b333da51ddc2cb4ff4751afe1c911aa6dfa2b24c7e187c7db608f3dd
Opcode Fuzzy Hash: 9a6b32343a5c602d15275ed9b901618ec48d31a5567972a7af17fd1b4954c257
Instruction Fuzzy Hash: F311363270A2818FD326466C94412EDFBE09FC2351F1884BFE1CA87A95D639CC95C791

Uniqueness

Uniqueness Score: -1.00%

Function 04F200A8 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563423117.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f20000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 346c4eebf9bc561d5533904ccffbfba6248c3c462695436d96865d9319aa7cdc
Instruction ID: 90429accb6d68794c1145ccaf1ef580f911a11d35bde52c10f537c8a1f91946c
Opcode Fuzzy Hash: 346c4eebf9bc561d5533904ccffbfba6248c3c462695436d96865d9319aa7cdc
Instruction Fuzzy Hash: 97210735D083549FC711AF65C89109EBBF6BF86200B25459AC664AB792CB31BC47CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04F33459 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b94b15f0f4e96eaea8ae00ab6a710d22d01d6d2dff806524f1d33722e48f214
Instruction ID: 10e400f92765997426a5a019a3d32f72e6934125093a65b60e679ba1cf2a4a8b
Opcode Fuzzy Hash: 9b94b15f0f4e96eaea8ae00ab6a710d22d01d6d2dff806524f1d33722e48f214
Instruction Fuzzy Hash: 0F11E6727042141BE32067699C2176FF2CA9FC6650F24847AA509EF7CADDF4DC038395

Uniqueness

Uniqueness Score: -1.00%

Function 04F3EDC0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbbc8321f83693b38b9c1435486179750878d9fd2a25ef8464cbd85e25de7fce
Instruction ID: 9a9d0b13b3796628c7fca4c0d7d8ecea1a51b6d7ad9f42b3022c1b2f36d09d1f
Opcode Fuzzy Hash: bbbc8321f83693b38b9c1435486179750878d9fd2a25ef8464cbd85e25de7fce
Instruction Fuzzy Hash: DD1160367042058F9724DA6DD894A6FB3D6EFC8265716803EDA0AC7345EE71FC428791

Uniqueness

Uniqueness Score: -1.00%

Function 00F23EA7 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.530507267.0000000000F23000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F23000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f23000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b7f1505d865e01ce97d6e9906262f240af9352b8fca2f6f0ec39e3788a86623
Instruction ID: ccb2c077eefdcbf6473fe4c07b3e3d9612ffe95e5f27795fed4168d4e0a5aa01
Opcode Fuzzy Hash: 8b7f1505d865e01ce97d6e9906262f240af9352b8fca2f6f0ec39e3788a86623
Instruction Fuzzy Hash: AA2125B5E092299BDF00DF14E544BED7BF1EF88710F054059D401AB385D7789E4A8BA1

Uniqueness

Uniqueness Score: -1.00%

Function 04F3E788 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cae18686ec26f6f7f48a329c9c1c6852bffcccc2e2c02b8bf514dbe394ba4f10
Instruction ID: 92eeb13b464ca54fdd1a4bb25526cc78ea9c706cce0a61a5e6c4e15572ae582c
Opcode Fuzzy Hash: cae18686ec26f6f7f48a329c9c1c6852bffcccc2e2c02b8bf514dbe394ba4f10
Instruction Fuzzy Hash: 4D117036B042094F5B249AAEB49496FB3DEEFC8165715803AE61DC7744EFB0EC024791

Uniqueness

Uniqueness Score: -1.00%

Function 010105C8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a0bef4887c148f6940771c1776549928e5c24855aeff4bd0588c8d51d1c398b
Instruction ID: 1b4e6a35fb88f27eefdf10a7f49182147d89ed0e44bb048018caeb05ade64d66
Opcode Fuzzy Hash: 3a0bef4887c148f6940771c1776549928e5c24855aeff4bd0588c8d51d1c398b
Instruction Fuzzy Hash: B421DA35A041569FCB05CBA8C8848AEFFF0FF89310B2580A9E599DB326D734EC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04F37C88 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 957c39f2ce0fde9c23f518ecf94963a0740a026c0b9b7cb5baddbdb087230ea4
Instruction ID: d20ed36562624c137a4f690352726ebda2079ca332471d2ea89fa96cf4ab5eb4
Opcode Fuzzy Hash: 957c39f2ce0fde9c23f518ecf94963a0740a026c0b9b7cb5baddbdb087230ea4
Instruction Fuzzy Hash: 9111A3327041004FEB14EA5AE440A6AB7D6FBC57A2F14C03BE908CB360D632E8028760

Uniqueness

Uniqueness Score: -1.00%

Function 04F33468 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fea4b520118975b0fae1a172022514d3c16c2d324aa4936ccc8ab459fec52938
Instruction ID: 1bbe746ea4dfc5a4726d8e46aac0cbf00b47c91b7521a454975e63b715241224
Opcode Fuzzy Hash: fea4b520118975b0fae1a172022514d3c16c2d324aa4936ccc8ab459fec52938
Instruction Fuzzy Hash: 9311C1317042141BD3246A699811B6FE2CB9FC9A50F24853AA609EB789DDF4EC038395

Uniqueness

Uniqueness Score: -1.00%

Function 04F35F18 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d50c97a80590c05488f416b4423730097e22f72267cd331762444c8c623dc9a
Instruction ID: beb92a3ffdbe5d04f23d13608cd1023d84aea5c8e326f5b148618c54398122d0
Opcode Fuzzy Hash: 0d50c97a80590c05488f416b4423730097e22f72267cd331762444c8c623dc9a
Instruction Fuzzy Hash: 6E11C1317002142BD3246A699811B6FE2CB9FC9A50F24853AA609EB789DDF4EC0383A5

Uniqueness

Uniqueness Score: -1.00%

Function 01011872 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a487f03075fab0c4741d5a87ad982b0e6995aa661559410abc83acebe7d386fb
Instruction ID: 8324ed0626a935626fa3cadb7f87426ef56ef0674c5d0f389c82f700a286b748
Opcode Fuzzy Hash: a487f03075fab0c4741d5a87ad982b0e6995aa661559410abc83acebe7d386fb
Instruction Fuzzy Hash: B0112B323082546FC7164F71881477E7BA2DF86315F1980A6FA4587782C73A9D57D3A1

Uniqueness

Uniqueness Score: -1.00%

Function 04F3EDAF Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9cddbecbd8349d33ecc60c6b36570e8a13308bb2f44d2a55d80f38a71ff9e4a
Instruction ID: 25be84fb6182521a3b88ef1789983e2ebd586574e7f905f642102586bfe0c4bf
Opcode Fuzzy Hash: f9cddbecbd8349d33ecc60c6b36570e8a13308bb2f44d2a55d80f38a71ff9e4a
Instruction Fuzzy Hash: D211AC357042044FE714CB69E894B6FB7E9EF882A5B05803AE909CB351EB60EC438790

Uniqueness

Uniqueness Score: -1.00%

Function 01016B68 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce2b088331d87ccb5f8e4924fdbf08b713ff06e72aa6d58bc5b50d9feabda420
Instruction ID: 9989bc771ab8a2be4ecd73b563c8d3b8adb7cd298046423700ec8e0ff292464a
Opcode Fuzzy Hash: ce2b088331d87ccb5f8e4924fdbf08b713ff06e72aa6d58bc5b50d9feabda420
Instruction Fuzzy Hash: 3F212535A15209DFDF11DFA4E984AADBBB2FF44314F000465E442EB2A5CB79DA84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01013D30 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0784cdda8f7b44cb329e1f0fcd4ad062736e10adfbbca11fb199afeb9aca8a3a
Instruction ID: c2c15797f020790e8a1957f3907feba12dac4482b85681c66c9ad51c6513df1a
Opcode Fuzzy Hash: 0784cdda8f7b44cb329e1f0fcd4ad062736e10adfbbca11fb199afeb9aca8a3a
Instruction Fuzzy Hash: AC110471A082664FC715AA68A8001ABFBF5AB85200B1481ABE095CB34ADA78CC46C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00F2420C Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.530507267.0000000000F23000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F23000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f23000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 642025948dd8dce621a550b003c08285dadf7125871b9cf7f0cb342e49239889
Instruction ID: 71782a4ca7e8e8197e8c34f32a9aaf17267632171db77f5748ed0f682a7874cd
Opcode Fuzzy Hash: 642025948dd8dce621a550b003c08285dadf7125871b9cf7f0cb342e49239889
Instruction Fuzzy Hash: 831193317096504FC714DF39D89085A7BE3AFC53283298AADD1698F6D6DB71AC078790

Uniqueness

Uniqueness Score: -1.00%

Function 04F33577 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43dd2ea37d181eec02ffee61ab3ab7fd4d60197a66c02083b3b069530cb964f7
Instruction ID: 5abfff42897f6546b9dd5c3dc4a4c61786b42d20a997c46bc88b8a935631fa6e
Opcode Fuzzy Hash: 43dd2ea37d181eec02ffee61ab3ab7fd4d60197a66c02083b3b069530cb964f7
Instruction Fuzzy Hash: 191180357001028F8B55DB3EC45492EB7E6AFCD22131980B9E90ACB3A4EE35DC028750

Uniqueness

Uniqueness Score: -1.00%

Function 01014968 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ee041158602cf7f3039fee4fe02e491067f8713abf1ab52f26cd9b469462379
Instruction ID: 7deb8a9fd5e813d441d4c296759c4022333062b1bd219e5ee092f356a77df311
Opcode Fuzzy Hash: 5ee041158602cf7f3039fee4fe02e491067f8713abf1ab52f26cd9b469462379
Instruction Fuzzy Hash: C111EF76A041589FDB11CBA8D5506EEBBF1AF49300F1000A9D585FB269E7755E05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0101007A Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d62ab878acd49dd72942278ed83c2d8cb6f888309a78c19e6959ce914741bac
Instruction ID: 00f93ea76b1f7705d1b348e1ed6bbaf04c3394c3a35957abce32697209bf6e38
Opcode Fuzzy Hash: 0d62ab878acd49dd72942278ed83c2d8cb6f888309a78c19e6959ce914741bac
Instruction Fuzzy Hash: 0E11C4343046105FD315EB78D45466AB7E6FFC9604F0409BEE14ACB7A6DE71AC088792

Uniqueness

Uniqueness Score: -1.00%

Function 04F375A0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdb13e00dc4ced7903bd67f9daaf932e56ad404c7feb80e6e65ecdf8fb5b1116
Instruction ID: 68d0ecce950d1dea47ae352e901d6016f22d701c1f48b12da67585c43fd03931
Opcode Fuzzy Hash: cdb13e00dc4ced7903bd67f9daaf932e56ad404c7feb80e6e65ecdf8fb5b1116
Instruction Fuzzy Hash: 6D012D73B0521417E72032656C51B2BB6CB8FC6764F21847AF105DB3D6DDA4AC0682A5

Uniqueness

Uniqueness Score: -1.00%

Function 04F3F670 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6e725a3e593cb2ecff54cbf9daa21be6dca38c47d1f98bacf6783c4df238d29
Instruction ID: 1b103af00ea34a8b268e86f4408c82c5e07340d6a51bc8e55254bb62428ff865
Opcode Fuzzy Hash: a6e725a3e593cb2ecff54cbf9daa21be6dca38c47d1f98bacf6783c4df238d29
Instruction Fuzzy Hash: 8C11BE316067968BC311CF25E490456FFA6FF8A214309CBAAD9994F716C730F94ACBE0

Uniqueness

Uniqueness Score: -1.00%

Function 01010080 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc8be1bb651aba00479b9722dddf7d7e0096672dba2208b755c57ad8aea403db
Instruction ID: b111a91e0746bd34e83175c39db6ea3a6553607a04f8f8b98a3b71e382d483c3
Opcode Fuzzy Hash: cc8be1bb651aba00479b9722dddf7d7e0096672dba2208b755c57ad8aea403db
Instruction Fuzzy Hash: 3C11E0343046105FD329EB6DD85466EB7E6FFC9614F0409BEE14ACB396DE71AC0487A2

Uniqueness

Uniqueness Score: -1.00%

Function 01015DE6 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5466ce6b38ac6a16d9ca56255437363c28b33111adea28220e4ab97598086fdd
Instruction ID: e8f5485c0fe53c600c8889c14a6c6854ffeb0d9a50939e85c3e1234ee03d98ea
Opcode Fuzzy Hash: 5466ce6b38ac6a16d9ca56255437363c28b33111adea28220e4ab97598086fdd
Instruction Fuzzy Hash: 5A219D31A04A058FDB25CF68C948BAEBBF2EF89300F548498E0869B755DB74ED41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04F35201 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ae3fdc1f62e63286dbd55bf6a169466c983585266e79a87c3ae7915d93414fb
Instruction ID: 77f8361b81929b80e8df0fd0cdd6f1c37d55c0ae2be0f6e6a6843a9ccfd8815f
Opcode Fuzzy Hash: 0ae3fdc1f62e63286dbd55bf6a169466c983585266e79a87c3ae7915d93414fb
Instruction Fuzzy Hash: 61014732B482102BE72026755C11B6F66CBCFD2B50F20403AF605DB3CAECA8AC0742A5

Uniqueness

Uniqueness Score: -1.00%

Function 04F33580 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d381c519c59dcf131f139cb99ecde3f4c13cdf7a5b590b4a2508a0f214ad3e5
Instruction ID: d2092ec63d268481d0f76dc640725fe98d6b8fec283768d800a92e98927a0be2
Opcode Fuzzy Hash: 8d381c519c59dcf131f139cb99ecde3f4c13cdf7a5b590b4a2508a0f214ad3e5
Instruction Fuzzy Hash: 0B015E357001028F8B95DB3EC45892EB7E7AFCD62531980B9E94ACB3A4DE35DC028750

Uniqueness

Uniqueness Score: -1.00%

Function 04F337EA Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69dfafb65bf0f00ab734fbd970fa977a873d990c3596679db1a40aaeca21ffac
Instruction ID: c5449fd5bf01bd9683e63457d3146c3460104e9c0ff560ec43120537a9fd068f
Opcode Fuzzy Hash: 69dfafb65bf0f00ab734fbd970fa977a873d990c3596679db1a40aaeca21ffac
Instruction Fuzzy Hash: 5A01283274432027D32427786C56B6FB2CA9BC5B50F24847AE106AF7C6DDA4EC038395

Uniqueness

Uniqueness Score: -1.00%

Function 04F318E4 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eb8cd48048c86c2109590518b1b997e6b53228aef4834643b6eb7e5d2403fb3
Instruction ID: 355d57a4372eeccd5092b0278b43fa8a55df44b0b719842f5884e7367ebaef3b
Opcode Fuzzy Hash: 8eb8cd48048c86c2109590518b1b997e6b53228aef4834643b6eb7e5d2403fb3
Instruction Fuzzy Hash: B9213B74A0520ADFDB01DF94D5A4BAEBBF2AF48709F208019E505FB354DB71AA46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04F3C2B0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3560d3e9738b54de98149333f3fd9697dc857dbc25bd94c2a311ad2381f212eb
Instruction ID: 5233a17acd51976d4ad66c51c24bfe73a151047e56f3fcfe69c87628b62423d9
Opcode Fuzzy Hash: 3560d3e9738b54de98149333f3fd9697dc857dbc25bd94c2a311ad2381f212eb
Instruction Fuzzy Hash: 7C210674E002199FCB00EFE8C194AAEBBF2FF48314F5085A9D545A7350DB30AA41CF81

Uniqueness

Uniqueness Score: -1.00%

Function 010105C2 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c60f0d3492481f7de07b2b376f4a6798e0bd69af64237e1fe066ebd4cdae6098
Instruction ID: c5b69d7e3ccb7456bfe233c3bebcfb5d644cf85857a523003aa38b88ca63106b
Opcode Fuzzy Hash: c60f0d3492481f7de07b2b376f4a6798e0bd69af64237e1fe066ebd4cdae6098
Instruction Fuzzy Hash: 0D113075A005169FCB05CFA8C4818BEFBF0FF88314B25816AE85997316D234AD42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04F3ED30 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb9f3f44009562ae947ea5c54a962e165cd1f1f45cba10688771cd3eb4330a4b
Instruction ID: ea8fc56db59ee7fd74b7d120d8c294c551b8cde1700fa41fdb72df9923c48c28
Opcode Fuzzy Hash: fb9f3f44009562ae947ea5c54a962e165cd1f1f45cba10688771cd3eb4330a4b
Instruction Fuzzy Hash: 8F01BC327082186BD711CA59E850AAABBEDEB852B0705812BE908C7340EB24EC0282A5

Uniqueness

Uniqueness Score: -1.00%

Function 04F37500 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08f6b09231ba905ba0a9d8a7cdd2ac990b740c70f9753f95d3a51f2dd126e7e4
Instruction ID: 11961d7ea34cf3535b0ce190adcbf60b90ea40f5d908d2a5bde5c4bc7576433d
Opcode Fuzzy Hash: 08f6b09231ba905ba0a9d8a7cdd2ac990b740c70f9753f95d3a51f2dd126e7e4
Instruction Fuzzy Hash: 5B012B3374421417EB2476795C51B2FB1CB8BC9750F21843AB609DB7C9DEF4AC0352A5

Uniqueness

Uniqueness Score: -1.00%

Function 01014AAF Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a6dca9ed7391f6b9d35bff7ad814124c3c6fa5fc3ea21791d746218e1051408
Instruction ID: 0b8b20a344afc23eae8e669d5c92358bce3ef06bafebe0f9fb18ef72ef16e25c
Opcode Fuzzy Hash: 7a6dca9ed7391f6b9d35bff7ad814124c3c6fa5fc3ea21791d746218e1051408
Instruction Fuzzy Hash: C5118F70A046159FD714DB28C594BAABBF2BF48300F14846DD486EB7A5CBB9ED50CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04F3F680 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 541fdf42d75d2404a993d22949295042da10bd2be146b5122817a4e6fcec775c
Instruction ID: a99206761ccf79271547a48b269d9b09668636020217e1c2661bddc6dc188b22
Opcode Fuzzy Hash: 541fdf42d75d2404a993d22949295042da10bd2be146b5122817a4e6fcec775c
Instruction Fuzzy Hash: 4611BF316057538BC315CF25D090852FBA6FF89214309CBA9D9594F716C730F94ACBE0

Uniqueness

Uniqueness Score: -1.00%

Function 04F35210 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0ae91811dcbdf70e75ca519c01dc46e3acbeafeaaf8bd89dfc8cbe1aa5d6617
Instruction ID: 690348f6c9ea91569d43abeebd042b18a0ec1a6b946c005a904eca754ed48dfd
Opcode Fuzzy Hash: a0ae91811dcbdf70e75ca519c01dc46e3acbeafeaaf8bd89dfc8cbe1aa5d6617
Instruction Fuzzy Hash: 2101D632B0421127E72466A95C51B6FA1CBDBC5B54F21403AB605DB3C9DDA8EC0342A5

Uniqueness

Uniqueness Score: -1.00%

Function 0101F909 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b26b5e4699dd961d4fc309bd3dde8fd19433b2e7ff525ab3dd7f401e9cb2b966
Instruction ID: 542861eb046f1fd01bcb7db462dc328ff324649bb71514bd9fd11d88aa317d3a
Opcode Fuzzy Hash: b26b5e4699dd961d4fc309bd3dde8fd19433b2e7ff525ab3dd7f401e9cb2b966
Instruction Fuzzy Hash: A3012432B043101FE72022682C0276EA7D6ABC5B50F1184BBE145DF28BEDA898068392

Uniqueness

Uniqueness Score: -1.00%

Function 01012608 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0952bba3ef662fa657df700efd94c1c478aa87b9b2cb636997ff938f353c11e
Instruction ID: cd3da56281e4c15bf16fbc0a13af3b2419e43423d2e8195862cded18917ab3cc
Opcode Fuzzy Hash: f0952bba3ef662fa657df700efd94c1c478aa87b9b2cb636997ff938f353c11e
Instruction Fuzzy Hash: BF012B363002005BD725A769F88475AB3D6FBCC765F10443AE24DC7B81CA36EC458350

Uniqueness

Uniqueness Score: -1.00%

Function 04F37647 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acc83a2ba120f1104ae4621a44c8a15a93a73b81a49e79b9e374e05c3893e7af
Instruction ID: 789ed99ee9676ed94d6b8b3867ef789eb7b48b7563406952b9968a42cf9e97f0
Opcode Fuzzy Hash: acc83a2ba120f1104ae4621a44c8a15a93a73b81a49e79b9e374e05c3893e7af
Instruction Fuzzy Hash: 82F02D73B4422417E72036796C5176A73C6DBC5765F208032F604DB696DDA4680742A5

Uniqueness

Uniqueness Score: -1.00%

Function 04F337F7 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2c8e07d304bd8422840c8a6aa8e706aee30e5f8448886c88906b1998dc4e90c
Instruction ID: efb6fcc826e8abce6aa18a8e33d4a7e747769191a5efe515bd1dd2ef6585d001
Opcode Fuzzy Hash: f2c8e07d304bd8422840c8a6aa8e706aee30e5f8448886c88906b1998dc4e90c
Instruction Fuzzy Hash: C301D432B442201BD3346B686C56B6FA2C69BC5B50F21853EA11AAF789CDA49C038395

Uniqueness

Uniqueness Score: -1.00%

Function 04F337F8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f879dbc29c2bb2571c8c98d300bcbe77eb4baa4e6e179ea02feda7bec880d13a
Instruction ID: d4d590377a4c296f0cd36e4c321c35044204dc296441e571947ccdb447bc4029
Opcode Fuzzy Hash: f879dbc29c2bb2571c8c98d300bcbe77eb4baa4e6e179ea02feda7bec880d13a
Instruction Fuzzy Hash: DC01D43274422017D32427685C56B5FB1CA8BC5B50F218439A119AF789DDA4AC028395

Uniqueness

Uniqueness Score: -1.00%

Function 01019FB1 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b24aa754b4984b3425213b5660ceb42a1862b5408003466f32ece6b8d7537c29
Instruction ID: 04a0444bd7e081ab2d97c856914518b523260f3e7f91394d21471743e5e6e77a
Opcode Fuzzy Hash: b24aa754b4984b3425213b5660ceb42a1862b5408003466f32ece6b8d7537c29
Instruction Fuzzy Hash: F301F732B043105BE73077685C52B6E63D69BC1B50F20407AF106AF7CADDA8AC028795

Uniqueness

Uniqueness Score: -1.00%

Function 00F2E8B1 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.530507267.0000000000F23000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F23000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f23000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9256149b88d028019f817ae84f31339bf9d8374cd90a5705bdb7fc6d59644b7
Instruction ID: 62c527c014961e4417257e1f09e352447d636c5143fac83d27f15d17903730db
Opcode Fuzzy Hash: a9256149b88d028019f817ae84f31339bf9d8374cd90a5705bdb7fc6d59644b7
Instruction Fuzzy Hash: 71014530308B204FC7249B38D81091EBBA6EFC62A4B158A2ED586CB705DFB5AD04C7E4

Uniqueness

Uniqueness Score: -1.00%

Function 00F24160 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.530507267.0000000000F23000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F23000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f23000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f69db3977294b22019d5484b910e2fb383146fd79d74c1872c6cdc39952b422
Instruction ID: 8dfcae20e238390bcc36e91f74b1bbe7516d62ac035b99528a9183717c2d6153
Opcode Fuzzy Hash: 9f69db3977294b22019d5484b910e2fb383146fd79d74c1872c6cdc39952b422
Instruction Fuzzy Hash: ED0145302047218BC7259B74D840A0EBBB2FFC5268F054A3DDA46CB705DFB5AD0987E5

Uniqueness

Uniqueness Score: -1.00%

Function 04F374FF Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dbf35e988dff20ec5b6f84001b456439dc66ecafc341ee6812a74dceaffc846
Instruction ID: dc217ff5193c04908abe85776400c8a1523bf34e3eba4de8464c45ea975c1e2b
Opcode Fuzzy Hash: 6dbf35e988dff20ec5b6f84001b456439dc66ecafc341ee6812a74dceaffc846
Instruction Fuzzy Hash: EA01263374422427EB2466755C41B6FA2CB8BC9750F20803AF60ADB7C9DEB4AC034295

Uniqueness

Uniqueness Score: -1.00%

Function 04F3FB71 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dd266e2d1e8a136c7abf91ea05e82c7e01ef2ee46836b9ab34d48b41fa8040b
Instruction ID: 04775fe7dab1258361a8acb55b909cda309f70b08caa6f0d682f0b682e820ced
Opcode Fuzzy Hash: 6dd266e2d1e8a136c7abf91ea05e82c7e01ef2ee46836b9ab34d48b41fa8040b
Instruction Fuzzy Hash: 6801D672B052115F97058B6DACA4A3EBBF9FBC556571601BBE005C73A0DA60DC0287B0

Uniqueness

Uniqueness Score: -1.00%

Function 01019FC0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564ae89a0590fc6c7a514d576d6e0b5489fe922e963fc8d0a0d82203aa5ff9e4
Instruction ID: 3689e9800ec69ffa01f2c82a36e897fbc8cb67260e54b45282f894b0e1cb2736
Opcode Fuzzy Hash: 564ae89a0590fc6c7a514d576d6e0b5489fe922e963fc8d0a0d82203aa5ff9e4
Instruction Fuzzy Hash: 8801F232B042105BE72036795C12B2E61C79BC2B90F21407AB209AF78ADDA8EC024396

Uniqueness

Uniqueness Score: -1.00%

Function 04F375B0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2dec7c525ba5b76f6dba84e03c7ebf9e65ca0b4ba5c0cdd4fceb3bacde4a537
Instruction ID: 9706fcccdf39f95677f35dd727338b152cf011cf76c09fd41054695891d932c8
Opcode Fuzzy Hash: f2dec7c525ba5b76f6dba84e03c7ebf9e65ca0b4ba5c0cdd4fceb3bacde4a537
Instruction Fuzzy Hash: ECF0A932B4421417E72436795C52B2BA1CB8BC5A65F218036A605DB7D9DEB4EC0242A5

Uniqueness

Uniqueness Score: -1.00%

Function 04F36F10 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99f4bd8df9f456b0c01eadd77c7961d9c3ecae9426064df6eed6f6b2a2cd2d98
Instruction ID: 1ba45022a848e6b0a5708e1053574362955a873724757d68009668d5829ca408
Opcode Fuzzy Hash: 99f4bd8df9f456b0c01eadd77c7961d9c3ecae9426064df6eed6f6b2a2cd2d98
Instruction Fuzzy Hash: D6F0F433B4422427EB3062795C42B2BA1CB8BC5A50F21443AB609DB7C9EEB4BC0252A5

Uniqueness

Uniqueness Score: -1.00%

Function 04F36840 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5ff6334ac974fe52f00a823dcd18553845b4285ad76eae64cc65b8ca6f75d9d
Instruction ID: 96bf72f14ebe24b258cbb2b6c2731c5d0692bfbfd9d818690cfeebb96bc715e5
Opcode Fuzzy Hash: e5ff6334ac974fe52f00a823dcd18553845b4285ad76eae64cc65b8ca6f75d9d
Instruction Fuzzy Hash: 57F0A932B4421027E73466695C5276BB1CB8FC5B54F214436A609DB7C9DDB4AC0742A5

Uniqueness

Uniqueness Score: -1.00%

Function 04F352D0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 833188adc992781447663bf3021fa5c8972d237f5b0918c51de3df8e59202659
Instruction ID: aba17ee888ff7e61104a76f3f5d2a88c841f7914bfcedb6780450e8ad2183e86
Opcode Fuzzy Hash: 833188adc992781447663bf3021fa5c8972d237f5b0918c51de3df8e59202659
Instruction Fuzzy Hash: 86012632B483502BE72127786C51B6A76879BC2B50F64447AB201DF3CADCA8AC024396

Uniqueness

Uniqueness Score: -1.00%

Function 0101F918 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06dec7ff28a8aed79b0ae3ef0ab0dc692be6c165d6f6c0c479d7b566b94c6924
Instruction ID: 2cef83397d368769f28cfa5d83b03fef501e3053d7878427a0d99fe542f316d0
Opcode Fuzzy Hash: 06dec7ff28a8aed79b0ae3ef0ab0dc692be6c165d6f6c0c479d7b566b94c6924
Instruction Fuzzy Hash: 9401D1327443152BE73032792C1272EA1C79BC5A54F21847AE605DF78AEDA8AC0643A6

Uniqueness

Uniqueness Score: -1.00%

Function 01016FC8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 794301e45eac158e57a72050d8d804709367cde331f647f13b48eeb86f312519
Instruction ID: 7b56d7f96028aab7751d5fd3f6a430859f2127faa112a67318c52fb8d8141a2e
Opcode Fuzzy Hash: 794301e45eac158e57a72050d8d804709367cde331f647f13b48eeb86f312519
Instruction Fuzzy Hash: 95012975B00219AFCB149FA9D801BDEBBF5EF88710F104066EA05EB3A0DA71A911CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 04F376D7 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9dd0846fdaed25fe6aa44bea96e3068099a54062c551f9e76d120b58094fb16
Instruction ID: 26b4891a972d9c169823fc21390c333a633cd570eea8f51d4189503223b500ed
Opcode Fuzzy Hash: e9dd0846fdaed25fe6aa44bea96e3068099a54062c551f9e76d120b58094fb16
Instruction Fuzzy Hash: F2F0C83274422417E72436695C45B5AB6CADBC5B54F604439B205DB78ADDE46C030295

Uniqueness

Uniqueness Score: -1.00%

Function 04F3365A Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2875ac22b33ea9684e6c1579928d75e321fe6091dde5b698b18fe203cac6f5f
Instruction ID: 33b87daa16b320c521e5ea2d5bbc64a867cda62bbe41bdb2c459973c9bbac7d0
Opcode Fuzzy Hash: e2875ac22b33ea9684e6c1579928d75e321fe6091dde5b698b18fe203cac6f5f
Instruction Fuzzy Hash: F8F07833B483341BD3243374AC42B2BB6CA8BC1A50F20847AF6029F786DEA4AC0343D0

Uniqueness

Uniqueness Score: -1.00%

Function 04F352E0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 930a94c1c4b0fcc375727559d7e77fd883cb8396e4888dea9f46ba6d5bed8f9a
Instruction ID: 864b02c9818786733d2e21d03ffbe57513eaaf7a775f0e9dd3458e2bd06dca12
Opcode Fuzzy Hash: 930a94c1c4b0fcc375727559d7e77fd883cb8396e4888dea9f46ba6d5bed8f9a
Instruction Fuzzy Hash: 09F0A432B4431027EB2426695C51B6B71C7DBC5B54F64443AB2059F3C9DDE8AC0242D5

Uniqueness

Uniqueness Score: -1.00%

Function 010185B0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38e30459cf13f60a6c56ce2c08a774b9b95b30bc9a786e5d6231db4526a59be1
Instruction ID: a07885ab8e0e5b6573681bf4e8a956214dd8191476c267b80a8a5e3f8de1c14f
Opcode Fuzzy Hash: 38e30459cf13f60a6c56ce2c08a774b9b95b30bc9a786e5d6231db4526a59be1
Instruction Fuzzy Hash: 9D01F43170D7808FC71707789C206A97FA5EB97235B18C5E7D5C2CA1EED46A8C0B8352

Uniqueness

Uniqueness Score: -1.00%

Function 04F39E90 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30f9b6ab6d88b7b468e05515c8b695e6bf55ba11616db0925b348ea5bbff5fcd
Instruction ID: aa3c321c78febe898064d435a3656020c84a0e4b3bad7672b095e882d34d0ebc
Opcode Fuzzy Hash: 30f9b6ab6d88b7b468e05515c8b695e6bf55ba11616db0925b348ea5bbff5fcd
Instruction Fuzzy Hash: FF012B72B083444FD301DB6D94A4C953BF6EF8A314B1940AAE5C5CB353DAA5DC03CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04F37640 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50bf3871fa8fb9e5e72ae56620553ff37bc438f98cccbf13ed924329ab33ce1b
Instruction ID: 2077658525b24bb3accb1e056e83d3a6f91ba7f2aed486f980e0902e1adb1364
Opcode Fuzzy Hash: 50bf3871fa8fb9e5e72ae56620553ff37bc438f98cccbf13ed924329ab33ce1b
Instruction Fuzzy Hash: 0AF0FC73B4432417E72036796C61B6A72C69BC6B55F208036F6059B396EEA4B80242A5

Uniqueness

Uniqueness Score: -1.00%

Function 04F39A20 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbe48a909024d181d3abb26cb0ac89b1bafe71bf009c6e29464ce2c876b73e6d
Instruction ID: b3f25c92cb4cb14f49f1e00daeac96ec67bb68420ee28db834b3932caa25c81a
Opcode Fuzzy Hash: dbe48a909024d181d3abb26cb0ac89b1bafe71bf009c6e29464ce2c876b73e6d
Instruction Fuzzy Hash: E20121313082444FD719AB7CC46092E73D7DFC624930A88BAD649CB392EFA0ED038792

Uniqueness

Uniqueness Score: -1.00%

Function 01014901 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7f1e0bd810da7c5a28365b6ee257f36b90e8faff8dfcf3c69483947e5c126c1
Instruction ID: dd23c815b81006389090fb34c5e3d31bbd5aeaaee2b60393661ccb54ab32fff5
Opcode Fuzzy Hash: c7f1e0bd810da7c5a28365b6ee257f36b90e8faff8dfcf3c69483947e5c126c1
Instruction Fuzzy Hash: 43012471E092499FDB01DFA8D8406ECBBF1AF05320F1400EAC589DB266E3388E46CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 01016CAB Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d9893bc56a87f3d75141836b84af9ef815a31ccb704da1673d1f4f3e3848f97
Instruction ID: b45a65cc599f0f580a2ae4a9cfb96ee1d632ae0511a3812815a1d731e02a5ba3
Opcode Fuzzy Hash: 8d9893bc56a87f3d75141836b84af9ef815a31ccb704da1673d1f4f3e3848f97
Instruction Fuzzy Hash: 7A017175A0010D8FC748EFACD4527EEB7E5EB89700F0041BAD50ADB395EB758E518BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0101DEA0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6564040442bcdbc6e60674e204dc4dfeb275b395026e65e198557dd43b945cf2
Instruction ID: 774022d221f02d1faf21a3c6bb91f189f1cea406aa9272a40fbeb0b6cfe112b9
Opcode Fuzzy Hash: 6564040442bcdbc6e60674e204dc4dfeb275b395026e65e198557dd43b945cf2
Instruction Fuzzy Hash: D3F0D63274422017D33037685C56B5FB5C68BC5B50F24857AB215AF789DDA4AC028395

Uniqueness

Uniqueness Score: -1.00%

Function 00F23A38 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.530507267.0000000000F23000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F23000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f23000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ed5023465403c7d569a43ae41a7e546e575177838dbdaa186e84ca6e74028c4
Instruction ID: f98533f03c242b1179ed82e18618153b73dbb55396bbaac6fb5efe71c651f626
Opcode Fuzzy Hash: 2ed5023465403c7d569a43ae41a7e546e575177838dbdaa186e84ca6e74028c4
Instruction Fuzzy Hash: DE014531509B244BC740DB24E84095EF7A2EFC1348701887ED181CB26DCBF46A0A8BE0

Uniqueness

Uniqueness Score: -1.00%

Function 04F376D2 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d07e1e66cd4cf8d3aba22544e9e4f0ebdb5fc606545e03e549ff214b89fae95d
Instruction ID: 3dd3de37df707278fcb838fda3c5bee3b84a192dfee3c520522db73917be3481
Opcode Fuzzy Hash: d07e1e66cd4cf8d3aba22544e9e4f0ebdb5fc606545e03e549ff214b89fae95d
Instruction Fuzzy Hash: 33F0963374422427E72436696C55B6BB2CB9BC5B64F614439F209DB78ADDE46C0212A8

Uniqueness

Uniqueness Score: -1.00%

Function 04F3431F Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9646c5d993593a3ff32837eb9bcd0adf0a811185758b94ce3a3bdd1bf0b3f7d0
Instruction ID: 2dbb1df6ac72e55f78be169677246c767c9815b0fcac3e08d75138431adc6caa
Opcode Fuzzy Hash: 9646c5d993593a3ff32837eb9bcd0adf0a811185758b94ce3a3bdd1bf0b3f7d0
Instruction Fuzzy Hash: A901F436B093418FC7259A3858A05ADFB80EB9A666718C1BED44AC7325EA36D803D781

Uniqueness

Uniqueness Score: -1.00%

Function 0101D040 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e40e2f45f2f576b73be93ec4cb06ae88ee9b668fa10c962260441797385b216d
Instruction ID: 580ec1462f239e6fa383a81ef644268c60f4ae5b0e8d15e65d060f8e886fd15e
Opcode Fuzzy Hash: e40e2f45f2f576b73be93ec4cb06ae88ee9b668fa10c962260441797385b216d
Instruction Fuzzy Hash: D0F0C832B543105BEB3126A46C46BAF63D69BC5BA0F204577F6019B289DEA868035395

Uniqueness

Uniqueness Score: -1.00%

Function 00F2E8C0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.530507267.0000000000F23000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F23000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f23000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4767cb1366f84f8b526f61801baa1305cfd59934627e0dc43d459a98a510fe2a
Instruction ID: c8cafb0292ad8587ce737fcd3b9f71d84fe2d801d7fdd25b94126bddf22eb841
Opcode Fuzzy Hash: 4767cb1366f84f8b526f61801baa1305cfd59934627e0dc43d459a98a510fe2a
Instruction Fuzzy Hash: 0F01F231304B204BC7249B69E40091EB3E6EFC4668B158A2ED646CB704DFB6AD018BE4

Uniqueness

Uniqueness Score: -1.00%

Function 00F24170 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.530507267.0000000000F23000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F23000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f23000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65b4ad25ffdfe82ea5e213c14b68a5b8b1ccd6e6444df8d0a708a1692956e393
Instruction ID: 206e34851989cc38f1038626f5ef6296123e182720dabcc6b941b6e602e8f42b
Opcode Fuzzy Hash: 65b4ad25ffdfe82ea5e213c14b68a5b8b1ccd6e6444df8d0a708a1692956e393
Instruction Fuzzy Hash: F0012631300B358BC7289F68D840A0EB7A6FFD4268B058A3CD606CB704DFB5AE0587D8

Uniqueness

Uniqueness Score: -1.00%

Function 04F37650 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa2d1b954fe4000089e5a59e830fa64f90e69f5de3e5d675cbdccbffda67f63b
Instruction ID: f91b4ff6fe2b61f4c785699efe6c071ebbec4e45195fab0ec250bfa486efc4e9
Opcode Fuzzy Hash: fa2d1b954fe4000089e5a59e830fa64f90e69f5de3e5d675cbdccbffda67f63b
Instruction Fuzzy Hash: 85F0FC32B4431417E72036795C62B2B71C68BC5B55F218436E605DF3D9DEB4AC0242A5

Uniqueness

Uniqueness Score: -1.00%

Function 04F37750 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73bf8fd8c046f46d388823a8896ba991c3890944a1ffb8a71b1ebb91f9928d52
Instruction ID: b13bcda7f3882f9bc683e8bc97744d54bc1e52abdab6ee81dceccd94ac169b15
Opcode Fuzzy Hash: 73bf8fd8c046f46d388823a8896ba991c3890944a1ffb8a71b1ebb91f9928d52
Instruction Fuzzy Hash: 6FF0F63374422427D72427742C45B6B728B8BC5B64F204435B205DF38ADDA4AC024295

Uniqueness

Uniqueness Score: -1.00%

Function 04F372A8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2489d01c09b3ed2c73fec829f319f88b2cb38e940336365f2532bd5d728c0d68
Instruction ID: 958334e269dcdd36bcd5880d2ffef2e01a0c47bc26ed7b4d00a044758d1c6877
Opcode Fuzzy Hash: 2489d01c09b3ed2c73fec829f319f88b2cb38e940336365f2532bd5d728c0d68
Instruction Fuzzy Hash: A4F0F632B4832017EB2432756C41B6B72CA9BC5B54F208435E605EB7C9DDB4AC0243A5

Uniqueness

Uniqueness Score: -1.00%

Function 04F37298 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34d2066469d7b4a09f3130039f1efa578490fb4fc6ab14f5189f509150320385
Instruction ID: ea11ee07cc3041c234792df7d5a035f427368ae8ea10545c576aa3e0eddaac72
Opcode Fuzzy Hash: 34d2066469d7b4a09f3130039f1efa578490fb4fc6ab14f5189f509150320385
Instruction Fuzzy Hash: 17F0F633B482205BEB2032746C41B7B23C68BC6B55F208536FA05AB7C6EDA4AC025695

Uniqueness

Uniqueness Score: -1.00%

Function 0101E16F Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4463ff21fd547a17ae67e5b887f8eafbfdab6d66c33529e85cfd0ef0cf9696b1
Instruction ID: d5fd6814719ff4504d28ef64a1a20b2ba61f9d47053b2ba56fd921b829125d72
Opcode Fuzzy Hash: 4463ff21fd547a17ae67e5b887f8eafbfdab6d66c33529e85cfd0ef0cf9696b1
Instruction Fuzzy Hash: DF01D6343006028BDB569628C810AAEB7D39FC1310B29C5BDD9C5CB39DDA79CC418781

Uniqueness

Uniqueness Score: -1.00%

Function 01014048 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f72bd587052842ccf90a421ac86a1c038d30fea1a07ed2d9718bde3f0d02d60d
Instruction ID: de684b113059abd755b4266d4f778f5899a0a09ef6afb13681acba5347b0c596
Opcode Fuzzy Hash: f72bd587052842ccf90a421ac86a1c038d30fea1a07ed2d9718bde3f0d02d60d
Instruction Fuzzy Hash: 8AF0E9327091601FD713167A68905AEAFD5D7C626171441BBE589CB796C9264C078361

Uniqueness

Uniqueness Score: -1.00%

Function 0101D050 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4c78774455af16c81e39c9cf5e087901343e2bbe16576d113e2f9e5aa15250c
Instruction ID: 1422bc7586650d746b245fd895a574e86c9040d89cbcf9c8a26d5f4cce127e30
Opcode Fuzzy Hash: f4c78774455af16c81e39c9cf5e087901343e2bbe16576d113e2f9e5aa15250c
Instruction Fuzzy Hash: 0AF0FC32B4431417E72122B92C56B2B71C68BC5B94F104576B605DF3C9DEA9AC024396

Uniqueness

Uniqueness Score: -1.00%

Function 01016FB8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 087bb6174a7d39a99aac4e930b1238d9a7b1d96b0b2abebf2970627776b1c320
Instruction ID: 42d4be9a6425a9531e8932fb9a97b24d8e762c951c289027182cfcaba54beb31
Opcode Fuzzy Hash: 087bb6174a7d39a99aac4e930b1238d9a7b1d96b0b2abebf2970627776b1c320
Instruction Fuzzy Hash: 5C018175A002159FCF548BB998517EE7BF4EB8C350F10006AEA09EB351E7759946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04F33667 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9167f9f47780fc6ad07280a3a7df40d18f456b2ae130cd3124be270839e9ec18
Instruction ID: 4c31a89e718f43de935ec0e60ebbae69c80dc86ff152591ad831c59be3a90017
Opcode Fuzzy Hash: 9167f9f47780fc6ad07280a3a7df40d18f456b2ae130cd3124be270839e9ec18
Instruction Fuzzy Hash: CCF02832B443241BD32427746C01B6FB2C68BC5B50F21843AE5029F385DEA49C024390

Uniqueness

Uniqueness Score: -1.00%

Function 04F33668 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02f87dd573dbfe3700ba4a08fe01dd3de5da5e1ddf44e33836ae8bf29932b51c
Instruction ID: 386755acfa13bca83a883a2c814da6149d29b0e2af8cef0cc6c04605469c6b61
Opcode Fuzzy Hash: 02f87dd573dbfe3700ba4a08fe01dd3de5da5e1ddf44e33836ae8bf29932b51c
Instruction Fuzzy Hash: F7F0F632B4433417D2243775AC52B6BB6CA8BC5B50F21847AF6469F78ADEE4AC0243D4

Uniqueness

Uniqueness Score: -1.00%

Function 00F20BE8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.530437180.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f20000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c6ee1dcf76ceb0385b93891ca9e56ee5a5980fa10602fac7d2cd2067cc5b0c1
Instruction ID: a2bce7625ad64488bed5d36dacfbec62013975bc4e32cacf1e2bdd933e1d9506
Opcode Fuzzy Hash: 7c6ee1dcf76ceb0385b93891ca9e56ee5a5980fa10602fac7d2cd2067cc5b0c1
Instruction Fuzzy Hash: 400149793081254FC705B7A8E828F587BE6EFCA71470500BEE206CB362CF714D0187A6

Uniqueness

Uniqueness Score: -1.00%

Function 01011721 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 983abe3bf3d66e4a15d0d0fd6c253c1cf6135cf5031cd1fcda6c127a39225df4
Instruction ID: 7886837274d6a8ce5b16495b05e19ba43fe3f04c9943719fc448ac6d1ec5eb57
Opcode Fuzzy Hash: 983abe3bf3d66e4a15d0d0fd6c253c1cf6135cf5031cd1fcda6c127a39225df4
Instruction Fuzzy Hash: 920188715097A45FD726C738D854B4ABFF9AF06204F0804EAE186CB6A3C62AA848C761

Uniqueness

Uniqueness Score: -1.00%

Function 04F38920 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30635a02f33de3d24dfa104395eae1e02d56950927ff9221a86a9fee092f1cbd
Instruction ID: 0e2f169ac06b03163b4211bfd3afda685c09b375b7b19c2361998b07d9893a1e
Opcode Fuzzy Hash: 30635a02f33de3d24dfa104395eae1e02d56950927ff9221a86a9fee092f1cbd
Instruction Fuzzy Hash: 53F02276B052044FD318CB08D4A4ABEB7E5EFC9364B14407AE80AD7311CB76AC02CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04F3AB08 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1948309fd8b6877b6000b76f774143b4b40735844e184531db95b911cd9dd121
Instruction ID: 7e4d2f088fe70e3f7ecf908b7ee05430421bbe6679679c754e5266a7748af980
Opcode Fuzzy Hash: 1948309fd8b6877b6000b76f774143b4b40735844e184531db95b911cd9dd121
Instruction Fuzzy Hash: 21F044302002112BE700AB68E0402AEFBD6EBC53183018A2DD61ACB719DFB0BD0F87E1

Uniqueness

Uniqueness Score: -1.00%

Function 01010912 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dd9542e5b79ac2d3c115ca376e429cdf5f02c40e6027a89cf581abc01d7f570
Instruction ID: 7ddd2a655eb1db48e385fdd91006c8770a438e1bae80f0369373630532b53e42
Opcode Fuzzy Hash: 9dd9542e5b79ac2d3c115ca376e429cdf5f02c40e6027a89cf581abc01d7f570
Instruction Fuzzy Hash: 3101F231704B028FCB269F29E88843EBBA2FFC8255704493DE04BCB759CB75594A8B91

Uniqueness

Uniqueness Score: -1.00%

Function 04F30DC0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5c2b242ff99582a5346e5761aae32dcf8dc0ab495480df3e574da41aba4def0
Instruction ID: 974af426e10c6c03cd55b90bcd776025dd986576bdbc045d8b316948fcba4572
Opcode Fuzzy Hash: a5c2b242ff99582a5346e5761aae32dcf8dc0ab495480df3e574da41aba4def0
Instruction Fuzzy Hash: 67F0B43374422423E72422696C51B6FA1CB8BC5B54F21443AB209EB7CADDE86C020298

Uniqueness

Uniqueness Score: -1.00%

Function 04F376E0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bfe66277b9df3fc6a1f42082011fc094eb562516cf23d66f2aa725a4a993493
Instruction ID: f3ca75d99e75618ea8f1768d11438cd6adafb4216b0b4823cbfb1bf29f2674ed
Opcode Fuzzy Hash: 5bfe66277b9df3fc6a1f42082011fc094eb562516cf23d66f2aa725a4a993493
Instruction Fuzzy Hash: 3DF0B43374422423E72422796C45B6FA1CB9BC5B54F614439B209EB7CADDE86C020298

Uniqueness

Uniqueness Score: -1.00%

Function 04F32830 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f8e70ee4e3e03fe5a657a1e7bc8c4980d3e802387e109b4bd8862e3ef54194d
Instruction ID: b03fbe18d57dabdf2b03f91ece4dc852c70afa758b0bf0d90be4f8272f3175d5
Opcode Fuzzy Hash: 2f8e70ee4e3e03fe5a657a1e7bc8c4980d3e802387e109b4bd8862e3ef54194d
Instruction Fuzzy Hash: 37F0B43374432423E72422696C51B6FA1CB8BC5F64F21443AB209EB7CADDE86C020298

Uniqueness

Uniqueness Score: -1.00%

Function 04F372A7 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fbcb4467544b2fd8e445f07f3b8e5a01799928594acae0f1c9223c242c15752
Instruction ID: 0f13b2c868d4f2b7304c1ea4c3738e013f8446be954b42da55ca069d1831ba0e
Opcode Fuzzy Hash: 7fbcb4467544b2fd8e445f07f3b8e5a01799928594acae0f1c9223c242c15752
Instruction Fuzzy Hash: AFF0B432B5432017EB3436756C41B7F62C69BC5B64F208536FA05EB7CADEA4AC0246A5

Uniqueness

Uniqueness Score: -1.00%

Function 01015E28 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad3934244403aecfed5999f91a96426b98034b8f47b4f7fdd3023562bf37b10b
Instruction ID: 72a6dbfbf034dc13f311656e0b65c7509a4f836c83e9dab5ad7154e4f5b299d7
Opcode Fuzzy Hash: ad3934244403aecfed5999f91a96426b98034b8f47b4f7fdd3023562bf37b10b
Instruction Fuzzy Hash: BA017C75A003559FC751DBB8D80489ABBF9FF8A211B1484AEE99AC3350DB35ED06CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01010918 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c7095a648e255b164acaa56cda486a5f5323bca675f3a7238264c69c67a155a
Instruction ID: eb4592498b7f3dda258c47ef1960039b7cdb03051f364e2ece95203200b7fcee
Opcode Fuzzy Hash: 8c7095a648e255b164acaa56cda486a5f5323bca675f3a7238264c69c67a155a
Instruction Fuzzy Hash: E001A231704B028F87266F25E44452EB7A2FBC8255704493DE14BCB758DF7559468791

Uniqueness

Uniqueness Score: -1.00%

Function 0101A5B0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af447df715c11bcd98e0fc0e3ebc61da0d9eac4b5f6944a1827bde27b1088f8c
Instruction ID: 8915c23153c25bebffd76b62c0c4a0c7e001e6dbcf39f006a20ee31d5e41d18a
Opcode Fuzzy Hash: af447df715c11bcd98e0fc0e3ebc61da0d9eac4b5f6944a1827bde27b1088f8c
Instruction Fuzzy Hash: 2E01F4307096048FC344DB28D440959B3E0AF45318B12C89ED189CF26ADB76ED06CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04F37760 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 228df9aa8007f93cd6162bbeb806d06de0c0aba31b2a17def86c9fe79594d17a
Instruction ID: f916335ab80effcd7af2498a82514a82f5fadf3e505c359835af19dc6dc97e51
Opcode Fuzzy Hash: 228df9aa8007f93cd6162bbeb806d06de0c0aba31b2a17def86c9fe79594d17a
Instruction Fuzzy Hash: 79F0B43274422413D62422742C41B5B718B8BC5AA4F204439B205DF38ADDE86C0202D9

Uniqueness

Uniqueness Score: -1.00%

Function 04F3775F Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfb55c91e98ca903dc44b9b788016e9c505211ccf3f22febd6e0569544505888
Instruction ID: c52bc3b24d1e93034ddaed7e338a47a1d2467463feabe3e76f1950c0c724993b
Opcode Fuzzy Hash: cfb55c91e98ca903dc44b9b788016e9c505211ccf3f22febd6e0569544505888
Instruction Fuzzy Hash: 63F0E933B8822017D72423742C51B6F62C74BC5B94F204539F205EF7CADDE85C024395

Uniqueness

Uniqueness Score: -1.00%

Function 00F239C2 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.530507267.0000000000F23000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F23000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f23000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6470b1d6dddd0b3c2e4520890e2176dd8399d61e90417480b39995a3864837d5
Instruction ID: 0d55c302259d0e9820bb370a6af525294bd4b9b794cd6a005d45bc0a909c18c7
Opcode Fuzzy Hash: 6470b1d6dddd0b3c2e4520890e2176dd8399d61e90417480b39995a3864837d5
Instruction Fuzzy Hash: 00F028312097154BCB10EB65D85094EFBAAEFC53447054C7AE141C77AADFB06D0983E5

Uniqueness

Uniqueness Score: -1.00%

Function 04F30E40 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59b29551b8108968753c81c4ac50b811b00324d957b9d4b26ce9fe1304aebaf3
Instruction ID: b310477bcf61976975cd97cd697142bdd0170090f7f9afeaae1e0e98354b8294
Opcode Fuzzy Hash: 59b29551b8108968753c81c4ac50b811b00324d957b9d4b26ce9fe1304aebaf3
Instruction Fuzzy Hash: B0F05932B012118F83644A6D841056FF6C5EFC8A61719807FD849C7344DF35DC4383D1

Uniqueness

Uniqueness Score: -1.00%

Function 04F34330 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86ab2464f498108e2523c35a479cccf268b9bdad4a06cd0082ffc8ac7592bd96
Instruction ID: 78dec55a751c6b48459a1b6207fdb471551dd15036430a361fd6d0fe74d4b59d
Opcode Fuzzy Hash: 86ab2464f498108e2523c35a479cccf268b9bdad4a06cd0082ffc8ac7592bd96
Instruction Fuzzy Hash: 15F02432B053124B87289A2D845052EBAC9EBC9671719C07ED849C7360EF35DC0283C1

Uniqueness

Uniqueness Score: -1.00%

Function 00F20457 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.530437180.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f20000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9d3a4ab42135277bb14af76993d7b7ea21593aecf3791363d5a820c2de8377d
Instruction ID: ea358aa0405e202cf3d359005d4adf6aea40fb669195e7cb8c177bc99cc06f4b
Opcode Fuzzy Hash: f9d3a4ab42135277bb14af76993d7b7ea21593aecf3791363d5a820c2de8377d
Instruction Fuzzy Hash: 9DF0A4357442015FD714AA645866F587BA6EF81B10F2980EEF605CB3E2DE645C0547A2

Uniqueness

Uniqueness Score: -1.00%

Function 01010A18 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 441a05e36ae25464bcfc2ef8e2e1f7c9aa2c0fe24c2a9496929fb67a577ed764
Instruction ID: 5409b59884014c6be853dfe50a7e389c9d00ed8057f1116f4b9be80416d3b0db
Opcode Fuzzy Hash: 441a05e36ae25464bcfc2ef8e2e1f7c9aa2c0fe24c2a9496929fb67a577ed764
Instruction Fuzzy Hash: C9F0E9323082945FD301066998107557BE8DFC3735F1541F7F168CF6D2D9959C458391

Uniqueness

Uniqueness Score: -1.00%

Function 01013D70 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2e442135677f7e3cb8ce5372f84c676da4b7e9fe010558481c3c6f53a5b8e97
Instruction ID: 2c8d09c5f087d30463af86621902f2e9f317d1356e1ed756de08abc098a30677
Opcode Fuzzy Hash: e2e442135677f7e3cb8ce5372f84c676da4b7e9fe010558481c3c6f53a5b8e97
Instruction Fuzzy Hash: 82F0F672B041568B8B11EFACAC404AFBBF6BBC4250710407ED546E7305DB708806C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 04F38FEF Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37124a9c1a0de6a44af137f85484eb9a2164b0dedc3a4e31c6a5593804e3553a
Instruction ID: 09647edea8335cbaf73ed8d3327622212efda474dd545c5a9d57186d9a5e72f9
Opcode Fuzzy Hash: 37124a9c1a0de6a44af137f85484eb9a2164b0dedc3a4e31c6a5593804e3553a
Instruction Fuzzy Hash: B2F0ECA67097A01FC3271378A82445E3FAACBC265570B80B7D945C7393DE69CD0B43E2

Uniqueness

Uniqueness Score: -1.00%

Function 01015E38 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f73d2e5056f8ee0a23af2c6c9007d615e45e4df9eaab26ab61044ae34b7ae7ea
Instruction ID: 3b9b5e55376ab74909ad28c0419dc937a4af4cd1f9f8cc13d6a55049b8804bc1
Opcode Fuzzy Hash: f73d2e5056f8ee0a23af2c6c9007d615e45e4df9eaab26ab61044ae34b7ae7ea
Instruction Fuzzy Hash: 4E018C35A003159FC754DBB8D8048AFB7F9FF89211B10846EE59AC3750DB31E902CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F20B8F Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.530437180.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f20000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c3b1372cd68f3e80b4674ad5b2a84f06ed49729b01dc23dfe462345982b9f45
Instruction ID: beea3de3e4f154e8a4eb12639e416ba71967a9cc3cfbc76113013d867ad1a833
Opcode Fuzzy Hash: 5c3b1372cd68f3e80b4674ad5b2a84f06ed49729b01dc23dfe462345982b9f45
Instruction Fuzzy Hash: 68F0E9323483156FD7111730EC29F497B66EFC6711F158153F641DB6D5CAB094068BA5

Uniqueness

Uniqueness Score: -1.00%

Function 01011922 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 346801bd06bcb800b33505dfe1bc33cb4066f466ab4f2b62c9d8d83d0d9d1211
Instruction ID: 2a099ba9410456286552228c67856ba45b0cdd0721080bb66d527a4bd86135c4
Opcode Fuzzy Hash: 346801bd06bcb800b33505dfe1bc33cb4066f466ab4f2b62c9d8d83d0d9d1211
Instruction Fuzzy Hash: F7010475D00209DFCB05EFA5D9459EEBBF1EF4C250B10C066E959A7220E3319A21CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01014170 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b64b59f38c3241916e79a95758c64abd6d38535d0af212d2bd8d6e1bd7b57da1
Instruction ID: 710fddf1234a45fb862da83e4a7f13a5cf5860bddd7e5fb37c2e24c6273e1989
Opcode Fuzzy Hash: b64b59f38c3241916e79a95758c64abd6d38535d0af212d2bd8d6e1bd7b57da1
Instruction Fuzzy Hash: F3F0F634700200178611AB5EE88454FB7DBEBC4A54740443AD949CB70ADBA59C054BD0

Uniqueness

Uniqueness Score: -1.00%

Function 04F3E778 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2935ea4b30909578213f12a0ab438dba1c94be45474b7cfae2f40b64d746bac1
Instruction ID: cc7345dbb13fa7c9d2d1d41ac730c88962b1672db86e2e1e7435317e37bdaf90
Opcode Fuzzy Hash: 2935ea4b30909578213f12a0ab438dba1c94be45474b7cfae2f40b64d746bac1
Instruction Fuzzy Hash: AAF0A7717083490BD71897AA7854A5BBBDDDFD4164B05847FE619C7341DEA0DC024391

Uniqueness

Uniqueness Score: -1.00%

Function 04F3BB98 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 742a74f1bc698f1323c24f54fea4a5dca42c1f97b5e4a666d90ca7bc384bf38e
Instruction ID: 4589f2b7ded836fa02a8992fb7491fe907b5664a9d173252bf3a84a8a7091107
Opcode Fuzzy Hash: 742a74f1bc698f1323c24f54fea4a5dca42c1f97b5e4a666d90ca7bc384bf38e
Instruction Fuzzy Hash: D3F0B4257093948F971B56748420129BBA2AF8354931A80EAC948CB793DE17ED07C7E6

Uniqueness

Uniqueness Score: -1.00%

Function 00F20468 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.530437180.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f20000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34cce3841e08d3db3e3f90444867f1a17b5b08b8f6f635938bf3c8fec994386
Instruction ID: 5c81cde90146c2dee4203074a736c3befd035f1a1052b203587390bca0d317c6
Opcode Fuzzy Hash: e34cce3841e08d3db3e3f90444867f1a17b5b08b8f6f635938bf3c8fec994386
Instruction Fuzzy Hash: 02F0BB357002055FD714E7A49826F2976D6EFC5B10F25806AF606CB392DE719C014395

Uniqueness

Uniqueness Score: -1.00%

Function 00F20BF8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.530437180.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f20000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcca929e52a0bf05b1de2da17916516c18e68fa9c271bda9e39168b792402ced
Instruction ID: 49dee4c59e1188c946a07a94c7dc6f9f642572236c17dffa1a1f13eb5311624a
Opcode Fuzzy Hash: dcca929e52a0bf05b1de2da17916516c18e68fa9c271bda9e39168b792402ced
Instruction Fuzzy Hash: BBF090793044255F8304B7A8E818F59B2DBEFC9B54706017EE20ACB354CF625D0197A5

Uniqueness

Uniqueness Score: -1.00%

Function 04F30E3F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1092326e6c0a0333321ad8177f5a49de3516aa6ec70d6e1d823d7efa0fc044cc
Instruction ID: fb524812a5d291de0e86e59dec837a12589ff81ba556fe0059bbd83183698a3c
Opcode Fuzzy Hash: 1092326e6c0a0333321ad8177f5a49de3516aa6ec70d6e1d823d7efa0fc044cc
Instruction Fuzzy Hash: 5CF0E232B052118F87258A2894509AAFBD1AFD9761718817FE84AC7355DE36DC42C780

Uniqueness

Uniqueness Score: -1.00%

Function 0101E762 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3619795cf209d9b0ba77de619f542384c18c54db9d2f5620eb96f29328a6b226
Instruction ID: d63e4b1c924a987dfac5e5f2e4a49d687d62f2e165120a9240a39e03892fa922
Opcode Fuzzy Hash: 3619795cf209d9b0ba77de619f542384c18c54db9d2f5620eb96f29328a6b226
Instruction Fuzzy Hash: 87E02B237095525FDB17523A5CA09FEAF869FDA12031940BEE28FC335EDC1808034154

Uniqueness

Uniqueness Score: -1.00%

Function 01013F80 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe67a1aead032ca9e807ceb9825f14c707eb40f6637faacf037d335df843350
Instruction ID: 467d7f44cb394da93cba890a273bd44cc57b9a7ec30984c0a8dc125c89feacb2
Opcode Fuzzy Hash: abe67a1aead032ca9e807ceb9825f14c707eb40f6637faacf037d335df843350
Instruction Fuzzy Hash: 32E0E52375A2901FD75644B88CA02AADBA6E7C2030709C1BFE4D4CBA56C5088C0A4351

Uniqueness

Uniqueness Score: -1.00%

Function 00F239D0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.530507267.0000000000F23000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F23000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f23000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abb205c432ab2b7a464d499000118e8cba938b38fd9ba4ddb02162f9b8a29d28
Instruction ID: 410dee5f4abd18c65ec65accd5fdb0ce8f4585033cf643887a0da10d71485b51
Opcode Fuzzy Hash: abb205c432ab2b7a464d499000118e8cba938b38fd9ba4ddb02162f9b8a29d28
Instruction Fuzzy Hash: 41F0243120061547CB10EB29D840D5EF7DAEFD43947404C39E201C7358DFB06E0547E1

Uniqueness

Uniqueness Score: -1.00%

Function 04F32C90 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17d621cef37c022687bfbf178a2d7d26b643a77334ca6077ec4e023e55644e98
Instruction ID: a20fb72a96ebe64d896b98387e29ed718472074a1894e0682f6402b2e3a722df
Opcode Fuzzy Hash: 17d621cef37c022687bfbf178a2d7d26b643a77334ca6077ec4e023e55644e98
Instruction Fuzzy Hash: 04E06137B080509F471502261C108FF7B958BDAFF230B40FFE90AC7254FD5049034269

Uniqueness

Uniqueness Score: -1.00%

Function 010109A8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 562d8229c62f36b23e8237fd14c46d321a772661806bb05ea17508347bb920bc
Instruction ID: e2a8db48e0bb6df116b0cec9fe9f2658d5df02244daeb110b341fc95799c6c33
Opcode Fuzzy Hash: 562d8229c62f36b23e8237fd14c46d321a772661806bb05ea17508347bb920bc
Instruction Fuzzy Hash: FEF02430A042088FCB08FB74C52153C7FF29F42208B1981FDD04A9B7A2DF319D058B42

Uniqueness

Uniqueness Score: -1.00%

Function 0101B340 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a9aaf3c9e6e9d078ce0c06cae8348d081cd3e1a7457d260104c419f4984ee31
Instruction ID: f5cad5f1c755666d62c6949ac07caf39b9c9ce4fe9bea0143ba9054bc732dc89
Opcode Fuzzy Hash: 1a9aaf3c9e6e9d078ce0c06cae8348d081cd3e1a7457d260104c419f4984ee31
Instruction Fuzzy Hash: 8EE02B227087561FC311A3795C505AFBBDE9FDB620319807BF149C7292DD284E1183F4

Uniqueness

Uniqueness Score: -1.00%

Function 01011740 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a84e71d908218159e77036dbb2b6ae3d2fafd899074156f3750e634abd3cbb1
Instruction ID: 6ab31ab5d3d9721e006d5ffb43cd4fe1b4cc506e7789c1fcb7289f720c9d0d99
Opcode Fuzzy Hash: 6a84e71d908218159e77036dbb2b6ae3d2fafd899074156f3750e634abd3cbb1
Instruction Fuzzy Hash: 1CF087712047A09FE738DA38D448B4BBFF9AB05318F00049DE28687792C77AF84487A0

Uniqueness

Uniqueness Score: -1.00%

Function 01011930 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ab2bf45d81b2a8ce6f340f1872a66738c30efe62eefec8f8918152f7ac91621
Instruction ID: 025b10426746f69f16574448432eb8e77baa66ff5a8144e0f429eb14a265461b
Opcode Fuzzy Hash: 6ab2bf45d81b2a8ce6f340f1872a66738c30efe62eefec8f8918152f7ac91621
Instruction Fuzzy Hash: 99019D75D0021AEF8F05DFA9D9449EEBBF5FF4C250B108066EA59A7220D3359A20DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04F36EA8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54386cc165df1eec7bccc75b8eb236379b654150e61603974db03bc15d53cda5
Instruction ID: a0eead65b12af68b51094cbbe12b1c7726765035ba260584684c70c818716975
Opcode Fuzzy Hash: 54386cc165df1eec7bccc75b8eb236379b654150e61603974db03bc15d53cda5
Instruction Fuzzy Hash: D1E0DF37B8432423E6203370AC03BAE33568BC2FA4F200421F200EF6C5DEA87842229C

Uniqueness

Uniqueness Score: -1.00%

Function 04F3A016 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b14090baf98d68160be0da4394796c9a37c2c0baa503438f43b3ff889f3bb40
Instruction ID: 61933fae7382225f0139d667d226f5700cdade358da571a6119c036f00384da7
Opcode Fuzzy Hash: 3b14090baf98d68160be0da4394796c9a37c2c0baa503438f43b3ff889f3bb40
Instruction Fuzzy Hash: F8F0E566F0C1588EAF31577604600BE6691CFC1586705017AC5D6DB2A1FE31E9038393

Uniqueness

Uniqueness Score: -1.00%

Function 01013DD0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3432b6f04853794e875e9a47a3ef9e2bcc9df8d853bfa7973430a07ce6cf6433
Instruction ID: 1696cbfcf2c93c2de483fb5557b84d70a65ac0f3a6f03fa9788233a6cacf0638
Opcode Fuzzy Hash: 3432b6f04853794e875e9a47a3ef9e2bcc9df8d853bfa7973430a07ce6cf6433
Instruction Fuzzy Hash: 74F05C31A043425FD722476D58545EBBFF4FF81610F0480BFD9C04B146C7744406C340

Uniqueness

Uniqueness Score: -1.00%

Function 0101E767 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd0f6609d2d1f6610ec3944b8fb50ab3fcd66a44c5d751a6d531d910b97476d0
Instruction ID: 3c46c6e6e0cf9e1df9bda3ba804e1ce4b43d46ffe59acd7568f65d05de74b01e
Opcode Fuzzy Hash: dd0f6609d2d1f6610ec3944b8fb50ab3fcd66a44c5d751a6d531d910b97476d0
Instruction Fuzzy Hash: 0DE0DF62B045130F8B1A623A6858AEEBBCA9FE9220714807EE64FC33A9EC180D034650

Uniqueness

Uniqueness Score: -1.00%

Function 04F36EB0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8db310a3410b999c20de71a2acad5978e53617c2970e674cd3978f9b37009bd5
Instruction ID: afb5d55e7487ae58060f5c8fe8f7c41f294e94a9fc9cde0dae968af00b820247
Opcode Fuzzy Hash: 8db310a3410b999c20de71a2acad5978e53617c2970e674cd3978f9b37009bd5
Instruction Fuzzy Hash: 6BE0483278072427E62037756C46F5E73569BC2F64F604525F241EF5D5DEA478025298

Uniqueness

Uniqueness Score: -1.00%

Function 04F359E8 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcdfeff03884ccd6cc1f52b6d0bf51608275937020baa3ddb2764526c7d82b69
Instruction ID: f330238decaf1d027c5bfe9646484c95a40e9ba527b474672772ef199dd9abfb
Opcode Fuzzy Hash: fcdfeff03884ccd6cc1f52b6d0bf51608275937020baa3ddb2764526c7d82b69
Instruction Fuzzy Hash: DCE0223170020247CB142B3A901466EB2CA8BC0620B18807FE00ACB391EE7D9C4347D1

Uniqueness

Uniqueness Score: -1.00%

Function 04F3C361 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43495679798fd8c95933c14e056681737391e124640c56a68225eb054a35ea6c
Instruction ID: acc055344c536692d0a8135a659b7a106f863f3b403d3341ad2978d3bfeb35c7
Opcode Fuzzy Hash: 43495679798fd8c95933c14e056681737391e124640c56a68225eb054a35ea6c
Instruction Fuzzy Hash: 0CE0DF323011108FC314AB7EF8C8A297BEAFFC962271840B9E20EC73A0CE24DC078650

Uniqueness

Uniqueness Score: -1.00%

Function 0101BF18 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57793cb616b515f2c7d0a26941dd477f404eb10eaba375c77534e2a70cb9ba78
Instruction ID: 46b361694d2e87fe8264060765b78506d43140e0bf86a62f27d06800ce51d1b6
Opcode Fuzzy Hash: 57793cb616b515f2c7d0a26941dd477f404eb10eaba375c77534e2a70cb9ba78
Instruction Fuzzy Hash: FBE086317042252B8615227958109AE76DD9BDBA1131440BBF545CB394DDA54D0243E9

Uniqueness

Uniqueness Score: -1.00%

Function 0101B90F Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fedcabf8fef43d8233e0bfce351d56aa0aad9e8e8216d313aec4f5bfe52bd1a2
Instruction ID: 54c57d6b48e233682d786dcbc07885aa10edd04b7b6b6ca2f3a0b0c214aa81e7
Opcode Fuzzy Hash: fedcabf8fef43d8233e0bfce351d56aa0aad9e8e8216d313aec4f5bfe52bd1a2
Instruction Fuzzy Hash: FCE08C227085622F8715A27A2C609FFEADA4FE9620718C03FF54EC3395CD6C4E0287A4

Uniqueness

Uniqueness Score: -1.00%

Function 0101B910 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3121d001ff887f5589322b509682bc2a1f62f96587843dfbf27f99cb79ac83e2
Instruction ID: e99ebed1cd67f1e4b6be63030a27435fbcecb29e61b89d555c5fb1e1a406e5ba
Opcode Fuzzy Hash: 3121d001ff887f5589322b509682bc2a1f62f96587843dfbf27f99cb79ac83e2
Instruction Fuzzy Hash: 85E08C223045262B4714626A6C609AFFACE8BE9520714C03AF64EC3355DD2C8E0242E8

Uniqueness

Uniqueness Score: -1.00%

Function 0101B350 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b027f4909954cfc3e5e0320a6e5c7ba37cc1f7d6acdd0269f5096cac81b8113
Instruction ID: 16d206f346573aeb9ffb8e91e2a8fcb3c8bbace7c1cc08ceeb75a2cc2cc676c0
Opcode Fuzzy Hash: 4b027f4909954cfc3e5e0320a6e5c7ba37cc1f7d6acdd0269f5096cac81b8113
Instruction Fuzzy Hash: E9E08C227046262B4714626A6C209AFFACE8BD9920718C03AF64EC3355DD2C8E0242E8

Uniqueness

Uniqueness Score: -1.00%

Function 01010A0A Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44e2f38af3ca5e7190c782fb09566c8399ba629f6a2415917a1ba368a36e43d3
Instruction ID: feecc7f2bfd96b408f7d55d008d8209246163c598ecf6fde3f8e291da46d11bc
Opcode Fuzzy Hash: 44e2f38af3ca5e7190c782fb09566c8399ba629f6a2415917a1ba368a36e43d3
Instruction Fuzzy Hash: 60E06D323592801FD30246698820A553BA99F82B70F1902FBE184CF3E7D9959C058392

Uniqueness

Uniqueness Score: -1.00%

Function 04F304DA Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b58cbc299f73c33d7827c91cc5ddc53fbfc62d1a1cc99fc9a319e80a1852997f
Instruction ID: adbc25b97297913ad25b86b7563c972deb41e69c80413eb87905d4a5fb76505c
Opcode Fuzzy Hash: b58cbc299f73c33d7827c91cc5ddc53fbfc62d1a1cc99fc9a319e80a1852997f
Instruction Fuzzy Hash: 1CE0D1A570D2419FD75A8F39941446B7BA2AF45213306449FC083C725FEE31D543C716

Uniqueness

Uniqueness Score: -1.00%

Function 04F32CA0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88a00bf1eba3657a47086c81ea58ca54f842278030f6dccca5bb2b55b258ec18
Instruction ID: 5e69cffbbc9925d63c6cce30ae1f43ca72f9ec989402eecabe8e041cc16207dd
Opcode Fuzzy Hash: 88a00bf1eba3657a47086c81ea58ca54f842278030f6dccca5bb2b55b258ec18
Instruction Fuzzy Hash: 8DE0CD35704515471B15222E581087F71DE8BC9DB1706407BEA06C7394EE559D0343F5

Uniqueness

Uniqueness Score: -1.00%

Function 04F36EB8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e556e923b1ee64e502c43c0dda5bc9f5a6767805aad800ffe4f34c78fdfc203b
Instruction ID: 0b15e5cf214fd3740b7fdb4b02a6849af8638362653e81afed27cb1bf43e3d10
Opcode Fuzzy Hash: e556e923b1ee64e502c43c0dda5bc9f5a6767805aad800ffe4f34c78fdfc203b
Instruction Fuzzy Hash: 80E08C32B8032422E62032757C06F6E324A8BC1FA4F604825F240EF6C9DEA8780222D8

Uniqueness

Uniqueness Score: -1.00%

Function 04F32C97 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a33d974b869eb1c9a4625e3106b66e3ec7575758375bd17a770a00cea9f13a80
Instruction ID: 14e87ff4c1a4342d43092fb5a47e1d2408576f12f44e13fe668ef8e5036273e4
Opcode Fuzzy Hash: a33d974b869eb1c9a4625e3106b66e3ec7575758375bd17a770a00cea9f13a80
Instruction Fuzzy Hash: 87E0CD317045255B5B25175958108AF76DECBCAEB170540BBFE05C7290DE545D0383F5

Uniqueness

Uniqueness Score: -1.00%

Function 04F39560 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fccd332ca58921cd9d34e524759e90150d36a5d7d92375d4fb6063f0b1114318
Instruction ID: 902cfaf0bcf47dd0781ee40c867d1e49a72c83841b3405a39bc36547e61c0797
Opcode Fuzzy Hash: fccd332ca58921cd9d34e524759e90150d36a5d7d92375d4fb6063f0b1114318
Instruction Fuzzy Hash: 28E0DF36D09208AFDB00DFB8F95318CBBB0DB41208B1188EEC409DB202EA316F038B81

Uniqueness

Uniqueness Score: -1.00%

Function 04F39119 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a1a8df8c6c62874d225fed979d796b2a8a3da4f8b0e0eba458be2c4b2d103fc
Instruction ID: 6fe1ccec7a133b1bd1132e58c47c63db20b5f60c44f57c8ac29b1c8ad184fbb8
Opcode Fuzzy Hash: 3a1a8df8c6c62874d225fed979d796b2a8a3da4f8b0e0eba458be2c4b2d103fc
Instruction Fuzzy Hash: 78E0CDB7B442541FD3022669341845E7FA9DBC6B61307406FEA49D7353ED658D034791

Uniqueness

Uniqueness Score: -1.00%

Function 01014058 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12897141c83bf1d7e3cb11cab5c8ff7395eb0236fd979842436d14c221f43560
Instruction ID: d0595032c3edb81f85916adc39a862cb1f8ec05957df51d51fc5043d13a7c7e0
Opcode Fuzzy Hash: 12897141c83bf1d7e3cb11cab5c8ff7395eb0236fd979842436d14c221f43560
Instruction Fuzzy Hash: 15D0C232300120178215266E2840A2BFACEE7CA6B1B50403AF60DCB384DC658C0282A1

Uniqueness

Uniqueness Score: -1.00%

Function 0101E770 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02c66a6f49cc022ad231faf8886d79e9f2657219cf0087e2641bf9ff6706816c
Instruction ID: 1073c9b99c623bc100f547d4a9b6f079cb3e7ca35221e0b73e83a9b5e2373b87
Opcode Fuzzy Hash: 02c66a6f49cc022ad231faf8886d79e9f2657219cf0087e2641bf9ff6706816c
Instruction Fuzzy Hash: CAD05E22704A271B4758726F6C649AFF6CE8FD9930715803EF10EC3399ED684D0202E9

Uniqueness

Uniqueness Score: -1.00%

Function 04F3F620 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 650d856361c525006d539f844fbcbf17137d94e2cf6e4b6f46290092d1c87143
Instruction ID: ab282c9b867062bde4eceab7289081b4126efb8cd49406eee3caaffde9ab3201
Opcode Fuzzy Hash: 650d856361c525006d539f844fbcbf17137d94e2cf6e4b6f46290092d1c87143
Instruction Fuzzy Hash: B2E0683120130447E300A324F40030ABBEAFBC0714F04461ED646C3701CB68B80247D5

Uniqueness

Uniqueness Score: -1.00%

Function 010158F8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a345f6ed6ce3c694b0f08a2b1c88ed0e1a1a68efc9fd1fbfc2a455bae80e2b1
Instruction ID: 06459493a29e948fa4ce49922b58258aa4349b568a95d1ab8d444e73a5e343ef
Opcode Fuzzy Hash: 1a345f6ed6ce3c694b0f08a2b1c88ed0e1a1a68efc9fd1fbfc2a455bae80e2b1
Instruction Fuzzy Hash: E1E08C3275022433D7206508AC02F9A739A9BD4F60F208026B604AB2C48AF0B90152D8

Uniqueness

Uniqueness Score: -1.00%

Function 010185E0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23e8a59ba0f0ecf5288353b6b6c488065d4694803109d19ae2f6f78fded9bb07
Instruction ID: 3feecf666744b98d9440e8981c94afbfc25ee73a512d5ea4a9d17733246ba55f
Opcode Fuzzy Hash: 23e8a59ba0f0ecf5288353b6b6c488065d4694803109d19ae2f6f78fded9bb07
Instruction Fuzzy Hash: 60E0CD34704711C7D75A566D941096AF7D6EBC9130F14C0B7E6858B39CDE7ADC0247C5

Uniqueness

Uniqueness Score: -1.00%

Function 01015F5F Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f74281cacfcae0a872d2fa454e91a295422c608128871538fbfffa748c5ad49
Instruction ID: 7c6ade68a3ed9746f354ff5e3f52dd8738f7952601d8a218827eef33418b4bec
Opcode Fuzzy Hash: 4f74281cacfcae0a872d2fa454e91a295422c608128871538fbfffa748c5ad49
Instruction Fuzzy Hash: 81E0D8326044124FC711DF1CD844D9A7B629FD5314747812EFD459B245CBB5EC468BD4

Uniqueness

Uniqueness Score: -1.00%

Function 010158A0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbec77f04652e65a715e3b5cdcd4e057321bcb37036afd4b3fb56c963082af2c
Instruction ID: 3435be45499c15efd7d9801a2924cf80233dd89fa5ee4716f835a10498e59500
Opcode Fuzzy Hash: cbec77f04652e65a715e3b5cdcd4e057321bcb37036afd4b3fb56c963082af2c
Instruction Fuzzy Hash: 8FE01A71D45208EFDF00EFF4ED4A69DBBB4EB4A701F6045A6ED44EB215EA346A019B80

Uniqueness

Uniqueness Score: -1.00%

Function 010158A8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a9cfc7c4858bf8fb7c40a37f664a278a44f7f8f41c78067b046a3ed6068cfcd
Instruction ID: 239fee17923300b2a1096a16608e9f2f9ad03ce3340fa2326a9979298d618497
Opcode Fuzzy Hash: 4a9cfc7c4858bf8fb7c40a37f664a278a44f7f8f41c78067b046a3ed6068cfcd
Instruction Fuzzy Hash: D0E09A71D40208AFCF00EFF0EC4A69CBBB0EB49300F2040A9E900E7300EA306A009B40

Uniqueness

Uniqueness Score: -1.00%

Function 04F3C5E0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3765d57f05e730c7c6bd103fd81eb20e6eda8e7fb4ad7038009d9c7cf306dae
Instruction ID: 98ae8c90983a6d5713f757a18ac22100bbc3ecdc72063f5e897755797e1ed9ba
Opcode Fuzzy Hash: f3765d57f05e730c7c6bd103fd81eb20e6eda8e7fb4ad7038009d9c7cf306dae
Instruction Fuzzy Hash: D2E05BF72445104FFB00EE24F84635977D5EB00306F151C5DD085D1582EB7CD591A652

Uniqueness

Uniqueness Score: -1.00%

Function 04F308E8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 474ab996ed44ad6ccc1f32b948ac924e3bb3c7098689bf5fadebb277a878a3ae
Instruction ID: 5967694d3544f17f719309e9340b73fde7a3a051d4e363f91f163d5e5babd07a
Opcode Fuzzy Hash: 474ab996ed44ad6ccc1f32b948ac924e3bb3c7098689bf5fadebb277a878a3ae
Instruction Fuzzy Hash: 94D0A732700226174B09327D682489FB7DE8FDA921324807FF10AC7354DDB98D0343E8

Uniqueness

Uniqueness Score: -1.00%

Function 01019380 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1125594e9fa2894d7b04d81acd4c5d23f2f7f5fd49cfca816573cd9b94de5b14
Instruction ID: 9daea50a1c93608ea6bce603b3cfb5ccf90d15f84c2434f9567a3e2a66cfa209
Opcode Fuzzy Hash: 1125594e9fa2894d7b04d81acd4c5d23f2f7f5fd49cfca816573cd9b94de5b14
Instruction Fuzzy Hash: FAE01271D55208EFCF40EFF8D8555DDBBB0EB46200F6085AAD844AB205D6356A119B40

Uniqueness

Uniqueness Score: -1.00%

Function 010165C7 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c5167eb20b3f6bdf00e796ba83b30e0cb7fb880ede0f58707d9240ff9918520
Instruction ID: 98a3410f6d9ebbae90795aea4ffe03a4cc3409499546c0fe73ef4cb5ffab7b17
Opcode Fuzzy Hash: 5c5167eb20b3f6bdf00e796ba83b30e0cb7fb880ede0f58707d9240ff9918520
Instruction Fuzzy Hash: CBD05E367181211B4B15522E3854DBE2ADF8BCC621329406BE40AC3394CEA48C034BA1

Uniqueness

Uniqueness Score: -1.00%

Function 010165C8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c7c72dcc5c19c9c2525fcc92a3480d4f5380a7fa9cfa1201b7b26e2bf244f93
Instruction ID: 6524f41465c7101e019dbce1a803d8d6d43f134845b47ff54c9e34ec71efbfea
Opcode Fuzzy Hash: 2c7c72dcc5c19c9c2525fcc92a3480d4f5380a7fa9cfa1201b7b26e2bf244f93
Instruction Fuzzy Hash: C9D05E36714121170604621E6804D7E36DF87CC5213194066E50AC3354CEA48C0307F5

Uniqueness

Uniqueness Score: -1.00%

Function 0101BF28 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5250494bc8c468a13106c3429b436c9ebc5fa6eb3637d30e755a55bf4f16160f
Instruction ID: 4441cbaee6ef1f2895a4a0ba9252f356654ea9c3844b0f568ecc6d0c0db515e0
Opcode Fuzzy Hash: 5250494bc8c468a13106c3429b436c9ebc5fa6eb3637d30e755a55bf4f16160f
Instruction Fuzzy Hash: 9BD0A732700226174A09327D682489FB2DE8BDA921314807FF10AC3354DDB98D0343E8

Uniqueness

Uniqueness Score: -1.00%

Function 0101AE5F Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fac07c256914a04c834c460983186ccfd35550e652a9260ab87365e081a39a6
Instruction ID: 68eb60a7644840e92090cebe44ba76d0fd0d93d4fef6022887740daa7c98c6c9
Opcode Fuzzy Hash: 6fac07c256914a04c834c460983186ccfd35550e652a9260ab87365e081a39a6
Instruction Fuzzy Hash: B7D05E327042221B4B19627D28248EEB7DA4BD9A11324817FF04AC3364DDA98D034794

Uniqueness

Uniqueness Score: -1.00%

Function 0101AE60 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 227ec1458de8a9432fa3748548f27b5bfa07eec72f177a62af602daf6e465748
Instruction ID: daa4cf709d2ebc7a056948668e6c1a081049710ac88f3bae2f4774e525a5f225
Opcode Fuzzy Hash: 227ec1458de8a9432fa3748548f27b5bfa07eec72f177a62af602daf6e465748
Instruction Fuzzy Hash: 51D0A732700326174A09327D682489FB2DF8BD9921314807FF10AC3354DDB9CD0343E8

Uniqueness

Uniqueness Score: -1.00%

Function 04F388F0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9892765b8f0da1a8d765988d3d6cd2883504f9ecb65d4361a010ad09d70d541
Instruction ID: fee040a7ec3ddd430ddfebec8bda68a991408ec750e2fb0684a24e9f73f880c6
Opcode Fuzzy Hash: f9892765b8f0da1a8d765988d3d6cd2883504f9ecb65d4361a010ad09d70d541
Instruction Fuzzy Hash: B6D012317041189B6758DB5A945495AFBDDEFC95A4715C06AE50CD3204EE32E80147D4

Uniqueness

Uniqueness Score: -1.00%

Function 010185DF Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85a88aa0eb3ff9c8dd23001bbca743927e65053da95f326d0778ea4535735456
Instruction ID: fb80897296edbb5262aade18e82fdd5aee4540aafccd70f71b800824934f81ba
Opcode Fuzzy Hash: 85a88aa0eb3ff9c8dd23001bbca743927e65053da95f326d0778ea4535735456
Instruction Fuzzy Hash: E4E0CD347046118BD71646285410D79F7919B89120F14C1BBE54587358C9768C014785

Uniqueness

Uniqueness Score: -1.00%

Function 04F377D0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 186b3f52210d7117d254f6ff4c64e173a6669011dcbbc5b87a300a7e94b9daeb
Instruction ID: fc5f02ac8f5380dec22e6a5b605f88ae29bd9ea587faab775281f9207a1a440c
Opcode Fuzzy Hash: 186b3f52210d7117d254f6ff4c64e173a6669011dcbbc5b87a300a7e94b9daeb
Instruction Fuzzy Hash: 5DE0C2B350D2C14BCB0793306C18090BB21AFE212AB1941FFC48989893D8228087C262

Uniqueness

Uniqueness Score: -1.00%

Function 04F390E0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cd55180c588e6b9c6a6d89182604b65befa2581121ba5bf4b55f5c00376fba0
Instruction ID: aa461a217f5188d838e099123bf60364501e7b7eea6be937026126fdae8abf4d
Opcode Fuzzy Hash: 6cd55180c588e6b9c6a6d89182604b65befa2581121ba5bf4b55f5c00376fba0
Instruction Fuzzy Hash: 80E0C2B17092009FCB44ABA1A8648683F60EB84205311889EC48ACB343EA66AE038B00

Uniqueness

Uniqueness Score: -1.00%

Function 04F39128 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c818f06e25d870a9ebd238dbf272907efc08fd514661528f02075e173fbf6bf
Instruction ID: e55caaf712e847c3f3fd0e12e9cf67a3720ec2ee39eb2332edea4c8e64c62dc0
Opcode Fuzzy Hash: 7c818f06e25d870a9ebd238dbf272907efc08fd514661528f02075e173fbf6bf
Instruction Fuzzy Hash: 59D0A7363102241B0505256D741896FB6DECBC9F62716002FFB09D3301DDA5DC0243D5

Uniqueness

Uniqueness Score: -1.00%

Function 00F20507 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.530437180.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f20000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de49ecc618abbb81e347bfbba35125e2886badbb26b7ea567db504e375467901
Instruction ID: c89689f7c44d7c191b393bfc4413d461d05fd56522d9e7cba1b99131800a84a5
Opcode Fuzzy Hash: de49ecc618abbb81e347bfbba35125e2886badbb26b7ea567db504e375467901
Instruction Fuzzy Hash: 6DE01239B862914FC7025BB998588D53BF5DE8B50530501DFF046C7772DB289C1AC751

Uniqueness

Uniqueness Score: -1.00%

Function 0101099A Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1511df9891912281d7d3cba78e7647688451245d7a8d0d2058c2b7fcc80ef8c
Instruction ID: 6d319d1648010f3e58da4bbe6ac8bcb7132805ac4e2d52e8322acfa368abb6fd
Opcode Fuzzy Hash: b1511df9891912281d7d3cba78e7647688451245d7a8d0d2058c2b7fcc80ef8c
Instruction Fuzzy Hash: C6E08C3122E6824FE7168A3CC8655287F61EF0321070983FEE4D9CB9EBC716C8668342

Uniqueness

Uniqueness Score: -1.00%

Function 0101203F Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcb779d5124a8ddb01655f2dcc9a6296af524809c6f42f25ba69ea299299cd86
Instruction ID: e1e48a535b4322543e0be85ba20494d1add83ac4ef9db1845bf946dbe2e0cf28
Opcode Fuzzy Hash: fcb779d5124a8ddb01655f2dcc9a6296af524809c6f42f25ba69ea299299cd86
Instruction Fuzzy Hash: F5E086715096C0DFC757572498140807FB29FCB10432880CFE08487677D92F8C9BD781

Uniqueness

Uniqueness Score: -1.00%

Function 04F39F38 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca989d6b19c1d76219f7b11f2f11482e67b6fea4127ace90076f1ecf0022d24a
Instruction ID: 7f3d6246e8631b4da926c901ed8af4773c570953824a7f87b0afcdce7e7b72cb
Opcode Fuzzy Hash: ca989d6b19c1d76219f7b11f2f11482e67b6fea4127ace90076f1ecf0022d24a
Instruction Fuzzy Hash: 2AE0B674E0520CAFCB44EFA8E44449DBBF5EF48204F0085E9D949E7344EB346A14CF81

Uniqueness

Uniqueness Score: -1.00%

Function 04F34C67 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b74527e2d99baacb29d581f6c569b8255b5a11a509634a9d2581594e474118c4
Instruction ID: 2e2031f32cff721c725c1d7498e1d8dea4e470bd1b763b3587b35da3eb736d41
Opcode Fuzzy Hash: b74527e2d99baacb29d581f6c569b8255b5a11a509634a9d2581594e474118c4
Instruction Fuzzy Hash: 07E0EC71D51318EFCF40EFF4E94A69DBFB0EB86310F6085AAE904BB205E6355A109B40

Uniqueness

Uniqueness Score: -1.00%

Function 04F34C68 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af6bacd22bd0aa4ab103e6d6e67b35febebef32852cc5b8cdb3a83747bbd9348
Instruction ID: cfcde9e52d93e9b9d1340550fd091a1c80b8ed051f32a44a52465f4ece56b6ac
Opcode Fuzzy Hash: af6bacd22bd0aa4ab103e6d6e67b35febebef32852cc5b8cdb3a83747bbd9348
Instruction Fuzzy Hash: B9E0EC71D45318AFCF40FFF4A94A69DBBB4EB45200F6085A6E944AB245EA355A109B80

Uniqueness

Uniqueness Score: -1.00%

Function 04F328B0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b0de6715b0b4a55802669a5bcfefd8242cf3c821668c2351c0b44e79ab63fe2
Instruction ID: 5e7b48da701b761b63130f6b56b6920d80df88b38c47013e20507cf81ef8f464
Opcode Fuzzy Hash: 0b0de6715b0b4a55802669a5bcfefd8242cf3c821668c2351c0b44e79ab63fe2
Instruction Fuzzy Hash: B5D05E33300315D787259B59E4488DB77EDEAC8621304062BE18BC3604EE65F90687A0

Uniqueness

Uniqueness Score: -1.00%

Function 010158B0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9f31eeed7813aed81ae9ed6e5cc8450bb3c4b80b35d44683f66bba97c6113e8
Instruction ID: 611efe31231d939b5f1696ab7f44182c0fc062b5c1e44ee8091f51c035d3db2d
Opcode Fuzzy Hash: e9f31eeed7813aed81ae9ed6e5cc8450bb3c4b80b35d44683f66bba97c6113e8
Instruction Fuzzy Hash: 37E0B671D45208ABCB40EFF4E94A65DBBB4EB48201F6085AAE904E7351EA356A109B80

Uniqueness

Uniqueness Score: -1.00%

Function 01019390 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e23301e11cbf97f2558468e1470b57e3e1f6df83e861104d9b75fc5e777e2ff8
Instruction ID: d7ffae99e16e1989068d32c4dedc1be0dba2570801d5f4531edaf1cc0f4a9024
Opcode Fuzzy Hash: e23301e11cbf97f2558468e1470b57e3e1f6df83e861104d9b75fc5e777e2ff8
Instruction Fuzzy Hash: 9CE0EC71D45318ABCF40FFF4AD4A69DBBB4EB45200F6085A6D944AB245EA355A10AB80

Uniqueness

Uniqueness Score: -1.00%

Function 04F32C72 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 197696227f0827d7490d58edf76f544b1a44cb9a0a0f81f71d51107bcf6ed039
Instruction ID: 79e8e2de189f97298720f9b367436cbad7a8ac365929b4853f442fd680133269
Opcode Fuzzy Hash: 197696227f0827d7490d58edf76f544b1a44cb9a0a0f81f71d51107bcf6ed039
Instruction Fuzzy Hash: B9D01297A9D04067D60011092C514CE6B4586EABBA3A740DED0085522C501498474599

Uniqueness

Uniqueness Score: -1.00%

Function 010164BC Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de24970ba4a1d733bbacea9465ceadd3a15e3fde6518e8a15df2bb51b62d8842
Instruction ID: 8cdadf0374dc8091b26945fa7768d00f9e7d7186c2b5060e0cf8eee4ec674e8e
Opcode Fuzzy Hash: de24970ba4a1d733bbacea9465ceadd3a15e3fde6518e8a15df2bb51b62d8842
Instruction Fuzzy Hash: 4DD0A737F084178B8B10C6D9EC0009CB3E5EB8416471041F2D90AD330CEB75CD46C790

Uniqueness

Uniqueness Score: -1.00%

Function 04F39570 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c38e1f1d40fca7a8eb18bad22742d41fa01e0d435c3c63c85da3caf664903d3
Instruction ID: 2284cc0b3ed843f1db6b7e7bce65840d468b07897d331ca4d5af0d46709fe340
Opcode Fuzzy Hash: 4c38e1f1d40fca7a8eb18bad22742d41fa01e0d435c3c63c85da3caf664903d3
Instruction Fuzzy Hash: 7BD01231D0420CEB9B40DFA8EA0155DB7F9DB45204B1044A99908D7214EA316F009B81

Uniqueness

Uniqueness Score: -1.00%

Function 0101ACC7 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5959eb8edfbea2a37159c76e60d4bcfd61d5413e50da9d0dafd2260df41e7cf
Instruction ID: 2c18603789ba2866fee52da29c70893013cc72bc6b606460b836d9b821e190af
Opcode Fuzzy Hash: c5959eb8edfbea2a37159c76e60d4bcfd61d5413e50da9d0dafd2260df41e7cf
Instruction Fuzzy Hash: A7D01231B093264B8B1963B834244FEB7D65FD9615314857FE44BC7754CDB98C424BC4

Uniqueness

Uniqueness Score: -1.00%

Function 0101ACC8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baee4aabd8627c2a3bbdf996ef027cf54b13aef160907c6df547feffff5cac53
Instruction ID: c5d2da98df4df1242a8d3527c799a8c805132d9357af62b756f36baf5fc453f4
Opcode Fuzzy Hash: baee4aabd8627c2a3bbdf996ef027cf54b13aef160907c6df547feffff5cac53
Instruction Fuzzy Hash: 4FD01231704326474A1932B864144AEB2DE5B89515310847FE50AC7354DD799C4247D4

Uniqueness

Uniqueness Score: -1.00%

Function 00F242BA Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.530507267.0000000000F23000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F23000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f23000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8154fbad1aaeb3d6628d8a3b3d88eaaa5f38ba7fb568a90c7efa54b973add595
Instruction ID: acee136dafe636858077c9c6adecef875f1f25a2f2b4d710e4f67673b1b158ee
Opcode Fuzzy Hash: 8154fbad1aaeb3d6628d8a3b3d88eaaa5f38ba7fb568a90c7efa54b973add595
Instruction Fuzzy Hash: 19D0C96101E7CA4FC7426BB1A82A5443F649D4720474945EAD188CB9669A5414068756

Uniqueness

Uniqueness Score: -1.00%

Function 00F20518 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.530437180.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f20000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d36781c080ab5b5659cffe3bf5e457a629736d643f306203376f1c10d8f144
Instruction ID: 63b04a21a378c4bdb0b517e0fda8ee62936419128ee9fbe88b150065fb0243cb
Opcode Fuzzy Hash: e6d36781c080ab5b5659cffe3bf5e457a629736d643f306203376f1c10d8f144
Instruction Fuzzy Hash: 03C012397401249F8600ABF9E418C8A77EC9F4955530000A6F505C7730DB31AC0187D1

Uniqueness

Uniqueness Score: -1.00%

Function 00F2071C Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.530437180.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f20000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25ec563a2e7f2214a10a8ec105dbd43df085901e7306edf86eaca9b1878ef30d
Instruction ID: 8d102b74473655e3fc66ef5ca633915c2c1ee99e7621fc3d585bcb93191f6121
Opcode Fuzzy Hash: 25ec563a2e7f2214a10a8ec105dbd43df085901e7306edf86eaca9b1878ef30d
Instruction Fuzzy Hash: 69D0228310C1F50BC30202E82C101202F10E49338130840EFD081CF6A3D484C102A621

Uniqueness

Uniqueness Score: -1.00%

Function 0101493F Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e00e9053059765fd0a430ed0333165d69414b2f482221026a773e153bb5a90a9
Instruction ID: bc59a682dfa66ad1478d7f6fdb37e77d1a1dd132c1d67bff4b317f87271f92a1
Opcode Fuzzy Hash: e00e9053059765fd0a430ed0333165d69414b2f482221026a773e153bb5a90a9
Instruction Fuzzy Hash: 36D01239B04920CF8E25DBA8D05459CB3A59F44A18B1740D5EA5BDB374CB249E11CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 0101AC50 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fd0109448fe63578166e828a2dca4e7e7472f2db97a4b88b53e078e2ce47144
Instruction ID: 6069b8dbe5894f534c56fc39fd12ca00bee378a44b063ec9e7ddff706699fdbd
Opcode Fuzzy Hash: 9fd0109448fe63578166e828a2dca4e7e7472f2db97a4b88b53e078e2ce47144
Instruction Fuzzy Hash: 59D05E302042008FC754DB1CE040645B3D1EB48218B14C8AEA04DCB346D673EC078B80

Uniqueness

Uniqueness Score: -1.00%

Function 01016C6B Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec3be04f135977b05fd31f32f14da0fed02bc31bf5ce290dd48a266df61f106
Instruction ID: 2eaf7ea45b0a7c9791eb88550d8b21c755066ab65c905aa300d592f4ff5da5c2
Opcode Fuzzy Hash: cec3be04f135977b05fd31f32f14da0fed02bc31bf5ce290dd48a266df61f106
Instruction Fuzzy Hash: 0CD0A730C0030D8F8B409FBC58460BC7FF0D705210B1005AFCA88C3309E53B01014B80

Uniqueness

Uniqueness Score: -1.00%

Function 010177A3 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63ef96ad8e41c682e74ae3ee08f6deacbbe8803631f765b80295ae4c715b7bc7
Instruction ID: 44c481a206b1b9ee9c70234bd63e9933f9edbac5b705c04c5f675ee2b1e9f2b8
Opcode Fuzzy Hash: 63ef96ad8e41c682e74ae3ee08f6deacbbe8803631f765b80295ae4c715b7bc7
Instruction Fuzzy Hash: E8D0123AB040248B4E1197A8E4055ECB7B5FB8C661F4041F7DA46E3398DA755D1447D5

Uniqueness

Uniqueness Score: -1.00%

Function 00F2EA19 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.530507267.0000000000F23000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F23000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f23000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28f07e54af17643ea42c1af13940fc2f10bb07a946b09c9ecae2f89efdd84876
Instruction ID: 1abff40e72ae1187b1daa3ac243167e552ec7c8da585dce79593b9ca6addc418
Opcode Fuzzy Hash: 28f07e54af17643ea42c1af13940fc2f10bb07a946b09c9ecae2f89efdd84876
Instruction Fuzzy Hash: 46D0927610E7C59FC7138BA08D29948BF71AF57300B0A81DBE185CB8B6C7658418DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F206C2 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.530437180.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f20000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b50e75d193b00415732b6a0323a65c1a908acb124c1d7c83da8a61e8d7239af
Instruction ID: b06f4b977d05c79fccca6022e5a249008c0ae2f4d680d6727be914cee2344211
Opcode Fuzzy Hash: 9b50e75d193b00415732b6a0323a65c1a908acb124c1d7c83da8a61e8d7239af
Instruction Fuzzy Hash: 45D012B005E7DE8FC30267B0EC299003F78ED0720030A80EBE089CB5B3CA148806C727

Uniqueness

Uniqueness Score: -1.00%

Function 01011842 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6941748dcc94b8bd04dcb2d7eee6cbfa3740f019fe815c96dd0ad4542d9add7
Instruction ID: 5c380a8854e77e888555ec8ee283aa08e6d8015ef0c1433cd6ec731e5ab00720
Opcode Fuzzy Hash: c6941748dcc94b8bd04dcb2d7eee6cbfa3740f019fe815c96dd0ad4542d9add7
Instruction Fuzzy Hash: 4ED0953204528DBBCF038FA0EC058DA3F2AEB09250B008012FA0804422C3338932ABA1

Uniqueness

Uniqueness Score: -1.00%

Function 01016C57 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e208d4848148ca000dbf3715019a7af01a313cce16f4d6bf218ff5a5af2a025f
Instruction ID: 38b727cc5103b3d0e4a30a9e272ebf31897013fdc8d2af491ddd7657c5bc55a2
Opcode Fuzzy Hash: e208d4848148ca000dbf3715019a7af01a313cce16f4d6bf218ff5a5af2a025f
Instruction Fuzzy Hash: A9D09E3AA01008DBCB04DF84E5409EDF771FB84325F10C05BDD1567350C732AA16CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01016589 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c4a22fc65d6cc41ec2d7237b464644ae6b134c41fb54bb6ba168c77a727d9b9
Instruction ID: 64cdfc05662b35caaa4988df3a7156ef3a306d8e1e4cf2f045f98a937f64a50a
Opcode Fuzzy Hash: 1c4a22fc65d6cc41ec2d7237b464644ae6b134c41fb54bb6ba168c77a727d9b9
Instruction Fuzzy Hash: 5AD0C936F4120ACFCB04DB94E8448DCF731FB84256B108062D91AD7214CA301916CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01016C70 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c593a83b4897aa746d959b18b9205efee378fc894ceaa2997d16e28c9cc76e09
Instruction ID: 683cf199e4b7203eacf29ebba862c5a18a6b43e5a51bbe939780f5b3e650a8fd
Opcode Fuzzy Hash: c593a83b4897aa746d959b18b9205efee378fc894ceaa2997d16e28c9cc76e09
Instruction Fuzzy Hash: 16C01230C0434D9B8740AFBC59064297FF8D604200F4005AA8D8CC3309E93A61114BD1

Uniqueness

Uniqueness Score: -1.00%

Function 0101E742 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91a08655f7ed72f019b6a915aa65ca5adb1524391b807df82f3970a039a3f366
Instruction ID: 9714a88173f39be024746495a68abcf1ac34c52493ccb30075d88c0fe49b93f0
Opcode Fuzzy Hash: 91a08655f7ed72f019b6a915aa65ca5adb1524391b807df82f3970a039a3f366
Instruction Fuzzy Hash: 22C02B0300D0829DFF0310306C505EC1F0067D302034E0CC5C1C74660E500820838008

Uniqueness

Uniqueness Score: -1.00%

Function 00F2E890 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.530507267.0000000000F23000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F23000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f23000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24052c77612bf6edf45541872accef47101d5d8d9d072ff7c55037ed89ba8c2f
Instruction ID: 0b6ebc798e4a63a6381693a2ff38cf24a28c73e97c8895b4046aaab7b4746c61
Opcode Fuzzy Hash: 24052c77612bf6edf45541872accef47101d5d8d9d072ff7c55037ed89ba8c2f
Instruction Fuzzy Hash: DDC0122014E7840FCB2207308A912003F209B07240F0684C3D681CA4A2CA48800C9322

Uniqueness

Uniqueness Score: -1.00%

Function 00F24141 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.530507267.0000000000F23000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F23000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f23000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d31c82a514e2ba4fb4c0415ab2855c017814b26389e08b6876c9b5a6d9c8c1b
Instruction ID: 89f39628dc009012fe219e74eb51f3ebea5801773aaad4adfd88e869adf551b2
Opcode Fuzzy Hash: 3d31c82a514e2ba4fb4c0415ab2855c017814b26389e08b6876c9b5a6d9c8c1b
Instruction Fuzzy Hash: C7C04C068AD3C15EC31782710C745903F711D5704234E10DBC995DF2F7D08C99089336

Uniqueness

Uniqueness Score: -1.00%

Function 04F39F10 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaa3b5927173d4683d3731842ef8965cc423c33a80477be816e8a282254837f4
Instruction ID: 7bc484887da8ff6837b30489e5bc9786a4a3446666c21167f8ed41d05b9c8f9a
Opcode Fuzzy Hash: aaa3b5927173d4683d3731842ef8965cc423c33a80477be816e8a282254837f4
Instruction Fuzzy Hash: 1AB0927094930CAF8650DA99D80181AB7ACEA0A118B0005E9EA0887310DA32A91056D2

Uniqueness

Uniqueness Score: -1.00%

Function 00F20440 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.530437180.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f20000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71b516034e35564893a0500405cd5733a73d2747bdb72047131fbf4f826ab048
Instruction ID: 3e8e47c0f39512c66c0eeb65b66dfb0f5688be884c7a03e11506183a06cba88c
Opcode Fuzzy Hash: 71b516034e35564893a0500405cd5733a73d2747bdb72047131fbf4f826ab048
Instruction Fuzzy Hash: 00C0480580E3C08FCB8347B02E746C83FB0585750279E00DFC882CAAA7E40E191E933B

Uniqueness

Uniqueness Score: -1.00%

Function 00F2FE8F Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.530507267.0000000000F23000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F23000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f23000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5d23970503950e157d1bec810e955928a52df29b418e0e4951bd98acab29a98
Instruction ID: 41cba2aa75013418674f600af4c070e213c4740fc21231ca55df20c116ad321b
Opcode Fuzzy Hash: f5d23970503950e157d1bec810e955928a52df29b418e0e4951bd98acab29a98
Instruction Fuzzy Hash: 6BB09237B0400BCB8B04DBA4FA558DCF330EB94226B1040A7E625A20108A321A25CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0101B329 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94b74034db17184afb3d4b57cbfd7322ebb6ce9e2012ce5bc1e33fa0928e56d1
Instruction ID: 2c5b540c1505861e1bef4b718153409cc84d1418cb6a06111ec74e37487e246e
Opcode Fuzzy Hash: 94b74034db17184afb3d4b57cbfd7322ebb6ce9e2012ce5bc1e33fa0928e56d1
Instruction Fuzzy Hash: EFC092315893058FEB599B309D497803721FB8270AF3488A8E150491A48E376217DE10

Uniqueness

Uniqueness Score: -1.00%

Function 00F242C8 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.530507267.0000000000F23000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F23000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f23000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e16171dd7f59dc63546e5255bf46cfbd77d3261fc0e4080fae085943c75aae0d
Instruction ID: e91f5742173142dc91ffaa72bab35f750e722e43fb99e9672308bc8a52443975
Opcode Fuzzy Hash: e16171dd7f59dc63546e5255bf46cfbd77d3261fc0e4080fae085943c75aae0d
Instruction Fuzzy Hash: EEB0123000970F4F8A40BBE1F8048083B5D5D847087404819D20C8952D9FA425104A9C

Uniqueness

Uniqueness Score: -1.00%

Function 00F204F3 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.530437180.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f20000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae1c19ec34bcaba6ca34834b20488971a0e0a75237224f9f683abebcad854b66
Instruction ID: a5b62538e79dc4335eb9c16e7d63edcda3624777a5ae61858509da479cd99e0d
Opcode Fuzzy Hash: ae1c19ec34bcaba6ca34834b20488971a0e0a75237224f9f683abebcad854b66
Instruction Fuzzy Hash: BEB01231A0472347CE906BB4F8184857354DF405953028E64E101CB22CD7709D0147C0

Uniqueness

Uniqueness Score: -1.00%

Function 00F206D0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.530437180.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f20000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e08bf0156234dac95a5b2c4690011839e5d1a306f1602d161a85f39b7dddf786
Instruction ID: 0ba21f7a91d36ab6d072d95bd3ceb4b9ebc84522d0073e696eae83fec198f835
Opcode Fuzzy Hash: e08bf0156234dac95a5b2c4690011839e5d1a306f1602d161a85f39b7dddf786
Instruction Fuzzy Hash: C2A011B0008B0F8B82002BA0FC0C8083B2CBA002023800022B20EC0220CAA2E8028AA2

Uniqueness

Uniqueness Score: -1.00%

Function 04F33B60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.563465753.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f30000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 288e9756b385621288689fa4a23eaf81eb80a57530ef845f27af316ed71672f8
Instruction ID: 0fcf5e07b99a499e360339ecae60876b9982c3cc22338395ab6733ff736d80d4
Opcode Fuzzy Hash: 288e9756b385621288689fa4a23eaf81eb80a57530ef845f27af316ed71672f8
Instruction Fuzzy Hash: 02A00230506302CFDF655B70D9187453621FB82306F2085B9E006947648A7BD482CE11

Uniqueness

Uniqueness Score: -1.00%

Function 01016331 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.531633481.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1010000_Ugtphvhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23aaac3c4562fc3446877ea1c365b58ae018ad54f164cc71997bfa6f796b72ae
Instruction ID: d42b486c930483b5a891e4c28740bc8f95a7ee89f075179bfd6331f6a1a1a1d4
Opcode Fuzzy Hash: 23aaac3c4562fc3446877ea1c365b58ae018ad54f164cc71997bfa6f796b72ae
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report confirm order.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

AV Detection

E-Banking Fraud

Stealing of Sensitive Information

Remote Access Functionality

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\confirm order.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5zzuybal.sto.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dygobxst.ufu.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f2arnmm1.jms.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yxgpca1x.l0u.ps1

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe

C:\Users\user\AppData\Roaming\Prqhnsx\Ugtphvhf.exe:Zone.Identifier

Windows Analysis Report
confirm order.exe