Edit tour

Windows Analysis Report
QUOTE - FE7191PO154.exe

Overview

General Information

Sample name:	QUOTE - FE7191PO154.exe
Analysis ID:	1467839
MD5:	5898fd19077369ca6c8f80ddc009a433
SHA1:	970a6ffcc89ddfddccff95010c499f5e83473800
SHA256:	bb6c1c855a768f76b9d130976331ab87f18a2f38190de1fae466da8c8b292fbb
Tags:	exe
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Modifies the context of a thread in another process (thread injection)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

QUOTE - FE7191PO154.exe (PID: 2356 cmdline: "C:\Users\user\Desktop\QUOTE - FE7191PO154.exe" MD5: 5898FD19077369CA6C8F80DDC009A433)

QUOTE - FE7191PO154.exe (PID: 6672 cmdline: "C:\Users\user\Desktop\QUOTE - FE7191PO154.exe" MD5: 5898FD19077369CA6C8F80DDC009A433)

WerFault.exe (PID: 6284 cmdline: C:\Windows\system32\WerFault.exe -u -p 6672 -s 12 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: QUOTE - FE7191PO154.exe

ReversingLabs: Detection: 50%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.6% probability

Source: QUOTE - FE7191PO154.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Code function: 0_2_00007FFD3463D7C7	0_2_00007FFD3463D7C7
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Code function: 0_2_00007FFD3463FC59	0_2_00007FFD3463FC59
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Code function: 0_2_00007FFD34633A45	0_2_00007FFD34633A45

Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6672 -s 12

Source: QUOTE - FE7191PO154.exe

Static PE information: No import functions for PE file found

Source: QUOTE - FE7191PO154.exe, 00000000.00000002.2306908475.0000000013691000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAxiom.dll@ vs QUOTE - FE7191PO154.exe
Source: QUOTE - FE7191PO154.exe, 00000000.00000002.2306045362.0000000003681000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameReactionDiffusion.dll0 vs QUOTE - FE7191PO154.exe
Source: QUOTE - FE7191PO154.exe, 00000000.00000002.2308710837.000000001C6A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameReactionDiffusion.dll0 vs QUOTE - FE7191PO154.exe
Source: QUOTE - FE7191PO154.exe, 00000000.00000002.2309027196.000000001DEB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs QUOTE - FE7191PO154.exe
Source: QUOTE - FE7191PO154.exe, 00000000.00000002.2306908475.00000000139B3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs QUOTE - FE7191PO154.exe
Source: QUOTE - FE7191PO154.exe, 00000000.00000002.2309508686.000000001F820000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAxiom.dll@ vs QUOTE - FE7191PO154.exe
Source: QUOTE - FE7191PO154.exe	Binary or memory string: OriginalFilenameCPim.exe: vs QUOTE - FE7191PO154.exe

Source: QUOTE - FE7191PO154.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal56.evad.winEXE@4/1@0/0

Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\QUOTE - FE7191PO154.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6672
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Mutant created: \Sessions\1\BaseNamedObjects\HgCSbKrEobptZG

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\1596fe26-fb56-41aa-942f-03edf58d2228

Jump to behavior

Source: QUOTE - FE7191PO154.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: QUOTE - FE7191PO154.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: QUOTE - FE7191PO154.exe

ReversingLabs: Detection: 50%

Source: unknown	Process created: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe "C:\Users\user\Desktop\QUOTE - FE7191PO154.exe"
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Process created: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe "C:\Users\user\Desktop\QUOTE - FE7191PO154.exe"
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6672 -s 12
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Process created: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe "C:\Users\user\Desktop\QUOTE - FE7191PO154.exe"	Jump to behavior

Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Section loaded: userenv.dll	Jump to behavior

Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: QUOTE - FE7191PO154.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: QUOTE - FE7191PO154.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: QUOTE - FE7191PO154.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Code function: 0_2_00007FFD3463D1C8 push E9605589h; ret		0_2_00007FFD3463D1CE
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Code function: 0_2_00007FFD34639279 push E9FFFFFFh; iretd		0_2_00007FFD3463927F

Source: QUOTE - FE7191PO154.exe

Static PE information: section name: .text entropy: 7.910968298141551

Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Memory allocated: 31D0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Memory allocated: 1B680000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe TID: 4396

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe

Thread register set: target process: 6672

Jump to behavior

Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe

Process created: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe "C:\Users\user\Desktop\QUOTE - FE7191PO154.exe"

Jump to behavior

Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Queries volume information: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\QUOTE - FE7191PO154.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Software Packing	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	111 Process Injection	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
QUOTE - FE7191PO154.exe	50%	ReversingLabs	ByteCode-MSIL.Trojan.Heracles

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1467839
Start date and time:	2024-07-04 21:37:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	QUOTE - FE7191PO154.exe
Detection:	MAL
Classification:	mal56.evad.winEXE@4/1@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 56% Number of executed functions: 64 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target QUOTE - FE7191PO154.exe, PID 2356 because it is empty
VT rate limit hit for: QUOTE - FE7191PO154.exe

Simulations

Behavior and APIs

Time	Type	Description
15:38:15	API Interceptor	1x Sleep call for process: QUOTE - FE7191PO154.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\QUOTE - FE7191PO154.exe.log

Download File

Process:	C:\Users\user\Desktop\QUOTE - FE7191PO154.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1510
Entropy (8bit):	5.380493107040482
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNl+84xp3/VclT:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAA
MD5:	3C7E5782E6C100B90932CBDED08ADE42
SHA1:	D498EE0833BB8C85592FB3B1E482267362DB3F74
SHA-256:	361A6FF160343A2400F7D3FA4A009EA20C994B9788C190EB9D53E544BB376490
SHA-512:	3A90D61631F4DC920860AEA31FDB5E56A102206311705D5D084E809D364F680B4E95F19CE9849D3F9CB3C2C273393FD2F2C67720BAAA885125EE358D59462B0A
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.907088620073485
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	QUOTE - FE7191PO154.exe
File size:	844'288 bytes
MD5:	5898fd19077369ca6c8f80ddc009a433
SHA1:	970a6ffcc89ddfddccff95010c499f5e83473800
SHA256:	bb6c1c855a768f76b9d130976331ab87f18a2f38190de1fae466da8c8b292fbb
SHA512:	fbc1996d0e87a2a64dff96fd5a60551222766497de8e2c2c6d7f05716cb44d300c9173dfe81563db0d1f9e49d9b5d100f52cc6668491e24d12e46f614fb23ac0
SSDEEP:	24576:GKk5kYOPu2hnx2kgLpZdj9RMhmrax7lvi:GKC66vLpamux5v
TLSH:	E505120033FD4B26E07F67F9A83486259BF17DAA64B5E34E0EE160DE1971B404E6076B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."...0......,........... .....@..... ....................... ............@...@......@............... .....

File Icon


Icon Hash:	a1c6d08eaad06986

Static PE Info

General

Entrypoint:	0x140000000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66860286 [Thu Jul 4 02:01:42 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xce000	0x2b6c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xcb2b8	0xcb400	244081348a7f7e57c0dfd13b022bf4be	False	0.9319060866389914	data	7.910968298141551	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xce000	0x2b6c	0x2c00	def321050fcf98af32ee85526eaa081d	False	0.9058948863636364	data	7.642288717282626	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xce100	0x253b	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9887734760256006
RT_GROUP_ICON	0xd064c	0x14	data	1.05
RT_VERSION	0xd0670	0x2fc	data	0.43324607329842935
RT_MANIFEST	0xd097c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: QUOTE - FE7191PO154.exePID: 2356, Parent PID: 4004

General

Target ID:	0
Start time:	15:38:15
Start date:	04/07/2024
Path:	C:\Users\user\Desktop\QUOTE - FE7191PO154.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\QUOTE - FE7191PO154.exe"
Imagebase:	0x810000
File size:	844'288 bytes
MD5 hash:	5898FD19077369CA6C8F80DDC009A433
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: QUOTE - FE7191PO154.exePID: 6672, Parent PID: 2356

General

Target ID:	3
Start time:	15:38:16
Start date:	04/07/2024
Path:	C:\Users\user\Desktop\QUOTE - FE7191PO154.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\QUOTE - FE7191PO154.exe"
Imagebase:	0xc30000
File size:	844'288 bytes
MD5 hash:	5898FD19077369CA6C8F80DDC009A433
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 6284, Parent PID: 6672

General

Target ID:	6
Start time:	15:38:16
Start date:	04/07/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6672 -s 12
Imagebase:	0x7ff66aa10000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: QUOTE - FE7191PO154.exePID: 2356, Parent PID: 4004COMMON

Executed Functions

Function 00007FFD3463FC59 Relevance: .5, Instructions: 486COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f518ec11a74ad92ae8af7b1ed238a52510aa9c07e019ebfbd8afdb3345af5e33
Instruction ID: 4aa33dbe5316e13b123b61b268bcd5011e5001416b6c00a415180751e5ca1418
Opcode Fuzzy Hash: f518ec11a74ad92ae8af7b1ed238a52510aa9c07e019ebfbd8afdb3345af5e33
Instruction Fuzzy Hash: D5F1186190D7D64FEB1ADF6488A12A53FA0EF17304F1845BFC589CB2A3EA2C640AD751

Function 00007FFD3463D7C7 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c1ea68ccff7fdfa4496b1914fdc8a65d52ed4ba8b21ebb1008f9125a7032e41
Instruction ID: fcac1265fc1b0df4ee6d5de73584ae4c238c8730dea89d2c545ea24f6ca69932
Opcode Fuzzy Hash: 0c1ea68ccff7fdfa4496b1914fdc8a65d52ed4ba8b21ebb1008f9125a7032e41
Instruction Fuzzy Hash: 16C1FA70A1862A8FDBA8DF14C4A0BE9B7B2FF59304F1041ADD11ED7696DB386985DF00

Function 00007FFD34637E92 Relevance: 5.9, Strings: 4, Instructions: 925COMMON

Download Yara Rule

Strings

(@m4, xrefs: 00007FFD346388E6
@1m4, xrefs: 00007FFD34638644
{z}, xrefs: 00007FFD346384D4
@1m4, xrefs: 00007FFD346383C9

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID: (@m4$@1m4$@1m4${z}
API String ID: 0-2395262164
Opcode ID: 0e21a405ee4a23b52989766104bf605fded4b75e42dc5afaf6f95addc068c866
Instruction ID: 108b0d2578611d1495e21eb0d6b93a715b49c057d12580cf4377d967ec6a36b8
Opcode Fuzzy Hash: 0e21a405ee4a23b52989766104bf605fded4b75e42dc5afaf6f95addc068c866
Instruction Fuzzy Hash: 96721974619A8D8FEBB9DF18C8A4BE937E1FF5A310F504169D84DCB2A1DE386941CB40

Function 00007FFD34636A9A Relevance: 1.9, Strings: 1, Instructions: 645COMMON

Download Yara Rule

Strings

[, xrefs: 00007FFD34636D69

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID: [
API String ID: 0-784033777
Opcode ID: 7e1f1358ef1ad94772740ef5a31ff2e7726d7c73340af429e016889363f78e16
Instruction ID: f56a06da685ab84ddeeade89c1cd8b18cc69caacabe268559e205b84d53a75c0
Opcode Fuzzy Hash: 7e1f1358ef1ad94772740ef5a31ff2e7726d7c73340af429e016889363f78e16
Instruction Fuzzy Hash: 6342B974A1856D8FDBA4EF58C8A4BE9B3B1FF59301F5041E9D00DE72A5DA39A981CF00

Function 00007FFD3463AE6A Relevance: 1.8, Strings: 1, Instructions: 512COMMON

Download Yara Rule

Strings

X4m4, xrefs: 00007FFD3463B16C

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID: X4m4
API String ID: 0-4252521538
Opcode ID: 6a63e28d3075d0df45ddc342f287e38290b3dc0265f707ddeb490e4ad5926d29
Instruction ID: 08395e176d0f69124359194bc01361278514de794cec56a3e9b44c6d5e439afb
Opcode Fuzzy Hash: 6a63e28d3075d0df45ddc342f287e38290b3dc0265f707ddeb490e4ad5926d29
Instruction Fuzzy Hash: D222FC74A1466D8FDB99DF14C8A0BEAB3B2FF99300F1041E9C50DD7296CA35A982DF40

Function 00007FFD3463A210 Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

Sm, xrefs: 00007FFD3463A22B, 00007FFD3463A2A1

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID: Sm
API String ID: 0-1185187822
Opcode ID: 6918c4e501cd692f20e6ba1a7a7c002f127aaf36a9bf32b40f6a409d410f3ee2
Instruction ID: a886fad7b8ed49f92f423bae498d2151e43b87f4fd0b0eb01436286f98dbbb2f
Opcode Fuzzy Hash: 6918c4e501cd692f20e6ba1a7a7c002f127aaf36a9bf32b40f6a409d410f3ee2
Instruction Fuzzy Hash: 8251073461468C8FDBA8DF09C8A0BE977A1FF59305F10416DC94DCB3A1CB79A981DB00

Function 00007FFD3463A0B2 Relevance: 1.4, Strings: 1, Instructions: 104COMMON

Download Yara Rule

Strings

Sm, xrefs: 00007FFD3463A570

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID: Sm
API String ID: 0-1185187822
Opcode ID: 9bb1efbd8378dba2ae2788dc8fc078ae07deb53fff0399684614ddae5f68a271
Instruction ID: bb803cec4e5daca03be0e9df759127cebe7ba54a7b4f0959760118f4fb3b5404
Opcode Fuzzy Hash: 9bb1efbd8378dba2ae2788dc8fc078ae07deb53fff0399684614ddae5f68a271
Instruction Fuzzy Hash: AD412C7460869D8FDB78CF04D9A07E837A1FF59345F50416DDA0ECB2A1CB79AA84EB40

Function 00007FFD346409C3 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

7, xrefs: 00007FFD346409E7

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID: 7
API String ID: 0-1790921346
Opcode ID: 7ca46f7b73add5c8b24b7e14ff8344aa3b5e2300dcf360187bf6924b064a9f95
Instruction ID: aa120b490c59687e6c71e00204bd8f2a9c8a7a2d440b9a0aa72f794499d47dc0
Opcode Fuzzy Hash: 7ca46f7b73add5c8b24b7e14ff8344aa3b5e2300dcf360187bf6924b064a9f95
Instruction Fuzzy Hash: CA118230718A654AEF1C992984A15BC73D7EB8A710B14943DD587C62D2CD2CE8425280

Function 00007FFD34640A38 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

^, xrefs: 00007FFD34640A4A

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID: ^
API String ID: 0-1590793086
Opcode ID: 9527304dc9f09e77af6448412e460483cba8c56d888b6d10bc22a95c8e4ef8d3
Instruction ID: b66dc1f3305e07d659f65d95beb5599014179a836a8411ef5636791e82ae92d5
Opcode Fuzzy Hash: 9527304dc9f09e77af6448412e460483cba8c56d888b6d10bc22a95c8e4ef8d3
Instruction Fuzzy Hash: 1F114230B18A754AEF2D5E2884B02FD76E6EB46701F24543DD5DBC22C2DD3CE542A540

Function 00007FFD3463460B Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

o+, xrefs: 00007FFD34634657

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID: o+
API String ID: 0-251698391
Opcode ID: 13f601f8d13c317e00238d3914acbb5ec0e8370d6ec18f574aaafa878dc985ee
Instruction ID: 3e2c4f23cc75450560d5f5a07ecbb40448f24d06dc382670b36a6bfddd5a922f
Opcode Fuzzy Hash: 13f601f8d13c317e00238d3914acbb5ec0e8370d6ec18f574aaafa878dc985ee
Instruction Fuzzy Hash: B511BB70F185A99FDB98DF54D4E4BA8B7B1EF5A315F5000ADD14ED22A1CA38A980DF01

Function 00007FFD346409A9 Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

7, xrefs: 00007FFD346409AD

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID: 7
API String ID: 0-1790921346
Opcode ID: 7f2226407e23029f552ae7128a920cb5feea730c5af178848706fe2648aed2d9
Instruction ID: 664c49ad2067c1b633f6e4f7e8e0761bb3f66e31197780e47ea5dcc6d14d9b3e
Opcode Fuzzy Hash: 7f2226407e23029f552ae7128a920cb5feea730c5af178848706fe2648aed2d9
Instruction Fuzzy Hash: E1018F30B1CA654AEB2C9E2884A05FC73E6EB46711F24543DD59BC22C2CE3CE842A280

Function 00007FFD3463A03E Relevance: 1.3, Strings: 1, Instructions: 24COMMON

Download Yara Rule

Strings

Sm, xrefs: 00007FFD3463A570

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID: Sm
API String ID: 0-1185187822
Opcode ID: 7450f5eec610a5eed5e14cf419ff14686eb73b7d96168903e5da605e750dd465
Instruction ID: 9115b2518affe71817621961edb236a4b0512ada8287aa89b1c23b471048b94a
Opcode Fuzzy Hash: 7450f5eec610a5eed5e14cf419ff14686eb73b7d96168903e5da605e750dd465
Instruction Fuzzy Hash: E7F0B77490968D8FDB64DF04C8A0BE83BA1FF59344F20812AD94DCB3A1DB34A544EB40

Function 00007FFD3463BBA2 Relevance: .7, Instructions: 748COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb0bc8c9e5468c7b187786edcac1c0b06b0ff74ab00936f32f25b0a10da1a607
Instruction ID: 6545d32369f263ca42458e35cb42e17f9115461ec4d06eb2665767183b850f06
Opcode Fuzzy Hash: eb0bc8c9e5468c7b187786edcac1c0b06b0ff74ab00936f32f25b0a10da1a607
Instruction Fuzzy Hash: 69425B7462098E8FE769DF08C4A5BE433A1FB5D304F6444BCC95ECB795CA79A982CB10

Function 00007FFD346346EC Relevance: .6, Instructions: 557COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0438a21afb91598b284556be4cb88c5df14a393051a7ead364347bb6064107ab
Instruction ID: c7ce6a4a5fdec2cff5d3fb8d08f2b889eca9cb4fa86b7bbfd6945bc7c0e8d139
Opcode Fuzzy Hash: 0438a21afb91598b284556be4cb88c5df14a393051a7ead364347bb6064107ab
Instruction Fuzzy Hash: 75229875A0895D8FDF99EF18C8A9BE8B7F1EB69301F5401E9D00DE7291CA35A981CF40

Function 00007FFD346312F9 Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9263a26001e47708baf427e74188912eb7c5583fcd774ca44791ea2cea684b98
Instruction ID: 5af8004cdc0ee55b28020796a631b757e9b081a6fafd62f3d4353de5c020a96e
Opcode Fuzzy Hash: 9263a26001e47708baf427e74188912eb7c5583fcd774ca44791ea2cea684b98
Instruction Fuzzy Hash: A2E10874A0461A8FDB55EF98C4A4AFDB7B1FF59300F2044A9D10EE7256CB39AA81CF50

Function 00007FFD3463171D Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33fef51f902e922f1503661027581249ed6765445edb71288cb09a5b089659f1
Instruction ID: ea0b62569e48d0b05b9602ef08752f71c05168ca2e3d9ef0f92fb6bf4bbf41f2
Opcode Fuzzy Hash: 33fef51f902e922f1503661027581249ed6765445edb71288cb09a5b089659f1
Instruction Fuzzy Hash: 18D1B534A09A5D8FDB99EF18C4A4BE973B1FF69300F5005A9D40ED72A6CA75AD81CF40

Function 00007FFD3463495F Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1966d00052f41afe0665c45e8cf51e164a4fe145c408f79f068eb4de1c87b45
Instruction ID: a447b710a9113ebe813ef360ba6bab9c8e6ebfb7d3f39cce2b2affe1784b50e7
Opcode Fuzzy Hash: f1966d00052f41afe0665c45e8cf51e164a4fe145c408f79f068eb4de1c87b45
Instruction Fuzzy Hash: 82D18871A0895D8FDFA4EF58C8A9BE8B7F1EB69301F1401E9D00DE7291CA35A981CF41

Function 00007FFD34631C88 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da727cd832d66b6e2dc1df628dc2dac6937e2341469a1b2fd02b4417a6bdfd66
Instruction ID: ea80503d7f307f01949ce0f0c74fbb166c11105e661e854add43f74984abbf45
Opcode Fuzzy Hash: da727cd832d66b6e2dc1df628dc2dac6937e2341469a1b2fd02b4417a6bdfd66
Instruction Fuzzy Hash: 99B16874A08A5D8FDBA4EF18C899BA9B7F1FB59301F5041E9D04DE7265CA35AD81CF00

Function 00007FFD34634D92 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28167b3c4621f25e767fbf026f18b745aba7cb8fea6d93d4fcb9ae71f910e5dc
Instruction ID: 5266aef1c35a0e2aea403400c5881bb501eee37bf8019f7e3b3d5abf0357df3a
Opcode Fuzzy Hash: 28167b3c4621f25e767fbf026f18b745aba7cb8fea6d93d4fcb9ae71f910e5dc
Instruction Fuzzy Hash: 6FA19975A0995D8FDBA5EF58C8A9BE8B7F1EB69300F5401E9D00DE3291CE35A981CF40

Function 00007FFD34635FE9 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d65e5e31f54c4fa7e92448a5b75f62179c6e3f091014bc3ba27eaabd059e70b0
Instruction ID: 80d582aa3d6a91b63951547334bd1a152a44bccd7953f4c2d806df7b88b05e95
Opcode Fuzzy Hash: d65e5e31f54c4fa7e92448a5b75f62179c6e3f091014bc3ba27eaabd059e70b0
Instruction Fuzzy Hash: 45618D30A0C6AD8FDBA5DF6888A5AE97BB1FF56314F1441BAD10DD71A2CB399841DB00

Function 00007FFD346402C0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 749c3bde9e830147cd6a82598e1fb35a4b4d44aa59c5955e0165b0189d387710
Instruction ID: e97070896d53ecc4ab5648e17391d832bb470db11569f45c80081dc08c91c2ff
Opcode Fuzzy Hash: 749c3bde9e830147cd6a82598e1fb35a4b4d44aa59c5955e0165b0189d387710
Instruction Fuzzy Hash: 4A61F821A0D7E14FE7169B248CA57A53FB1EF57310F1981FAC189CB2E7D91C680AD391

Function 00007FFD34640644 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14dc8192ec05ea305dc4041687b471a044941cd298ca9a873a829de2f0664d21
Instruction ID: c0b97be1688491ff512d1106c9eb5af80e8c935b71dc5b859d7e65aa4488409f
Opcode Fuzzy Hash: 14dc8192ec05ea305dc4041687b471a044941cd298ca9a873a829de2f0664d21
Instruction Fuzzy Hash: 17610630A0D7D54FDB1A9F2488A56A53FB1EF57310B1941FEC08ACB1E3D92CA846C792

Function 00007FFD3463601D Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3a4e5ab4bc9b3eb447a002bb3e7f079a68dd8444391394f336512316ac9faaa
Instruction ID: fd0ea2b88e384a3fb11dbe107c266d1ee776801383ea1e4ece343b2c1914f733
Opcode Fuzzy Hash: d3a4e5ab4bc9b3eb447a002bb3e7f079a68dd8444391394f336512316ac9faaa
Instruction Fuzzy Hash: 7A51A330A0D6AA4FDBE6DB6888B5AE87BB1EF56310F1440BAD14DD71A2CA295842D700

Function 00007FFD346406C3 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 928ca9baa8d332aa2fb0cc52ce0d39d18e12155ee6ed1609062f3bfad883131e
Instruction ID: 87b969654ee54b3b635dc5a96e90c629e7f71b5a9db5c2943e2ef1c393efe7c0
Opcode Fuzzy Hash: 928ca9baa8d332aa2fb0cc52ce0d39d18e12155ee6ed1609062f3bfad883131e
Instruction Fuzzy Hash: A561D631A0D6954FDB1ADF2489A59A53FB1EF6731071941FAC08ACB2A3D918EC06C792

Function 00007FFD346318DB Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e05a1e8119aa9b11c199075a73bf833064630daaf6c2874c1d8d52177f531123
Instruction ID: b8645b2acae584b7d248c6c646a102776af31c977823c27acd186703fd605dd0
Opcode Fuzzy Hash: e05a1e8119aa9b11c199075a73bf833064630daaf6c2874c1d8d52177f531123
Instruction Fuzzy Hash: 6261A134A08A5D8FDBD5EF18C4A8BA973E1FF69305F5001E9A01DD72A6CA75AD81CB40

Function 00007FFD3463FBB8 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 668d177d8ce1d82630de3a66ce10e0becf78621c03e8c670ad652956d3d4c7b0
Instruction ID: 3ecae47ce012f14ebf1643c0fe7a400276752abb7ab8397f167d73f330ed0e70
Opcode Fuzzy Hash: 668d177d8ce1d82630de3a66ce10e0becf78621c03e8c670ad652956d3d4c7b0
Instruction Fuzzy Hash: 9751F134A0CA1A8FEF18EF58C4A17FE77A5FF5A300F101679D509E7292CA3CA9459781

Function 00007FFD34649EB0 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e62bca0b9e47cd1cf30dda663a874121ee24c60fabfb368c719c66e09d044f4b
Instruction ID: 00758fdf4c81e0c34b48c25e82220e97d09e596c182dca78c81cf01a5c739786
Opcode Fuzzy Hash: e62bca0b9e47cd1cf30dda663a874121ee24c60fabfb368c719c66e09d044f4b
Instruction Fuzzy Hash: F251C030A4861DCFDF88DFA8C4A5AEE7BB1FF59340F100069E509E7281C628E955DF90

Function 00007FFD34638E0C Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1977e6f0c6f8ebd8daf84c9da7930ccbd486e7b6eee73f69ca70774eb3891e2
Instruction ID: 8fac8b612265baacba84c8314168b2fe4a1d6048a55ece7ae9497a5b71e83e74
Opcode Fuzzy Hash: a1977e6f0c6f8ebd8daf84c9da7930ccbd486e7b6eee73f69ca70774eb3891e2
Instruction Fuzzy Hash: 8F518770A19A6D8FDF98DF58C8A4BEC77F1FB59301F1051A9D10EE7291DA38A980DB00

Function 00007FFD3463D79F Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84ca30010bcb5ff21020ceb7e22f77e6724014830efe0252816eef9965758462
Instruction ID: c70221d199daa3569ba01d0771d1265244aac1c77cd738ac693e8430aef4abc2
Opcode Fuzzy Hash: 84ca30010bcb5ff21020ceb7e22f77e6724014830efe0252816eef9965758462
Instruction Fuzzy Hash: 9351ED70A1852A8FDBA8DF54C8A0BECB7B1FF55304F5040A9C51ED7695DB386985DF00

Function 00007FFD34640795 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a02980204ba9224951eba60ddc5e928123d410023daeb4715f34ec808e45bc4f
Instruction ID: 839f3dbd6a305072113ef08219e47c15024cc35e8ce5c1acd9f963f13831f858
Opcode Fuzzy Hash: a02980204ba9224951eba60ddc5e928123d410023daeb4715f34ec808e45bc4f
Instruction Fuzzy Hash: 9741DF6190E7D54FDB239B748CB51A57FB4EF13210B1941EBD0CACB1A3D91CA84AD362

Function 00007FFD346407DF Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b63dc237c9567941fd934284c01de0c531f5ba6967bca57da49341f2f122e402
Instruction ID: dc1af70eb6437fdf270c006edb59a45913f71188c2385fe7efa302abfec686ee
Opcode Fuzzy Hash: b63dc237c9567941fd934284c01de0c531f5ba6967bca57da49341f2f122e402
Instruction Fuzzy Hash: 5641DE7190E7D54FDB239B748CB52A53FB4EF13210B0941EBD48ACB1A3D95C984AD3A2

Function 00007FFD346407BF Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 540057875ded779c498a49dad57401178371b03bb3b1d3582d76f6504d0af35d
Instruction ID: 9a832aec4d04f3ec59a46c6e65053cdf64953f26b50aa83a5f3fe5dcb6de7fdf
Opcode Fuzzy Hash: 540057875ded779c498a49dad57401178371b03bb3b1d3582d76f6504d0af35d
Instruction Fuzzy Hash: 2441CB6190E7D54FD7279B748C651A53FB4EF53210B0941EBD4CACB1A3E918A84AC3A2

Function 00007FFD34637C24 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8eaecac896eacd755ca1e7594c8b7175e0646db6bd7d730262915b3c47247c8
Instruction ID: 0636ebe0d331ce85d72d9678aff99192e57b58b6cb18c2a54f5aa424f795848d
Opcode Fuzzy Hash: e8eaecac896eacd755ca1e7594c8b7175e0646db6bd7d730262915b3c47247c8
Instruction Fuzzy Hash: 6F41F3B0E0822A8FDB59DFA8D4A05FDB7F1EF49316F20447AD50AE3291DA386840DF54

Function 00007FFD3463F115 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a031a52093575767958317b6c9b19a6678bae7892605023d655b190e2a235f3d
Instruction ID: 6d7148f3405390c3858f9653cb18c7147b0da47046303c42770406d155476ddf
Opcode Fuzzy Hash: a031a52093575767958317b6c9b19a6678bae7892605023d655b190e2a235f3d
Instruction Fuzzy Hash: 3F310931E08A5D8FDF98DF98D4A0AEDBBF5FB59300F10006AD10DE7291DA28A840DB40

Function 00007FFD3463113D Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6b4d482c5031c280e1017d2726b22911568bc71d25523310f4f23de5f0018e5
Instruction ID: 78146f6b0467144430023ae8aaad7b72580fe34ed3d726058bc4dac8661b6ef8
Opcode Fuzzy Hash: b6b4d482c5031c280e1017d2726b22911568bc71d25523310f4f23de5f0018e5
Instruction Fuzzy Hash: 1131F572F0DAEA4FE766DA2888755E87BA0EF56350F0401B7C54CDB1A3DF286C068740

Function 00007FFD34640828 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b03ccfaf6f8f49e311b227d0cf2934174626770757a66474d079f3a41f0d461
Instruction ID: 9984562dd60faaf54b04b78237ea5e995504a7fd5e77defc460cb5aa4205a17c
Opcode Fuzzy Hash: 6b03ccfaf6f8f49e311b227d0cf2934174626770757a66474d079f3a41f0d461
Instruction Fuzzy Hash: 8E31DC7180E7C45FDB239B748C655A17FB4EF63210B0902EFC089CB1A3DA5C580AC3A2

Function 00007FFD346365C1 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a2c4c8ca9ad357df5a56654c9f4f48a62d75bfa181749455634569788bc53ad
Instruction ID: 268e4974c0dfccf892e78cfc174bb9643ffa4e6708b989a5a9949e8f01710541
Opcode Fuzzy Hash: 9a2c4c8ca9ad357df5a56654c9f4f48a62d75bfa181749455634569788bc53ad
Instruction Fuzzy Hash: 6941DE74E0856D8FDBE8DF5884A4BB8B7B1FB6A300F5441BEC10EE72A1CA385944DB01

Function 00007FFD34633808 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a80a0cce9e8702d5a2e65c67beb7d032c2437a2080ef6e8b763074479ed0fe4
Instruction ID: 4728848162eece413723421c598aed76fb836cf554f14830c372a4259e25bb0f
Opcode Fuzzy Hash: 0a80a0cce9e8702d5a2e65c67beb7d032c2437a2080ef6e8b763074479ed0fe4
Instruction Fuzzy Hash: 2B31A731E1895D9FDF98DF98D4A4AEDBBF5FB59300F10012AD10DE7290DA29A840DB40

Function 00007FFD34639856 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d40849b41dda77b410c0b768d85007af78b4a036954ff5e1add8bd6bd0024baa
Instruction ID: 156cd57238afbea91b7c58d74f3b85550106f66b7140bf72fba187ba8eef3e8f
Opcode Fuzzy Hash: d40849b41dda77b410c0b768d85007af78b4a036954ff5e1add8bd6bd0024baa
Instruction Fuzzy Hash: 8B31DD34A10A2DCFDBA0DF58D490BD9B7F0FF59321F5045A5DA09E7261DB38A9848F10

Function 00007FFD34638C09 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5493b37c7e0ef153fbc691fd8ac87a2eaecfc16167b17cf5ed8fb2e04b82b18e
Instruction ID: d33aa6ece8eae486a90a38b309917c3e5c0ff20f981e060424e7b325c9a3272a
Opcode Fuzzy Hash: 5493b37c7e0ef153fbc691fd8ac87a2eaecfc16167b17cf5ed8fb2e04b82b18e
Instruction Fuzzy Hash: 7631E5B0E196AE8FDB54DF98C4A05EDBBF0FF49700F14047AD509E7291DA386904DB50

Function 00007FFD3463A3C4 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c982cc9d644b67af7fdcaf077e464d384c5a1f4dfad32d57e4969ba72be3c00
Instruction ID: 317f0d7c4bb9a059c36d5b6e71081d4344d388d910355a6bfb96c5d676dfecca
Opcode Fuzzy Hash: 1c982cc9d644b67af7fdcaf077e464d384c5a1f4dfad32d57e4969ba72be3c00
Instruction Fuzzy Hash: 3E311E7061859D8FDFA9DF09C8A0BE937A1FF68301F10016AD90DCB2A1CA39E981DB40

Function 00007FFD346338C0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ac41669d8217c1fdc93c1d7bd394b35fa6b97a3bef31f8e2d4c3b68f1fbab9c
Instruction ID: b8e2319361eced57e7a88033ea60ac3a41c79c8d4e489d954e3c5138f6375ab0
Opcode Fuzzy Hash: 8ac41669d8217c1fdc93c1d7bd394b35fa6b97a3bef31f8e2d4c3b68f1fbab9c
Instruction Fuzzy Hash: BE21C3B0E1966E9FDF54DF98C4A0AEDB7F1FB89701F10143AD51AE3290DA386904AB50

Function 00007FFD34631248 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 047388359fc063e84ccc10084091d8dce7add2040a841e1852dcb24b89319e3f
Instruction ID: 4854f3e154bea4a707372a3426cd9f54f3482b1ba139e53ef42395cd4ecc7791
Opcode Fuzzy Hash: 047388359fc063e84ccc10084091d8dce7add2040a841e1852dcb24b89319e3f
Instruction Fuzzy Hash: C6115171A1899E5FDB94EF04C8A16EAB3B1FF68300F4082F6D51DD31A6CE346E818B40

Function 00007FFD34637B5B Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf55524431188c89b7513c0ca53ca963cf2b5574010697fc8732a85503a4844c
Instruction ID: bc3b1a35b299e6c86f497bd810a602e356d473c8d4fd8ab36f88e6807ffe7649
Opcode Fuzzy Hash: cf55524431188c89b7513c0ca53ca963cf2b5574010697fc8732a85503a4844c
Instruction Fuzzy Hash: 6C21E270A1866D8FDBE4EF18C8A4BA877B1FF59301F5040F5810ED3265CB38A9809F41

Function 00007FFD3463C521 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fba68ecb1da75f5cd515049d37ac38e1eb4a88edfe298c40945c4880ec7aee5
Instruction ID: 68801bd60f3b940b6486fa60f3c6307fbbb93de6e1fd553c43019d80daf0238e
Opcode Fuzzy Hash: 8fba68ecb1da75f5cd515049d37ac38e1eb4a88edfe298c40945c4880ec7aee5
Instruction Fuzzy Hash: AF11C272B1D79D8FE7659F6488752E977A0FF06310F0401BAE048D3292CE686D15D751

Function 00007FFD3463976A Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1644a5ae346acf5b4c13b5defe35e2ea08ceaa0ffe76de0369a59eed8b0799a4
Instruction ID: 7f5ac660a9c8dc3db45c34c8c14a39f0b9ddd966f87690768f1349fcd3853752
Opcode Fuzzy Hash: 1644a5ae346acf5b4c13b5defe35e2ea08ceaa0ffe76de0369a59eed8b0799a4
Instruction Fuzzy Hash: 6A11B230E18969CFDBA4DF58D8A0AECB3B0FF49305F5400A5D50DE76A1DB38A9449F00

Function 00007FFD34635031 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c90fa4f377f0f419b0b9285fbb170d11727ed8a978075f0f1f5992ec13d9b85
Instruction ID: 3dd45a21cb16143fb87671e4d349b83a577bec9087699c56f4c1789e67f5107e
Opcode Fuzzy Hash: 3c90fa4f377f0f419b0b9285fbb170d11727ed8a978075f0f1f5992ec13d9b85
Instruction Fuzzy Hash: CA118E2188E3D55FE7634B7059725E53F649F43210F0901E7E588CB4E3CA1D2A9AD392

Function 00007FFD34640A0B Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dbf9cb9fe53357f3fb02b150e2aeb5fe99beacc6dfd3bc60208041ba4649a4b
Instruction ID: 6a43c0c10e1cb17b91bb1c7fe4ebf6b720c688059153e91765b6474dc3e28681
Opcode Fuzzy Hash: 4dbf9cb9fe53357f3fb02b150e2aeb5fe99beacc6dfd3bc60208041ba4649a4b
Instruction Fuzzy Hash: 600152307589654AEF2C9E2884A16F833E6EB4A311F24903DD59BC62D2DE3CE9429680

Function 00007FFD346308ED Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b3cf26b563f14b478ff49044e958be00459bbaf76522df4c8f2dda5d7b1ab3c
Instruction ID: 2130a89724a605719376f4e783b1e539e3ed1c0e039ebb224db01573aba30d29
Opcode Fuzzy Hash: 4b3cf26b563f14b478ff49044e958be00459bbaf76522df4c8f2dda5d7b1ab3c
Instruction Fuzzy Hash: 6901A130658B8D8FDB95EF14C8A56EA37A0FF5A304F4101BAD449C71D7DE39A955C700

Function 00007FFD3463B91E Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72edfe3030d65dd9ab654c171656c8da3a0bc76c0bdb750879db9de49b493b62
Instruction ID: 8f92d13b77fbec030ebc82449393f38c93623b3acf3222b3e1af7de5ad26c68a
Opcode Fuzzy Hash: 72edfe3030d65dd9ab654c171656c8da3a0bc76c0bdb750879db9de49b493b62
Instruction Fuzzy Hash: 4C0171319086CA8FD7559F6488A66E57BE0FF46304F0401BAE548C31E3CA28A955D781

Function 00007FFD3464096D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f881af3369c5cdc38de875a3e0f7901addcaf68dc8183a242eb0a576b2de80e
Instruction ID: ede4d32744667f390b5018da1849669693e6dc0a792dd5ad8aa8f7bafab6e62f
Opcode Fuzzy Hash: 6f881af3369c5cdc38de875a3e0f7901addcaf68dc8183a242eb0a576b2de80e
Instruction Fuzzy Hash: C701A230B68A694AFF289E2884F46FC33D7EB46311F24513DD59BC62C2DE3CE5429240

Function 00007FFD3463086A Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04c355acc60fead68961dcb9b6fe8f14444ebb127c819b2b4057eee7ac7339ba
Instruction ID: d1bf702f2764d4940b57a52d58106214771fefa7352109a17ba88dd9bff5e5eb
Opcode Fuzzy Hash: 04c355acc60fead68961dcb9b6fe8f14444ebb127c819b2b4057eee7ac7339ba
Instruction Fuzzy Hash: C0F0F652E1EBDB0EEB12AB3848B91E63BB09F23344F4555B3C1C4DA0E7DC2C6809C251

Function 00007FFD3463C550 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ac4822f97def53b8fe53004f699ec1ec8f43e07ff9791906183efa1c161cbf9
Instruction ID: dcd69d61505ef90358f44b86158ec4fd7dcbdfab9e3dd5e95ede5c82a36f7db3
Opcode Fuzzy Hash: 6ac4822f97def53b8fe53004f699ec1ec8f43e07ff9791906183efa1c161cbf9
Instruction Fuzzy Hash: D4F08171B19AAD8FEB64DF5488647E9B6A1FB49310F00057EE009D3281CE786854D741

Function 00007FFD3463B940 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a12e33fedd933b759d36ca190fe2027894efa7949b7d84ad90a8eb346699a2cb
Instruction ID: f91d165b5fdfbc2a302db88bc71f42df1f7e1b40d6d68ab3c4a133c1c10e9b01
Opcode Fuzzy Hash: a12e33fedd933b759d36ca190fe2027894efa7949b7d84ad90a8eb346699a2cb
Instruction Fuzzy Hash: 86F08931A0898E8FDB54EF5498A62FAB6D0FF59305F04057AE45CC21D3DE38A564C781

Function 00007FFD3463675B Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa4934e6aa31bbaf0ba1703fa86e9358a00486674b60051978b273037049a882
Instruction ID: e60daf9a34f34a3642ba4b83ee90230502033779bb72e3fc0017dc46f6207fd8
Opcode Fuzzy Hash: aa4934e6aa31bbaf0ba1703fa86e9358a00486674b60051978b273037049a882
Instruction Fuzzy Hash: 94F0F470A0496D8FCFA4EE18C894FA9B7B1EB65301F5081D9804EE7251DE31A9C5CF41

Function 00007FFD3463F5B5 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2255af03e3716246a8722fc733bacf4ed637bebb643b2c06e5527a641d641cf0
Instruction ID: 0394b97a026e367a327d9d7d6eb0b68d81d0960659028f4ad793a86a09f1143c
Opcode Fuzzy Hash: 2255af03e3716246a8722fc733bacf4ed637bebb643b2c06e5527a641d641cf0
Instruction Fuzzy Hash: 88E04F3280E3D85FD7139B608C615E6BFF4BF53210F0A42D7E588CA0A3DA5C5A18C792

Function 00007FFD3463ECF8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c72d570bc1cc9321e96e7b773fc465829c39c92da99655056b4be7ca3968914e
Instruction ID: fbcb23f8777b8bb3de1fb020f389ba10eb2ba3ce241d1c7978f5fd77afc65110
Opcode Fuzzy Hash: c72d570bc1cc9321e96e7b773fc465829c39c92da99655056b4be7ca3968914e
Instruction Fuzzy Hash: 90E0EC75A1989E8EEBB4DF18C8F57EC2391FB56300F400239880DC6292DE3825429711

Function 00007FFD34636A38 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d895274f7d8a972aff347fa17ea2a4f895eae459d27ef2be6fdb478c50f15288
Instruction ID: ecdd1f5459e80e27d850738430d9c954aca99b651ec00c85aeba2528551e0d4e
Opcode Fuzzy Hash: d895274f7d8a972aff347fa17ea2a4f895eae459d27ef2be6fdb478c50f15288
Instruction Fuzzy Hash: 77E09A70D0862DCFDBA5DF54C8A16EDB7B0FB19300F5041A9900EE3250DE345A80DF00

Function 00007FFD34636A13 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f75339c8d7b8b37f3d6dd4fa4d3350b8d3aefec1aae2884520aa2fdbb133cc22
Instruction ID: c8ec57f89a6e7afb025d0aa2932b43efa1ce755a293782119200938dd78499fe
Opcode Fuzzy Hash: f75339c8d7b8b37f3d6dd4fa4d3350b8d3aefec1aae2884520aa2fdbb133cc22
Instruction Fuzzy Hash: A9E09A30A189AD8EDBA5DB048CB4BE977B1AF9A302F1400E9C00DE7261CA356D809F00

Function 00007FFD3463EE04 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22cdd2db6492be570f6b925eb89a3d0a104c26020391619eb04124d20b206b00
Instruction ID: f907ac08480e9596a7ef4a1bacf92511a19bcca9d237fa63a66a93c3300f75cd
Opcode Fuzzy Hash: 22cdd2db6492be570f6b925eb89a3d0a104c26020391619eb04124d20b206b00
Instruction Fuzzy Hash: F6E086B1D0D5C94EE771CF2488A67EC3BA1FF15200F0442BEC40D86663DD3815478700

Function 00007FFD346308CA Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8e150e378cf6ad4a7833eb23d2ace99e74177c8567a69caea08b228da893ce0
Instruction ID: e8aed891e665c542a71734873b97f9343c89a3a42fe741ab92abb0c2ad446d1f
Opcode Fuzzy Hash: e8e150e378cf6ad4a7833eb23d2ace99e74177c8567a69caea08b228da893ce0
Instruction Fuzzy Hash: FAD0C971E0880C9FDB50EF98E9655FCB774EF45210F0052B6D50DD3192DE346A518640

Function 00007FFD3463D716 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b73f1c07c1d14b8c1d36de0702274c424889db77b8377e9cf2a6f11e73681d3
Instruction ID: b16fa803d20afa4229524d8211b27e35ce2318d4eb7dd0303a88a0abe09138b7
Opcode Fuzzy Hash: 2b73f1c07c1d14b8c1d36de0702274c424889db77b8377e9cf2a6f11e73681d3
Instruction Fuzzy Hash: 3CE042B0E1956D8FDBA4DF58C4A0BECB7B1FF49700F2000A9C10EE7291DB3869829B10

Function 00007FFD346402A8 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fbaf07e7bf0756338e58b62a108afa7c99aefa243a5f4e526e5a8fa792d2625
Instruction ID: bb86adb459d4f6a1b921376c4f84fbec81470dfe147f1a330707248fcb6726b4
Opcode Fuzzy Hash: 7fbaf07e7bf0756338e58b62a108afa7c99aefa243a5f4e526e5a8fa792d2625
Instruction Fuzzy Hash: A3C09B2278951D09D6945D5C7C911E4B344D745131B8011B7DD09C515AD85F485547C1

Function 00007FFD34637277 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6a253a2b686068a50f50841a9f669e079ea4de2c63237cef9801dd4a932edce
Instruction ID: 5a0f9135d5138bb25695b0e6a0987bfda5d643d8329c380ddb8da6e820c1b555
Opcode Fuzzy Hash: e6a253a2b686068a50f50841a9f669e079ea4de2c63237cef9801dd4a932edce
Instruction Fuzzy Hash: C3D0C93051A01A8EC620AF54C8555D97330FF86334F2053A6CA2A2B1F6963A2956EB80

Non-executed Functions

Function 00007FFD34633A45 Relevance: 1.7, Strings: 1, Instructions: 450COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FFD34633B01

Memory Dump Source

Source File: 00000000.00000002.2310055586.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_QUOTE - FE7191PO154.jbxd

Similarity

API ID:
String ID: L_^
API String ID: 0-2487015770
Opcode ID: fc3c1e8207f2fdf5a833d198093577c6433d18fbf734e1ff269ff5ccff647281
Instruction ID: a73c0338ed56e38fd36496e8cb430d12ecb3bd18c0e07785bc67382604d4aa5e
Opcode Fuzzy Hash: fc3c1e8207f2fdf5a833d198093577c6433d18fbf734e1ff269ff5ccff647281
Instruction Fuzzy Hash: B4D1AE13B0D7E257E711B7ADA8B64E73F94DF5326570C02B7D2C8AD0B39D0DA4898246

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report QUOTE - FE7191PO154.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\QUOTE - FE7191PO154.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: QUOTE - FE7191PO154.exePID: 2356, Parent PID: 4004

General

Chronological Activities

Analysis Process: QUOTE - FE7191PO154.exePID: 6672, Parent PID: 2356

General

Chronological Activities

Analysis Process: WerFault.exePID: 6284, Parent PID: 6672

General

Chronological Activities

Disassembly

Windows Analysis Report
QUOTE - FE7191PO154.exe