Edit tour

Windows Analysis Report
CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe

Overview

General Information

Sample Name:	CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe
Analysis ID:	831701
MD5:	8b00956371455a2cec3430013108263c
SHA1:	7e4c0599f6c94762172431f522ced9873b2f01f6
SHA256:	86e233cb75b893c9e4e0d26385155c4f575e4217f2d52cba592641c996bc9cc8
Tags:	exe
Infos:

Detection

Vector Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected zgRAT

Malicious sample detected (through community Yara rule)

Yara detected Telegram RAT

Yara detected Vector Stealer

Initial sample is a PE file and has a suspicious name

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Costura Assembly Loader

Machine Learning detection for sample

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Binary contains a suspicious time stamp

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe (PID: 5812 cmdline: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe MD5: 8B00956371455A2CEC3430013108263C)

CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe (PID: 2636 cmdline: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe MD5: 8B00956371455A2CEC3430013108263C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
zgRAT		No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: Vector Stealer

{"C2 url": "https://api.telegram.org/bot6060819824:AAG5pGuc1f_lNmdP8ekHh8QHPqsZRtRtPwo/sendMessage?chat_id=2078805713"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.261105633.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000001.00000002.259729927.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VectorStealer	Yara detected Vector Stealer	Joe Security
00000000.00000002.261250417.0000000004621000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe PID: 2636	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe PID: 2636	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe PID: 2636	JoeSecurity_VectorStealer	Yara detected Vector Stealer	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.400000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.46fd2a0.10.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.46fd2a0.10.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.46fd2a0.10.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.46fd2a0.10.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x298b1f:$s1: file:/// 0x298a2f:$s2: {11111-22222-10009-11112} 0x298aaf:$s3: {11111-22222-50001-00000} 0xc9d23:$s4: get_Module 0x198343:$s4: get_Module 0x2980b2:$s4: get_Module 0x441683:$s4: get_Module 0xc5217:$s5: Reverse 0x193837:$s5: Reverse 0x29833d:$s5: Reverse 0x43cb77:$s5: Reverse 0xc9432:$s6: BlockCopy 0x197a52:$s6: BlockCopy 0x296558:$s6: BlockCopy 0x440d92:$s6: BlockCopy 0xc93e1:$s7: ReadByte 0x197a01:$s7: ReadByte 0x440d41:$s7: ReadByte 0x298b31:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.4621e80.8.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.4621e80.8.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.4621e80.8.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x373f3f:$s1: file:/// 0x373e4f:$s2: {11111-22222-10009-11112} 0x373ecf:$s3: {11111-22222-50001-00000} 0x1a5143:$s4: get_Module 0x273763:$s4: get_Module 0x3734d2:$s4: get_Module 0x51caa3:$s4: get_Module 0x1a0637:$s5: Reverse 0x26ec57:$s5: Reverse 0x37375d:$s5: Reverse 0x517f97:$s5: Reverse 0x1a4852:$s6: BlockCopy 0x272e72:$s6: BlockCopy 0x371978:$s6: BlockCopy 0x51c1b2:$s6: BlockCopy 0x1a4801:$s7: ReadByte 0x272e21:$s7: ReadByte 0x51c161:$s7: ReadByte 0x373f51:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Click to see the 3 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	ReversingLabs: Detection: 59%
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Virustotal: Detection: 71%			Perma Link

Machine Learning detection for sample

Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe

Joe Sandbox ML: detected

Source: 1.2.CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.400000.0.unpack

Avira: Label: TR/Dropper.Gen

Source: 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Vector Stealer {"C2 url": "https://api.telegram.org/bot6060819824:AAG5pGuc1f_lNmdP8ekHh8QHPqsZRtRtPwo/sendMessage?chat_id=2078805713"}

Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_02E505E7
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_02FA7A82
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_02FA3BD8
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_02FA0040
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_02FA3BCA
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_02FA0006
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Code function: 4x nop then jmp 02FA127Bh	1_2_02FA0F38
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Code function: 4x nop then jmp 02FA127Bh	1_2_02FA0F28
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_02FAB4C0
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_02FAB4B2
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_02FA44B1

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://api.telegram.org/bot6060819824:AAG5pGuc1f_lNmdP8ekHh8QHPqsZRtRtPwo/sendMessage?chat_id=2078805713

Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v8/users/
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ip6
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ip6SOFTWARE
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vectorstealer.com

Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000000.00000002.257821594.000000000138B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.46fd2a0.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.4621e80.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe

Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.46fd2a0.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.4621e80.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Code function: 0_2_015BC01C	0_2_015BC01C
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Code function: 0_2_015BEC78	0_2_015BEC78
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Code function: 0_2_015BEC68	0_2_015BEC68
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Code function: 1_2_02E513C0	1_2_02E513C0
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Code function: 1_2_02E547F0	1_2_02E547F0
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Code function: 1_2_02E50B38	1_2_02E50B38
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Code function: 1_2_02E53EE0	1_2_02E53EE0
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Code function: 1_2_02E5CEB8	1_2_02E5CEB8
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Code function: 1_2_02E513B0	1_2_02E513B0
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Code function: 1_2_02E5B6F0	1_2_02E5B6F0
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Code function: 1_2_02E50B28	1_2_02E50B28
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Code function: 1_2_02E53EF0	1_2_02E53EF0
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Code function: 1_2_02E5DED8	1_2_02E5DED8
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Code function: 1_2_02E5AFE0	1_2_02E5AFE0
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Code function: 1_2_02E5AFD0	1_2_02E5AFD0
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Code function: 1_2_02FA9228	1_2_02FA9228
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Code function: 1_2_02FA1430	1_2_02FA1430
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Code function: 1_2_02FA5530	1_2_02FA5530
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Code function: 1_2_02FA9218	1_2_02FA9218
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Code function: 1_2_02FAB0F0	1_2_02FAB0F0
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Code function: 1_2_02FAB0E0	1_2_02FAB0E0
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Code function: 1_2_02FA89B8	1_2_02FA89B8
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Code function: 1_2_02FA89B6	1_2_02FA89B6
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Code function: 1_2_02FA2178	1_2_02FA2178
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Code function: 1_2_02FA2167	1_2_02FA2167
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Code function: 1_2_02FA1421	1_2_02FA1421
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Code function: 1_2_02FA8DF0	1_2_02FA8DF0
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Code function: 1_2_02FA25C0	1_2_02FA25C0

Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000000.00000000.250467987.0000000000AF2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameUZv.exe6 vs CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000000.00000002.257821594.000000000138B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000000.00000002.258712247.0000000002F81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCruiser.dll, vs CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000000.00000002.258712247.0000000002F81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameStub.exe* vs CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000000.00000002.270395762.00000000063B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameOutimurs.dll2 vs CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Binary or memory string: OriginalFilenameUZv.exe6 vs CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe

Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	ReversingLabs: Detection: 59%
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Virustotal: Detection: 71%

Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe

File read: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe:Zone.Identifier

Jump to behavior

Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process created: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process created: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Jump to behavior

Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/1@0/0

Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe

Static file information: File size 1729024 > 1048576

Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1a5800

Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Yara detected Costura Assembly Loader

Source: Yara match	File source: 1.2.CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.46fd2a0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.46fd2a0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.4621e80.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.261105633.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.259729927.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.261250417.0000000004621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe PID: 2636, type: MEMORYSTR

.NET source code contains potential unpacker

Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, LogicGames/Menus/MainMenu.cs	.Net Code: InitializeComponent System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.af0000.0.unpack, LogicGames/Menus/MainMenu.cs	.Net Code: InitializeComponent System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Code function: 1_2_02E577FD pushad ; ret		1_2_02E57801
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Code function: 1_2_02E5780B pushfd ; ret		1_2_02E57811

Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe

Static PE information: 0xC4266EA6 [Fri Apr 13 13:50:30 2074 UTC]

Source: initial sample

Static PE information: section name: .text entropy: 7.772614775846585

Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME"SELECT * FROM WIN32_COMPUTERSYSTEM

Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe TID: 2620	Thread sleep time: -40023s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe TID: 2228	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe TID: 4704	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Thread delayed: delay time: 40023	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vboxservice
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qemu-ga
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qemu-ga!SELECT * FROM Win32_PortConnector!Win32_NetworkAdapterConfiguration
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\VMware2C:\Program Files\oracle\virtualbox guest additions
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmusrvc
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\VMware
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VBoxMouse.sys
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VBoxGuest.sys
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VBoxSF.sys
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmmouse.sys

Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe

Process created: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe

Jump to behavior

Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Queries volume information: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	Queries volume information: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected zgRAT

Source: Yara match	File source: 0.2.CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.46fd2a0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.4621e80.8.raw.unpack, type: UNPACKEDPE

Yara detected Telegram RAT

Source: Yara match	File source: 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe PID: 2636, type: MEMORYSTR

Yara detected Vector Stealer

Source: Yara match	File source: 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe PID: 2636, type: MEMORYSTR

Remote Access Functionality

Yara detected zgRAT

Source: Yara match	File source: 0.2.CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.46fd2a0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.4621e80.8.raw.unpack, type: UNPACKEDPE

Yara detected Telegram RAT

Source: Yara match	File source: 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe PID: 2636, type: MEMORYSTR

Yara detected Vector Stealer

Source: Yara match	File source: 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe PID: 2636, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	11 Process Injection	1 Masquerading	1 Input Capture	11 Security Software Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	21 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	13 Software Packing	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Timestomp	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	59%	ReversingLabs	ByteCode-MSIL.Trojan.RemLoader
CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	72%	Virustotal		Browse
CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.2.CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://discord.com/api/v8/users/	0%	URL Reputation	safe
https://vectorstealer.com	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot6060819824:AAG5pGuc1f_lNmdP8ekHh8QHPqsZRtRtPwo/sendMessage?chat_id=2078805713	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://discord.com/api/v8/users/	CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ipinfo.io/ip6	CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ipinfo.io/ip6SOFTWARE	CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://vectorstealer.com	CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	831701
Start date and time:	2023-03-21 18:59:08 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/1@0/0
EGA Information:	Successful, ratio: 50%
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 117 Number of non-executed functions: 8
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com
Execution Graph export aborted for target CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, PID 2636 because it is empty

Simulations

Behavior and APIs

Time	Type	Description
19:00:04	API Interceptor	1x Sleep call for process: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe modified

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.log

Download File

Process:	C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.770181396854002
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe
File size:	1729024
MD5:	8b00956371455a2cec3430013108263c
SHA1:	7e4c0599f6c94762172431f522ced9873b2f01f6
SHA256:	86e233cb75b893c9e4e0d26385155c4f575e4217f2d52cba592641c996bc9cc8
SHA512:	7214b72993008193a557fa3cec474c327152eff56d1abaa4a9249eaef26b5a27843a461bfc4c09727560a94821e7c96fba0e86dd0291abfa4e19bef781703ab5
SSDEEP:	24576:Zr9N2v2XcyPon9gjLP2f1a5fRC7BmUITNKpM7F89ioA7sg1YtCb:Zh8WcVKjL6qfR9xKuB89VKpYC
TLSH:	A585BDC24334480EFDA01E7E335564B3DE53DD99D8EBB2AF1A97BC2A64F844405CE962
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....n&...............0..X...........t... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x5a74c2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xC4266EA6 [Fri Apr 13 13:50:30 2074 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
sldt word ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx], al
add byte ptr [eax], al
add byte ptr [edx], al
add byte ptr [eax], al
add byte ptr [edx], al
add byte ptr [eax], al
add byte ptr [edx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push cs
add byte ptr [eax], al
add byte ptr [edx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
or al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or byte ptr [eax], al
add byte ptr [eax], al
push cs
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
add byte ptr [eax], al
add byte ptr [eax+eax], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
push es
add byte ptr [eax], al
add byte ptr [edx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi], al
add byte ptr [eax], al
add byte ptr [eax+eax], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or byte ptr [eax], al
add byte ptr [eax], al
or al, 00h
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1a7470	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1a8000	0x59c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1aa000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1a7454	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1a5648	0x1a5800	False	0.8432790953069395	data	7.772614775846585	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x1a8000	0x59c	0x600	False	0.4186197916666667	data	4.058109001413359	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1aa000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x1a8090	0x30c	data
RT_MANIFEST	0x1a83ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Target ID:	0
Start time:	19:00:03
Start date:	21/03/2023
Path:	C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe
Imagebase:	0xaf0000
File size:	1729024 bytes
MD5 hash:	8B00956371455A2CEC3430013108263C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.261250417.0000000004621000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	19:00:06
Start date:	21/03/2023
Path:	C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe
Imagebase:	0xa90000
File size:	1729024 bytes
MD5 hash:	8B00956371455A2CEC3430013108263C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000001.00000002.261105633.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000001.00000002.259729927.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VectorStealer, Description: Yara detected Vector Stealer, Source: 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	12.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	127
Total number of Limit Nodes:	8

Executed Functions

Function 015B9AA8 Relevance: 1.7, APIs: 1, Instructions: 191
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.258300090.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15b0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4bee502ba950833a67f8c7d23ea7b13e13daf71d845eded523870e4a6a564f29
Instruction ID: 47fb277295cf97488287f36f4824b61045defdeb9a7b59b761e8287e0f951d1f
Opcode Fuzzy Hash: 4bee502ba950833a67f8c7d23ea7b13e13daf71d845eded523870e4a6a564f29
Instruction Fuzzy Hash: 717147B0A00B058FDB64DF6AC49579ABBF1FF88208F00892DD54ADBA50DB35E845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 015B5369 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015B5421

Memory Dump Source

Source File: 00000000.00000002.258300090.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15b0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 093b368ee737fc3d085e95930a3ab6bfc2ea60bc83f76adead5798e7c76baf08
Instruction ID: 89314cb3a293810bce670e88e0d9ffb97dad1752c2614b594011d958fc579983
Opcode Fuzzy Hash: 093b368ee737fc3d085e95930a3ab6bfc2ea60bc83f76adead5798e7c76baf08
Instruction Fuzzy Hash: 9441F371D00618CFDB24DFAAC984BCEBBB5BF58304F24806AD418AB251EB75594ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 015B3CAC Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015B5421

Memory Dump Source

Source File: 00000000.00000002.258300090.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15b0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 64f71dd21ed3946bfdd31f74e0cba3e21b9a63fa715b596364f3d8492957d122
Instruction ID: 57bf0f9291b27db7aa651bbd1668dd78d387b8da4410625dec3f794163c0abbf
Opcode Fuzzy Hash: 64f71dd21ed3946bfdd31f74e0cba3e21b9a63fa715b596364f3d8492957d122
Instruction Fuzzy Hash: 4841E271D00618CFDB24DFAAC884BDEBBB5BF48304F64806AD419AB250E7756949CF91

Uniqueness

Uniqueness Score: -1.00%

Function 015BC47A Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,015BC37E,?,?,?,?,?), ref: 015BC43F

Memory Dump Source

Source File: 00000000.00000002.258300090.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15b0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8613968c8b5a845333c04ed30a73a31aed59848e59a4ad78ac5284aa7203a740
Instruction ID: b05f893cdf8f25a61844e75ec5854c15fa768970eb34bcd75d8bca3d8528a0ef
Opcode Fuzzy Hash: 8613968c8b5a845333c04ed30a73a31aed59848e59a4ad78ac5284aa7203a740
Instruction Fuzzy Hash: B2315C38660708AFF748AF65E46A7B97FB6FB85301F504429F9058B396CF746804CB10

Uniqueness

Uniqueness Score: -1.00%

Function 015B8EA8 Relevance: 1.6, APIs: 1, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,015B9ABB), ref: 015B9CEE

Memory Dump Source

Source File: 00000000.00000002.258300090.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15b0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a98975583cc9b37f3a61cd21557f623b3b34dfb9f0d674818447dc6cc3cf9a9f
Instruction ID: 992abd6b8145a9d10d6493d20091d248e24dc16083d5f317fd8f8f773b00c561
Opcode Fuzzy Hash: a98975583cc9b37f3a61cd21557f623b3b34dfb9f0d674818447dc6cc3cf9a9f
Instruction Fuzzy Hash: A531BBB18007488FDB10EFAAC4446DEBBF8EF49324F14806AD509AB701D774A445CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 015BC3B0 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,015BC37E,?,?,?,?,?), ref: 015BC43F

Memory Dump Source

Source File: 00000000.00000002.258300090.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15b0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9afe760d525899a27b96537d9631c702be54b434ecee1e246aae7e8909609af0
Instruction ID: 947db917b0bedf217059bfca0ea5a98b9c0da8a75c912e658c58c2acb00a8ae8
Opcode Fuzzy Hash: 9afe760d525899a27b96537d9631c702be54b434ecee1e246aae7e8909609af0
Instruction Fuzzy Hash: 6221E9B59002089FDB10CFAAD984ADEBFF8FB48320F14845AE914B7350D378A944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 015BBCEC Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,015BC37E,?,?,?,?,?), ref: 015BC43F

Memory Dump Source

Source File: 00000000.00000002.258300090.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15b0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b8201fa323ae0ddd8b85e27f9d98b49bfbb2ae91c4d1b537292ff7b9c9a4afd2
Instruction ID: ec8df005ae19d28c55cd8e21d31b965403561958e282d897974df0dd2436109f
Opcode Fuzzy Hash: b8201fa323ae0ddd8b85e27f9d98b49bfbb2ae91c4d1b537292ff7b9c9a4afd2
Instruction Fuzzy Hash: B221C6B59002089FDB10CFAAD584AEEBFF8FB48324F14845AE915B7350D374A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 015B8E80 Relevance: 1.6, APIs: 1, Instructions: 64
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,015BA169,00000800,00000000,00000000), ref: 015BA37A

Memory Dump Source

Source File: 00000000.00000002.258300090.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15b0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 492d0ff1b36b0f92fe5e9a3c6be03c6b96652b00f2b8c2a23f82716b1cc4f231
Instruction ID: 5f5f3a4912bfc27af21c7a7f0b1c77f31c151c6d17267a70e4c8189e41bd5ffc
Opcode Fuzzy Hash: 492d0ff1b36b0f92fe5e9a3c6be03c6b96652b00f2b8c2a23f82716b1cc4f231
Instruction Fuzzy Hash: 3C2168B2C003488FDB10CFAAC884ADEBFF4AB49320F18846ED555AB650D3B5A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 015BA309 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,015BA169,00000800,00000000,00000000), ref: 015BA37A

Memory Dump Source

Source File: 00000000.00000002.258300090.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15b0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 51370cf4f49b216ea14919561f29c11da3d23a42f1bc5bdfaaf4ba2ba60297b2
Instruction ID: f2e6f6e67efb49802b67e3ed5057003f182c28a822e54ffba8ab655fbeae25a2
Opcode Fuzzy Hash: 51370cf4f49b216ea14919561f29c11da3d23a42f1bc5bdfaaf4ba2ba60297b2
Instruction Fuzzy Hash: 9E11D3B69003499FDB10CF9AC884ADEFBF8AB48324F18842AE519A7250D375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 015B8E98 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,015BA169,00000800,00000000,00000000), ref: 015BA37A

Memory Dump Source

Source File: 00000000.00000002.258300090.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15b0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7c86731249638e0fcf01c10132595b37c02a0e5b9e03109ef9ac0ee93cf59e24
Instruction ID: 4141f4a22781d992b21c2fb00b177828f4306551d52427893ed21a117d37c050
Opcode Fuzzy Hash: 7c86731249638e0fcf01c10132595b37c02a0e5b9e03109ef9ac0ee93cf59e24
Instruction Fuzzy Hash: DF1103B69003089FDB10CF9AC484ADEFBF8EB49320F14842AE519BB200D3B5A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 015B8E34 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,015B9ABB), ref: 015B9CEE

Memory Dump Source

Source File: 00000000.00000002.258300090.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15b0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 129ed87780bc2cd194b09a4329dae136b62e5346f0539cc68aab5dbf3a539c3e
Instruction ID: 6a73cca2a852c3beabdaf1453b8e376f3985cc879f9d9c318cc0033418df611d
Opcode Fuzzy Hash: 129ed87780bc2cd194b09a4329dae136b62e5346f0539cc68aab5dbf3a539c3e
Instruction Fuzzy Hash: 631102B6D006498FDB10CF9AC484BDEFBF8EB88724F14845AD919B7600D374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 015BEC78 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.258300090.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15b0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12e15b3d087c3c17588163467e5e0d789edd31d4fee1054da724f8697319bf25
Instruction ID: f2b4ef8c1a393949a7dd6857312d1fb18f8ced919b5901a9f9b8a9fc48316181
Opcode Fuzzy Hash: 12e15b3d087c3c17588163467e5e0d789edd31d4fee1054da724f8697319bf25
Instruction Fuzzy Hash: DE12C9F1821B4E8BE318CF65E99A1C93FB1F745328F504228E2656FAD0DBB4114ACF84

Uniqueness

Uniqueness Score: -1.00%

Function 015BC01C Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.258300090.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15b0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2384db46f6b4c97762c1c4f8e3cd5f10fdc3d5e8dc4668750e09166965f0ae8b
Instruction ID: 4b48e0ccc5149e8581e043cd193cbe3bbf1ff8643fcc84f38a472af6150bda8d
Opcode Fuzzy Hash: 2384db46f6b4c97762c1c4f8e3cd5f10fdc3d5e8dc4668750e09166965f0ae8b
Instruction Fuzzy Hash: 36A17036E0021A8FCF15DFA5C8849DDBBF2FF84304B19856AE905AF261EB31A945CB40

Uniqueness

Uniqueness Score: -1.00%

Function 015BEC68 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.258300090.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15b0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e21cf35f8064ee494763c235f740a8b056a7e661064ef21223df893daf1563a
Instruction ID: e08c78cb75fbf88e814931272828ce883ceecc99ea7f97533129b006e0a3502e
Opcode Fuzzy Hash: 8e21cf35f8064ee494763c235f740a8b056a7e661064ef21223df893daf1563a
Instruction Fuzzy Hash: 9EC106B1821B4E8BE718DF65E88A1D97FB1FB85328F504228E1616F6D0DFB4104ACF94

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exePID: 2636, Parent PID: 5812COMMON

Executed Functions

Function 02FA9228 Relevance: 1.7, Strings: 1, Instructions: 482COMMON

Download Yara Rule

Strings

]q, xrefs: 02FA9439

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID: ]q
API String ID: 0-990192933
Opcode ID: 465134d153196bbe6ea8cdd30c8d2541111ec14b65cfb0d6179c08f0f343eb3b
Instruction ID: abff5089309df3207d1940777d6b921125a806058267a7abc0b68e6a8b5359f8
Opcode Fuzzy Hash: 465134d153196bbe6ea8cdd30c8d2541111ec14b65cfb0d6179c08f0f343eb3b
Instruction Fuzzy Hash: C632B174E01229CFDB65CF65C990ADDB7B2BF49300F1085EAD909AB260DB71AE85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 02E513C0 Relevance: 1.5, Strings: 1, Instructions: 266COMMON

Download Yara Rule

Strings

fish, xrefs: 02E5144A

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID: fish
API String ID: 0-1064584243
Opcode ID: b2b4a8be68f9c1921fbccace4d15d019ce1ea66979cf7ff47153f05e29ffb6af
Instruction ID: ee7f9e7d438eabae349e4e19e0a592294d4690b4b3871eb6a0f7e3430f69ec4d
Opcode Fuzzy Hash: b2b4a8be68f9c1921fbccace4d15d019ce1ea66979cf7ff47153f05e29ffb6af
Instruction Fuzzy Hash: 1BB10474E00219CFCB14CFA9D884AEDFBB2FF88304F24956AD809AB255DB709945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02FA25C0 Relevance: 1.2, Instructions: 1206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03c3b5141c244c3679d914a5c5e8281a927f29556d14dbccd2f33b9121719eab
Instruction ID: 5c2c9485829bdf577c5ebd17dbc8e825f0a36ccfa4d4f6bb8c7500af3008e37e
Opcode Fuzzy Hash: 03c3b5141c244c3679d914a5c5e8281a927f29556d14dbccd2f33b9121719eab
Instruction Fuzzy Hash: C7C2B276A00228DFCB56CFA4C954E99BBB2FF49314F1581D5E609AB232C732DA91DF40

Uniqueness

Uniqueness Score: -1.00%

Function 02FA1430 Relevance: .7, Instructions: 695COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b51a0bfcd756d962c9386b7c6a5ec80f6a7866fcbd3c30ddd44889ac21eab48a
Instruction ID: 3887af0c380fb1c15e3c7c4e392ae02366c2131f97988691fb7c37026a779e7e
Opcode Fuzzy Hash: b51a0bfcd756d962c9386b7c6a5ec80f6a7866fcbd3c30ddd44889ac21eab48a
Instruction Fuzzy Hash: E862D574A05228CFCB65CF65C994BEABBB2BF49301F1580E9E949A7361D7309E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02E5CEB8 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5037f7bfb844e28ad63a2409e5384631da18d965462a3c6bcb461728fcc89af8
Instruction ID: 25904df0135fc09f32421d594d403ecc3053a79eba7b1674883978644d18754b
Opcode Fuzzy Hash: 5037f7bfb844e28ad63a2409e5384631da18d965462a3c6bcb461728fcc89af8
Instruction Fuzzy Hash: C262A374A41229CFDB25CF69C994BE9BBB2BF49305F1490E9E849A7360D7309E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02FA5530 Relevance: .5, Instructions: 513COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5534297704d9493aa39dda2a6c88793b4867aa4f759bef3ca50ef19fccbb9acc
Instruction ID: ae83fcb2e149e16ab22f437df576e0bdf8d31dcd2f0f4a06ce6c54404143b127
Opcode Fuzzy Hash: 5534297704d9493aa39dda2a6c88793b4867aa4f759bef3ca50ef19fccbb9acc
Instruction Fuzzy Hash: 45428FB4E01219CFDB24CFA9C994B9DFBB2BF48340F5486A9D909A7355D730AA81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02E53EE0 Relevance: .4, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f487f70dfa16d75511cc7c12359473cfe24ca6451df277edaa39c9e4a53f9be
Instruction ID: 1ceaf1010a25c5986e6d5b51e8a72a0e82ac02d6b3fc964ae435e2b839a20326
Opcode Fuzzy Hash: 5f487f70dfa16d75511cc7c12359473cfe24ca6451df277edaa39c9e4a53f9be
Instruction Fuzzy Hash: 8B12D474900229CFCB24CF69C884B9DFBB2FF49305F15D599E809AB261DB35AA85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02E547F0 Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d072d15e15e81626419badfd06c821ed5b784bc2bc858fb85077ad8a202a1259
Instruction ID: 0b7c7510605c90495fd50bdf96350aa1412c5207a2d7f1948c7cd788088981dc
Opcode Fuzzy Hash: d072d15e15e81626419badfd06c821ed5b784bc2bc858fb85077ad8a202a1259
Instruction Fuzzy Hash: 2CF13A74E11229CFDB54CF68C890BADBBB2BF49308F1090A9D909AB381DB759985CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02E53EF0 Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 907fc3365d96bedaf96987e0251f09c7b01934c6b376543cb3300e28cbd7ac6a
Instruction ID: 20c363b68aadfd1cfd71ba4ead6508aec773c88968333797ebec9eecce7100b0
Opcode Fuzzy Hash: 907fc3365d96bedaf96987e0251f09c7b01934c6b376543cb3300e28cbd7ac6a
Instruction Fuzzy Hash: D8F1F435A00229CFCB24CF65C884B9DBBB2FF49305F15D599E809AB261DB35AA85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02FA1421 Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4972f12ff0efb95691f814270c7bd5078b125f1e8aa7965e4eacfe41b9d07ffd
Instruction ID: 0217b88d7bdc329cacd246b47a60874e93b8e28d607860453ee4bd6d21318a9b
Opcode Fuzzy Hash: 4972f12ff0efb95691f814270c7bd5078b125f1e8aa7965e4eacfe41b9d07ffd
Instruction Fuzzy Hash: F5E1D575E01228CFCB65CF69C990AD9BBF2BF49300F1580E9E949A7265D7309E91CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02E50B38 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a8bf9a08f65e23f3b09e05a6823a738644b4daee998890409277acbc50c8e1
Instruction ID: 46df8f7b4d6a9cf8db7e46bd38fffb6401464881630235178dbc13287c64b0e6
Opcode Fuzzy Hash: c6a8bf9a08f65e23f3b09e05a6823a738644b4daee998890409277acbc50c8e1
Instruction Fuzzy Hash: FEB1CC74D012298FCB14CFA9C5846EDBBF2BF49304F2490AAE815BB255D7359E45CF20

Uniqueness

Uniqueness Score: -1.00%

Function 02FA7A82 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bed1c8d16aaa9e7b507ffd765ab1aa710c1f4605a236236c8d74ba5b0d2081e
Instruction ID: 839d0a4941a02d9423252127eebacb4e8a94c5c32fdb30a79119dcb160000e78
Opcode Fuzzy Hash: 2bed1c8d16aaa9e7b507ffd765ab1aa710c1f4605a236236c8d74ba5b0d2081e
Instruction Fuzzy Hash: 9371E1B5E01218DFDB14EFA4D894AEDFBB1BF49354F10812AE905AB364DB309946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02FA0040 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc353fe815e8858c6a9174c60a3632f66de885c33410dfbd873cb0624726790e
Instruction ID: 3320a9babed8875c24d9e82b715c42abfccbc7c7c035339b19c038a50b00acb6
Opcode Fuzzy Hash: cc353fe815e8858c6a9174c60a3632f66de885c33410dfbd873cb0624726790e
Instruction Fuzzy Hash: C471D375E01218DFCB04EFA9E494AECBBB2FF49314F148429E915AB354DB30A946CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02FA0006 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6593bbbe500165a6f6db70b9743fa7a371e4bbfb31f74d1cd20579a41c522564
Instruction ID: a6f24c7123513158a91e583887dc2c49564ec93bfc652d0dac077e2cdfdacbe8
Opcode Fuzzy Hash: 6593bbbe500165a6f6db70b9743fa7a371e4bbfb31f74d1cd20579a41c522564
Instruction Fuzzy Hash: 9A614775E012488FCB05DFA9D494AECBFB1BF4A314F18846AD805AB365CB30A90ACF51

Uniqueness

Uniqueness Score: -1.00%

Function 02FA3BD8 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5583a4258c0c6249b0a052fee05700350ae5141c900acf9acdd7f28e5de726b7
Instruction ID: 69ed52a2a564bd546858b628abeae44bdeb3eb4f916ed95480c3eff21cdb27a5
Opcode Fuzzy Hash: 5583a4258c0c6249b0a052fee05700350ae5141c900acf9acdd7f28e5de726b7
Instruction Fuzzy Hash: 1B610F75E01218DFCB14EFA9C894ADCBBB1BF49314F148169E406BB364CB30A80ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 02E505E7 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5af532e58464cd917ba744028fff6eb05617c5054239152b75efa82949c593e1
Instruction ID: ddb5c5d20f3227bb428267ed83978a02a0b8fbd326c920dcf0cc49b43b32ace1
Opcode Fuzzy Hash: 5af532e58464cd917ba744028fff6eb05617c5054239152b75efa82949c593e1
Instruction Fuzzy Hash: 6851F174E01218DFCB18DFA8D454AEEBBB2FF89308F10946AD405BB394CB75984ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 02FA3BCA Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75afa89c2cde68611164b23f98f34596e0d118d94118c8aeb8a87e5d12332099
Instruction ID: 02392e2f66acfc6c84709517db14e92ef3e48b02ff131492620c11332c0a5199
Opcode Fuzzy Hash: 75afa89c2cde68611164b23f98f34596e0d118d94118c8aeb8a87e5d12332099
Instruction Fuzzy Hash: 9751EF75E01218DFCB14EFA9D894ADCBBB1BF49304F14816AE415BB364DB30A80ACF51

Uniqueness

Uniqueness Score: -1.00%

Function 02E52008 Relevance: 1.6, Strings: 1, Instructions: 353COMMON

Download Yara Rule

Strings

d, xrefs: 02E521C9

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: ee0f2ac5e94b52af0e839152c53e9f42f978cdabd1f60c36b90342653d3d0827
Instruction ID: 64bd9b669cd86cb29f8bb4b5c6bac2af69f237cc5a944f5aa05c1e669208e5ab
Opcode Fuzzy Hash: ee0f2ac5e94b52af0e839152c53e9f42f978cdabd1f60c36b90342653d3d0827
Instruction Fuzzy Hash: 33E18C74A0060ADFCB24CF59C4C09AABBF6FF84314B24C669D9599B295D730F856CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02FA5CE8 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

r, xrefs: 02FA5E92

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: bf92e806ad419e26ce65cd5c52851736628cae7eddd7b9c3960c961598f68a07
Instruction ID: 46e18d4b33db61e8451bbb9899d0f10d7effb6dc65f4e2456698c76aa62f0abb
Opcode Fuzzy Hash: bf92e806ad419e26ce65cd5c52851736628cae7eddd7b9c3960c961598f68a07
Instruction Fuzzy Hash: B161B8B4D0010ADFC704DF99C9948AEFBB2FF48381B658694D9169B255DB30EE92CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02E50930 Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

<, xrefs: 02E50A25

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: fd0a905a1412a35e054c7e700a141f1f58953a36c4e4523b9db1a844fb110952
Instruction ID: 67474318d3584a797267bc1bdf019a1552e0b548201f9190eed3b353db9c8084
Opcode Fuzzy Hash: fd0a905a1412a35e054c7e700a141f1f58953a36c4e4523b9db1a844fb110952
Instruction Fuzzy Hash: 3D51FF74E012199FDB18DFA9D4546EDBBB2FF88304F10806AE415AB394DB345946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02FA5CD8 Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

r, xrefs: 02FA5E92

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: 8da989d232e879a57f63ef086bc5f5cf2290df1e6590cb576d75578e6e6ef1b5
Instruction ID: 8dd1d0a9745201f391b5f88c7819d4a3208d5c232de876d7c1a15e834360eb48
Opcode Fuzzy Hash: 8da989d232e879a57f63ef086bc5f5cf2290df1e6590cb576d75578e6e6ef1b5
Instruction Fuzzy Hash: 80310AB4E05209CFCB18CFA9C9944AEFBF2FF89341B5485A9D509AB221D7359A42CF00

Uniqueness

Uniqueness Score: -1.00%

Function 02FB0310 Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261086335.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fb0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 532ddce75271b51ed0f04b8c4be6bdc37a24947213d814c819dd8398a723ef08
Instruction ID: e4be52722c65e66c21e000d139dbdbe60ab2825e8aefe0c932778dea6dbc3e17
Opcode Fuzzy Hash: 532ddce75271b51ed0f04b8c4be6bdc37a24947213d814c819dd8398a723ef08
Instruction Fuzzy Hash: A7E18C75D042099FCB02DFA5C890CDEBBB2FF49340B20819AE255EB265DB31AD56CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02E5DA48 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c753c395b249ef3a250ba6b7a92764b1619afc4dbf9cab424a6f273eb207e1b5
Instruction ID: 3be1979b6706c4ace5f19ce830a67847094ff8e68fb4c7ac0792a45f367a74ac
Opcode Fuzzy Hash: c753c395b249ef3a250ba6b7a92764b1619afc4dbf9cab424a6f273eb207e1b5
Instruction Fuzzy Hash: 91E19F74E04259CFCB24CFA9D880AADFBF5BF59304F24916AD819AB355DB30A945CF40

Uniqueness

Uniqueness Score: -1.00%

Function 02E547E2 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce83694495f1c1724df2f01c1562bfdbee5c2657c7befb1a694db59b1982400e
Instruction ID: 574f91c1b3f59ed543ba25c9e081ac750616c113f9ed27953cf1e55fbad85655
Opcode Fuzzy Hash: ce83694495f1c1724df2f01c1562bfdbee5c2657c7befb1a694db59b1982400e
Instruction Fuzzy Hash: 87B11874E11229CFDB58CF65C994BEDBBF2BF89304F1090A9D909A7280DB349A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02FA0268 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f6f92095f81377e3394302df09e310798cc14b93c68bd6b663e0442381d5440
Instruction ID: d2d3b7be5de06b88d5cd159c3ebbcfe570e2de286b74aa400b5557510cbac7f8
Opcode Fuzzy Hash: 0f6f92095f81377e3394302df09e310798cc14b93c68bd6b663e0442381d5440
Instruction Fuzzy Hash: 05C1C476A00208DFCB06DFA8C954EADBBB2FF49304F1580A9E605AB275DB32D951DF41

Uniqueness

Uniqueness Score: -1.00%

Function 02E5E590 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a750c567545cde61be0164b96ffca08797bfdcc07f623a17f09b79b1425093ab
Instruction ID: df086959c1caa72b5c8afdd5f28ca90a74fdfef20456e1fb4c72a2c911c373a8
Opcode Fuzzy Hash: a750c567545cde61be0164b96ffca08797bfdcc07f623a17f09b79b1425093ab
Instruction Fuzzy Hash: DFB1C274E00228CFCB14DFA5C494AEDFBB6BF49304F14816AD81AAB365DB30AA45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02FB03F9 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261086335.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fb0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 616937a3a2e1a7c2de0a2d5952f86c767259cb724d9c2499fe0a89843affdc34
Instruction ID: 35f2425198738cfd5f9147160f4dc67d477e549665224f2e765fbb0e92296a3a
Opcode Fuzzy Hash: 616937a3a2e1a7c2de0a2d5952f86c767259cb724d9c2499fe0a89843affdc34
Instruction Fuzzy Hash: 93A16975D00209AFCB16DFA5C890CDDBBB2FF49300B20819AE215EB625DB31AD56DF90

Uniqueness

Uniqueness Score: -1.00%

Function 02E5AB88 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2992ee6fde0e8c26eb55ee5758ad8d7733633468ef5322583638963fcdf4c69
Instruction ID: 668b74b9a7aae608975fb475f5015ebd333ecf11f4e95ea6ea7bbe5060eb23b6
Opcode Fuzzy Hash: d2992ee6fde0e8c26eb55ee5758ad8d7733633468ef5322583638963fcdf4c69
Instruction Fuzzy Hash: 76B11934D01229CFCB25DF65C890ADDBBB2BF49300F54D1A9E849AB395DB34AA85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02E54F80 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b208c9c408ff261b91e08983933acb8c28ab35e838670d041c172190e848c759
Instruction ID: 9cf94b95535fa8c3a3674e77921616e5fe2c4e88579df1076533e49da4ebb9e1
Opcode Fuzzy Hash: b208c9c408ff261b91e08983933acb8c28ab35e838670d041c172190e848c759
Instruction Fuzzy Hash: 61A1F074D50229CFDB20CFA5C944B9DBBF6BF49304F40A0A9D809BB255DB74AA85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02FA8540 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 503cb789ac0435aa16dab8781e6fdf66880ff177077a30c9f78efb8a254dfecd
Instruction ID: 2519d5addb02399a2d5e376770b145bec18a683d9dbf7fe23c0bfed2b23d909e
Opcode Fuzzy Hash: 503cb789ac0435aa16dab8781e6fdf66880ff177077a30c9f78efb8a254dfecd
Instruction Fuzzy Hash: 9A910774E00229CFCB24DFA5C854ADDBBB2BF89300F1585A9D909AB351DB706E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02FA8530 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 418a0b70870cf23ed383712c99fe946500b3772d3e6856cf8c77acb44b11b599
Instruction ID: c671c0e40fc5a704ca75224909b906f58682b9910ebcb3c069fca096d4ca7801
Opcode Fuzzy Hash: 418a0b70870cf23ed383712c99fe946500b3772d3e6856cf8c77acb44b11b599
Instruction Fuzzy Hash: 5D912870E10229CFCB25DFA5C850AEDBBB2FF89300F1585A9D949AB351DB706986CF40

Uniqueness

Uniqueness Score: -1.00%

Function 02E5AB78 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d075ea5c3269e22412c1dcda1829c556ab7be5ded347854968f3a36d115f54d
Instruction ID: 2335ac27599ce62c6aba63c5d8e01e213553c458c78b2170bc8fbcb67ba81b86
Opcode Fuzzy Hash: 1d075ea5c3269e22412c1dcda1829c556ab7be5ded347854968f3a36d115f54d
Instruction Fuzzy Hash: 6E913A30904229CFCB21DF65C850ADDBBB6BF49300F55C1A9E849AB365DB34AA85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02FA9638 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d8e8ba5f4d10b96958bab2b82d7bee7f476c9ad64647e979bd4c2a7edcbb7f7
Instruction ID: 00029f3b1b977b2a342abc59f19712cdda2ffb0eba1822b2d97be8f8999ed858
Opcode Fuzzy Hash: 1d8e8ba5f4d10b96958bab2b82d7bee7f476c9ad64647e979bd4c2a7edcbb7f7
Instruction Fuzzy Hash: 64A19275D41229DFCB65DF64C880ADDBBB2BF49300F5195EAD909AB220DB31AE80CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02E5CCC0 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfc0618802e6f69c8c28ca5cd33848e80d908a9217f41fe935276ac9cf06f31b
Instruction ID: b04c7cfb9d36f51412ec69301cd91d8423523b742226850c09607fc8a577e2d5
Opcode Fuzzy Hash: cfc0618802e6f69c8c28ca5cd33848e80d908a9217f41fe935276ac9cf06f31b
Instruction Fuzzy Hash: 51610374E14219CFDB14CFA9C4546EDBBB2FF89304F24A06AD815AB260DB389A42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02FA05C8 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d0f4445d95174e142c308b130eb34db6cd9e47fb1596aa2bb7c37c0e8820c79
Instruction ID: b1413661c8562b498595efdc49584a48bf42afbc24ada07fd30f28ca05b66395
Opcode Fuzzy Hash: 9d0f4445d95174e142c308b130eb34db6cd9e47fb1596aa2bb7c37c0e8820c79
Instruction Fuzzy Hash: BC61D575E0125D9FCB14DFA9C890AADBBF2FF89304F248469D409AB364DB319942CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02E5A458 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 691d5ebdf0049a7243982b51287ed24e9c75ca8d4fe7c2a19b1c76208fd22aef
Instruction ID: 47a4dd43c1e15e05c741eabd9d8d6451a782703bd574ae1ea0a02d2d998de2a4
Opcode Fuzzy Hash: 691d5ebdf0049a7243982b51287ed24e9c75ca8d4fe7c2a19b1c76208fd22aef
Instruction Fuzzy Hash: 03612274E11229DFCB01DFA4D9808EDFBB2BF89300F15966AE805AB364DB70A945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02FA05D8 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25e05fd7fb8697c1ab38a2d16314fac7fe0c9f286d1b977d57146d53c2f2c82a
Instruction ID: 1f4b15bd3e2cf0849a746fbae740cd8bd2cd4fcc8dffb702051b641648917cae
Opcode Fuzzy Hash: 25e05fd7fb8697c1ab38a2d16314fac7fe0c9f286d1b977d57146d53c2f2c82a
Instruction Fuzzy Hash: 5661C475E0021D9FCB14DFA9C890AAEBBF2FF88304F248469D409AB354DB319942CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02E5C9E8 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 586ae5c0bc388aca68408cf450d3a5af7a750140d5c003c455f5c645281d5db2
Instruction ID: af6edb9aa0a510e44b96d581f48f8bc20bfc4780854705d3fa069e6242172959
Opcode Fuzzy Hash: 586ae5c0bc388aca68408cf450d3a5af7a750140d5c003c455f5c645281d5db2
Instruction Fuzzy Hash: AF51CD74E002289FCB04CFA9C954AEDBBF2FF49305F24952AE815BB254D735AA45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02E5BC18 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01987b515aa6238316176323cbb530bed8c2f7ba1674f433a75ab18c57068587
Instruction ID: 65c26c69cff7090a188c83505104c882ef59c6e3c60a647494a2a8afc92ba655
Opcode Fuzzy Hash: 01987b515aa6238316176323cbb530bed8c2f7ba1674f433a75ab18c57068587
Instruction Fuzzy Hash: D751D074E00219DFCB14DFA9C4809DEFBB2FF8A300F119529E814AB265DB30A986CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02FA49A0 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff0f1f55ff88238c107ac3e4495915e2de156a15d9abb2b27c0caf9bda69b72b
Instruction ID: b4606a7a7815a902c95a6464135dbb7bd9457133e48ac18510f5d11f18d1f8fa
Opcode Fuzzy Hash: ff0f1f55ff88238c107ac3e4495915e2de156a15d9abb2b27c0caf9bda69b72b
Instruction Fuzzy Hash: DE517174E002199FDB08DFE9D994AAEFBF2BF88300F10852AD915AB364DB715946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02E5C9D9 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae0d4c5d4efa6ed0c6041c2a2731019da0c135e0b6ba034132e2b18d75800260
Instruction ID: 45c3b56d6505a85e1b2803edc8eb93491f05c2e51802f1e048b2f6900024514b
Opcode Fuzzy Hash: ae0d4c5d4efa6ed0c6041c2a2731019da0c135e0b6ba034132e2b18d75800260
Instruction Fuzzy Hash: 7551F070D002688FCB04CFA9C554AEDBBF2AF49301F24956AE815BB295D7399A46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02E5A448 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e89d7954bdf44e462f1f681281620a35c34b5102125a7450c0165bb81baf8dee
Instruction ID: 8508928ee8bb8d449231df0b0e5a0bf906c95b8de287b835ab3c969dc7a4d116
Opcode Fuzzy Hash: e89d7954bdf44e462f1f681281620a35c34b5102125a7450c0165bb81baf8dee
Instruction Fuzzy Hash: 00516874A11229CFCB05CFA4D8808EDFBF2BF89300F15956AE805AB365CB74A945CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02E5BC08 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 630e89624caa0db3745f9e416d07745446f3344796f6b532501b9178554aae4e
Instruction ID: 8ac12180ca064efdaff6a750a958eec78c8b75690d21256545cfac2607c61ca4
Opcode Fuzzy Hash: 630e89624caa0db3745f9e416d07745446f3344796f6b532501b9178554aae4e
Instruction Fuzzy Hash: CC510274E002598FCB15DFA9C4809EDBBB2FF8A300F15C569E854AB265DB31A986CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02FA3810 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ebdbb8f00174024578b1922d1302ca832216b184924e7c00f32c0d3d7d51a78
Instruction ID: 6fd23d4d2bd5c9b0111e9d560844a6ed1a44cdb0364dfad1ccb24e10a22009fd
Opcode Fuzzy Hash: 3ebdbb8f00174024578b1922d1302ca832216b184924e7c00f32c0d3d7d51a78
Instruction Fuzzy Hash: 5151E474D01219DFCB04DFA9D5A4AEEFBB2FF89344F108569E805AB254DB34AA41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02FA4990 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1043ede841778ac27afd89229588c8add6a4e8edefdb069b3c8370764362c84f
Instruction ID: ccd1332fc2ef02b2b4afc079864a637f8f7e089672e7849060541e8c30a6f00e
Opcode Fuzzy Hash: 1043ede841778ac27afd89229588c8add6a4e8edefdb069b3c8370764362c84f
Instruction Fuzzy Hash: D551A274E002199FDB08CFE9D9946AEFBB2FF88300F14852AE519AB364DB715906CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02E55630 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3f3590f9e3c0b5d976d7cab81fa5607a8c3339a6aba062ed45b1cfea5519920
Instruction ID: 786c87a46c9db8860e8d3646ac6b46dc551b31cf6194d4058b347205fc95147b
Opcode Fuzzy Hash: c3f3590f9e3c0b5d976d7cab81fa5607a8c3339a6aba062ed45b1cfea5519920
Instruction Fuzzy Hash: F251C074D01208DFCB14DFA9D494AAEBBF2FF89304F14916AD906A7264DB31AA41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02FB009A Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261086335.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fb0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f1c32bce92a255315e66304b07a00abe1bda5127fcf7fad3927858e7763c63d
Instruction ID: 019212e71fd29f1c96e14d509c39d15512cc077363f3de326e8527bda8490f31
Opcode Fuzzy Hash: 2f1c32bce92a255315e66304b07a00abe1bda5127fcf7fad3927858e7763c63d
Instruction Fuzzy Hash: 90411A31A04359CFC702CFA9C8949AEFFB2FF4A310B158196E545EB261CB319C05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02E52298 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba7c7791d299e0cc5f3874302d156a788c09bf2bd35868476b58d33c93f6000d
Instruction ID: ab57a03f64278a19029ca21979e90e661dbb5f4f4c66f4bb6246b3f2c60776ab
Opcode Fuzzy Hash: ba7c7791d299e0cc5f3874302d156a788c09bf2bd35868476b58d33c93f6000d
Instruction Fuzzy Hash: 35417D74A1061ACFCB20CF58C4C4AAABBF5FF44318F20D669DA55972A4D730E996CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02E55302 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f9990f7f79c338341baaaa1128a028b0c68bacda9c4441a5d2bc5df9595aad7
Instruction ID: ac253386256663698fb1197e677467a61824b0c3e977bc4f671c2b866b22235b
Opcode Fuzzy Hash: 1f9990f7f79c338341baaaa1128a028b0c68bacda9c4441a5d2bc5df9595aad7
Instruction Fuzzy Hash: CF415470D05229CFCB14CFA8D4947EEBBB1FF48305F10902AE805A7290DB799944CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02E507D8 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70f0f3dec3832843135c18826e8c1efedd4d9460f93a30204d401efd1e6213c0
Instruction ID: 3ee03a70f3927cf4c1f380d7c3b6650c6001ef42261f40ea9741bc2d88d89a37
Opcode Fuzzy Hash: 70f0f3dec3832843135c18826e8c1efedd4d9460f93a30204d401efd1e6213c0
Instruction Fuzzy Hash: FB414534E02218EFCB58DFA8E894AEDBBF2BF49314F14806AE404B7290DB355941CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02E54F6F Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6445c2cfe948335421bf5549490e0e02fdb7368b37e2be43ff86ee53c2a863b
Instruction ID: 03dc330cf7287622264571ec99eba7547683187984a92bf5d79cb9a8c8ccc326
Opcode Fuzzy Hash: d6445c2cfe948335421bf5549490e0e02fdb7368b37e2be43ff86ee53c2a863b
Instruction Fuzzy Hash: 8A314370D952688FEB18CFAAC9097EDFBF6AF8A304F14A06AC409B7255DB740945CF14

Uniqueness

Uniqueness Score: -1.00%

Function 02E54F38 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6ccf4cd25c40a6a195bcbc561532d71c353501d561245be175eac4639c1eb3f
Instruction ID: 93e75e32a9f47474ef9497a490f2d0006dcfd52f6277b7769f4193e858ee11cd
Opcode Fuzzy Hash: c6ccf4cd25c40a6a195bcbc561532d71c353501d561245be175eac4639c1eb3f
Instruction Fuzzy Hash: 183105B0D552688FDB14CFAAC9047EDBBF6AF49304F14A06AC809BB254D7750945CB64

Uniqueness

Uniqueness Score: -1.00%

Function 02FB00F8 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261086335.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fb0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 056a0a63ad233307ae943a73944602d1be0b6d95b96c8b59d6df393bd0b4ec10
Instruction ID: b81e70fa34260f1b7e27f17c21987e130744ee940675b09431f2470f1ea1546a
Opcode Fuzzy Hash: 056a0a63ad233307ae943a73944602d1be0b6d95b96c8b59d6df393bd0b4ec10
Instruction Fuzzy Hash: 6241E370A0030ADFCB02DFA9CC949AEFFB5FF49300B15809AE585AB261CB359905CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02E5D930 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba90e407e98839ea14779a1faaf6a0abe4ec37906df610fe5c9cd9ecd9505e60
Instruction ID: a292af86e31feac423076d936ad18c943df77bf2a7019238f67b5864ec96a34d
Opcode Fuzzy Hash: ba90e407e98839ea14779a1faaf6a0abe4ec37906df610fe5c9cd9ecd9505e60
Instruction Fuzzy Hash: 0D41CE75D10219DFCF14DFA9D880AEEBBB2BF49311F10942AE805AB254DB746A46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02E555CA Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46adf892c6cbc0682eee1b5ae28a1c4a8290270b16239f00ab11cc2e47e6e5a5
Instruction ID: 8279ab16ca0a4ea80cca9b21501f486d6ef04157c0ae141f7a89d591b70383c5
Opcode Fuzzy Hash: 46adf892c6cbc0682eee1b5ae28a1c4a8290270b16239f00ab11cc2e47e6e5a5
Instruction Fuzzy Hash: 5431E074E41208EFCB04DFA9D494ADDBBF2FF89314F1491AAE905AB360EB305946CB40

Uniqueness

Uniqueness Score: -1.00%

Function 02E5BEE8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24dd2251aee4886d336367c8b912416c45b02d1d0143f5e703c93df97bceb634
Instruction ID: 6529d0b3bcede05b39034215aa1ebd99d15a9a29df16bf6cdd175c5922825174
Opcode Fuzzy Hash: 24dd2251aee4886d336367c8b912416c45b02d1d0143f5e703c93df97bceb634
Instruction Fuzzy Hash: D2311674E112299FCB14DFA9D8908EDFBB2FF89310B059569E804AB365DB30A946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02FA4FF1 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 969cf32857c1f150a2cb94749335d839fc1adfd57301c47ba9a210dab1c13643
Instruction ID: 59b735881c694cc6a89821da9701138d2e3d7afd21dcae5af5402f976580d056
Opcode Fuzzy Hash: 969cf32857c1f150a2cb94749335d839fc1adfd57301c47ba9a210dab1c13643
Instruction Fuzzy Hash: B6313AB5E0424A8FDB08CFAAC8656AEFBF2FF88341F14C16AD519A7251D7344941CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02E524F8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a2c5052df847c729388084d329ee9937312784d2129d92c724189f742ff9a72
Instruction ID: bec33c4fa73e042287076ed942682dc045744b5f2b09126b4ef8180f7bc49a13
Opcode Fuzzy Hash: 0a2c5052df847c729388084d329ee9937312784d2129d92c724189f742ff9a72
Instruction Fuzzy Hash: ED31FE75D012199FCB15CFA8E484AEEBBB2FF49320F10802AE805AB354CB755946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02E5E8F8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3811af1ba72257a944a25e8670718d07ad60a4a90d30666615214251914f54f7
Instruction ID: e79f72c8ee9fd57627b27b7611707ffb39d5777bbc22e0ccc37f897e62e1b58d
Opcode Fuzzy Hash: 3811af1ba72257a944a25e8670718d07ad60a4a90d30666615214251914f54f7
Instruction Fuzzy Hash: AD312675E002099FCB04DFA9D891AEEBBF2FF88314F14816AD505B7350DB355942CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E57918 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a125f2a47fd7deb0abf85efa09532ca229f06af25d34eb6f1aa85e23b14734d
Instruction ID: 5ef8689e7d597bff0dff19e73b39df184d3246ce190f401eda622f8a40f411ee
Opcode Fuzzy Hash: 7a125f2a47fd7deb0abf85efa09532ca229f06af25d34eb6f1aa85e23b14734d
Instruction Fuzzy Hash: 26310571A106568FCB11CF25C88096AFBF2FF80314B19C669E8658B246D730F955CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02E5BEF8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 034819c96a3eb17a508a10ec68258d975d1c1bc64d76741cb681423da7a29d90
Instruction ID: 721f5c0907094dba95627e1219142b75ed4fe3a3d0b3082fcf0c6195f5d5de85
Opcode Fuzzy Hash: 034819c96a3eb17a508a10ec68258d975d1c1bc64d76741cb681423da7a29d90
Instruction Fuzzy Hash: 0A311574E11229DFCB14DFA9E8808ADFBB2FF89310F018569E814AB364DB30A941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02E59F19 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16f30785728a527d7029840cd2418186d7e1ea50afd866ca25998fbbe34ed395
Instruction ID: b2d48e43dfeb789c55a5b6f8a8a27664fbd3f6fec63ea243fd4deb8e38d36ab8
Opcode Fuzzy Hash: 16f30785728a527d7029840cd2418186d7e1ea50afd866ca25998fbbe34ed395
Instruction Fuzzy Hash: EC313631A106619FC711DB28D44096DFBF2BF86314B09D6A5D869DB782C734ED41CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 02E51FF9 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9845c892594c2b204b8835c49686e2b91f71a65c4874f2bbb3be2dce71969f11
Instruction ID: f0be93236074143e3f7580543ee570277f80d40c4f96a9734639897788da7511
Opcode Fuzzy Hash: 9845c892594c2b204b8835c49686e2b91f71a65c4874f2bbb3be2dce71969f11
Instruction Fuzzy Hash: 7631C074A1060ADFCB14CF55C8C09AAFBB5FF44324B24C56AED199B254D731F851CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02FB02F4 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261086335.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fb0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19d54a617571b85e211e05d1b6be8e3b40c7cd25f0dd1403b505a2c64fdbe4a5
Instruction ID: a5a27daf3462087a27b0e259f053233e6062f7be66f05497b9b195d54fa7cfcd
Opcode Fuzzy Hash: 19d54a617571b85e211e05d1b6be8e3b40c7cd25f0dd1403b505a2c64fdbe4a5
Instruction Fuzzy Hash: CF31C071904209DFCB02DFA8C8949EEBFF1FF49350B04819AE559EB221C735A909CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02E52508 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1df35c11079dba31b2642b22220b8b671624e707f08ad19104b218a8ef078b27
Instruction ID: c504f912c20e6023c9a1839bef6fb3d5fa0eed9d51b5ac736527536c87529747
Opcode Fuzzy Hash: 1df35c11079dba31b2642b22220b8b671624e707f08ad19104b218a8ef078b27
Instruction Fuzzy Hash: 8231ECB4D002199FCB15CFA8E494AEEBBB6FF48310F14802AE905B7354DB716A46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02E54513 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc56619e26900fade0ae089e0dc04acd9b825b09977a4c2838e531e145ea14fe
Instruction ID: 8d7afae30a02e0218c68148d3f73775f413c7aafd0e74910a53347a204f91b21
Opcode Fuzzy Hash: bc56619e26900fade0ae089e0dc04acd9b825b09977a4c2838e531e145ea14fe
Instruction Fuzzy Hash: ED313C30E0024A9FCB44DFA8D4509EEFBB1FF85304F14856AD454AB295DB356D45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02E5A371 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd54bf4e1796f969fa261a31e18e2f59f936f90dfebade1361ea2df1a35c1433
Instruction ID: 2ad4e06c4dea0a920de91deec3e3c2832452bcd5475f60f69c94896cc0a6c4be
Opcode Fuzzy Hash: dd54bf4e1796f969fa261a31e18e2f59f936f90dfebade1361ea2df1a35c1433
Instruction Fuzzy Hash: 9C31D070D10219EFCF05DFA4D841AEEBBB2FF49314F10856AE904AB260DB756946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02E50838 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3b7cfa23266b9a344aa878259808a1fabfd342b57257c270694f76a5d4b81f9
Instruction ID: 17808d1c15b6a0f082ce2d242b4277e29f5f58742d09e571513520fdeca9d621
Opcode Fuzzy Hash: d3b7cfa23266b9a344aa878259808a1fabfd342b57257c270694f76a5d4b81f9
Instruction Fuzzy Hash: BC211574E12218EFDB18DFA9D984ADDBBF2BF88304F10902AE801B3350DB346945CB54

Uniqueness

Uniqueness Score: -1.00%

Function 02E55620 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 619970a49170c52e85e05e51fd3e55f35a1836e5af68cdd9373c3d260c19f699
Instruction ID: 75f639c6697053411bd006c2f967d9d0a0ecf7e6b5c82fcd55c849853dbec74a
Opcode Fuzzy Hash: 619970a49170c52e85e05e51fd3e55f35a1836e5af68cdd9373c3d260c19f699
Instruction Fuzzy Hash: 73212574E002489FCB04DFA9D884ADDBFF2FF89314F1590AAE905AB261EB305945CF00

Uniqueness

Uniqueness Score: -1.00%

Function 02E54528 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e155ec1528d28ba105db082b8b3db558f27c272338cbd7f589fc074a54a309c1
Instruction ID: 42eb1e98ccca9308e87cff6e89390f0344720a4ac2feae2372e83a624af431f1
Opcode Fuzzy Hash: e155ec1528d28ba105db082b8b3db558f27c272338cbd7f589fc074a54a309c1
Instruction Fuzzy Hash: B421F430E0010A9BCB44DFA8D5509EEFBB2FF88304F148A69D515AB394DB31AE49CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02FAB3F0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a1e30daacd80e07fdcdf0422f8372d9e39100b557deae131dba4e341123fef4
Instruction ID: b1c8bf73e79e04c549c3c60b37bdb45f62e1bb23f1639bc0a27d47ed8cb08c1d
Opcode Fuzzy Hash: 4a1e30daacd80e07fdcdf0422f8372d9e39100b557deae131dba4e341123fef4
Instruction Fuzzy Hash: 27215674E002098FCB05DFA8D8546EEBBB2FF89305F10846AD911B3390CB365A46CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02E552B7 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33ca31fb2b6edc6fb748b4e87898949e333e3a0f606f88bd12ebcaf877ecdba8
Instruction ID: 14d55bc1cdf0c750cbd164cc8425af073f87a100a26337aa3765a29e44da4bd2
Opcode Fuzzy Hash: 33ca31fb2b6edc6fb748b4e87898949e333e3a0f606f88bd12ebcaf877ecdba8
Instruction Fuzzy Hash: 0311BF78D95228CFDF10CFA4D948AEDBBF5BB4A315F50A02AD80AB7200D3745984CF68

Uniqueness

Uniqueness Score: -1.00%

Function 02E51DD0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4d5a1ab2c6e64bac21a3abe674e2855d97846f0c235b55568a7711891271abd
Instruction ID: 873d7c4540b48e9532029069e9b5e1595963aa057cb068d13f5217ae193e5fdd
Opcode Fuzzy Hash: d4d5a1ab2c6e64bac21a3abe674e2855d97846f0c235b55568a7711891271abd
Instruction Fuzzy Hash: 5221E374A01208DFCB01CFA8C484AAEBBF1FF4A314F1481AAD815AB361D370AA84DB50

Uniqueness

Uniqueness Score: -1.00%

Function 02FA39B0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20bf6104662b0e411f432a41d06a6a690cc1c83be14f84b548d600b16d34f5b1
Instruction ID: 89c32e06a1080e154cf2c11161f482b10616a233496b494b379ce6f902e5f039
Opcode Fuzzy Hash: 20bf6104662b0e411f432a41d06a6a690cc1c83be14f84b548d600b16d34f5b1
Instruction Fuzzy Hash: AE21E2B4E0121ADFCB00DFA9C495AAEFBF5BF49344F2080A9D905A7350D7349A80CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02FA39A0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69e98b0e1ac8df9ef8de261f2e69ea966a9e2dcdcac89c41663c35eb00e0c54b
Instruction ID: 1b12e0137ce74ab1f6327cf1eca64c1baeb8b86f8363f2f62181fd7bd1cd853a
Opcode Fuzzy Hash: 69e98b0e1ac8df9ef8de261f2e69ea966a9e2dcdcac89c41663c35eb00e0c54b
Instruction Fuzzy Hash: 0911BCB4D0424A9FCB01CFB8C0656AEBFF1FF0A390F1480EAC905A7251D7304A41CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02E504D8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c4fbea8c9b0e8edb669c12141f52da13c2507336dea06309b790a0abf1bd088
Instruction ID: 7b039476d626d3584eaf657eb6e03d9166c094d41418765f3d32dc9a0023a03e
Opcode Fuzzy Hash: 1c4fbea8c9b0e8edb669c12141f52da13c2507336dea06309b790a0abf1bd088
Instruction Fuzzy Hash: 362198B4D05219DFCB58CFA9D8819EEBBF1FF49310F1081AAD805A7220EB395A41CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02FA50F8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9add871b8d3362ef69cb90c77fa7b5e051917c7648df7a1c859f4b729733764e
Instruction ID: f614613ead64b1a3d9567bb903c4bce450c92d4719cbaf119c9062abc441209f
Opcode Fuzzy Hash: 9add871b8d3362ef69cb90c77fa7b5e051917c7648df7a1c859f4b729733764e
Instruction Fuzzy Hash: BD21C4B4E002099FCB44CFA9C590AAEBBF1FF49300F6085AAD818E7751D7349A41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02FA5108 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f60c649858e1382a0ce6ce558770cf5fb1eef657153fee6922603d5972683812
Instruction ID: 7e653d51566147856c5494ac11ea583c0bdb4b14a003931294e89ecddea36eec
Opcode Fuzzy Hash: f60c649858e1382a0ce6ce558770cf5fb1eef657153fee6922603d5972683812
Instruction Fuzzy Hash: 021164B4E00209DFCB44DFA9C581AAEBBF1FF48300F6085A9D818A7755D774AA41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E504E8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc9397f2920ec69abbbb320ca239c41a53ef860a048ffc0388300a5fab028ee6
Instruction ID: 4b0e7b24c4f95a3830ddeffbeeb69272e54ce50dd3368be67dff6912604aa5dc
Opcode Fuzzy Hash: cc9397f2920ec69abbbb320ca239c41a53ef860a048ffc0388300a5fab028ee6
Instruction Fuzzy Hash: 0511ACB4D00209DFCB54DFA9D8406AEBBF5FF48300F10916AE815A7320E7345A40CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02FA5197 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05290e32f460c131a8837b88e47d76eff0c50813378f266d35b01c2ed2ddbb55
Instruction ID: 1599e702a1acde305f23309c62d8c770bbb7446685bc0c66157bf6392b932d54
Opcode Fuzzy Hash: 05290e32f460c131a8837b88e47d76eff0c50813378f266d35b01c2ed2ddbb55
Instruction Fuzzy Hash: F011E570E00249AFCB04DFA9C5919ADBFF2FF49314F1585EAC458AB251D771AA46CF80

Uniqueness

Uniqueness Score: -1.00%

Function 02FA7BC6 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0440d6ce5ff4f776c0ac990a34758f2f14f6dc01dd802a412f779ffa1bee2c2
Instruction ID: 4ffc39e21621a48f04c6f5baf58f44e50b20f45d56c186388557190c692f6036
Opcode Fuzzy Hash: f0440d6ce5ff4f776c0ac990a34758f2f14f6dc01dd802a412f779ffa1bee2c2
Instruction Fuzzy Hash: C60112B6E05208DFDB10EFD0C490AEDFBB1AF89394F109116D5017B250D731AA86CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02E5EA48 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 624cc9bc562c767fa8c40d436d946c51560ad282820cd0070ea1deb2a6e461fc
Instruction ID: 49523dd36c599ab1ae2732560623a5fb62596b0bee6c911ef31d9aabfc7f5f40
Opcode Fuzzy Hash: 624cc9bc562c767fa8c40d436d946c51560ad282820cd0070ea1deb2a6e461fc
Instruction Fuzzy Hash: 09012874E04218DFCF04EFF9D4042AEBBB9BB48304F0495AAD955A3381EB354A44CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02E5EA38 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49153d2a19e88c32d6276b599e935ee10dcf08541bd712e4f9a4f8176aa51dab
Instruction ID: 684fcd2dd3a9ca09e5c03b1ac764e0f83c3a599750863317d20ca56569def844
Opcode Fuzzy Hash: 49153d2a19e88c32d6276b599e935ee10dcf08541bd712e4f9a4f8176aa51dab
Instruction Fuzzy Hash: 2C015670E15218AFCF14EFB994453EEBFB5BB08304F0485AAD954A3292EB354A44CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02FA5FD0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ed770a44d9d853059383084d67f97536d5e105febacea4e3ffd6c46a95787a4
Instruction ID: abc7f437d752ad9282df79ecfc3a1138b28563fa62a3d18e952d80ceffa03e47
Opcode Fuzzy Hash: 6ed770a44d9d853059383084d67f97536d5e105febacea4e3ffd6c46a95787a4
Instruction Fuzzy Hash: A1011634A04108EFCB05CFA8CA95A9DBFF2EF49200F29C1E9D9089B2A1D730DE45DB40

Uniqueness

Uniqueness Score: -1.00%

Function 02FA37B0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf747855d5bd595cc5081ddc82451f21044f391c038e027317a41863fe996934
Instruction ID: 61b0e2a2d812206744ea8289b34aebe53e1faf7fc1306bd9ee37310fcb9064c1
Opcode Fuzzy Hash: cf747855d5bd595cc5081ddc82451f21044f391c038e027317a41863fe996934
Instruction Fuzzy Hash: 06014B70D092499FCB15DFB8D8519ADBFB1FF06310F0485EAD494A7251C3315952CB40

Uniqueness

Uniqueness Score: -1.00%

Function 02FAA858 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7ce6ebdf7828df6e4ce09200a7bc5cc1998018fb87927450db2ee4afa3ee18d
Instruction ID: 5272de47655be29179c587c0be5c5c7957082951553e7dee0f37c974dba2e66a
Opcode Fuzzy Hash: d7ce6ebdf7828df6e4ce09200a7bc5cc1998018fb87927450db2ee4afa3ee18d
Instruction Fuzzy Hash: 05011471D002489FCB55EFF898616EEBFF2EF8A300F1485EAC545A7251EB751606DB80

Uniqueness

Uniqueness Score: -1.00%

Function 02FA8450 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ddabb12b6768c935d9fb4c81f8423620f3ed3d3b2951b7563ad03470f3951b1
Instruction ID: 1d9b65839b10a302b63757425b25c48278033f95a4d91c1c1c12b047cebd4b70
Opcode Fuzzy Hash: 3ddabb12b6768c935d9fb4c81f8423620f3ed3d3b2951b7563ad03470f3951b1
Instruction Fuzzy Hash: AAF08770C04248AFCF50EFB889612AEBFF1FB0A300F0085AAC184A7251EB710602CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02FA5F70 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23493539735c31559122dbc55aa39a88908ae7c888dcc8370d5b3114fa9c9b80
Instruction ID: 5ab559c652ad8f2b43b20f28c46c1be4868cc22113397c3bcffae97d2b085fcf
Opcode Fuzzy Hash: 23493539735c31559122dbc55aa39a88908ae7c888dcc8370d5b3114fa9c9b80
Instruction Fuzzy Hash: C4F08C70A04288DFC705CFA9D855A9DBFB1EF8A341B08C6F6D4449B265D3309A06DB80

Uniqueness

Uniqueness Score: -1.00%

Function 02E5AF17 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e48d64c05542c7f5e84b881458da82345bbb6ef190b6638e61e35e367b51a72f
Instruction ID: 8fd15c8870844a5d3d71ae2d281e9a80847a0111077b93dbbb302dab856abc4b
Opcode Fuzzy Hash: e48d64c05542c7f5e84b881458da82345bbb6ef190b6638e61e35e367b51a72f
Instruction Fuzzy Hash: 7D016D70D442599FCB04EFA8D4506ADBFB1BF45304F1493AAD528BB391CB311A02CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02E50469 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 314c3a5b780048a4444449ddfc155316281924d054f8ffc59bfc469790d00f8a
Instruction ID: f1501e7951d36e9c793fc6c1c56740791de34339943a34bc9f73ce8bd71cd0ca
Opcode Fuzzy Hash: 314c3a5b780048a4444449ddfc155316281924d054f8ffc59bfc469790d00f8a
Instruction Fuzzy Hash: 3DF049B4D10208EFCB50EFB8D5442AEBFF1FB49304F1086AAC401AB350E7714A04DB81

Uniqueness

Uniqueness Score: -1.00%

Function 02E59EC0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d1d92cab1634247d401aebcd21a0573adbd23d47d7b17fea398a3c1374d4506
Instruction ID: 43901236387030798081bfb3495cd30c13e6b43ef8f03f4f0deff194e7607731
Opcode Fuzzy Hash: 6d1d92cab1634247d401aebcd21a0573adbd23d47d7b17fea398a3c1374d4506
Instruction Fuzzy Hash: 0EF04438D08348EFCB54CFB9A0465DCBFB1EB4A320F1081AAD844A7345DB394A46CF40

Uniqueness

Uniqueness Score: -1.00%

Function 02FA5FE0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6032709960516809d7aefe86925aee49cadfe15977e62de897ad4b564055e04a
Instruction ID: 988d3a15ff496521b791d3ff681b237f9d637ba1be5f2a435860408e8e27b0f8
Opcode Fuzzy Hash: 6032709960516809d7aefe86925aee49cadfe15977e62de897ad4b564055e04a
Instruction Fuzzy Hash: 1CF0B238A00108EFCB04DFA8DA98A9DBBF2EF48300F25C1A5D9099B365D731EE41DB40

Uniqueness

Uniqueness Score: -1.00%

Function 02FA7A2A Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56184b3493292340bd0faa4c4463f688f2eecefcbc7eee1d9b41191d9d708aec
Instruction ID: c95d20feac7db5ece1909af443567c0e252a3c59d191c3d6a3a0ffc884138903
Opcode Fuzzy Hash: 56184b3493292340bd0faa4c4463f688f2eecefcbc7eee1d9b41191d9d708aec
Instruction Fuzzy Hash: B1F0F434D09288AFCB11DFB8E9969ACFFB0EF0A300F0481EAD844A7221C3315A55DB00

Uniqueness

Uniqueness Score: -1.00%

Function 02E5AF28 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 936e8fee777de0d5b2428bf7cd859918d59cdf39dc20355d7d36c3a954a4f82d
Instruction ID: 3bcfe96d947f9ed5f88927c49f012d02016da57b11d98bb8bdee9359cd6a9a1b
Opcode Fuzzy Hash: 936e8fee777de0d5b2428bf7cd859918d59cdf39dc20355d7d36c3a954a4f82d
Instruction Fuzzy Hash: BFF0F9B4D052199FCB44EFA9D9416AEBBF5FF48304F5092B9D818B3340DB301A00CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02FB09DC Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261086335.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fb0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ea50384a1186efbdadb07811338955d092f34a14c04f8220b07431853e85fee
Instruction ID: 84988bd6138151ec1716d9a33b2baa22c582de53b8c615e9092713e6ef3d72da
Opcode Fuzzy Hash: 1ea50384a1186efbdadb07811338955d092f34a14c04f8220b07431853e85fee
Instruction Fuzzy Hash: 25F0E276A005169FD712DB65D8208EEFBB2FF94350B048959D342AB3D4CF31A915CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02FAA868 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5e1a7e78d86c70bb3424836d9066afd23ccda2d22e7b7fb74f36ac0bd671b66
Instruction ID: 2c7f043b082e83ce2309c5c111700fb02adec72df76cc0bf1b1e1602d2e847b5
Opcode Fuzzy Hash: e5e1a7e78d86c70bb3424836d9066afd23ccda2d22e7b7fb74f36ac0bd671b66
Instruction Fuzzy Hash: D7F03FB4D0020CEFCB54EFF9D8506AEBBF2FB48300F1086AAC905A7250EB715A00DB81

Uniqueness

Uniqueness Score: -1.00%

Function 02FA8460 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0636cd3d2686d62887f1d63abcce921277a54e2019da4f8ffc831c7edcd267f
Instruction ID: f4b3b05e8cefe0a913154869ce8bdacda4bfe3147c5c7a2677185da01c0251ec
Opcode Fuzzy Hash: d0636cd3d2686d62887f1d63abcce921277a54e2019da4f8ffc831c7edcd267f
Instruction Fuzzy Hash: AEF03474D0020CEFCB54EFB8D9506AEBBF6FB48300F1086AAC515A7240EB704A009B81

Uniqueness

Uniqueness Score: -1.00%

Function 02FA37C0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da31bd0310b5204fb9f58bb5e2756a2992a06ee4d57bd1f6c296ee10a20c17c0
Instruction ID: a0133cdc727cdeb5941537a30d1e03bc33d8cad3365f13ff901d21af7810b931
Opcode Fuzzy Hash: da31bd0310b5204fb9f58bb5e2756a2992a06ee4d57bd1f6c296ee10a20c17c0
Instruction Fuzzy Hash: AFF01C74D0021CEFCB54EFA8D845AAEBBB5FF09310F0096AAE814A7314D7319A51DF80

Uniqueness

Uniqueness Score: -1.00%

Function 02FA0259 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35b032a85005c543e75983103bca82bb01423beea1a117b83e7e6b4fdf59f06d
Instruction ID: 9f4933c58e1de76784219b149d71bfbbc54bab503cb114cfdbf5bb1bfa033e39
Opcode Fuzzy Hash: 35b032a85005c543e75983103bca82bb01423beea1a117b83e7e6b4fdf59f06d
Instruction Fuzzy Hash: 8AF07F76E04218EBCF14CEC4E890BBDF7B1FB88355F10909AEA216B261CB319956CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02FA7A38 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17119ee1344344fe2ba643a2fdeb7045508d6f77012d34186ab748b9e67ee9de
Instruction ID: cfbfb3e5507fa56d81749c86bae3af89410590023fd7470653b7c26d16844065
Opcode Fuzzy Hash: 17119ee1344344fe2ba643a2fdeb7045508d6f77012d34186ab748b9e67ee9de
Instruction Fuzzy Hash: F7F09274D01208EFCB50DFA8D949A9DFBF5FB49300F1081A9A908A3210D7319A54EF45

Uniqueness

Uniqueness Score: -1.00%

Function 02E59ED0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29ace3ed8d9374c5354d07f98e20eb07367a115a82401e7c0e8bd6eb8430379e
Instruction ID: 395fd34dfe5e9fac65800623732d4d8e60dd7717934d5856ef2c460a055df348
Opcode Fuzzy Hash: 29ace3ed8d9374c5354d07f98e20eb07367a115a82401e7c0e8bd6eb8430379e
Instruction Fuzzy Hash: 8CF01538D14208EBCB54DFBAE04469DBBF9AB49304F00D0AAD804A3344EB345A40DF81

Uniqueness

Uniqueness Score: -1.00%

Function 02E59F28 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81eb2e145539cfaa76bac33242119fe980295907bf1ee9639bbe44f5218bc4cc
Instruction ID: 5c579e7a07c861487c9d6be00f9ce0b8bbc8eb20e047faa77e642d98b8313206
Opcode Fuzzy Hash: 81eb2e145539cfaa76bac33242119fe980295907bf1ee9639bbe44f5218bc4cc
Instruction Fuzzy Hash: C3D0C2353406228BD310970AD0409A573EBEB80314B04D175E819C761ADB30EC00C7C4

Uniqueness

Uniqueness Score: -1.00%

Function 02E51FC9 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4219ce30f0981863cbe3035ba4c2b8759def27ac17839ee109baa3517eada7d
Instruction ID: b38a5bbe6fff1991e98150bbf9778a9456a0b606a158d65bc640305e7f6e396a
Opcode Fuzzy Hash: f4219ce30f0981863cbe3035ba4c2b8759def27ac17839ee109baa3517eada7d
Instruction Fuzzy Hash: 18E0EC36088345EFD7464F90D805EC4BFF9EF56320B15809BE1448B0B2C7798865DB21

Uniqueness

Uniqueness Score: -1.00%

Function 02E50439 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 180cb27e069a1f8c5b2a18ee470d6b81b32d673017a86ff1a2880b343840dab1
Instruction ID: 88661f963fcd46bb027e7fc5da66af7ead66dbc5ce4d73dff2b1a19e8d8a2b06
Opcode Fuzzy Hash: 180cb27e069a1f8c5b2a18ee470d6b81b32d673017a86ff1a2880b343840dab1
Instruction Fuzzy Hash: 8FD0A9320923019FCBA60BA8B4083D83BB8AB23325F062177E80881020D3A80842EB10

Uniqueness

Uniqueness Score: -1.00%

Function 02E50448 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc72c982b77453b07a89e609b7dddfebadd0299498d5166bb8fadfd4f1f8e4bc
Instruction ID: 41f2bc8b7213a87a7f63a339a47003f3f21a4272710dd244552344c8fe6e3196
Opcode Fuzzy Hash: bc72c982b77453b07a89e609b7dddfebadd0299498d5166bb8fadfd4f1f8e4bc
Instruction Fuzzy Hash: 09B012300527088BCA3427D8F40D33EBBACF70533FF486228EA0C01858CB716490DBA6

Uniqueness

Uniqueness Score: -1.00%

Function 02E57928 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.260860506.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 221fb79b39c5c81adea50683e76f395ca3a5bc07c35228a96485d766ec99e7c4
Instruction ID: aacdb0aa1e6377b8277d523dbc2cc307f54a2ab52f82c532c68e50f2d62a5083
Opcode Fuzzy Hash: 221fb79b39c5c81adea50683e76f395ca3a5bc07c35228a96485d766ec99e7c4
Instruction Fuzzy Hash: F8B01276440701AADA204640C904F15B6519BE0703F058430A200444C981304050E711

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02FA0F38 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c841ee25ca0249159051c9bb7f48bb1727f1e195e414f163fba1ed73968fd80
Instruction ID: 4b17a292de364e176bdf892c355c7e8b9de6cfdd6385a92b197911de2be994d1
Opcode Fuzzy Hash: 0c841ee25ca0249159051c9bb7f48bb1727f1e195e414f163fba1ed73968fd80
Instruction Fuzzy Hash: 10B1C275D00229CFDB25DF64C850BDEBBB2BF49300F1195A9E909AB261DB31AA85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02FA0F28 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eda077e463989a3bf317790695becb41b4759fe516447254539d0e9580291b37
Instruction ID: 7c74f0f9f2e85327ff3dfd134cc6cafcc85ebf9085e7dad956b620ec628f4bf4
Opcode Fuzzy Hash: eda077e463989a3bf317790695becb41b4759fe516447254539d0e9580291b37
Instruction Fuzzy Hash: 1581D375D00229CFDB25DF64C850BEDBBB2BF49300F1185A9E909AB261DB31AA85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02FA44B1 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8dc31025bd0e3b50c075a5dda727491e17926cf29be8d53d244e04335df16a1
Instruction ID: eac31a21789bba2c4cda55d10a8a8df02ce57ba5aec152ff8f44131263329451
Opcode Fuzzy Hash: a8dc31025bd0e3b50c075a5dda727491e17926cf29be8d53d244e04335df16a1
Instruction Fuzzy Hash: E551E2B9E01218DFCB04DFA8E594AEDBBB2FF49350F244069E505A7360DB719945CF10

Uniqueness

Uniqueness Score: -1.00%

Function 02FAB4C0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 139abdeed9e2749cf9b07ec49f2c5d854200f32d4a0590dee9e5a63665bf8a04
Instruction ID: 58d2ee94c61b1eb21d3e19f9ae9048b90d26a61835fe8e37966eb48628d4fa33
Opcode Fuzzy Hash: 139abdeed9e2749cf9b07ec49f2c5d854200f32d4a0590dee9e5a63665bf8a04
Instruction Fuzzy Hash: AA410479E01218EFCB04DFA8E998AEDFBB1FF49354F104169E901A7394C730A941CB54

Uniqueness

Uniqueness Score: -1.00%

Function 02FAB4B2 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261063545.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 548a3526ca14b35345d541eb90ca5895114e948d318cbcffbdbb8e5bf12b4641
Instruction ID: 17332f35415f92052d6a11c6d8ebbc48e81fe915157d69646b44baaf6bc1457a
Opcode Fuzzy Hash: 548a3526ca14b35345d541eb90ca5895114e948d318cbcffbdbb8e5bf12b4641
Instruction Fuzzy Hash: 8331F575E11218DFDB04DFA8E998AEDBBB2FF49354F148169E801A73A0C7309945CF54

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vector Stealer

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe

Function 015B9AA8 Relevance: 1.7, APIs: 1, Instructions: 191
COMMON

Function 015B5369 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 015B3CAC Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 015BC47A Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Function 015B8EA8 Relevance: 1.6, APIs: 1, Instructions: 76
COMMON

Function 015BC3B0 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Function 015BBCEC Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 015B8E80 Relevance: 1.6, APIs: 1, Instructions: 64
libraryCOMMON

Function 015BA309 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 015B8E98 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 015B8E34 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON