Edit tour

Windows Analysis Report
RegAsm.exe

Overview

General Information

Sample name:	RegAsm.exe
Analysis ID:	1578199
MD5:	68ca89f542a3e864fe99e2391b178e22
SHA1:	0ee003ff3b991f0c18e6b3d00f5e7f146ad2b746
SHA256:	8b2c157588514f8e5210a12c54e5e723cc3d92b0c5b7a30e8343aec6d33837d8
Tags:	exepalegreen-cheetah-217044user-JAMESWT_MHT
Infos:

Detection

Quasar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Quasar RAT

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Modifies the context of a thread in another process (thread injection)

Sets debug register (to hijack the execution of another thread)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

RegAsm.exe (PID: 3636 cmdline: "C:\Users\user\Desktop\RegAsm.exe" MD5: 68CA89F542A3E864FE99E2391B178E22)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Quasar RAT, QuasarRAT	Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.	APT33 Dropping Elephant Stone Panda The Gorgon Group	http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848 https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf https://asec.ahnlab.com/en/31089/	https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware Configuration

Threatname: Quasar

{"Version": "1.4.1", "Host:Port": "51.15.17.193:4782;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "3cedc6f6-6ab5-4aba-8d7d-5cda1b7ffa72", "StartupKey": "Quasar Client Startup", "Tag": "SenshiPepe", "LogDirectoryName": "Logs", "ServerSignature": "VcdWXYvy8iyLGpEpemlpsJsFzopYmofL4QNr2feHUJsPL+ngY0C7JQYOq6aYbsAjgmj6IbwZJc1XmizrExnUy+PRbyzdhXn/sVtf0c5aKxd3dt4CKIH8RwhZ+1d8A1yWVaLG3EX77fUG0rpKK62u23rxy2xVXAHtbGpSKxFeRpC7f7sJTZn4Z0Y35tuiIHc4Rm0XPJsGN2gsJlMXuO03yXOGigqpHZKEtj94duYKUJkBGDRcs409u8AbVq5yFO/Z3naE7DUixrawBYsuYNTfV/JKK+8Z6Doi2G4pd/3xdzRGgvcHbvQUlJMvzwA3mfl5ftjQQEBZoznaWANAU/Ma/rkNbcz/Py1HRGprVPjyItNiGGVo8QW6x7kuMhGzKdB2rCq52h/1qHhjHwU1KvTzJy+dDY+t6YAg20GxbhxcZhrwrUECPcommE0TilwcEFKll2uVp5tNn4e75makywwAQv1QKo21YjGls2gLrh6M1FKr7l479IoJkbcZjeRZ8uh3yjyMEf5NJq0oSEuRI3ZPWuczPdKhg3+6KKWtTF5mkUd/2nycS0oUTFjgU+5XNTjvuz4MzJUikklL47VJzJ1Q9JWiNE/2Ple/eqh6VyQfE96cH433HJ2CJH+gAlQwaGWiJ7e0/NQuP5Cn3ocYaux65TLOpt3EyVjnOHH0ZKET/5w=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAMaTO8NkDssYwyYqpLth2zANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MTExMTAzMTk0NVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAjmhEECGx9fJQPcO/tgA+f+kThLAwzf77GITj6MUf+ipJ2FxfDkt1dClWH7x3waX33aitCeYrNHoVpriW1JVNqnzcZZOEu8fmtpxlXlSdBCdVxLNRp6CiJfafCuIfizorZpkBdERawzGdVD5Fmx6p7DSeAm6WV/V6vZROp0FCVmJ5IbSNIu0PHTjRVh0rcT3pt0+tlT/KceZhk5XM2ds5MqCKGpBYXTvWrWzkk8Alby/3M0QFvctC7YytuDOywU+Qj5bAFB7IAlIeJAGlWGoWb3pLL05N2SbfRYdJcucFpq72+MgmneoTxwovJwiUxvRQGUNBjpxZcUA4d+pHtGRvNAU95RxfirGTaWujfHX9um4mNBhYbMb/NRGC737GQV48ksMSEtcR4C9U1GGh/3Czr7S/GIew19pHtdHsnN5P+rn2wbVPlUgzwgcAeHFbVlD+Lguszs0AdHGwv9ZdkHPwBzmOx9YvDEYfEZM9AJk/hWuk85FXZTKMcDSG1ytHbAyGgjLOr8B1z36u3B1kRt+92uHqd06QjFu/ipVIitmGogem5nwTVthP7zLvbjFiv6omskGBu/55ByQicH5MCkDisJKU2ahOFOypbR5hxdodGS13+pQGFqg8cTe0gsnzfrwXKiQu1aYC394MW+z29OO5KK9NSN4bJ3zn4W7Sh5TbbHsCAwEAAaMyMDAwHQYDVR0OBBYEFB73KQ9dKRRykGrTP/ro/ucILFuYMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBACp7CqafH2O5tj6gVDE7FAhoQrPyBNMiQXpXZihG9DIoTHJgiDPuRhdSrVyPKldZ7EsSa52sse6QzmYrRnMOQmUZWP7Cu6QLtYc4IUcGRZWDaY2uVDsnXwyXIkxUHDGeeQG+f5/iBiKTMqy+6O0cIRqebMtTqvmob5yQggXp5CVXTbq+pb0DmcLsMbZbrWNviVC7QBXpwHyH24H7iv2aEEAAQorIg35v75Oen7nvFPGcKiaEjvTKvoce2j2OceW20QAaQlSBeSaOIsAyw1q1e6uIoC6PjDb0URbXV6LAJz5RjfinSiQuo0nLzRLRiecEOiBBhtXsMXBIs/jxGqMKT14QbXMVLX9STaDho5i0LAkypnYNjFznc40Ot/Xqx5pS9B/jBppVVNKjv//AdTbKa9WNUPTQZg91IAnXAE6FTSGwUSzGhmrf4WJfHLt0uITn/fOrZfL/enju+jnX3TKRU8N4BNakHcAv2XJh0qmDnmKBAHrq5rCNsSO6Bsl411FYxb3enXQAd6SNy+G/kx1Up4+jAg67bTZDlq38opVU0k0ZAxmLWHUHI1QbcnAhah0g40fW5UY9kijuWbxVea8K+arIRk4hBLqFLNkwoa5eEKg7+ErtUJeqR1Q8YJhCzqz8zQ5Rf0EdE40W9H4zsxgQUFmqAE/klrdI06pJLB3bjvwa"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2667313654.000001D6DD1D2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.2667313654.000001D6DD001000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.2669340758.000001D6ED001000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.2673499921.000001D6F5BF0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.2673499921.000001D6F5BF0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.2673499921.000001D6F5BF0000.00000004.08000000.00040000.00000000.sdmp	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28eed7:$x1: Quasar.Common.Messages 0x29f200:$x1: Quasar.Common.Messages 0x2ab82e:$x4: Uninstalling... good bye :-( 0x2ad023:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
00000000.00000002.2673499921.000001D6F5BF0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aade0:$f1: FileZilla\recentservers.xml 0x2aae20:$f2: FileZilla\sitemanager.xml 0x2aae62:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0ae:$b1: Chrome\User Data\ 0x2ab104:$b1: Chrome\User Data\ 0x2ab3dc:$b2: Mozilla\Firefox\Profiles 0x2ab4d8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd45c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab630:$b4: Opera Software\Opera Stable\Login Data 0x2ab6ea:$b5: YandexBrowser\User Data\ 0x2ab758:$b5: YandexBrowser\User Data\ 0x2ab42c:$s4: logins.json 0x2ab162:$a1: username_value 0x2ab180:$a2: password_value 0x2ab46c:$a3: encryptedUsername 0x2fd3a0:$a3: encryptedUsername 0x2ab490:$a4: encryptedPassword 0x2fd3be:$a4: encryptedPassword 0x2fd33c:$a5: httpRealm
00000000.00000002.2673499921.000001D6F5BF0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab918:$s3: Process already elevated. 0x28ebd6:$s4: get_PotentiallyVulnerablePasswords 0x278c92:$s5: GetKeyloggerLogsDirectory 0x29e95f:$s5: GetKeyloggerLogsDirectory 0x28ebf9:$s6: set_PotentiallyVulnerablePasswords 0x2fea8a:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
00000000.00000002.2670852732.000001D6F56CB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 3636	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.RegAsm.exe.1d6f5bf0000.1.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.RegAsm.exe.1d6f5bf0000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.RegAsm.exe.1d6f5bf0000.1.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28eed7:$x1: Quasar.Common.Messages 0x29f200:$x1: Quasar.Common.Messages 0x2ab82e:$x4: Uninstalling... good bye :-( 0x2ad023:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.RegAsm.exe.1d6f5bf0000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aade0:$f1: FileZilla\recentservers.xml 0x2aae20:$f2: FileZilla\sitemanager.xml 0x2aae62:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0ae:$b1: Chrome\User Data\ 0x2ab104:$b1: Chrome\User Data\ 0x2ab3dc:$b2: Mozilla\Firefox\Profiles 0x2ab4d8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd45c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab630:$b4: Opera Software\Opera Stable\Login Data 0x2ab6ea:$b5: YandexBrowser\User Data\ 0x2ab758:$b5: YandexBrowser\User Data\ 0x2ab42c:$s4: logins.json 0x2ab162:$a1: username_value 0x2ab180:$a2: password_value 0x2ab46c:$a3: encryptedUsername 0x2fd3a0:$a3: encryptedUsername 0x2ab490:$a4: encryptedPassword 0x2fd3be:$a4: encryptedPassword 0x2fd33c:$a5: httpRealm
0.2.RegAsm.exe.1d6f5bf0000.1.raw.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab918:$s3: Process already elevated. 0x28ebd6:$s4: get_PotentiallyVulnerablePasswords 0x278c92:$s5: GetKeyloggerLogsDirectory 0x29e95f:$s5: GetKeyloggerLogsDirectory 0x28ebf9:$s6: set_PotentiallyVulnerablePasswords 0x2fea8a:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
0.2.RegAsm.exe.1d6ed009ac0.0.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.RegAsm.exe.1d6ed009ac0.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.RegAsm.exe.1d6ed009ac0.0.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28eed7:$x1: Quasar.Common.Messages 0x29f200:$x1: Quasar.Common.Messages 0x2ab82e:$x4: Uninstalling... good bye :-( 0x2ad023:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.RegAsm.exe.1d6ed009ac0.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aade0:$f1: FileZilla\recentservers.xml 0x2aae20:$f2: FileZilla\sitemanager.xml 0x2aae62:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0ae:$b1: Chrome\User Data\ 0x2ab104:$b1: Chrome\User Data\ 0x2ab3dc:$b2: Mozilla\Firefox\Profiles 0x2ab4d8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd45c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab630:$b4: Opera Software\Opera Stable\Login Data 0x2ab6ea:$b5: YandexBrowser\User Data\ 0x2ab758:$b5: YandexBrowser\User Data\ 0x2ab42c:$s4: logins.json 0x2ab162:$a1: username_value 0x2ab180:$a2: password_value 0x2ab46c:$a3: encryptedUsername 0x2fd3a0:$a3: encryptedUsername 0x2ab490:$a4: encryptedPassword 0x2fd3be:$a4: encryptedPassword 0x2fd33c:$a5: httpRealm
0.2.RegAsm.exe.1d6ed009ac0.0.raw.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab918:$s3: Process already elevated. 0x28ebd6:$s4: get_PotentiallyVulnerablePasswords 0x278c92:$s5: GetKeyloggerLogsDirectory 0x29e95f:$s5: GetKeyloggerLogsDirectory 0x28ebf9:$s6: set_PotentiallyVulnerablePasswords 0x2fea8a:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
0.2.RegAsm.exe.1d6f5bf0000.1.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.RegAsm.exe.1d6f5bf0000.1.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28d0d7:$x1: Quasar.Common.Messages 0x29d400:$x1: Quasar.Common.Messages 0x2a9a2e:$x4: Uninstalling... good bye :-( 0x2ab223:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.RegAsm.exe.1d6f5bf0000.1.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a8fe0:$f1: FileZilla\recentservers.xml 0x2a9020:$f2: FileZilla\sitemanager.xml 0x2a9062:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a92ae:$b1: Chrome\User Data\ 0x2a9304:$b1: Chrome\User Data\ 0x2a95dc:$b2: Mozilla\Firefox\Profiles 0x2a96d8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fb65c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a9830:$b4: Opera Software\Opera Stable\Login Data 0x2a98ea:$b5: YandexBrowser\User Data\ 0x2a9958:$b5: YandexBrowser\User Data\ 0x2a962c:$s4: logins.json 0x2a9362:$a1: username_value 0x2a9380:$a2: password_value 0x2a966c:$a3: encryptedUsername 0x2fb5a0:$a3: encryptedUsername 0x2a9690:$a4: encryptedPassword 0x2fb5be:$a4: encryptedPassword 0x2fb53c:$a5: httpRealm
0.2.RegAsm.exe.1d6f5bf0000.1.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a9b18:$s3: Process already elevated. 0x28cdd6:$s4: get_PotentiallyVulnerablePasswords 0x276e92:$s5: GetKeyloggerLogsDirectory 0x29cb5f:$s5: GetKeyloggerLogsDirectory 0x28cdf9:$s6: set_PotentiallyVulnerablePasswords 0x2fcc8a:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
0.2.RegAsm.exe.1d6ed009ac0.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.RegAsm.exe.1d6ed009ac0.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28d0d7:$x1: Quasar.Common.Messages 0x29d400:$x1: Quasar.Common.Messages 0x2a9a2e:$x4: Uninstalling... good bye :-( 0x2ab223:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.RegAsm.exe.1d6ed009ac0.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a8fe0:$f1: FileZilla\recentservers.xml 0x2a9020:$f2: FileZilla\sitemanager.xml 0x2a9062:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a92ae:$b1: Chrome\User Data\ 0x2a9304:$b1: Chrome\User Data\ 0x2a95dc:$b2: Mozilla\Firefox\Profiles 0x2a96d8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fb65c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a9830:$b4: Opera Software\Opera Stable\Login Data 0x2a98ea:$b5: YandexBrowser\User Data\ 0x2a9958:$b5: YandexBrowser\User Data\ 0x2a962c:$s4: logins.json 0x2a9362:$a1: username_value 0x2a9380:$a2: password_value 0x2a966c:$a3: encryptedUsername 0x2fb5a0:$a3: encryptedUsername 0x2a9690:$a4: encryptedPassword 0x2fb5be:$a4: encryptedPassword 0x2fb53c:$a5: httpRealm
0.2.RegAsm.exe.1d6ed009ac0.0.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a9b18:$s3: Process already elevated. 0x28cdd6:$s4: get_PotentiallyVulnerablePasswords 0x276e92:$s5: GetKeyloggerLogsDirectory 0x29cb5f:$s5: GetKeyloggerLogsDirectory 0x28cdf9:$s6: set_PotentiallyVulnerablePasswords 0x2fcc8a:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
Click to see the 13 entries

Suricata Signatures

ET MALWARE Generic AsyncRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-19T12:19:17.093369+0100	2035595	1	Domain Observed Used for C2 Detected	51.15.17.193	4782	192.168.2.8	49708	TCP

ET MALWARE Observed Malicious SSL Cert (Quasar CnC)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-19T12:19:17.093369+0100	2027619	1	Domain Observed Used for C2 Detected	51.15.17.193	4782	192.168.2.8	49708	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.RegAsm.exe.1d6ed009ac0.0.raw.unpack

Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "51.15.17.193:4782;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "3cedc6f6-6ab5-4aba-8d7d-5cda1b7ffa72", "StartupKey": "Quasar Client Startup", "Tag": "SenshiPepe", "LogDirectoryName": "Logs", "ServerSignature": "VcdWXYvy8iyLGpEpemlpsJsFzopYmofL4QNr2feHUJsPL+ngY0C7JQYOq6aYbsAjgmj6IbwZJc1XmizrExnUy+PRbyzdhXn/sVtf0c5aKxd3dt4CKIH8RwhZ+1d8A1yWVaLG3EX77fUG0rpKK62u23rxy2xVXAHtbGpSKxFeRpC7f7sJTZn4Z0Y35tuiIHc4Rm0XPJsGN2gsJlMXuO03yXOGigqpHZKEtj94duYKUJkBGDRcs409u8AbVq5yFO/Z3naE7DUixrawBYsuYNTfV/JKK+8Z6Doi2G4pd/3xdzRGgvcHbvQUlJMvzwA3mfl5ftjQQEBZoznaWANAU/Ma/rkNbcz/Py1HRGprVPjyItNiGGVo8QW6x7kuMhGzKdB2rCq52h/1qHhjHwU1KvTzJy+dDY+t6YAg20GxbhxcZhrwrUECPcommE0TilwcEFKll2uVp5tNn4e75makywwAQv1QKo21YjGls2gLrh6M1FKr7l479IoJkbcZjeRZ8uh3yjyMEf5NJq0oSEuRI3ZPWuczPdKhg3+6KKWtTF5mkUd/2nycS0oUTFjgU+5XNTjvuz4MzJUikklL47VJzJ1Q9JWiNE/2Ple/eqh6VyQfE96cH433HJ2CJH+gAlQwaGWiJ7e0/NQuP5Cn3ocYaux65TLOpt3EyVjnOHH0ZKET/5w=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAMaTO8NkDssYwyYqpLth2zANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MTExMTAzMTk0NVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAjmhEECGx9fJQPcO/tgA+f+kThLAwzf77GITj6MUf+ipJ2FxfDkt1dClWH7x3waX33aitCeYrNHoVpriW1JVNqnzcZZOEu8fmtpxlXlSdBCdVxLNRp6CiJfafCuIfizorZpkBdERawzGdVD5Fmx6p7DSeAm6WV/V6vZROp0FCVmJ5IbSNIu0PHTjRVh0rcT3pt0+tlT/KceZhk5XM2ds5MqCKGpBYXTvWrWzkk8Alby/3M0QFvctC7YytuDOywU+Qj5bAFB7IAlIeJAGlWGoWb3pLL05N2SbfRYdJcucFpq72+MgmneoTxwovJwiUxvRQGUNBjpxZcUA4d+pHtGRvNAU95RxfirGTaWujfHX9um4mNBhYbMb/NRGC737GQV48ksMSEtcR4C9U1GGh/3Czr7S/GIew19pHtdHsnN5P+rn2wbVPlUgzwgcAeHFbVlD+Lguszs0AdHGwv9ZdkHPwBzmOx9YvDEYfEZM9AJk/hWuk85FXZTKMcDSG1ytHbAyGgjLOr8B1z36u3B1kRt+92uHqd06QjFu/ipVIitmGogem5nwTVthP7zLvbjFiv6omskGBu/55ByQicH5MCkDisJKU2ahOFOypbR5hxdodGS13+pQGFqg8cTe0gsnzfrwXKiQu1aYC394MW+z29OO5KK9NSN4bJ3zn4W7Sh5TbbHsCAwEAAaMyMDAwHQYDVR0OBBYEFB73KQ9dKRRykGrTP/ro/ucILFuYMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBACp7CqafH2O5tj6gVDE7FAhoQrPyBNMiQXpXZihG9DIoTHJgiDPuRhdSrVyPKldZ7EsSa52sse6QzmYrRnMOQmUZWP7Cu6QLtYc4IUcGRZWDaY2uVDsnXwyXIkxUHDGeeQG+f5/iBiKTMqy+6O0cIRqebMtTqvmob5yQggXp5CVXTbq+pb0DmcLsMbZbrWNviVC7QBXpwHyH24H7iv2aEEAAQorIg35v75Oen7nvFPGcKiaEjvTKvoce2j2OceW20QAaQlSBeSaOIsAyw1q1e6uIoC6PjDb0URbXV6LAJz5RjfinSiQuo0nLzRLRiecEOiBBhtXsMXBIs/jxGqMKT14QbXMVLX9STaDho5i0LAkypnYNjFznc40Ot/Xqx5pS9B/jBppVVNKjv//AdTbKa9WNUPTQZg91IAnXAE6FTSGwUSzGhmrf4WJfHLt0uITn/fOrZfL/enju+jnX3TKRU8N4BNakHcAv2XJh0qmDnmKBAHrq5rCNsSO6Bsl411FYxb3enXQAd6SNy+G/kx1Up4+jAg67bTZDlq38opVU0k0ZAxmLWHUHI1QbcnAhah0g40fW5UY9kijuWbxVea8K+arIRk4hBLqFLNkwoa5eEKg7+ErtUJeqR1Q8YJhCzqz8zQ5Rf0EdE40W9H4zsxgQUFmqAE/klrdI06pJLB3bjvwa"}

Multi AV Scanner detection for submitted file

Source: RegAsm.exe	Virustotal: Detection: 45%			Perma Link
Source: RegAsm.exe	ReversingLabs: Detection: 39%

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.RegAsm.exe.1d6f5bf0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RegAsm.exe.1d6ed009ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RegAsm.exe.1d6f5bf0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RegAsm.exe.1d6ed009ac0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2667313654.000001D6DD1D2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2667313654.000001D6DD001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2669340758.000001D6ED001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2673499921.000001D6F5BF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2670852732.000001D6F56CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3636, type: MEMORYSTR

Source: unknown

HTTPS traffic detected: 108.181.61.49:443 -> 192.168.2.8:49709 version: TLS 1.2

Source: RegAsm.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2027619 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (Quasar CnC) : 51.15.17.193:4782 -> 192.168.2.8:49708
Source: Network traffic	Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 51.15.17.193:4782 -> 192.168.2.8:49708

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 51.15.17.193

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.RegAsm.exe.1d6f5bf0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RegAsm.exe.1d6ed009ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2673499921.000001D6F5BF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.8:49708 -> 51.15.17.193:4782

Source: Joe Sandbox View

IP Address: 108.181.61.49 108.181.61.49

Source: Joe Sandbox View

ASN Name: OnlineSASFR OnlineSASFR

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ipwho.is

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ipwho.is

Source: RegAsm.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: RegAsm.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: RegAsm.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: RegAsm.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA.crt0
Source: RegAsm.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: RegAsm.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: RegAsm.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: RegAsm.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: RegAsm.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: RegAsm.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: RegAsm.exe	String found in binary or memory: http://crl3.digicert.com/EVCodeSigning-g1.crl03
Source: RegAsm.exe	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: RegAsm.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: RegAsm.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: RegAsm.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: RegAsm.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: RegAsm.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: RegAsm.exe	String found in binary or memory: http://crl4.digicert.com/EVCodeSigning-g1.crl0K
Source: RegAsm.exe	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: RegAsm.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: RegAsm.exe, 00000000.00000002.2672394322.000001D6F5B8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: RegAsm.exe, 00000000.00000002.2666278175.000001D6DB1A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegAsm.exe, 00000000.00000002.2667313654.000001D6DD184000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ipwho.is
Source: RegAsm.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: RegAsm.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: RegAsm.exe	String found in binary or memory: http://ocsp.digicert.com0H
Source: RegAsm.exe	String found in binary or memory: http://ocsp.digicert.com0I
Source: RegAsm.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: RegAsm.exe, 00000000.00000002.2667313654.000001D6DD1D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: RegAsm.exe, 00000000.00000002.2667313654.000001D6DD001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegAsm.exe	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: RegAsm.exe, 00000000.00000002.2673499921.000001D6F5BF0000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000000.00000002.2669340758.000001D6ED001000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000000.00000002.2670852732.000001D6F56CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: RegAsm.exe, 00000000.00000002.2667313654.000001D6DD16A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipwho.is
Source: RegAsm.exe, 00000000.00000002.2673499921.000001D6F5BF0000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000000.00000002.2669340758.000001D6ED001000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000000.00000002.2667313654.000001D6DD16A000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000000.00000002.2670852732.000001D6F56CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipwho.is/
Source: RegAsm.exe, 00000000.00000002.2673499921.000001D6F5BF0000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000000.00000002.2669340758.000001D6ED001000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000000.00000002.2670852732.000001D6F56CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: RegAsm.exe, 00000000.00000002.2673499921.000001D6F5BF0000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000000.00000002.2669340758.000001D6ED001000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000000.00000002.2667313654.000001D6DD041000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000000.00000002.2670852732.000001D6F56CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: RegAsm.exe, 00000000.00000002.2673499921.000001D6F5BF0000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000000.00000002.2669340758.000001D6ED001000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000000.00000002.2670852732.000001D6F56CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot
Source: RegAsm.exe	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709

Source: unknown

HTTPS traffic detected: 108.181.61.49:443 -> 192.168.2.8:49709 version: TLS 1.2

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.RegAsm.exe.1d6f5bf0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RegAsm.exe.1d6ed009ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RegAsm.exe.1d6f5bf0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RegAsm.exe.1d6ed009ac0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2667313654.000001D6DD1D2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2667313654.000001D6DD001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2669340758.000001D6ED001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2673499921.000001D6F5BF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2670852732.000001D6F56CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3636, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.RegAsm.exe.1d6f5bf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.RegAsm.exe.1d6f5bf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.RegAsm.exe.1d6f5bf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.2.RegAsm.exe.1d6ed009ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.RegAsm.exe.1d6ed009ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.RegAsm.exe.1d6ed009ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.2.RegAsm.exe.1d6f5bf0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.RegAsm.exe.1d6f5bf0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.RegAsm.exe.1d6f5bf0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.2.RegAsm.exe.1d6ed009ac0.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.RegAsm.exe.1d6ed009ac0.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.RegAsm.exe.1d6ed009ac0.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 00000000.00000002.2673499921.000001D6F5BF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 00000000.00000002.2673499921.000001D6F5BF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000000.00000002.2673499921.000001D6F5BF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Quasar infostealer Author: ditekshen

Source: C:\Users\user\Desktop\RegAsm.exe	Code function: 0_2_00007FFB4B39295E	0_2_00007FFB4B39295E
Source: C:\Users\user\Desktop\RegAsm.exe	Code function: 0_2_00007FFB4B62E399	0_2_00007FFB4B62E399
Source: C:\Users\user\Desktop\RegAsm.exe	Code function: 0_2_00007FFB4B627336	0_2_00007FFB4B627336
Source: C:\Users\user\Desktop\RegAsm.exe	Code function: 0_2_00007FFB4B62C1CB	0_2_00007FFB4B62C1CB
Source: C:\Users\user\Desktop\RegAsm.exe	Code function: 0_2_00007FFB4B61AA4D	0_2_00007FFB4B61AA4D
Source: C:\Users\user\Desktop\RegAsm.exe	Code function: 0_2_00007FFB4B6280E2	0_2_00007FFB4B6280E2
Source: C:\Users\user\Desktop\RegAsm.exe	Code function: 0_2_00007FFB4B6176AE	0_2_00007FFB4B6176AE
Source: C:\Users\user\Desktop\RegAsm.exe	Code function: 0_2_00007FFB4B62AF99	0_2_00007FFB4B62AF99
Source: C:\Users\user\Desktop\RegAsm.exe	Code function: 0_2_00007FFB4B62EF79	0_2_00007FFB4B62EF79
Source: C:\Users\user\Desktop\RegAsm.exe	Code function: 0_2_00007FFB4B619621	0_2_00007FFB4B619621
Source: C:\Users\user\Desktop\RegAsm.exe	Code function: 0_2_00007FFB4B614D78	0_2_00007FFB4B614D78
Source: C:\Users\user\Desktop\RegAsm.exe	Code function: 0_2_00007FFB4B6111F2	0_2_00007FFB4B6111F2
Source: C:\Users\user\Desktop\RegAsm.exe	Code function: 0_2_00007FFB4B6110D1	0_2_00007FFB4B6110D1
Source: C:\Users\user\Desktop\RegAsm.exe	Code function: 0_2_00007FFB4B620EFA	0_2_00007FFB4B620EFA
Source: C:\Users\user\Desktop\RegAsm.exe	Code function: 0_2_00007FFB4B620E0F	0_2_00007FFB4B620E0F
Source: C:\Users\user\Desktop\RegAsm.exe	Code function: 0_2_00007FFB4B61BDA5	0_2_00007FFB4B61BDA5
Source: C:\Users\user\Desktop\RegAsm.exe	Code function: 0_2_00007FFB4B615D35	0_2_00007FFB4B615D35
Source: C:\Users\user\Desktop\RegAsm.exe	Code function: 0_2_00007FFB4B6D23F1	0_2_00007FFB4B6D23F1

Source: RegAsm.exe

Static PE information: invalid certificate

Source: RegAsm.exe, 00000000.00000002.2673499921.000001D6F5BF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs RegAsm.exe
Source: RegAsm.exe, 00000000.00000002.2669340758.000001D6ED001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs RegAsm.exe
Source: RegAsm.exe, 00000000.00000002.2670852732.000001D6F56CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs RegAsm.exe

Source: 0.2.RegAsm.exe.1d6f5bf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.RegAsm.exe.1d6f5bf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.RegAsm.exe.1d6f5bf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.RegAsm.exe.1d6ed009ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.RegAsm.exe.1d6ed009ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.RegAsm.exe.1d6ed009ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.RegAsm.exe.1d6f5bf0000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.RegAsm.exe.1d6f5bf0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.RegAsm.exe.1d6f5bf0000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.RegAsm.exe.1d6ed009ac0.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.RegAsm.exe.1d6ed009ac0.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.RegAsm.exe.1d6ed009ac0.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 00000000.00000002.2673499921.000001D6F5BF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 00000000.00000002.2673499921.000001D6F5BF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000000.00000002.2673499921.000001D6F5BF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@1/2

Source: C:\Users\user\Desktop\RegAsm.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\3cedc6f6-6ab5-4aba-8d7d-5cda1b7ffa72
Source: C:\Users\user\Desktop\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Index_aKVlIRy
Source: C:\Users\user\Desktop\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Ficha_JlfqVmNJR

Source: RegAsm.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\RegAsm.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegAsm.exe	Virustotal: Detection: 45%
Source: RegAsm.exe	ReversingLabs: Detection: 39%

Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior

Source: C:\Users\user\Desktop\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: RegAsm.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: RegAsm.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: RegAsm.exe

Static file information: File size 5806944 > 1048576

Source: RegAsm.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x233600
Source: RegAsm.exe	Static PE information: Raw size of .data is bigger than: 0x100000 < 0x31e200

Source: RegAsm.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: RegAsm.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: RegAsm.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: RegAsm.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: RegAsm.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: RegAsm.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: RegAsm.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: RegAsm.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: RegAsm.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: RegAsm.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: RegAsm.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: RegAsm.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: RegAsm.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: RegAsm.exe

Static PE information: real checksum: 0x58a914 should be: 0x593d12

Source: C:\Users\user\Desktop\RegAsm.exe	Code function: 0_2_00007FFB4B27D2A5 pushad ; iretd	0_2_00007FFB4B27D2A6
Source: C:\Users\user\Desktop\RegAsm.exe	Code function: 0_2_00007FFB4B612BA0 push eax; ret	0_2_00007FFB4B612C0C
Source: C:\Users\user\Desktop\RegAsm.exe	Code function: 0_2_00007FFB4B632DFA push esp; iretd	0_2_00007FFB4B632DFB

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\RegAsm.exe

File opened: C:\Users\user\Desktop\RegAsm.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\RegAsm.exe	Memory allocated: 1D6DCAF0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Memory allocated: 1D6F5000000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\RegAsm.exe	Window / User API: threadDelayed 956			Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Window / User API: threadDelayed 1091			Jump to behavior

Source: C:\Users\user\Desktop\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\Desktop\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\RegAsm.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\RegAsm.exe

File Volume queried: C:\Users\user\Desktop FullSizeInformation

Jump to behavior

Source: RegAsm.exe, 00000000.00000002.2672394322.000001D6F5B8F000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\

Source: C:\Users\user\Desktop\RegAsm.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\RegAsm.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\RegAsm.exe

Thread register set: target process: unknown

Jump to behavior

Sets debug register (to hijack the execution of another thread)

Source: C:\Users\user\Desktop\RegAsm.exe

Thread register set: unknown 1

Jump to behavior

Source: C:\Users\user\Desktop\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.RegAsm.exe.1d6f5bf0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RegAsm.exe.1d6ed009ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RegAsm.exe.1d6f5bf0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RegAsm.exe.1d6ed009ac0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2667313654.000001D6DD1D2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2667313654.000001D6DD001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2669340758.000001D6ED001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2673499921.000001D6F5BF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2670852732.000001D6F56CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3636, type: MEMORYSTR

Remote Access Functionality

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.RegAsm.exe.1d6f5bf0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RegAsm.exe.1d6ed009ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RegAsm.exe.1d6f5bf0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RegAsm.exe.1d6ed009ac0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2667313654.000001D6DD1D2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2667313654.000001D6DD001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2669340758.000001D6ED001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2673499921.000001D6F5BF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2670852732.000001D6F56CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3636, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Windows Management Instrumentation	1 DLL Side-Loading	2 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Hidden Files and Directories	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	24 System Information Discovery	SSH	Keylogging	113 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
RegAsm.exe	46%	Virustotal		Browse
RegAsm.exe	39%	ReversingLabs	Win64.Trojan.CrypterX

Source	Detection	Scanner	Label	Link
51.15.17.193	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipwho.is	108.181.61.49	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ipwho.is/	false		high
51.15.17.193	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://api.ipify.org/	RegAsm.exe, 00000000.00000002.2673499921.000001D6F5BF0000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000000.00000002.2669340758.000001D6ED001000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000000.00000002.2670852732.000001D6F56CB000.00000004.00000020.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/14436606/23354	RegAsm.exe, 00000000.00000002.2673499921.000001D6F5BF0000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000000.00000002.2669340758.000001D6ED001000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000000.00000002.2667313654.000001D6DD041000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000000.00000002.2670852732.000001D6F56CB000.00000004.00000020.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/2152978/23354sCannot	RegAsm.exe, 00000000.00000002.2673499921.000001D6F5BF0000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000000.00000002.2669340758.000001D6ED001000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000000.00000002.2670852732.000001D6F56CB000.00000004.00000020.00020000.00000000.sdmp	false	high
http://schemas.datacontract.org/2004/07/	RegAsm.exe, 00000000.00000002.2667313654.000001D6DD1D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegAsm.exe, 00000000.00000002.2667313654.000001D6DD001000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ipwho.is	RegAsm.exe, 00000000.00000002.2667313654.000001D6DD184000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	RegAsm.exe, 00000000.00000002.2673499921.000001D6F5BF0000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000000.00000002.2669340758.000001D6ED001000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000000.00000002.2670852732.000001D6F56CB000.00000004.00000020.00020000.00000000.sdmp	false	high
https://ipwho.is	RegAsm.exe, 00000000.00000002.2667313654.000001D6DD16A000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
108.181.61.49	ipwho.is	Canada		852	ASN852CA	false
51.15.17.193	unknown	France		12876	OnlineSASFR	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578199
Start date and time:	2024-12-19 12:18:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	RegAsm.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 85% Number of executed functions: 172 Number of non-executed functions: 10
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212, 172.202.163.200
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
108.181.61.49	888.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	888.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	Cracker.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipwho.is	alyemenione.lnk	Get hash	malicious	Havoc, Quasar	Browse	108.181.61.49
	jignesh.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	skibidi.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	vanilla.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	888.exe	Get hash	malicious	Luca Stealer	Browse	108.181.61.49
	888.exe	Get hash	malicious	Luca Stealer	Browse	108.181.61.49
	https://aggttt.z4.web.core.windows.net/?bcda=00-1-234-294-2156	Get hash	malicious	TechSupportScam	Browse	108.181.61.49
	Loader.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	Hydra.ccLoader.bat	Get hash	malicious	Unknown	Browse	108.181.61.49
	full.exe	Get hash	malicious	Quasar	Browse	108.181.61.49

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASN852CA	TT copy.js	Get hash	malicious	FormBook	Browse	108.181.20.35
	alyemenione.lnk	Get hash	malicious	Havoc, Quasar	Browse	108.181.61.49
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	204.191.146.80
	la.bot.mips.elf	Get hash	malicious	Mirai	Browse	161.184.58.16
	la.bot.sh4.elf	Get hash	malicious	Mirai	Browse	199.175.174.49
	powerpc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	207.6.190.148
	la.bot.mipsel.elf	Get hash	malicious	Mirai	Browse	173.182.147.38
	arm5.nn-20241218-1651.elf	Get hash	malicious	Mirai, Okiru	Browse	172.218.204.155
	z68scancopy.vbs	Get hash	malicious	FormBook	Browse	108.181.20.35
	loligang.mpsl.elf	Get hash	malicious	Mirai	Browse	207.34.214.194
OnlineSASFR	http://bluepeak-group.com/fc	Get hash	malicious	Unknown	Browse	163.172.143.199
	gaozw40v.exe	Get hash	malicious	Xmrig	Browse	163.172.154.142
	twjMb9cX64.exe	Get hash	malicious	Sliver	Browse	51.158.71.131
	WOlxr4yjgF.exe	Get hash	malicious	Sliver	Browse	51.158.71.131
	bot.mips.elf	Get hash	malicious	Mirai	Browse	51.158.232.138
	https://antiphishing.vadesecure.com/v4?f=M2FwZHlGNnU1aUlkc09ZNMiasRwGBdZehRVCQSRcBe4&i=WjB4M1dJWGJJMnNGTHV5MsMuKUIodncDHGeRU4kVkuY&k=CXOq&r=Skk2OVhvdXl2cm1uOWJtRKZOD61t44mSShExmLHL82awntC61WSfAdSPd_A2w4Sr0ol-2lJuHE1y6ZnIh9tzeQ&s=c0986918e90c31f67e295092df95ad67b5167b30a053715360f0707a34067922&u=https%3A%2F%2Fgeomesure-my.sharepoint.com%2F%3Ao%3A%2Fg%2Fpersonal%2Fjeason_geomesure_fr%2FEjezfvLh_FRNp0BDRFgaob0B5QrN_MFtVHWEoF2b4R1bRw%3Fe%3DomoERY	Get hash	malicious	Unknown	Browse	163.172.240.109
	801.ps1	Get hash	malicious	AsyncRAT	Browse	163.172.125.253
	BA9qyj2c9G.exe	Get hash	malicious	WhiteSnake Stealer	Browse	51.159.4.50
	pbnpvwfhco.elf	Get hash	malicious	Unknown	Browse	151.115.178.130
	nlGOh9K5X5.exe	Get hash	malicious	Xmrig	Browse	51.15.193.130

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	FjfZ7uM8zh.lnk	Get hash	malicious	Unknown	Browse	108.181.61.49
	yswmdaREME.lnk	Get hash	malicious	Unknown	Browse	108.181.61.49
	0bNBLjPn56.lnk	Get hash	malicious	Unknown	Browse	108.181.61.49
	t5lpvahkgypd7wy.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	108.181.61.49
	RFQ Letter and Instructions.pdf	Get hash	malicious	Unknown	Browse	108.181.61.49
	File di reclamo per violazione del copyright File di reclamo per violazione del copyright.lnk.d.lnk	Get hash	malicious	Unknown	Browse	108.181.61.49
	File di reclamo per violazione del copyright File di reclamo per violazione del copyright.lnk.d.lnk	Get hash	malicious	Unknown	Browse	108.181.61.49
	DHL_231437894819.bat.exe	Get hash	malicious	AgentTesla	Browse	108.181.61.49
	4089137200.exe	Get hash	malicious	AgentTesla	Browse	108.181.61.49
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, Vidar	Browse	108.181.61.49

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.298505123749983
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	RegAsm.exe
File size:	5'806'944 bytes
MD5:	68ca89f542a3e864fe99e2391b178e22
SHA1:	0ee003ff3b991f0c18e6b3d00f5e7f146ad2b746
SHA256:	8b2c157588514f8e5210a12c54e5e723cc3d92b0c5b7a30e8343aec6d33837d8
SHA512:	c411060d308d6294687e8590f303e9b2401f881410ff6051cb5d38ade8522ec99975bd8f123705c441021c6932dc2e95a0393e15b44254a738ebfbad8882997a
SSDEEP:	98304:Xa03e2tcjbdKWam/b5y1SR8sqnTa0gotgEQQZ/307P6JJeokf65KGmI84:tttcjpKWzY1SR8Tn2gg3Mf0z6CoCsB84
TLSH:	9D46CF25670D81A4CEE6353060892363DA70FD08913CE7168FF45B6659FFB60ADAE63C
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$...J...J...J...I...J...O.V.J...N...J...I...J...N...J.......J...K...J...K.^.J...O...J...C...J...H...J.Rich..J.........PE..d..

File Icon


Icon Hash:	55497933cc61714d

Static PE Info

General

Entrypoint:	0x1402230e0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6763654B [Thu Dec 19 00:14:03 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	b366497cd3cff2367e10ca55cfd84f3a

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert EV Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	12/06/2016 20:00:00 24/01/2019 07:00:00
Subject Chain	CN=Realtek Semiconductor Corp., O=Realtek Semiconductor Corp., L=Hsinchu, S=Taiwan, C=TW, PostalCode=300, STREET="No. 2, Innovation Road II, Hsinchu Science Park", SERIALNUMBER=22671299, OID.1.3.6.1.4.1.311.60.2.1.3=TW, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	7B0CA4029E3A73373CE0BD3DF12A08C1
Thumbprint SHA-1:	37A0BACB152A547382195095AB33601929877364
Thumbprint SHA-256:	B08CF4E204D1BA2BA8642D7709499D61CFF8CF7AA75CCD832A6BA1D7F1B82DF7
Serial:	0320BE3EB866526927F999B97B04346E

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F8B1CB74034h
dec eax
add esp, 28h
jmp 00007F8B1CB737F7h
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007F8B1CB73992h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007F8B1CB73995h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007F8B1CB7398Dh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007F8B1CB73366h
int3
dec eax
mov dword ptr [esp+10h], ebx
dec eax
mov dword ptr [esp+18h], esi
push ebp
push edi
inc ecx
push esi
dec eax
mov ebp, esp
dec eax
sub esp, 10h
xor eax, eax
xor ecx, ecx
cpuid
inc esp
mov eax, ecx
inc esp
mov edx, edx
inc ecx
xor edx, 49656E69h
inc ecx
xor eax, 6C65746Eh
inc esp
mov ecx, ebx
inc esp
mov esi, eax
xor ecx, ecx

Rich Headers

Programming Language:

[IMP] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x25ea7c	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x583000	0x6f58	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x580000	0x195c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x585400	0x4760	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x582000	0x68c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x25c4f0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x25c3b0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x235000	0x370	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2335e0	0x233600	48e2f3243765aa70cb2a67d0ffc01f04	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x235000	0x2a5de	0x2a600	773752ad41c50afd1a1c38be67c19e38	False	0.5415111080383481	data	6.904497058612685	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x260000	0x31f3b0	0x31e200	20c018825db01b6a0bc863dcddd08d7c	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x580000	0x195c	0x1a00	02ade02eacf0dd35ea867e9f44449b14	False	0.4792668269230769	data	5.481951375464756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x582000	0x68c	0x800	350095ec4e0e20dc2842c5cfd99ef631	False	0.5048828125	data	4.93935992683497	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x583000	0x6f58	0x7000	241d039120e4fd4748260a8f206f669f	False	0.38570731026785715	data	6.01773921348429	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x583328	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 0			0.21341463414634146
RT_ICON	0x583990	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0			0.34139784946236557
RT_ICON	0x583c78	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0			0.5202702702702703
RT_ICON	0x583da0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.47334754797441364
RT_ICON	0x584c48	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.6101083032490975
RT_ICON	0x5854f0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.596820809248555
RT_ICON	0x585a58	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.2932572614107884
RT_ICON	0x588000	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0			0.4343339587242026
RT_ICON	0x5890a8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0			0.7198581560283688
RT_ICON	0x589510	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640			0.42473118279569894
RT_ICON	0x5897f8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640			0.35618279569892475
RT_GROUP_ICON	0x589ae0	0x84	data			0.6363636363636364
RT_GROUP_ICON	0x589b64	0x14	data			1.25
RT_GROUP_ICON	0x589b78	0x14	data			1.25
RT_VERSION	0x589b8c	0x3cc	data	English	United States	0.4506172839506173

Imports

DLL	Import
USER32.dll	wsprintfW, TranslateMessage, SetTimer, GetMessageW, DispatchMessageW, KillTimer
mscoree.dll	CLRCreateInstance
OLEAUT32.dll	SafeArrayCreateVector, SafeArrayUnlock, SafeArrayLock, SafeArrayCreate
KERNEL32.dll	IsDebuggerPresent, WriteConsoleW, CreateFileW, SetFilePointerEx, GetConsoleMode, GetConsoleOutputCP, FlushFileBuffers, HeapReAlloc, HeapSize, GetProcessHeap, LCMapStringW, CompareStringW, FlsFree, FlsSetValue, FlsGetValue, CreateTimerQueueTimer, GetCurrentProcess, lstrlenW, CreateJobObjectW, DeleteTimerQueueEx, CreateMutexW, GetLocaleInfoW, WaitForSingleObject, GetModuleHandleA, GetACP, CreateEventW, MultiByteToWideChar, GetLastError, LoadLibraryA, QueryPerformanceFrequency, CloseHandle, AddVectoredExceptionHandler, GetThreadContext, GetProcAddress, GlobalMemoryStatusEx, GetModuleHandleW, FreeLibrary, lstrcpyW, GetDiskFreeSpaceExA, GetSystemTime, SetThreadContext, QueryPerformanceCounter, CreateMailslotW, GetTickCount, CreateTimerQueue, LocalFree, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, GetStartupInfoW, FlsAlloc, RtlUnwindEx, RtlPcToFileHeader, RaiseException, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetOEMCP, GetCPInfo, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetFileType, GetStringTypeW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-19T12:19:17.093369+0100	2027619	ET MALWARE Observed Malicious SSL Cert (Quasar CnC)	1	51.15.17.193	4782	192.168.2.8	49708	TCP
2024-12-19T12:19:17.093369+0100	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	1	51.15.17.193	4782	192.168.2.8	49708	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 12:19:15.602694035 CET	49708	4782	192.168.2.8	51.15.17.193
Dec 19, 2024 12:19:15.722588062 CET	4782	49708	51.15.17.193	192.168.2.8
Dec 19, 2024 12:19:15.724678993 CET	49708	4782	192.168.2.8	51.15.17.193
Dec 19, 2024 12:19:15.742933989 CET	49708	4782	192.168.2.8	51.15.17.193
Dec 19, 2024 12:19:15.863367081 CET	4782	49708	51.15.17.193	192.168.2.8
Dec 19, 2024 12:19:16.970335960 CET	4782	49708	51.15.17.193	192.168.2.8
Dec 19, 2024 12:19:16.970376015 CET	4782	49708	51.15.17.193	192.168.2.8
Dec 19, 2024 12:19:16.970465899 CET	49708	4782	192.168.2.8	51.15.17.193
Dec 19, 2024 12:19:16.973463058 CET	49708	4782	192.168.2.8	51.15.17.193
Dec 19, 2024 12:19:17.093369007 CET	4782	49708	51.15.17.193	192.168.2.8
Dec 19, 2024 12:19:17.366136074 CET	4782	49708	51.15.17.193	192.168.2.8
Dec 19, 2024 12:19:17.416707039 CET	49708	4782	192.168.2.8	51.15.17.193
Dec 19, 2024 12:19:17.670658112 CET	49709	443	192.168.2.8	108.181.61.49
Dec 19, 2024 12:19:17.670702934 CET	443	49709	108.181.61.49	192.168.2.8
Dec 19, 2024 12:19:17.670784950 CET	49709	443	192.168.2.8	108.181.61.49
Dec 19, 2024 12:19:17.671880007 CET	49709	443	192.168.2.8	108.181.61.49
Dec 19, 2024 12:19:17.671900034 CET	443	49709	108.181.61.49	192.168.2.8
Dec 19, 2024 12:19:20.090553045 CET	443	49709	108.181.61.49	192.168.2.8
Dec 19, 2024 12:19:20.090751886 CET	49709	443	192.168.2.8	108.181.61.49
Dec 19, 2024 12:19:20.093880892 CET	49709	443	192.168.2.8	108.181.61.49
Dec 19, 2024 12:19:20.093895912 CET	443	49709	108.181.61.49	192.168.2.8
Dec 19, 2024 12:19:20.094337940 CET	443	49709	108.181.61.49	192.168.2.8
Dec 19, 2024 12:19:20.103801966 CET	49709	443	192.168.2.8	108.181.61.49
Dec 19, 2024 12:19:20.151338100 CET	443	49709	108.181.61.49	192.168.2.8
Dec 19, 2024 12:19:20.709928989 CET	443	49709	108.181.61.49	192.168.2.8
Dec 19, 2024 12:19:20.710007906 CET	443	49709	108.181.61.49	192.168.2.8
Dec 19, 2024 12:19:20.710099936 CET	49709	443	192.168.2.8	108.181.61.49
Dec 19, 2024 12:19:20.813564062 CET	49709	443	192.168.2.8	108.181.61.49
Dec 19, 2024 12:19:21.062194109 CET	49708	4782	192.168.2.8	51.15.17.193
Dec 19, 2024 12:19:21.182003975 CET	4782	49708	51.15.17.193	192.168.2.8
Dec 19, 2024 12:19:21.182126045 CET	49708	4782	192.168.2.8	51.15.17.193
Dec 19, 2024 12:19:21.301778078 CET	4782	49708	51.15.17.193	192.168.2.8
Dec 19, 2024 12:19:21.572737932 CET	4782	49708	51.15.17.193	192.168.2.8
Dec 19, 2024 12:19:21.619736910 CET	49708	4782	192.168.2.8	51.15.17.193
Dec 19, 2024 12:19:21.765597105 CET	4782	49708	51.15.17.193	192.168.2.8
Dec 19, 2024 12:19:21.807293892 CET	49708	4782	192.168.2.8	51.15.17.193
Dec 19, 2024 12:19:46.776174068 CET	49708	4782	192.168.2.8	51.15.17.193
Dec 19, 2024 12:19:46.895956993 CET	4782	49708	51.15.17.193	192.168.2.8
Dec 19, 2024 12:20:11.901110888 CET	49708	4782	192.168.2.8	51.15.17.193
Dec 19, 2024 12:20:12.021091938 CET	4782	49708	51.15.17.193	192.168.2.8
Dec 19, 2024 12:20:37.026201010 CET	49708	4782	192.168.2.8	51.15.17.193
Dec 19, 2024 12:20:37.145884037 CET	4782	49708	51.15.17.193	192.168.2.8
Dec 19, 2024 12:21:02.151407003 CET	49708	4782	192.168.2.8	51.15.17.193
Dec 19, 2024 12:21:02.271212101 CET	4782	49708	51.15.17.193	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 12:19:17.522881985 CET	55774	53	192.168.2.8	1.1.1.1
Dec 19, 2024 12:19:17.663624048 CET	53	55774	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 19, 2024 12:19:17.522881985 CET	192.168.2.8	1.1.1.1	0x5ffb	Standard query (0)	ipwho.is	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 19, 2024 12:19:17.663624048 CET	1.1.1.1	192.168.2.8	0x5ffb	No error (0)	ipwho.is		108.181.61.49	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ipwho.is

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49709	108.181.61.49	443	3636	C:\Users\user\Desktop\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 11:19:20 UTC	150	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0 Host: ipwho.is Connection: Keep-Alive
2024-12-19 11:19:20 UTC	223	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 11:19:20 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close Server: ipwhois Access-Control-Allow-Headers: * X-Robots-Tag: noindex
2024-12-19 11:19:20 UTC	1021	IN	Data Raw: 33 66 31 0d 0a 7b 0a 20 20 20 20 22 41 62 6f 75 74 20 55 73 22 3a 20 22 68 74 74 70 73 3a 5c 2f 5c 2f 69 70 77 68 6f 69 73 2e 69 6f 22 2c 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 74 79 70 65 22 3a 20 22 49 50 76 34 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 20 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 20 22 4e 41 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f Data Ascii: 3f1{ "About Us": "https:\/\/ipwhois.io", "ip": "8.46.123.189", "success": true, "type": "IPv4", "continent": "North America", "continent_code": "NA", "country": "United States", "country_code": "US", "region": "New Yo

Target ID:	0
Start time:	06:19:10
Start date:	19/12/2024
Path:	C:\Users\user\Desktop\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\RegAsm.exe"
Imagebase:	0x7ff6bdd50000
File size:	5'806'944 bytes
MD5 hash:	68CA89F542A3E864FE99E2391B178E22
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2667313654.000001D6DD1D2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2667313654.000001D6DD001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2669340758.000001D6ED001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2673499921.000001D6F5BF0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.2673499921.000001D6F5BF0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: 00000000.00000002.2673499921.000001D6F5BF0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000000.00000002.2673499921.000001D6F5BF0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: 00000000.00000002.2673499921.000001D6F5BF0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekshen Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2670852732.000001D6F56CB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	6.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFB4B6D23F1 Relevance: 71.1, Strings: 52, Instructions: 6061COMMON

Download Yara Rule

Strings

h4PK, xrefs: 00007FFB4B6D4F09
APK, xrefs: 00007FFB4B6D55A4
80PK, xrefs: 00007FFB4B6D4B62
APK, xrefs: 00007FFB4B6D5559
8 PK, xrefs: 00007FFB4B6D3FF7
8 PK, xrefs: 00007FFB4B6D4091
8,PK, xrefs: 00007FFB4B6D47AB
80PK, xrefs: 00007FFB4B6D4B03
0!PK, xrefs: 00007FFB4B6D4120
P'PK, xrefs: 00007FFB4B6D43E9
80PK, xrefs: 00007FFB4B6D4B9D
P'PK, xrefs: 00007FFB4B6D43FD
8 PK, xrefs: 00007FFB4B6D4056
0!PK, xrefs: 00007FFB4B6D415B
8 PK, xrefs: 00007FFB4B6D400B
,PK, xrefs: 00007FFB4B6D47EF
APK, xrefs: 00007FFB4B6D55DF
p3PK, xrefs: 00007FFB4B6D4E2B
@$PK, xrefs: 00007FFB4B6D42B4
h4PK, xrefs: 00007FFB4B6D4EF5
8,PK, xrefs: 00007FFB4B6D4711
P'PK, xrefs: 00007FFB4B6D4483
`9PK, xrefs: 00007FFB4B6D51ED
p3PK, xrefs: 00007FFB4B6D4E3F
8,PK, xrefs: 00007FFB4B6D4770
@$PK, xrefs: 00007FFB4B6D4269
@$PK, xrefs: 00007FFB4B6D4255
-PK, xrefs: 00007FFB4B6D48A5
0!PK, xrefs: 00007FFB4B6D40C1
,PK, xrefs: 00007FFB4B6D47DB
`9PK, xrefs: 00007FFB4B6D5153
80PK, xrefs: 00007FFB4B6D4B17
CPK, xrefs: 00007FFB4B6D56ED
p3PK, xrefs: 00007FFB4B6D4EC5
,PK, xrefs: 00007FFB4B6D483A
APK, xrefs: 00007FFB4B6D5545
0!PK, xrefs: 00007FFB4B6D40D5
P'PK, xrefs: 00007FFB4B6D4448
-PK, xrefs: 00007FFB4B6D493F
h4PK, xrefs: 00007FFB4B6D4F54
,PK, xrefs: 00007FFB4B6D4875
`9PK, xrefs: 00007FFB4B6D51B2
H, xrefs: 00007FFB4B6D3759
CPK, xrefs: 00007FFB4B6D56D9
@$PK, xrefs: 00007FFB4B6D42EF
p3PK, xrefs: 00007FFB4B6D4E8A
-PK, xrefs: 00007FFB4B6D48B9
CPK, xrefs: 00007FFB4B6D5773
CPK, xrefs: 00007FFB4B6D5738
-PK, xrefs: 00007FFB4B6D4904
8,PK, xrefs: 00007FFB4B6D4725
h4PK, xrefs: 00007FFB4B6D4F8F

Memory Dump Source

Source File: 00000000.00000002.2680569525.00007FFB4B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B6D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b6d0000_RegAsm.jbxd

Similarity

API ID:
String ID: 0!PK$0!PK$0!PK$0!PK$8 PK$8 PK$8 PK$8 PK$8,PK$8,PK$8,PK$8,PK$80PK$80PK$80PK$80PK$@$PK$@$PK$@$PK$@$PK$H$P'PK$P'PK$P'PK$P'PK$`9PK$`9PK$`9PK$h4PK$h4PK$h4PK$h4PK$p3PK$p3PK$p3PK$p3PK$,PK$,PK$,PK$,PK$-PK$-PK$-PK$-PK$APK$APK$APK$APK$CPK$CPK$CPK$CPK
API String ID: 0-3305417084
Opcode ID: 6a80ae933c59506811563ae9889eb0906731b25e3287b0c4464a6bf9e56a1237
Instruction ID: 078a4cf92c114121b7bf8de8037e231cebc72acfd466c86ae9d1b8156aea5427
Opcode Fuzzy Hash: 6a80ae933c59506811563ae9889eb0906731b25e3287b0c4464a6bf9e56a1237
Instruction Fuzzy Hash: DE73B992B1DE4F0BF7A5BA3C896523596C7EFD8640B5881BAD54DC32E6ED38EC025340

Function 00007FFB4B614D78 Relevance: 16.1, Strings: 11, Instructions: 2361COMMON

Download Yara Rule

Strings

:lK, xrefs: 00007FFB4B6161BC
hs2, xrefs: 00007FFB4B615BB2
hs2, xrefs: 00007FFB4B6153AF
`9NK, xrefs: 00007FFB4B6164C0
`9NK, xrefs: 00007FFB4B614DA0
(~MK, xrefs: 00007FFB4B616565
HA(K, xrefs: 00007FFB4B616417
(iK, xrefs: 00007FFB4B6161FD
hs2, xrefs: 00007FFB4B61530D
HA(K, xrefs: 00007FFB4B616372
xMNK, xrefs: 00007FFB4B614E0D

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: (~MK$(iK$:lK$HA(K$HA(K$`9NK$`9NK$hs2$hs2$hs2$xMNK
API String ID: 0-3850716285
Opcode ID: 72a47a53d69fb579f8b029666b994ba7fec6af7d13f5ef61d272827b8000d2bb
Instruction ID: d6ef4f9f608e4ad9260e18dc6e3005aa2d91f10bb64640d5a0e8c15c2e7005df
Opcode Fuzzy Hash: 72a47a53d69fb579f8b029666b994ba7fec6af7d13f5ef61d272827b8000d2bb
Instruction Fuzzy Hash: 5703A3B0A1CA498FEB95EF28C8557B9B7E2FF59300F1481B9D44DD72A2DA34AC41CB41

Function 00007FFB4B62E399 Relevance: 11.1, Strings: 8, Instructions: 1119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HA(K, xrefs: 00007FFB4B62E8CE
>._L, xrefs: 00007FFB4B62E5D2
HA(K, xrefs: 00007FFB4B62E907
=#_L, xrefs: 00007FFB4B62E770
8#_L, xrefs: 00007FFB4B62EC72
HA(K, xrefs: 00007FFB4B62E999
HA(K, xrefs: 00007FFB4B62E960
0MK, xrefs: 00007FFB4B62E5C8

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: 0MK$8#_L$=#_L$>._L$HA(K$HA(K$HA(K$HA(K
API String ID: 0-2538770648
Opcode ID: 2f84ce2c382c98b906ab074331c14ef716cbae3132aff17b66d1d56f19400ccf
Instruction ID: abb9b4116ff4f0ef35f97d8d2878b7f0e1ea71ffcdd16a7a896261c2e9c3d595
Opcode Fuzzy Hash: 2f84ce2c382c98b906ab074331c14ef716cbae3132aff17b66d1d56f19400ccf
Instruction Fuzzy Hash: 037294B1A1CA4A8FEB98EF2CC89577977D1FF98700F144579E45EC7292CE34A8428742

Function 00007FFB4B62AF99 Relevance: 11.0, Strings: 8, Instructions: 1035
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

^NK, xrefs: 00007FFB4B62B486
hs2, xrefs: 00007FFB4B62B59D
pNK, xrefs: 00007FFB4B62B2AE
HA(K, xrefs: 00007FFB4B62B6D5
^NK, xrefs: 00007FFB4B62B12B
ps2, xrefs: 00007FFB4B62B3B1
HA(K, xrefs: 00007FFB4B62B70E
ps2, xrefs: 00007FFB4B62AFED

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: ^NK$ ^NK$HA(K$HA(K$hs2$pNK$ps2$ps2
API String ID: 0-627680985
Opcode ID: 4ad41d0512180ac6672909c3d9f73ae6ab54c3dddbf1fb8bac98164a45ab1777
Instruction ID: 9f83984f2eafd29597a02b9f4f28e681233bafa6431a0c453b0419ca2bfc0f94
Opcode Fuzzy Hash: 4ad41d0512180ac6672909c3d9f73ae6ab54c3dddbf1fb8bac98164a45ab1777
Instruction Fuzzy Hash: A962C4B1A1CA494FE798FE28C895675B7D1FF58310F0841BDD54EC76A2DE34B8428782

Function 00007FFB4B39295E Relevance: 10.3, Strings: 8, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8r2, xrefs: 00007FFB4B392B90
(r2, xrefs: 00007FFB4B392B44
q2, xrefs: 00007FFB4B392A5A
r2, xrefs: 00007FFB4B392B1D
q2, xrefs: 00007FFB4B392A45
0r2, xrefs: 00007FFB4B392B68
r2, xrefs: 00007FFB4B392B08
(r2, xrefs: 00007FFB4B392B2F

Memory Dump Source

Source File: 00000000.00000002.2678120500.00007FFB4B390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b390000_RegAsm.jbxd

Similarity

API ID:
String ID: r2$ r2$(r2$(r2$0r2$8r2$q2$q2
API String ID: 0-3693269875
Opcode ID: dd1a9e1b3af41a92a073f89a6317d4ece5cca7b6aa700bb43ece7419eba0e683
Instruction ID: 36e61b0059c908ef9830ed0955cb8138e765cdc7409874cdf2b58d0b8e2441ec
Opcode Fuzzy Hash: dd1a9e1b3af41a92a073f89a6317d4ece5cca7b6aa700bb43ece7419eba0e683
Instruction Fuzzy Hash: 878180A050EBC62FE783B7B889675A67FE0EF4616074985FAD0C9CB1A3D91C1807C352

Function 00007FFB4B62C1CB Relevance: 8.9, Strings: 6, Instructions: 1426COMMON

Download Yara Rule

Strings

hs2, xrefs: 00007FFB4B62C547
HA(K, xrefs: 00007FFB4B62C485
^._L, xrefs: 00007FFB4B62C5D0
xhNK, xrefs: 00007FFB4B62C2FD
HA(K, xrefs: 00007FFB4B62C76D
(`GK, xrefs: 00007FFB4B62C65E

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: (`GK$HA(K$HA(K$^._L$hs2$xhNK
API String ID: 0-630455966
Opcode ID: 18a64faf9203f7e907c98410622ae12198db54e9741cf51b1c22594c6e625bdf
Instruction ID: 04b5c016938452f2706928bab0878b7457a495bb20dd4b49e93a3d69c588c208
Opcode Fuzzy Hash: 18a64faf9203f7e907c98410622ae12198db54e9741cf51b1c22594c6e625bdf
Instruction Fuzzy Hash: 6AA238A690DA864FF36DBA38CD561A4BBD0EF55310B0481FAD58DC71F3D938680A8743

Function 00007FFB4B619621 Relevance: 8.7, Strings: 6, Instructions: 1223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

hs2, xrefs: 00007FFB4B619AD8
HA(K, xrefs: 00007FFB4B61A270
HA(K, xrefs: 00007FFB4B61A3B1
HA(K, xrefs: 00007FFB4B61A237
HA(K, xrefs: 00007FFB4B6199B0
HA(K, xrefs: 00007FFB4B61A1FD

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: HA(K$HA(K$HA(K$HA(K$HA(K$hs2
API String ID: 0-3427996456
Opcode ID: 6e4fbb55e34f2544ca3b9028d76ae2577e13d8816004ffd65136d189b6a86f68
Instruction ID: ea0c46f4094dbba73ae5cc5de1002d15dacaff14e089659e413f7c453373dd3d
Opcode Fuzzy Hash: 6e4fbb55e34f2544ca3b9028d76ae2577e13d8816004ffd65136d189b6a86f68
Instruction Fuzzy Hash: 3272E370A1CA494FEB99EF2CC8556B577D1FF99310F0481BAE54EC72A6DE38AC028741

Function 00007FFB4B62EF79 Relevance: 5.5, Strings: 4, Instructions: 465
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HA(K, xrefs: 00007FFB4B62F18B
HA(K, xrefs: 00007FFB4B62F1A2
HA(K, xrefs: 00007FFB4B62F135
HA(K, xrefs: 00007FFB4B62F0FB

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: HA(K$HA(K$HA(K$HA(K
API String ID: 0-1955787288
Opcode ID: 2a5ff9e8c1561b3df38e77d9895f88f177e65dc56648a8e81d30363b7e904fad
Instruction ID: 2d229f941dec3132f9a526c692cc9b41c594c1094dd16b0d152a27bc99d7ecba
Opcode Fuzzy Hash: 2a5ff9e8c1561b3df38e77d9895f88f177e65dc56648a8e81d30363b7e904fad
Instruction Fuzzy Hash: 59D1D4B1B0D9494FEB98FA3CD85967877D1EF99341B0440BEE58DC72A2DD389C428382

Function 00007FFB4B6176AE Relevance: 4.2, Strings: 3, Instructions: 458COMMON

Download Yara Rule

Strings

HA(K, xrefs: 00007FFB4B61792F
HA(K, xrefs: 00007FFB4B617918
(~MK, xrefs: 00007FFB4B617901

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: (~MK$HA(K$HA(K
API String ID: 0-3437044329
Opcode ID: 437763f4bef715b4b258ef5ec32beae5ed87e1ff6c61159bf310195220723512
Instruction ID: e1eb315543e3579f9ea75b86cbffb058a30e290d314ab98546e53e8b530ab780
Opcode Fuzzy Hash: 437763f4bef715b4b258ef5ec32beae5ed87e1ff6c61159bf310195220723512
Instruction Fuzzy Hash: 0DC158B1A0DA4D0FE799EB7CD859674BBD1EF49310B0541FAD48DC72A3DD28AC428381

Function 00007FFB4B615D35 Relevance: 2.8, Strings: 2, Instructions: 349COMMON

Download Yara Rule

Strings

:lK, xrefs: 00007FFB4B6161BC
(iK, xrefs: 00007FFB4B6161FD

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: (iK$:lK
API String ID: 0-2063779709
Opcode ID: 89535126fefaa926476cac39ddaf8892e127f982fe4428045ee6d2d4dacbefdb
Instruction ID: 48b230f87eeeaa2dd192c3bdd6353e5c0f9ab40cd08db6c1e1acbbd1551fb1e6
Opcode Fuzzy Hash: 89535126fefaa926476cac39ddaf8892e127f982fe4428045ee6d2d4dacbefdb
Instruction Fuzzy Hash: 48C14F74E1CA198FEB54EF29C9457B9B3E2FB98301F108579D54ED3292DA34AC828B41

Function 00007FFB4B61AA4D Relevance: 1.0, Instructions: 977COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90771a6ad659e693d28397ec88e86e5f9e65c2e1596541d8baabcde39ade254b
Instruction ID: 008d96c3d6c953e58afd5c1d6ca902d782fdde120191cea4e822a3000a9a65b4
Opcode Fuzzy Hash: 90771a6ad659e693d28397ec88e86e5f9e65c2e1596541d8baabcde39ade254b
Instruction Fuzzy Hash: 77625E7061CA498FEB95EB38C459779B7E1FF99300F1985BDD48DC72A2DE34A8428B01

Function 00007FFB4B627336 Relevance: .5, Instructions: 481COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd0a8a0bc6eae5f74e34813e099b18d28568d89dcd3d29019772758d08afbddb
Instruction ID: 342c018c20d984f5846fd5a16a28fc421215309922d2976aeaa405632c634ef1
Opcode Fuzzy Hash: dd0a8a0bc6eae5f74e34813e099b18d28568d89dcd3d29019772758d08afbddb
Instruction Fuzzy Hash: F5F1837090CA8D8FEBA9EF28CC55BF977D1FB55310F04826AD84DC7291DE3899458782

Function 00007FFB4B6280E2 Relevance: .5, Instructions: 469COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6523a177fcf2b29ddbc14cf25b44d4e6d1078aa8b3c342a827047daa8f55fe33
Instruction ID: 874bde3ece9d3dd0da11f6abe05ffe8cd9fdc91ad1e44b43a249dda978d17dba
Opcode Fuzzy Hash: 6523a177fcf2b29ddbc14cf25b44d4e6d1078aa8b3c342a827047daa8f55fe33
Instruction Fuzzy Hash: B1F1B47090CA4E8FEBA9EF28CC557E977D1FF54310F04826ED84DC7291DA78A9458782

Function 00007FFB4B62B9F7 Relevance: 13.3, Strings: 10, Instructions: 757
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HA(K, xrefs: 00007FFB4B62BF38
HA(K, xrefs: 00007FFB4B62BF74
HA(K, xrefs: 00007FFB4B62BFDF
@s2, xrefs: 00007FFB4B62BD06
HA(K, xrefs: 00007FFB4B62BE40
HA(K, xrefs: 00007FFB4B62BE29
@s2, xrefs: 00007FFB4B62BA5D
HA(K, xrefs: 00007FFB4B62BFAD
HA(K, xrefs: 00007FFB4B62BF21
HA(K, xrefs: 00007FFB4B62BECA

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: @s2$@s2$HA(K$HA(K$HA(K$HA(K$HA(K$HA(K$HA(K$HA(K
API String ID: 0-3076701787
Opcode ID: 8afe98067b871a0b964db8c8605d9e9915a8648144aeba25897fe89c1346b9eb
Instruction ID: 5a582fb4e5f0565326a92db72d3e666e72af015c7ab5cfc3c7406be51d30b0ca
Opcode Fuzzy Hash: 8afe98067b871a0b964db8c8605d9e9915a8648144aeba25897fe89c1346b9eb
Instruction Fuzzy Hash: 393206B1A1DA4A4FF75ABE38C9852B9B7D1FF55300F4441B9D58EC3196DE38B8028782

Function 00007FFB4B62F6F0 Relevance: 11.3, Strings: 8, Instructions: 1256COMMON

Download Yara Rule

Strings

, xrefs: 00007FFB4B62FDDB
HA(K, xrefs: 00007FFB4B62FE9A
HA(K, xrefs: 00007FFB4B62FE00
, xrefs: 00007FFB4B62FAD0
HA(K, xrefs: 00007FFB4B62FEF4
@#_H, xrefs: 00007FFB4B62FC60
H2NK, xrefs: 00007FFB4B62FA86
HA(K, xrefs: 00007FFB4B62FE83

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: $ $@#_H$H2NK$HA(K$HA(K$HA(K$HA(K
API String ID: 0-1911477889
Opcode ID: 8888f0feeb3d4cc945d78e023ad661171e78abacf8bdcd0bf78aa306d58bb589
Instruction ID: 55b4206e3d0148df22e1b6d4a0776e29a7f0d4e2b9811ea07daf48f80178813d
Opcode Fuzzy Hash: 8888f0feeb3d4cc945d78e023ad661171e78abacf8bdcd0bf78aa306d58bb589
Instruction Fuzzy Hash: DC82BFB1A1CA494FEBA9FE3CC855A6877D1EF58300B1540BDD58EC72B2DA38EC458742

Function 00007FFB4B629FBC Relevance: 10.5, Strings: 8, Instructions: 527
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HA(K, xrefs: 00007FFB4B62A152
HA(K, xrefs: 00007FFB4B62A0DF
HA(K, xrefs: 00007FFB4B62A0A6
HA(K, xrefs: 00007FFB4B62A24B
(~MK, xrefs: 00007FFB4B62A13B
(~MK, xrefs: 00007FFB4B62A08F
(~MK, xrefs: 00007FFB4B62A102
HA(K, xrefs: 00007FFB4B62A119

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: (~MK$(~MK$(~MK$HA(K$HA(K$HA(K$HA(K$HA(K
API String ID: 0-575455262
Opcode ID: 444b948a4ed5fd2fcb912684fc78714d753721a4c86998cc35e706e73bbbd047
Instruction ID: 007b25130af926d13a061bf9d189b20a75579d269a0eec5bdb26289b118ae724
Opcode Fuzzy Hash: 444b948a4ed5fd2fcb912684fc78714d753721a4c86998cc35e706e73bbbd047
Instruction Fuzzy Hash: 6DF1E771A0CA4E4FEB99FF7CD8556A9B7E1FF99310F0441B6D409C3292DE38A8428781

Function 00007FFB4B621B28 Relevance: 9.2, Strings: 7, Instructions: 483
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

xCoK, xrefs: 00007FFB4B621F1A
pY5, xrefs: 00007FFB4B621CC5
xCoK, xrefs: 00007FFB4B62201D
xY5, xrefs: 00007FFB4B621D79
hY5, xrefs: 00007FFB4B621CB4
hY5, xrefs: 00007FFB4B621C98
pY5, xrefs: 00007FFB4B621DB2

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: hY5$hY5$pY5$pY5$xCoK$xCoK$xY5
API String ID: 0-216790736
Opcode ID: d7086f032fddce456e209505d0f81490dd93325944456594b93b46df20eac75e
Instruction ID: d0442068adcedead2d4e462dbe2a360ffa8b00a4ac241610ce32080ea0a110f3
Opcode Fuzzy Hash: d7086f032fddce456e209505d0f81490dd93325944456594b93b46df20eac75e
Instruction Fuzzy Hash: 59F13AE290E7864FF359BBB8DC521E8BBD0EF4262070845FAD58DCB1A3D93C58168752

Function 00007FFB4B61FFA7 Relevance: 8.0, Strings: 6, Instructions: 521
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xq2, xrefs: 00007FFB4B61FFF3
@8oK, xrefs: 00007FFB4B620363
Pq2, xrefs: 00007FFB4B61FFB7
Hq2, xrefs: 00007FFB4B61FFDD
p!MK, xrefs: 00007FFB4B620375
=$_H, xrefs: 00007FFB4B620170

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: =$_H$@8oK$Hq2$Pq2$Xq2$p!MK
API String ID: 0-706728505
Opcode ID: 263135a3e863ee4b30b266c5cb28d2298268935e3011c038891a3cf419ab5cb8
Instruction ID: 5f7a91bba604aa53fc6d3c902b856e58f886f3e5092935a741870e1a7c8c6d93
Opcode Fuzzy Hash: 263135a3e863ee4b30b266c5cb28d2298268935e3011c038891a3cf419ab5cb8
Instruction Fuzzy Hash: 1DF1D3B091DA4A8FF799FB38C5556A5B7E1FF54310B1481BAC04DC71A6DA38EC828782

Function 00007FFB4B616D81 Relevance: 7.8, Strings: 6, Instructions: 328
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HA(K, xrefs: 00007FFB4B616F2B
HA(K, xrefs: 00007FFB4B616FAD
hs2, xrefs: 00007FFB4B616E91
HA(K, xrefs: 00007FFB4B616EF1
HA(K, xrefs: 00007FFB4B616FE3
HA(K, xrefs: 00007FFB4B616F64

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: HA(K$HA(K$HA(K$HA(K$HA(K$hs2
API String ID: 0-3427996456
Opcode ID: 5c0843dcb677260979116390afd743955ca135abba8bd73012de602cf31076bd
Instruction ID: 2c4f680da87cb2acc815290a1f5aa9a2392f81cea00d45a75090e8904359f0ad
Opcode Fuzzy Hash: 5c0843dcb677260979116390afd743955ca135abba8bd73012de602cf31076bd
Instruction Fuzzy Hash: DB91E1A1B1DA4A4FE7A5EF3CD85967577D2EF99340B0581B9D04EC72A3DE38AC028740

Function 00007FFB4B6354C9 Relevance: 5.6, Strings: 4, Instructions: 551
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HA(K, xrefs: 00007FFB4B6359D0
HA(K, xrefs: 00007FFB4B635611
(~MK, xrefs: 00007FFB4B6355FA
(~MK, xrefs: 00007FFB4B63568B

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: (~MK$(~MK$HA(K$HA(K
API String ID: 0-32128973
Opcode ID: 8226c74cc82f313108d4a4f46cf9a85e814a2cfdb8305b7966b34864cd20c87a
Instruction ID: b1778b830b862df9ed4c08b5b125d7b1d61a2d10ae6ef45070d206229f37de05
Opcode Fuzzy Hash: 8226c74cc82f313108d4a4f46cf9a85e814a2cfdb8305b7966b34864cd20c87a
Instruction Fuzzy Hash: 9BF1D672A1DA594FE759FB38C8552B9B7E2FF89310B1441B9D14EC31A2DE38AC42C781

Function 00007FFB4B6D01BA Relevance: 5.1, Strings: 4, Instructions: 132COMMON

Download Yara Rule

Strings

0'MK, xrefs: 00007FFB4B6D01C8
0'MK, xrefs: 00007FFB4B6D021F
"$_L, xrefs: 00007FFB4B6D01D2
0%MK, xrefs: 00007FFB4B6D024B

Memory Dump Source

Source File: 00000000.00000002.2680569525.00007FFB4B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B6D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b6d0000_RegAsm.jbxd

Similarity

API ID:
String ID: "$_L$0%MK$0'MK$0'MK
API String ID: 0-21142969
Opcode ID: af269a4f58b3984dfc94a640ec332151d0f1151c4d167d4ff55310fe9b2bf51e
Instruction ID: ca8c077c6022c13ae6753eff7f5fba754126ec941ea0c11908ab214843e1582e
Opcode Fuzzy Hash: af269a4f58b3984dfc94a640ec332151d0f1151c4d167d4ff55310fe9b2bf51e
Instruction Fuzzy Hash: E6312CB2A1EA890FF75AAA7C9C372B4B7C5EB55310B0441FED48AC71E2DD185C428392

Function 00007FFB4B630BA3 Relevance: 4.3, Strings: 3, Instructions: 530COMMON

Download Yara Rule

Strings

HA(K, xrefs: 00007FFB4B630F18
HA(K, xrefs: 00007FFB4B630DFB
HA(K, xrefs: 00007FFB4B630F3A

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: HA(K$HA(K$HA(K
API String ID: 0-3505950274
Opcode ID: de6b3a7b4082d4f9e8b66a9ea1885cb841bbffd437159c6de83db7c3bc49ffce
Instruction ID: 321dbf8ddc879be9396a1130a5ab87f5403b882b886c3c6d94239eed3ba60f64
Opcode Fuzzy Hash: de6b3a7b4082d4f9e8b66a9ea1885cb841bbffd437159c6de83db7c3bc49ffce
Instruction Fuzzy Hash: 8AF128B2A0DA494FE795EF3CC855664BBD1EF99310B0940FAD18DC72A2DE38AC46C741

Function 00007FFB4B6214BE Relevance: 4.2, Strings: 3, Instructions: 482COMMON

Download Yara Rule

Strings

0UoK, xrefs: 00007FFB4B62180C
+$_^, xrefs: 00007FFB4B621901
pY5, xrefs: 00007FFB4B621820

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: +$_^$0UoK$pY5
API String ID: 0-206384423
Opcode ID: a9ca031720d64052ba83cdcfea7276e7ddab078a1a4a0014c4119f3e24fbed14
Instruction ID: 050c0fcbf054bba3e08a3512d59624b1fc55ae64e83e11f4b35cc5deb57fd964
Opcode Fuzzy Hash: a9ca031720d64052ba83cdcfea7276e7ddab078a1a4a0014c4119f3e24fbed14
Instruction Fuzzy Hash: AFE15DA290E6954FF716BB78D8522E47BE0EF46220B0841F6D4CDCB0A3DD3C6456C792

Function 00007FFB4B62E401 Relevance: 4.2, Strings: 3, Instructions: 461COMMON

Download Yara Rule

Strings

>._L, xrefs: 00007FFB4B62E5D2
=#_L, xrefs: 00007FFB4B62E770
0MK, xrefs: 00007FFB4B62E5C8

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: 0MK$=#_L$>._L
API String ID: 0-2535486575
Opcode ID: d60742b9284b4e21088270cb2e7b78b114e7b6da73441ec0d160387f05e1b18a
Instruction ID: dcfdbdf7c59059d53ca099c66122d0daf2cde42e9941fe02556a9ad07b3df739
Opcode Fuzzy Hash: d60742b9284b4e21088270cb2e7b78b114e7b6da73441ec0d160387f05e1b18a
Instruction Fuzzy Hash: 81E172B1A1CA4A8FEB48EF28D855669B7D2FF98700F1445BDE44DC7292DE34AC42C742

Function 00007FFB4B63335B Relevance: 4.2, Strings: 3, Instructions: 450COMMON

Download Yara Rule

Strings

xBMK, xrefs: 00007FFB4B633497
HA(K, xrefs: 00007FFB4B633759
H2NK, xrefs: 00007FFB4B633534

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: H2NK$HA(K$xBMK
API String ID: 0-4199452410
Opcode ID: f46fd1c6943c7fc8c8bda738b817a5880ed456620120cc041596cccf343a4af5
Instruction ID: a0317ea7e0842ac1ad8d6e90c082838c3032e02c318c8a3844c6fde5914b19dc
Opcode Fuzzy Hash: f46fd1c6943c7fc8c8bda738b817a5880ed456620120cc041596cccf343a4af5
Instruction Fuzzy Hash: CCD1E1B1A1CA4A4FE798EF3CC945675B7E1FF98310B1485B9D14EC72A2CE39A842C741

Function 00007FFB4B61E3A9 Relevance: 3.9, Strings: 3, Instructions: 160COMMON

Download Yara Rule

Strings

h^KK, xrefs: 00007FFB4B61E43D
(r2, xrefs: 00007FFB4B61E4E0
X7oK, xrefs: 00007FFB4B61E504

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: (r2$X7oK$h^KK
API String ID: 0-828251241
Opcode ID: 580ed80ebbf1a16550660e0215083ecc4ca45921dbafa98e573244091ebe37fd
Instruction ID: 80c97918f2ecb960d0788440c872ae898724461b6b87aaefe2a54e01f6b31f32
Opcode Fuzzy Hash: 580ed80ebbf1a16550660e0215083ecc4ca45921dbafa98e573244091ebe37fd
Instruction Fuzzy Hash: 6541F4E192EACA5FFB86BB78C8561E57BE0EF19210B0445F6E449C7197DD38D8038391

Function 00007FFB4B61CA76 Relevance: 3.9, Strings: 3, Instructions: 105COMMON

Download Yara Rule

Strings

pt2, xrefs: 00007FFB4B61CB80
Y$_H, xrefs: 00007FFB4B61CB6E
ht2, xrefs: 00007FFB4B61CB51

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: Y$_H$ht2$pt2
API String ID: 0-3430569625
Opcode ID: 6d6b9cc09093479144c4b9a90ff960577cf0667a3b4a50da728adb22647caa84
Instruction ID: 4f5035c07bc8dc7f5609283e04a5c134f33d29cf6e7885d7994214772b9830fc
Opcode Fuzzy Hash: 6d6b9cc09093479144c4b9a90ff960577cf0667a3b4a50da728adb22647caa84
Instruction Fuzzy Hash: F93107F1D29A8E4FE785FB78C8461BDBBE1FF98300B0084BAD459C7192DE3868468751

Function 00007FFB4B6D5160 Relevance: 3.9, Strings: 3, Instructions: 105COMMON

Download Yara Rule

Strings

`9PK, xrefs: 00007FFB4B6D51ED
`9PK, xrefs: 00007FFB4B6D5167
`9PK, xrefs: 00007FFB4B6D51B2

Memory Dump Source

Source File: 00000000.00000002.2680569525.00007FFB4B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B6D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b6d0000_RegAsm.jbxd

Similarity

API ID:
String ID: `9PK$`9PK$`9PK
API String ID: 0-2918041946
Opcode ID: 6dec97bc05964cfda94c3c229df303b4da22557ee8197e8ae03bbc9d98f8f8ed
Instruction ID: 1666284421430dbcd170c9957bbf0539696cd1fae1933d61900b58cce9da1dc4
Opcode Fuzzy Hash: 6dec97bc05964cfda94c3c229df303b4da22557ee8197e8ae03bbc9d98f8f8ed
Instruction Fuzzy Hash: BD21F692B0DE4B0BF7A6BA3C8D6523596C7DFD868075841BAD60DC77A6ED28DC025340

Function 00007FFB4B61E521 Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

Hq2, xrefs: 00007FFB4B61E5B4
X#MK, xrefs: 00007FFB4B61E551
Pq2, xrefs: 00007FFB4B61E56D

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: Hq2$Pq2$X#MK
API String ID: 0-1831106988
Opcode ID: 06f2fadae9978572a3b7137d834f7291e1deed2db1883aedcf10b21f075bee33
Instruction ID: 1774a1d19acea0e28f4061345dc42ab9baaff77b91a124149cef3d64444167e8
Opcode Fuzzy Hash: 06f2fadae9978572a3b7137d834f7291e1deed2db1883aedcf10b21f075bee33
Instruction Fuzzy Hash: 8D219FB080D7C95FE745AF7888662A9BFF0FF59300F0405AEE08AC72A3DA785545C742

Function 00007FFB4B3936A9 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 138fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32 ref: 00007FFB4B393787

Strings

H%9K, xrefs: 00007FFB4B3936DA

Memory Dump Source

Source File: 00000000.00000002.2678120500.00007FFB4B390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b390000_RegAsm.jbxd

Similarity

API ID: DeleteFile
String ID: H%9K
API String ID: 4033686569-2934455911
Opcode ID: 1d4437fa515e040918979dae61a5ddacb8a0842c42edb8b8f6ad3382e00ecbd5
Instruction ID: e68898fbd30e9afec1285d0ec02b17f7d97998ad9c95a68ba39c2ef940774ef3
Opcode Fuzzy Hash: 1d4437fa515e040918979dae61a5ddacb8a0842c42edb8b8f6ad3382e00ecbd5
Instruction Fuzzy Hash: 494117B180CA4C9FDB19EF68C8496E97FF0EF55320F0482AFD049C72A2DA346805C791

Function 00007FFB4B62D38D Relevance: 3.3, Strings: 2, Instructions: 799COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFB4B62D76B
H2NK, xrefs: 00007FFB4B62D98D

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: H2NK$_
API String ID: 0-2215649960
Opcode ID: edc72f6d67bcf534885e64335749c18c2dc0283356a022e29117169f068bb30e
Instruction ID: a1e0084afbbffd06edad01075ad598d6ee152712c9808b36b86afddd970df66e
Opcode Fuzzy Hash: edc72f6d67bcf534885e64335749c18c2dc0283356a022e29117169f068bb30e
Instruction Fuzzy Hash: F3428F71A0C9498FEB89FF28C895AA977E1FF59304F1041A9E54DC72E6CA34EC42C781

Function 00007FFB4B62D411 Relevance: 3.2, Strings: 2, Instructions: 727COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFB4B62D76B
H2NK, xrefs: 00007FFB4B62D98D

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: H2NK$_
API String ID: 0-2215649960
Opcode ID: ee7f5eb1330b0722a6423b2682bc62eae13717b3b40c2d3a3140107d03cb205f
Instruction ID: 32f058bd82d385bd1e74d5a478959e1a7546146da7ccb546df717ec967820d78
Opcode Fuzzy Hash: ee7f5eb1330b0722a6423b2682bc62eae13717b3b40c2d3a3140107d03cb205f
Instruction Fuzzy Hash: D9324F71A1C9498FEB99FF28C895AA977E1FF58304F1041A9E54DC72E6CA34EC42C781

Function 00007FFB4B62D446 Relevance: 3.2, Strings: 2, Instructions: 724COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFB4B62D76B
H2NK, xrefs: 00007FFB4B62D98D

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: H2NK$_
API String ID: 0-2215649960
Opcode ID: e6b4c1a38841ee306aa86f21dff33e3f58874b8f462a3935c6126cc8cc55441f
Instruction ID: 85c08092a939e93f1ae85c26572cca284f8de8c37059f38df961d7ad15237784
Opcode Fuzzy Hash: e6b4c1a38841ee306aa86f21dff33e3f58874b8f462a3935c6126cc8cc55441f
Instruction Fuzzy Hash: BC324F71A1C9498FEB99FF28C895AA977E1FF58304F1041A9E54DC72E6CA34EC42C781

Function 00007FFB4B61C325 Relevance: 3.0, Strings: 2, Instructions: 508COMMON

Download Yara Rule

Strings

`$_H, xrefs: 00007FFB4B61C46D
X!oK, xrefs: 00007FFB4B61C71B

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: X!oK$`$_H
API String ID: 0-2000243561
Opcode ID: 73eb4bbcd38ffb92cfe8f19aa420c39b2564eba80d199e868f31b1197a3b2df8
Instruction ID: b2acf595d19c6a66f082aad34212d7f78f68c350a68d0482ef60dfb3845e9552
Opcode Fuzzy Hash: 73eb4bbcd38ffb92cfe8f19aa420c39b2564eba80d199e868f31b1197a3b2df8
Instruction Fuzzy Hash: E9E119B2B0DF8A0FE395FA7CC4956B9B7D2EF98250B5441BAC44DC7297DD24AC428740

Function 00007FFB4B61A609 Relevance: 2.9, Strings: 2, Instructions: 439COMMON

Download Yara Rule

Strings

HA(K, xrefs: 00007FFB4B61A69A
HA(K, xrefs: 00007FFB4B61A98E

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: HA(K$HA(K
API String ID: 0-1481888453
Opcode ID: bb42f373a3d06b1260ef189f4384d90d85c52c7e2fe5e3ac1ff2b3c271558ce1
Instruction ID: 9806a6ec8c32c5abb12abd11d1aaa8ab7208cdd87dcd2a7874626d846915fe50
Opcode Fuzzy Hash: bb42f373a3d06b1260ef189f4384d90d85c52c7e2fe5e3ac1ff2b3c271558ce1
Instruction Fuzzy Hash: EAD1A771A1CA098FDB94EF38C8557B9B7E1FF98310F0581B9D55EC32A2DE34A8428B41

Function 00007FFB4B6320A8 Relevance: 2.7, Strings: 2, Instructions: 232COMMON

Download Yara Rule

Strings

@lNK, xrefs: 00007FFB4B632310
@lNK, xrefs: 00007FFB4B632337

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: @lNK$@lNK
API String ID: 0-2937606136
Opcode ID: 2bca3b0866d0f5e66c24df6e2118fc8a34068ad6d0cd484a5ee121f3a702a662
Instruction ID: da287594cc43be653dd36fc307d77cf8374d9930eafddc15627fe7df7677827a
Opcode Fuzzy Hash: 2bca3b0866d0f5e66c24df6e2118fc8a34068ad6d0cd484a5ee121f3a702a662
Instruction Fuzzy Hash: 35716D71A0DA194FEF94FE38CD51BA8B7A1EF55310F0481B9D14DC32A6CA34AD85CB81

Function 00007FFB4B628965 Relevance: 2.7, Strings: 2, Instructions: 194COMMON

Download Yara Rule

Strings

pq2, xrefs: 00007FFB4B6289A0
pq2, xrefs: 00007FFB4B628986

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: pq2$pq2
API String ID: 0-3168640070
Opcode ID: d43be60450d631eea5e1c7847c87c8b065c4799ca6bdfb4d46680b76ff19f116
Instruction ID: 9e78f65cb150eb40cb7bfb4f9834dcc81a6ffe24027d9aa94056c17f3df59b5e
Opcode Fuzzy Hash: d43be60450d631eea5e1c7847c87c8b065c4799ca6bdfb4d46680b76ff19f116
Instruction Fuzzy Hash: 4B51C3B090DA4A5FFB59FB78CC1A2A9BBE0EF05201B0445FAD14DC71E2DA3C9841C752

Function 00007FFB4B61CDE9 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

CPK, xrefs: 00007FFB4B61CEBC
CPK, xrefs: 00007FFB4B61CEF7

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: CPK$CPK
API String ID: 0-4023841038
Opcode ID: 0181171aaa260ca53c436d85fc00fd7d4a258e49c0870396240eaf5d5e68fa67
Instruction ID: 90ee3e83526c58411a04aeb58dc7ea1abd593a749f15c38689d3c750c5fcb758
Opcode Fuzzy Hash: 0181171aaa260ca53c436d85fc00fd7d4a258e49c0870396240eaf5d5e68fa67
Instruction Fuzzy Hash: 58412AB290DF8A0FD3A6DF3CD9551B8BBE1EF55250B0441AAD189CB1A3DE28A84583C1

Function 00007FFB4B61D9F4 Relevance: 2.6, Strings: 2, Instructions: 127COMMON

Download Yara Rule

Strings

PTPK, xrefs: 00007FFB4B61DA4B
PTPK, xrefs: 00007FFB4B61DA1A

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: PTPK$PTPK
API String ID: 0-3425795770
Opcode ID: af4c318e03e7e35a5ae4df6f7fbb855c340f92d3175d788a660571b65e1a5aac
Instruction ID: 8fe75a68b58ecc21a11a53ed9d930b18791bbe478673fc3f30e718bdaa2a8880
Opcode Fuzzy Hash: af4c318e03e7e35a5ae4df6f7fbb855c340f92d3175d788a660571b65e1a5aac
Instruction Fuzzy Hash: 7631E7A160E7850FE31A9A38D8561B4BFD1EF8662171942BFD48DCB2A3DC2D9C438391

Function 00007FFB4B6D5566 Relevance: 2.6, Strings: 2, Instructions: 95COMMON

Download Yara Rule

Strings

APK, xrefs: 00007FFB4B6D55A4
APK, xrefs: 00007FFB4B6D55DF

Memory Dump Source

Source File: 00000000.00000002.2680569525.00007FFB4B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B6D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b6d0000_RegAsm.jbxd

Similarity

API ID:
String ID: APK$APK
API String ID: 0-3903321437
Opcode ID: 3ae167a7e55a3d6255842d1f57ba8cec7dc258fabf4c6d4bbe087a7c3f23974e
Instruction ID: 1d8588e04b06c59f04fae8ba2b1384c59638edeac0b659ee8d3dee2da2884ef9
Opcode Fuzzy Hash: 3ae167a7e55a3d6255842d1f57ba8cec7dc258fabf4c6d4bbe087a7c3f23974e
Instruction Fuzzy Hash: 16212591B0DE4B0BF7A6BA3C886523996C7DFD824075881BAD20DC36A6EC38DC024340

Function 00007FFB4B6D48CD Relevance: 2.6, Strings: 2, Instructions: 92COMMON

Download Yara Rule

Strings

-PK, xrefs: 00007FFB4B6D493F
-PK, xrefs: 00007FFB4B6D4904

Memory Dump Source

Source File: 00000000.00000002.2680569525.00007FFB4B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B6D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b6d0000_RegAsm.jbxd

Similarity

API ID:
String ID: -PK$-PK
API String ID: 0-1655776231
Opcode ID: bda3288911d81e081434840fadd4cb2761b184632fbe8f0ca4d2aa6eb0c9ac1a
Instruction ID: 7491a08752eb9d00971429168dee20c1fb2bf332727a489c7809ba5a7e60a6fc
Opcode Fuzzy Hash: bda3288911d81e081434840fadd4cb2761b184632fbe8f0ca4d2aa6eb0c9ac1a
Instruction Fuzzy Hash: CA212992B0DE8B0BF7A5BA3D88A123596C3DFC865076941BAD60DC72E7ED39DC024340

Function 00007FFB4B6288C5 Relevance: 2.6, Strings: 2, Instructions: 63COMMON

Download Yara Rule

Strings

hq2, xrefs: 00007FFB4B628947
hq2, xrefs: 00007FFB4B628907

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: hq2$hq2
API String ID: 0-3176950023
Opcode ID: 7f22d314a162c9145fc4173be01c747f74a3d12502a0602b7f3eb8c3b2aa0305
Instruction ID: d1da8adeb0948b0edce5369a80e57028781e4f6f124a45af19e48dba5cf579f7
Opcode Fuzzy Hash: 7f22d314a162c9145fc4173be01c747f74a3d12502a0602b7f3eb8c3b2aa0305
Instruction Fuzzy Hash: 9311CB90A4EBC60FE35376788C260A5BFE0EF0652074901FBC088CB0A3D81C4C46C363

Function 00007FFB4B632356 Relevance: 1.9, Strings: 1, Instructions: 670COMMON

Download Yara Rule

Strings

HA(K, xrefs: 00007FFB4B632960

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: HA(K
API String ID: 0-3002039947
Opcode ID: 93055c4b0c6e9275de15e8e9effde71f98cde3f3b79c0cb9dc1ddd323cf028d1
Instruction ID: 680c11245a4b6345b4b51e6ff9b2f8e7997e0b2ab00d971811a7ea3f424f9594
Opcode Fuzzy Hash: 93055c4b0c6e9275de15e8e9effde71f98cde3f3b79c0cb9dc1ddd323cf028d1
Instruction Fuzzy Hash: 82227F71A1CA598FEB98EF38C9556A9B7E1FF58300F1481B9D14DC32A6DE34AC41CB81

Function 00007FFB4B612440 Relevance: 1.8, Strings: 1, Instructions: 526COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFB4B62AC99

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 52d99a325f98ea8537bec6122412062d7e9c78572a73c9554790ea897a5ca54e
Instruction ID: 99230ba397f533226253eb5ee955928bc76f0fd8812e2f6980669b39a55ddc17
Opcode Fuzzy Hash: 52d99a325f98ea8537bec6122412062d7e9c78572a73c9554790ea897a5ca54e
Instruction Fuzzy Hash: 63F1D270A1CA0A8FE75DEF28C885575B3E1EF98301B1485B9D949C72A6DE74EC43CB81

Function 00007FFB4B618C79 Relevance: 1.8, Strings: 1, Instructions: 503COMMON

Download Yara Rule

Strings

^NK, xrefs: 00007FFB4B61909A

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: ^NK
API String ID: 0-1755351307
Opcode ID: f6ec6cc2b6f2a311019f6a1c3305c9cd1607f50a1c25217c878c8957b57de045
Instruction ID: d4a0ab654b260fe137e774ba2b0bf84a90c318c72bfe02eae3f9fdbf2f7656b3
Opcode Fuzzy Hash: f6ec6cc2b6f2a311019f6a1c3305c9cd1607f50a1c25217c878c8957b57de045
Instruction Fuzzy Hash: 8CF1B370A0CA494FEB58EE28C9457B9B7E1FF59311F1481BDD58EC32E2CE38A8468741

Function 00007FFB4B6301FC Relevance: 1.7, Strings: 1, Instructions: 430COMMON

Download Yara Rule

Strings

HA(K, xrefs: 00007FFB4B630475

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: HA(K
API String ID: 0-3002039947
Opcode ID: ca7cca869825e4bd0f95524019be73a57dc1c0461bc7870c65103eeee78e7c8a
Instruction ID: c203d56dcd8db705290d4bc329b48708b9b66bfde030cd98dc47d4c59c6d45b8
Opcode Fuzzy Hash: ca7cca869825e4bd0f95524019be73a57dc1c0461bc7870c65103eeee78e7c8a
Instruction Fuzzy Hash: 28D117A390DA864FE3A9AF38CD16364BBE0EF55210F0545FAC18DC75B3D92C690AC342

Function 00007FFB4B6337A1 Relevance: 1.7, Strings: 1, Instructions: 403COMMON

Download Yara Rule

Strings

HA(K, xrefs: 00007FFB4B63385C

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: HA(K
API String ID: 0-3002039947
Opcode ID: 9b1908b59d1e5581259f031a22500e7bd4fd557e1077beb9cc0c5d811ad62038
Instruction ID: 74dabbb15aaf446dcfa96c03bef85b1aa08ebce96915f795210ad59b27e714b9
Opcode Fuzzy Hash: 9b1908b59d1e5581259f031a22500e7bd4fd557e1077beb9cc0c5d811ad62038
Instruction Fuzzy Hash: 2FC18371A1CA494FEB99FF3CC855668B7E1EF99700B0441B9D14EC76A6CE38AC42C781

Function 00007FFB4B3936ED Relevance: 1.6, APIs: 1, Instructions: 110fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32 ref: 00007FFB4B393787

Memory Dump Source

Source File: 00000000.00000002.2678120500.00007FFB4B390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b390000_RegAsm.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 1d07ddf2f37b810cab6abb2f9f8e6c41df1d0284e6b7293767271254f81627d4
Instruction ID: 330cf02a1967bfcfbf03590576717bce44a1b9db8ce64c8a09f8be7da19a42ef
Opcode Fuzzy Hash: 1d07ddf2f37b810cab6abb2f9f8e6c41df1d0284e6b7293767271254f81627d4
Instruction Fuzzy Hash: 3B31D27180CA5C8FDB59DF68C4496E9BBF0FF65321F04826FD049D32A2DB34A8568B91

Function 00007FFB4B62A9C1 Relevance: 1.6, Strings: 1, Instructions: 321COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFB4B62AC99

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 5411ca50a27736e2a4e100c911a2d2323a5570f0d168cedf400583711bd08af9
Instruction ID: e43d1acc535006818e15650775b10879a10ac1fe15062213bb94a6d88ab35232
Opcode Fuzzy Hash: 5411ca50a27736e2a4e100c911a2d2323a5570f0d168cedf400583711bd08af9
Instruction Fuzzy Hash: E0A1BF70A1CA498FE74CEF28C885575B3E1FF98301B2485BDD949C7296DA75E843CB82

Function 00007FFB4B619000 Relevance: 1.5, Strings: 1, Instructions: 292COMMON

Download Yara Rule

Strings

^NK, xrefs: 00007FFB4B61909A

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: ^NK
API String ID: 0-1755351307
Opcode ID: 957015d234cbb074785acf3d0778ebee1907e07d5fe70dcd378007a1f574627d
Instruction ID: 1383d4b1053aeee0ea439ab4f1856154f2103698c9e1d65e0ac383eed0b1e061
Opcode Fuzzy Hash: 957015d234cbb074785acf3d0778ebee1907e07d5fe70dcd378007a1f574627d
Instruction Fuzzy Hash: 0BA18070A0C6494FEB54EE29C9457B9B7E1EF68305F1481BDD58EC32E6CE38A8868741

Function 00007FFB4B613FA6 Relevance: 1.5, Strings: 1, Instructions: 284COMMON

Download Yara Rule

Strings

@, xrefs: 00007FFB4B6144B7

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 3f45c201282195e5ea982fdfdb8080bc1bfcbd57fb99ae43caf7e72bd876c0ae
Instruction ID: 88e2211b473a81ba74b6d68698a27bb27b12fb74792cc1a7dddb15ad8d2f6ff5
Opcode Fuzzy Hash: 3f45c201282195e5ea982fdfdb8080bc1bfcbd57fb99ae43caf7e72bd876c0ae
Instruction Fuzzy Hash: A581D8B1A0D64A4FE7A4EE2CD955379B7C1EF85310F14427DD98EC72E1DE3898428B82

Function 00007FFB4B6176BB Relevance: 1.5, Strings: 1, Instructions: 283COMMON

Download Yara Rule

Strings

HA(K, xrefs: 00007FFB4B6176F0

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: HA(K
API String ID: 0-3002039947
Opcode ID: 5bd428a099308dc686cdf5c11945476bfc5c5c619a37362824d945c71de68061
Instruction ID: dfa55f8eda003631ac7110f03be9163d3a17faac4e6dd0ce1565c2a77d072802
Opcode Fuzzy Hash: 5bd428a099308dc686cdf5c11945476bfc5c5c619a37362824d945c71de68061
Instruction Fuzzy Hash: 64615CE1A0DA4D0FE795AA7CDC4A5B5BBC1EF99310B0541FAD58DC31A3ED24AC438391

Function 00007FFB4B62D8DF Relevance: 1.5, Strings: 1, Instructions: 277COMMON

Download Yara Rule

Strings

H2NK, xrefs: 00007FFB4B62D98D

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: H2NK
API String ID: 0-3623838883
Opcode ID: 90a572b22f22ea074a1f71ef040d19c33e2e0366fc0f1e02f58480d9e0334ab7
Instruction ID: 9f12aaa916fd181371f0d01135313041a7dbbc7f8ff44d92789ccd2a7979009d
Opcode Fuzzy Hash: 90a572b22f22ea074a1f71ef040d19c33e2e0366fc0f1e02f58480d9e0334ab7
Instruction Fuzzy Hash: DE91627061C94D8FEB89FF2CC895AA977E1FF59344B1141A8E14DC72A6CA35EC82C781

Function 00007FFB4B634825 Relevance: 1.5, Strings: 1, Instructions: 234COMMON

Download Yara Rule

Strings

`@cK, xrefs: 00007FFB4B63483E

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: `@cK
API String ID: 0-3307603363
Opcode ID: 1067f05eb2c343407d3360a88ef748702430013104ffa3ddcf9180916c1a2cf9
Instruction ID: 9df7668b62bc04980d0cd9e84bb47e10f6b6a11b1f44b4950005fc3c983b0c9c
Opcode Fuzzy Hash: 1067f05eb2c343407d3360a88ef748702430013104ffa3ddcf9180916c1a2cf9
Instruction Fuzzy Hash: E461E1A1A1CA854FE749EB7CC865A64BBE1EF5A310B0441FEE549C72E3CD28EC42C741

Function 00007FFB4B622139 Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

"$_^, xrefs: 00007FFB4B622201

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: "$_^
API String ID: 0-2781572093
Opcode ID: 3469e5b88c5d30d22a4a835024a71fc7fda88315b908447d93019e5b93975be2
Instruction ID: 484aaec5b13c6faf42a1a29025a1e4e696ae4ea8877b3d41eb2bec1ba88323c1
Opcode Fuzzy Hash: 3469e5b88c5d30d22a4a835024a71fc7fda88315b908447d93019e5b93975be2
Instruction Fuzzy Hash: 1061D5B281E6558FE706FF78E8821E97760FF06724B0445F6D449CF0A7D938A446C791

Function 00007FFB4B61D3F5 Relevance: 1.5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

0nGK, xrefs: 00007FFB4B61D4D3

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: 0nGK
API String ID: 0-3440410701
Opcode ID: 46192516b04e1dc486ad264a412f8cf2ebf1219086b8b4609f101711325ae164
Instruction ID: c9e28a6beb959b03301dc9164d6637380a7c4a542789653ddcc0e8b8c27ef958
Opcode Fuzzy Hash: 46192516b04e1dc486ad264a412f8cf2ebf1219086b8b4609f101711325ae164
Instruction Fuzzy Hash: 965126B254DA861FE356EB38CC646B5BFE0EF86210B0941FAD18DC75A3DD2CA842C351

Function 00007FFB4B622150 Relevance: 1.5, Strings: 1, Instructions: 203COMMON

Download Yara Rule

Strings

"$_^, xrefs: 00007FFB4B622201

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: "$_^
API String ID: 0-2781572093
Opcode ID: 80fe3b93f43b6bd5870022c2f268b6614d037060839e21a67f8f450581bd5483
Instruction ID: a7741f1b7519325b3b367a4e54acbd9045225d9525114802592fde781ed10005
Opcode Fuzzy Hash: 80fe3b93f43b6bd5870022c2f268b6614d037060839e21a67f8f450581bd5483
Instruction Fuzzy Hash: 0C51F6F281E6598FEB05FF7CE8821E977A0FF05B24B0445B6D44D8B0A7DD34A4428791

Function 00007FFB4B6210F2 Relevance: 1.4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

Strings

K3, xrefs: 00007FFB4B62116E

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: K3
API String ID: 0-411264050
Opcode ID: 51f79269308746b02052b880eca3df9bf885a06102a80a605f69694acfa5215d
Instruction ID: 820aa5ae33b77495d0f20bbf88172802040b49c9bfe603326eff9e2a27f5fc75
Opcode Fuzzy Hash: 51f79269308746b02052b880eca3df9bf885a06102a80a605f69694acfa5215d
Instruction Fuzzy Hash: 0E4102A280E6A94BEB06BB78F8421E97B60FF06730B0411F2D48C8B0A3D934685687D1

Function 00007FFB4B621148 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

K3, xrefs: 00007FFB4B62116E

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: K3
API String ID: 0-411264050
Opcode ID: 50e248b8d2512fab021cb99d47392fc375c213d3579865319097b7e12ddc1354
Instruction ID: 64e17a4675003d7153347d97e8b33a5743820e6ea435f3c2e2ebcc5669ef3f11
Opcode Fuzzy Hash: 50e248b8d2512fab021cb99d47392fc375c213d3579865319097b7e12ddc1354
Instruction Fuzzy Hash: B331E3A290E6A94FEB06BF78FC421E977A0FF46330B0415B3E4498B1A3D974685687D1

Function 00007FFB4B61C776 Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

`"oK, xrefs: 00007FFB4B61C79E

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: `"oK
API String ID: 0-583030241
Opcode ID: 7c9a7b745546fe4bc64825de56ef3cb93af08b38679ed77950d323a3555a3fa0
Instruction ID: 0fe015c9d680c48726dd9e3b076a5303137c4ad23714402d8771ce4bc267c2c3
Opcode Fuzzy Hash: 7c9a7b745546fe4bc64825de56ef3cb93af08b38679ed77950d323a3555a3fa0
Instruction Fuzzy Hash: 002108D261DECA1FE389AA3C89956B5BBD1EF98610B0441FAD14EC7193DC68A80A4350

Function 00007FFB4B612952 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

hs2, xrefs: 00007FFB4B61297D

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: hs2
API String ID: 0-3305532538
Opcode ID: 9a9a1d9d64cee1c8d360a4cf74cfe7da016c2d1d44f4266eba0e071f055962a6
Instruction ID: 8fcfbcfbc8e4eaa298bbb976321a1012e44825b3e9e71ee19532e3cdfeac068f
Opcode Fuzzy Hash: 9a9a1d9d64cee1c8d360a4cf74cfe7da016c2d1d44f4266eba0e071f055962a6
Instruction Fuzzy Hash: D2212891A2DA8A0FE785BB78C4522F9B3D1EF98700F04C4B6C24EC32D7CC6898078791

Function 00007FFB4B61223A Relevance: 1.3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

Strings

`9NK, xrefs: 00007FFB4B612271

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: `9NK
API String ID: 0-3190557843
Opcode ID: 47fea0ee00804936a145bfb536f2e706e1ac865a86e376ddc41232e5eef62d06
Instruction ID: 1f6c337190cf314f236061b63e32602551c8637b8b5e973ae4ce3709aa2e7ad1
Opcode Fuzzy Hash: 47fea0ee00804936a145bfb536f2e706e1ac865a86e376ddc41232e5eef62d06
Instruction Fuzzy Hash: 74F04C6181DBC91FDB12AB7488161B6BFF0FF46200F0944E7D59CCB0A3C9285508C752

Function 00007FFB4B6122AD Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

hs2, xrefs: 00007FFB4B6122F2

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: hs2
API String ID: 0-3305532538
Opcode ID: b15e2e25798f6c5c65d089535504aad06c256c7dcf65d94367270d6d41d1d2f5
Instruction ID: 72535a65bb4c51729ee52cc27ea6e24aeffb0b87ccb2aec1141c69639701db16
Opcode Fuzzy Hash: b15e2e25798f6c5c65d089535504aad06c256c7dcf65d94367270d6d41d1d2f5
Instruction Fuzzy Hash: 03F022A181D6CD0FE755AF74881A0EA7FE0FF85210F0541EAE458C60A2ED6854058301

Function 00007FFB4B628912 Relevance: 1.3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

Strings

hq2, xrefs: 00007FFB4B628947

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: hq2
API String ID: 0-3217440538
Opcode ID: 5cda14f4eb3aace3c3200787b0246668cbb0ffa00485f8a57163d1242b82902e
Instruction ID: d3dc05c961ad143219c882d41fd73466eb09d5c432f2b95d56e7ebeca2d8be50
Opcode Fuzzy Hash: 5cda14f4eb3aace3c3200787b0246668cbb0ffa00485f8a57163d1242b82902e
Instruction Fuzzy Hash: 61F0A090A1DA5B0FE696B77D982A1A869D0EF49260B4406F6E54AC32A2DD1CDC428385

Function 00007FFB4B62DDED Relevance: .5, Instructions: 496COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 734563c8356d63181a476c6ad84442d7d0a66a213bba96c6eedaa4bb2045aac6
Instruction ID: fb71ed8ac859c94d481f4acebf20c8360c790cca0d97dc20cbd47b4c3614e981
Opcode Fuzzy Hash: 734563c8356d63181a476c6ad84442d7d0a66a213bba96c6eedaa4bb2045aac6
Instruction Fuzzy Hash: 93F116B190D7864FF369BA38C9561A47BE0EF56310B0589FAC58DCB1B2DA3868468742

Function 00007FFB4B6345B9 Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cd6754ce35d944020062b33544a116c6b47bd70024b41b85cb632de707e64bc
Instruction ID: 08e81d1fd71c438d2e24e939f05b8ba34af6546f96b033af45b51af2089ed437
Opcode Fuzzy Hash: 7cd6754ce35d944020062b33544a116c6b47bd70024b41b85cb632de707e64bc
Instruction Fuzzy Hash: 1AD103B2A0DA854FE759EF7CC855664BBE0EF56310B0840FAD589C72B3DD28AC46C742

Function 00007FFB4B634A39 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04e339872046ffef99e779162b48b5bf7701598f4b4a6268dfc2c610f8d0e213
Instruction ID: 5ef8ad71cb5100915f321bc44f0030a62739f3b46f2cb8728e364ad84d52dd97
Opcode Fuzzy Hash: 04e339872046ffef99e779162b48b5bf7701598f4b4a6268dfc2c610f8d0e213
Instruction Fuzzy Hash: 37C192B1A1CA094FEB99FF7CC855AA9B7D1EF58700F1441B9E54EC3292DD38AC428781

Function 00007FFB4B632399 Relevance: .4, Instructions: 387COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 445ce3ed590758e541b1f9ff8990cef527ee435b66ed281a6762f72f8718e2aa
Instruction ID: abb2c8285d0b6fc85484b46a343ef0af0f2569d00a6f870f6d47cf403654bdf3
Opcode Fuzzy Hash: 445ce3ed590758e541b1f9ff8990cef527ee435b66ed281a6762f72f8718e2aa
Instruction Fuzzy Hash: 11C19071A1CA594FEB98FF28C8557A9B7E1FF59300F1041A9D14DC32A6DE34AC81CB81

Function 00007FFB4B612D79 Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c5b6515f5049ee890ce28c2c75b429e9b079b6cda090d2bbc1a23241d16e9db
Instruction ID: 62a9be21e5296be0682ed2e6b9b76ecf94c934aaccdbcd134592152490bd47c0
Opcode Fuzzy Hash: 5c5b6515f5049ee890ce28c2c75b429e9b079b6cda090d2bbc1a23241d16e9db
Instruction Fuzzy Hash: 76B136B1A0DA8A4FEB95FE38D9551B5BBE0EF49310B0441FAD18DCB1A2DE389C468741

Function 00007FFB4B613180 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d2cfa3f85496fa467648f8beed43819471e9841544633f2fa872f2957ae4099
Instruction ID: 2f6460b9a4a5033c5d13905282d16ba27c894e623f83fb8f0d8d399606bd4f83
Opcode Fuzzy Hash: 2d2cfa3f85496fa467648f8beed43819471e9841544633f2fa872f2957ae4099
Instruction Fuzzy Hash: 7CA18F71A0CA499FDB58FE3CD9512B9B7E1EF88314F148179D58ED3292DE38A8028B40

Function 00007FFB4B618E03 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd656e76e93f189416797b732ddd03e5abbdcc1c44b218ae07501540fa7dc75
Instruction ID: 342730ea555717693a954c207dd70c2262d152cc2423c1cfb4a2268cc890f45f
Opcode Fuzzy Hash: 3bd656e76e93f189416797b732ddd03e5abbdcc1c44b218ae07501540fa7dc75
Instruction Fuzzy Hash: E1B1CFA0A0C64A4FF755EE38C9457B8B7E1EF65314F1481BDD58EC72E2DE38A8468311

Function 00007FFB4B6134A1 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afe518f2aefdbb804ba13822473900a641438b987bbc060a5c1ef650ccaeed39
Instruction ID: 142972ca5ba97667dc3b733b07a5eef8cbe2da2e861178a4dea896618ae6e85f
Opcode Fuzzy Hash: afe518f2aefdbb804ba13822473900a641438b987bbc060a5c1ef650ccaeed39
Instruction Fuzzy Hash: DE9124B1A0DB895FD7A5EF3CC8555B5BBE0EF55310B0481BAC18EC72A2DA38A845C381

Function 00007FFB4B632FAC Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b4e1cac02712e47b169db64fd434ea02e039b687999debe899f2bea2e741068
Instruction ID: d67af2dc2769ec86f0f30f68d0cf6c7ea75b671264716474b41a0357f59cd035
Opcode Fuzzy Hash: 9b4e1cac02712e47b169db64fd434ea02e039b687999debe899f2bea2e741068
Instruction Fuzzy Hash: EEA1FD71A1C90E8FDF84FF68C995EA9B7A1FFA8344B544164E50DD72A6CA34E841CBC0

Function 00007FFB4B6D214D Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680569525.00007FFB4B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B6D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b6d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87856d0a5c9689760fb65cb73325256c5ba81154f5b9764c42c1937387109537
Instruction ID: 0e3b098a18d7a92433ca3bbe40c8d1de7ce209b24b359df260c92c00c090cb75
Opcode Fuzzy Hash: 87856d0a5c9689760fb65cb73325256c5ba81154f5b9764c42c1937387109537
Instruction Fuzzy Hash: B6819091B2DE460BF786BB6DC992375A6D6FF98600F448079D20DC32EBDD28EC118391

Function 00007FFB4B618E4D Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c229d68c4e2b0e8996ea3ffc36129164b42f9d68bab9c1d312ccebdac797f05d
Instruction ID: 474704bca3fe9398dd0d26f35d22794e235175a4aaad7b9eb2afab465aeea123
Opcode Fuzzy Hash: c229d68c4e2b0e8996ea3ffc36129164b42f9d68bab9c1d312ccebdac797f05d
Instruction Fuzzy Hash: 57919160A0C64A4FF755AE39C9557B9B7D1EF69314F1481BCD98EC72E3CE38A8468301

Function 00007FFB4B618F42 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4d84f138116f6f5b3057f3cf504b469454dd4c461a7d03d4d0c127b075325ee
Instruction ID: c026ce98210b5632f400d0f95db395a387628a385d624b41c52a15962d1453b8
Opcode Fuzzy Hash: b4d84f138116f6f5b3057f3cf504b469454dd4c461a7d03d4d0c127b075325ee
Instruction Fuzzy Hash: 6891F460A0C6494FF795AE39C9557B9B7E1EF69304F1481BDD58EC72E3CE38A8468300

Function 00007FFB4B6338B4 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a37f642e0c91a7a643c81b5fd0ed09455a40d85a282675778596d01e0b25410
Instruction ID: 3bd5f91064fd31d92bab1f17ed24bee42f728dc04813545e1fcf5513b390c196
Opcode Fuzzy Hash: 2a37f642e0c91a7a643c81b5fd0ed09455a40d85a282675778596d01e0b25410
Instruction Fuzzy Hash: F0714E71A1CA198FEB98FF6CD855AB9B7E1FF59700B004179E14EC72A6CE34AC418781

Function 00007FFB4B62CD7E Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78e5e8b833bd38b20a1d6fefa3b6d1f9071ba98cb7d6d102d6ee9185b38ec09c
Instruction ID: a56b40426ddd4793c0484566cd2fce12dae0f09e2098e825cf78a04a3ffef190
Opcode Fuzzy Hash: 78e5e8b833bd38b20a1d6fefa3b6d1f9071ba98cb7d6d102d6ee9185b38ec09c
Instruction Fuzzy Hash: 1461C471B1CA5C4FEB59FB6CD8556A9BBE1EF99310F0441BAE14DC72A2CE389C018781

Function 00007FFB4B618EEB Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed4cc3dededcecdb239d758476fa987102bd2cfaafd99daa63fb90c0335c8d66
Instruction ID: 664449102fa6a9e8084484d50a21947b12893463eb3e8e3611fe77e63393facd
Opcode Fuzzy Hash: ed4cc3dededcecdb239d758476fa987102bd2cfaafd99daa63fb90c0335c8d66
Instruction Fuzzy Hash: E281806060C6494FFB94AE39C5557B9B7E1EF58304F5481BDD58EC72E7CE38A8868700

Function 00007FFB4B618ECD Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99b6a3f9da555289b5697e304fe0924443f53538a99414f05900d488fca6b4a6
Instruction ID: cf2f251ef1cd9ac373f1783fffb092a4a8c944498fb6d4e8371d55b7ca9f3cc7
Opcode Fuzzy Hash: 99b6a3f9da555289b5697e304fe0924443f53538a99414f05900d488fca6b4a6
Instruction Fuzzy Hash: 6B81906060C6494FFB94AE39C9557B9B7E1EF58304F5481BCD98EC72E7CE38A8868700

Function 00007FFB4B618F26 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d98f0756cbda4c5f8f4fffc000886fbc42f2c4a4a41a488de103134de21939bf
Instruction ID: ea646b55465f4b2d0ceaf76cccad72991bca2cd8c9c16b6bce5ad0397af8249d
Opcode Fuzzy Hash: d98f0756cbda4c5f8f4fffc000886fbc42f2c4a4a41a488de103134de21939bf
Instruction Fuzzy Hash: 2A81926060C6494FFB94AE39C5557B9B7E2EF58304F5481BCD58EC72E7CE38A8868300

Function 00007FFB4B618DDD Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ca8a63cf3f371827a1b2a3886beacff2d97cca7e21d68b356229b9bdd1e4cba
Instruction ID: 1d52483338413d018276787e9a69a3e3e935613f6046fe74d0d16912bc55f7db
Opcode Fuzzy Hash: 5ca8a63cf3f371827a1b2a3886beacff2d97cca7e21d68b356229b9bdd1e4cba
Instruction Fuzzy Hash: DC81926060C6494FFB95AE39C5557B9B7E1EF58304F5481BCD98EC72E7CE38A8868300

Function 00007FFB4B618FC7 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b72d5eef90a0a6d1a0e2d3087ef244860b2b718b79bd7d9554a31460095a9668
Instruction ID: bf83ef02ca3b81958d7b20d2367bce96063ffcfe6f4dc3fd4242f1a9c6561312
Opcode Fuzzy Hash: b72d5eef90a0a6d1a0e2d3087ef244860b2b718b79bd7d9554a31460095a9668
Instruction Fuzzy Hash: 6F818F6060C6494FFB94EE39C5557B9B7E1EF58304F5481BDD98EC72E6CE38A8868700

Function 00007FFB4B618F08 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3132bbd5a69e05f9d9ed7028291b4821bb107bced579e343b860b6f425c5cdfc
Instruction ID: 7cd216e260b7fccc301aa8078a8f97f13bf15dd00dc3fbb84f3530e0ade93f57
Opcode Fuzzy Hash: 3132bbd5a69e05f9d9ed7028291b4821bb107bced579e343b860b6f425c5cdfc
Instruction Fuzzy Hash: AC819060A0C6494FFB94EE39C5557B9B7E1EF58304F5481BDD98EC72E2CE38A8868700

Function 00007FFB4B624BE0 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d87d97ba1899ab1d65b8dba28b1cd730259be3575cfebfd594d85c8b38a8f66
Instruction ID: eaf877dffb572e6ab63b74cc354446f733248717ea007ad4bb1e9d72fa369531
Opcode Fuzzy Hash: 2d87d97ba1899ab1d65b8dba28b1cd730259be3575cfebfd594d85c8b38a8f66
Instruction Fuzzy Hash: 9451707190CA5C8FEB59EF28D8457E9BBF1FF59310F0081EAD44DD3252DA34A9858B81

Function 00007FFB4B620007 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98527036bc4ded4e9fb41c0f73f8db145acd48534802f55af6807ac32b7e7076
Instruction ID: a30eb3b2d50e7c220eb06733140cc2fde57e320f16fe589a96aa3eba90773447
Opcode Fuzzy Hash: 98527036bc4ded4e9fb41c0f73f8db145acd48534802f55af6807ac32b7e7076
Instruction Fuzzy Hash: AF717064A1C9478BF79DFA39C694675B6A2FF94300F14C2B6C50DC25A6DE38E8818681

Function 00007FFB4B61FFEC Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f979cfc0866454da6558b5afb68d454c97265e78fb195b5137630dd3ff9086e9
Instruction ID: 271d0789093ba9e00219fd0116cf66bd2e40cf11b2c6f76b38a5b439a28b34c3
Opcode Fuzzy Hash: f979cfc0866454da6558b5afb68d454c97265e78fb195b5137630dd3ff9086e9
Instruction Fuzzy Hash: 73715064A1C9078BF6ADFA39C694675F2E2FF94300F64C2B9D50DC25E5DE38E8818681

Function 00007FFB4B617750 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 288a29a16d7c740c5f2d97badc0a57ec95fcb37568aceab1390fff966f1ad03f
Instruction ID: 2a89855debbc94918bb907f6dddc6a9ad68e50c34a6f4098dbaab5801aaed7ce
Opcode Fuzzy Hash: 288a29a16d7c740c5f2d97badc0a57ec95fcb37568aceab1390fff966f1ad03f
Instruction Fuzzy Hash: 88514DE1A0DA4D0FE399AA7CDC465B5BBC1EF95320B0541F9D58DC31A3EC24AC0383A1

Function 00007FFB4B61D5B4 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d66cca27bd7c160458ee6b5d3ef030d6ae8a2acacece2d85e04ecac53638d83
Instruction ID: f998c231827a1fdc78dfa38d614a2f2684b5d16e8844a440809c66d273a0db5f
Opcode Fuzzy Hash: 8d66cca27bd7c160458ee6b5d3ef030d6ae8a2acacece2d85e04ecac53638d83
Instruction Fuzzy Hash: 90516FB161D9494FDB98EF6CD854AA977E2EF58310F1445B9E44EC3296CE34EC41C780

Function 00007FFB4B613751 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a83bc87b0c377272ab5476b41a74b74b24054c174cc24904b30bfcfeb8f27d
Instruction ID: 8301328ea4ebf10606ab58e695e36357003efdd71fd603c341cd42453333dce2
Opcode Fuzzy Hash: 52a83bc87b0c377272ab5476b41a74b74b24054c174cc24904b30bfcfeb8f27d
Instruction Fuzzy Hash: 005124B051D68A2FF796BB7CC905275BBD0DF46324F1445BED5CEC71A2DA29A8028342

Function 00007FFB4B628E7E Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b357b12b37ae05cb3fc2c57eba2144cb946d9db20ad7d3e30b5c0bb4604d7c1
Instruction ID: 8bb30299a60ffbee1470cf60098a70fe96fcceaa7c25dd5fae4a676f855e9a6f
Opcode Fuzzy Hash: 2b357b12b37ae05cb3fc2c57eba2144cb946d9db20ad7d3e30b5c0bb4604d7c1
Instruction Fuzzy Hash: 8251D56090E7CA4FE796BBB88C561A97FE1EF46210B0940FFD589CB1A3D67C4846C712

Function 00007FFB4B6191FD Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ae3fbfa95e55c893cd442c254bfa36c51dc6b49ece7747285155010339b5355
Instruction ID: 0a2521e84508a4fcbe6b60ee8bcdc279b1ae08b114c0fcd118aa185f361282d1
Opcode Fuzzy Hash: 2ae3fbfa95e55c893cd442c254bfa36c51dc6b49ece7747285155010339b5355
Instruction Fuzzy Hash: 7751B16060C6490BF798AA39C5463B9B6D2FFA8344F14817DD98FC76E7CD2CA8464245

Function 00007FFB4B628C5D Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 625020049e5aa6b9f6b8ec8bac9bac1cac29c0fd1ea7d8bd0bc2810ea5b88861
Instruction ID: 9616b0b4ade27481fa5dd50a47e10894c0c0d89c47e1e08270633a20e0c6b251
Opcode Fuzzy Hash: 625020049e5aa6b9f6b8ec8bac9bac1cac29c0fd1ea7d8bd0bc2810ea5b88861
Instruction Fuzzy Hash: DA51B57091EA498FFB85FF78CC1A2A9BBE0EF19211B4444BAD44DC71A2DA389C41C712

Function 00007FFB4B614788 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 718f4ff13355b0ced2032cd402144451c69b2706755c056a24878400415a534f
Instruction ID: 228eb8414e56c686722dbabe4f08d262ca9a0cf464ee05998cfbe2f5b1a13536
Opcode Fuzzy Hash: 718f4ff13355b0ced2032cd402144451c69b2706755c056a24878400415a534f
Instruction Fuzzy Hash: C341C17020D94A5FFAE1FE7CE855AB5B7D0EF49320B1440FAD88DC71A2D92AEC428751

Function 00007FFB4B614E56 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a364775691a8dedf4128ea3ea307e09e0267607adca6f81f10d6dfa4db47f5ae
Instruction ID: 4bf581adead94e73b9ee9cb50e231e630ca887dad322dba74cd70272b55f5488
Opcode Fuzzy Hash: a364775691a8dedf4128ea3ea307e09e0267607adca6f81f10d6dfa4db47f5ae
Instruction Fuzzy Hash: C1415DB460CA5D9FDB98EE2CC855BB673E1FF99310F1040A9E54EC7292CA35E812CB40

Function 00007FFB4B6289BD Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0c4a9d834cb5c8999aa4f8e8336a6b2949985cc0e3775263b6006c934553758
Instruction ID: 3c1632bf007578adb5bbad1eab39d662ac532c5fea1b920a062d74da332f63cb
Opcode Fuzzy Hash: d0c4a9d834cb5c8999aa4f8e8336a6b2949985cc0e3775263b6006c934553758
Instruction Fuzzy Hash: E151A2B091DA498FFB89FB78CD1A2A9BBE0EF05305B4445BAD54DC71A2DE389841C742

Function 00007FFB4B617A72 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8db323246f0b39a9e7e603c92a4e40af994863170f98fc44caadff671551016
Instruction ID: 05a6e0c9b4adff23538a65855d7446b8e626b6cdd4cca77973623b2d31ad0b28
Opcode Fuzzy Hash: f8db323246f0b39a9e7e603c92a4e40af994863170f98fc44caadff671551016
Instruction Fuzzy Hash: E341D6B050C7894FEB59AF2CD8556B5BBE0FF96310F14416EE58AC32A2CE35E841C741

Function 00007FFB4B61D1F0 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0262f1a84c7ff54f14b3c0eb0f50adbf9f9387679e882a4148e74ff95669021
Instruction ID: 9b4af3176dc992613fc9013f5ad016a229983216a9601f4b5eecdebc064858ce
Opcode Fuzzy Hash: e0262f1a84c7ff54f14b3c0eb0f50adbf9f9387679e882a4148e74ff95669021
Instruction Fuzzy Hash: 92417970A18A4A9FEB89EF28C851BB977A1FF05300F4440B8E51ECB1E2CA39E855C701

Function 00007FFB4B6120B0 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b32b660b3a441de10ca8e7ab8370ced9fbfa3acd331e5f76ad32db26df8774e
Instruction ID: a6aec3038f718d32104ec792e4deaa66857408de1b405cc44375bdbb2aace7fe
Opcode Fuzzy Hash: 9b32b660b3a441de10ca8e7ab8370ced9fbfa3acd331e5f76ad32db26df8774e
Instruction Fuzzy Hash: 1241D8F381F5554AE2027AB8E9432EC7754AF12E2870D85F6D5AE89093ED2C644242E5

Function 00007FFB4B62EFA0 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecfd5e8d49bc1935b1a7e9fc7172503f9aa272b4ce9d09a225b7aacad910a816
Instruction ID: 6f363a1ade379596816b71a99563b6fc14b1e645be280f88abf64414d1358b07
Opcode Fuzzy Hash: ecfd5e8d49bc1935b1a7e9fc7172503f9aa272b4ce9d09a225b7aacad910a816
Instruction Fuzzy Hash: DF31B261B0C9090FFA9CEA399D9567877C2EF95745B0480BDE58DC72A3CD38AC028245

Function 00007FFB4B6228A3 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c96bde31271adbc6cf8105895a8d54c05b274e68601d8b01c3af72a9fbf3647
Instruction ID: 81baccb0b90b44988d7b6e23d85849e09ab419338fe6f38df8b334d487a3c273
Opcode Fuzzy Hash: 0c96bde31271adbc6cf8105895a8d54c05b274e68601d8b01c3af72a9fbf3647
Instruction Fuzzy Hash: DA4193C3E0E6C64BF71A2E785D52164BFD1EF5674074988F5D1C84B0BFA838990A8683

Function 00007FFB4B6D0718 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680569525.00007FFB4B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B6D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b6d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbc38de332ecef97a6b83c95f3cfcc5cee1725e7f2fc00ccbd365209c2887eeb
Instruction ID: 691f337667286f1d8f55cd3faa82f454e71c425289c24e64090257875aad5933
Opcode Fuzzy Hash: cbc38de332ecef97a6b83c95f3cfcc5cee1725e7f2fc00ccbd365209c2887eeb
Instruction Fuzzy Hash: EC313EA2A1DB494FF359AA7C9C673B4B7C1EB55310F5401BED48DC71E3D9185C028782

Function 00007FFB4B27EA00 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2677803000.00007FFB4B27D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B27D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b27d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbc92bad6d92b469a02146ed08b4c066caec9a9397b18c104dcecacfef7dc2a8
Instruction ID: d81104c7a405314c2ad2c74d94b26b98b2caaaa47180276b6bcece0819d79ee6
Opcode Fuzzy Hash: bbc92bad6d92b469a02146ed08b4c066caec9a9397b18c104dcecacfef7dc2a8
Instruction Fuzzy Hash: 6E41D57140DBC48FD39AEB38D8559527FF0EF56220B1945DFD0C8CB1A3D625A846CBA2

Function 00007FFB4B632185 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d2f54ee5f459f939a7bdc8ed75b3e7599a44efda26a962016521e8df14c7a63
Instruction ID: d5bc69c24f248c7820e8ae104aa2bf4c4f7491249b75a07b0320bb5f5be95486
Opcode Fuzzy Hash: 5d2f54ee5f459f939a7bdc8ed75b3e7599a44efda26a962016521e8df14c7a63
Instruction Fuzzy Hash: 1F41EC71A0D91D8FEF98FF28CD91B68B7A1EF59300F5481A8D14DD32A6CA34AD46CB41

Function 00007FFB4B612EEE Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e5f76cf5fe5fd7228de5900e1ec6d902b7f5a2d349f503c34dafcc3ea74f713
Instruction ID: dda3880a98ec88327d4cb43bbf9eca740aefd1093e9adf70b01e019da18d2a51
Opcode Fuzzy Hash: 6e5f76cf5fe5fd7228de5900e1ec6d902b7f5a2d349f503c34dafcc3ea74f713
Instruction Fuzzy Hash: 52313BA150EB8A0FE39AAF78C895170BBE1EF4A26070481FFC149CB1A7DC2D5C46C351

Function 00007FFB4B6304B0 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15f15af65a41857dbc7ae428a84bf4d955e9a91472d645597150b57a9846a649
Instruction ID: 67c3699a779477d21957c528e61fda7e17860534aa24facd00a7e5cf31341a73
Opcode Fuzzy Hash: 15f15af65a41857dbc7ae428a84bf4d955e9a91472d645597150b57a9846a649
Instruction Fuzzy Hash: B531067170C9494FE789FF7C8955669B7D1EF99310B0442BAD04DC32A2CE2898428381

Function 00007FFB4B613780 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03ca14d7710f5d67d31e1a9435ffb421ff9b5c40347584a014873c7d6fb38748
Instruction ID: dd417017b5da1ab75c78c2e8204ce933068edbde8cb34793d53b352d0efc500e
Opcode Fuzzy Hash: 03ca14d7710f5d67d31e1a9435ffb421ff9b5c40347584a014873c7d6fb38748
Instruction Fuzzy Hash: EA31F87051CA492FF795FB7CC90957577D1DF85324B1145BDD9CEC31A2ED29A8024341

Function 00007FFB4B629A11 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b808dfcad1018d5ebe9674c1766f4c9c95564979395383aad0db93a4005c6858
Instruction ID: d457449a13b38371f9896397686eacf4dc3306dea19c0220925baf810454d126
Opcode Fuzzy Hash: b808dfcad1018d5ebe9674c1766f4c9c95564979395383aad0db93a4005c6858
Instruction Fuzzy Hash: 7A310A71A0DB890FE759BE7D9C564A87BA1EF9625070842BFD149C71E3DD289C068382

Function 00007FFB4B628F1D Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54e2ae588169e49bf6d06e353dcef5efa2a6140339f281b8b826c3eae5f89caf
Instruction ID: 698a6b6d8f61f5f3fb067e4f366a017945d9f70b0b1f84ce5252f87d80a916b9
Opcode Fuzzy Hash: 54e2ae588169e49bf6d06e353dcef5efa2a6140339f281b8b826c3eae5f89caf
Instruction Fuzzy Hash: 7341C3B0919A4E8FEB89FF78CC5A2A9BBE1EF14301B4444BAD54DC71A2DA389841C751

Function 00007FFB4B629590 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17cf56048867cfcc2e9f2d93a45598c71e0f9a7ecee3f73b9ba3f7d674736474
Instruction ID: 707303adc2a3320d02e27f5338d9dc0d520c86aa8460a15b536693e414f88c02
Opcode Fuzzy Hash: 17cf56048867cfcc2e9f2d93a45598c71e0f9a7ecee3f73b9ba3f7d674736474
Instruction Fuzzy Hash: 2F418FB090C94E4FFB99FF68D9556A9BBE1FF98300F0044B5D50DD71D2DA39A8818742

Function 00007FFB4B630CB7 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0621b132692379ed43358aee99382acc9eb93dc7b2360940b57ff71f58506c38
Instruction ID: 0380900379f0d3b18644cd711a06bd9a81e1c4ff531a7d840f08851fbb0fdb7a
Opcode Fuzzy Hash: 0621b132692379ed43358aee99382acc9eb93dc7b2360940b57ff71f58506c38
Instruction Fuzzy Hash: FB31E6A290E6860FD769EA389D162A9BBD0EF45200F5095B9C5C9C71A3DA38680EC381

Function 00007FFB4B612DBA Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 992d748b9f5c9811c1b9e6001a0b6492304d2f329a86b611a0afe0b474eed2fd
Instruction ID: 862f6294835dd529c24db9f3c028b9f7b67a71162e6770756542cf6616296e1a
Opcode Fuzzy Hash: 992d748b9f5c9811c1b9e6001a0b6492304d2f329a86b611a0afe0b474eed2fd
Instruction Fuzzy Hash: 4B31D4B2B0D5894FEBA1FE28D9495B9BBE0FF9831070541B5E288CB575D9389C068740

Function 00007FFB4B620C78 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c27ca6390df5f0ff194841c4671366a9ab054f76b21b48e24651667835b1058
Instruction ID: b467636f3dcef48f7a4534ed1ac32e5b6445f20bad0620389d485b9f84163802
Opcode Fuzzy Hash: 8c27ca6390df5f0ff194841c4671366a9ab054f76b21b48e24651667835b1058
Instruction Fuzzy Hash: 9A3101B2A0E6058BEB4DFE6CE0462E9B7D0FF48724F04457FD44EC6292DE34A8428784

Function 00007FFB4B6D57AE Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680569525.00007FFB4B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B6D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b6d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e5c422512063952e1678e34a4d9ef903eb9f2563700f4a3e83ceede85de0d26
Instruction ID: 7e2e7affe575d5cbcf6c4cbcef10b549bcbabedb4ce7b7ec5bf1a34f9dbfbeac
Opcode Fuzzy Hash: 3e5c422512063952e1678e34a4d9ef903eb9f2563700f4a3e83ceede85de0d26
Instruction Fuzzy Hash: E021F682B0DE4F0BF7A9BA3C896523996C7DF8865075941BAD54EC76E7ED28DC430380

Function 00007FFB4B6D5098 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680569525.00007FFB4B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B6D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b6d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02b2ad50a0a8776d6e809635227b4de791eef89ab13439fb914093ab7e4ee166
Instruction ID: dfb86dfef261ad1ab6cc2fbe11f4c24d438d4446dab958006bf73cad02755a35
Opcode Fuzzy Hash: 02b2ad50a0a8776d6e809635227b4de791eef89ab13439fb914093ab7e4ee166
Instruction Fuzzy Hash: EE313B91B0DE8B0FF7A5BA3D89612749AC7DF9864075841BED54DC36E6DD28EC024380

Function 00007FFB4B617390 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3f109139cc3609c524d5bb18b26787237a369130552621550c67f571bf7aa39
Instruction ID: 6cef6c01b3b8b0c64ab2ed80e90aaefdab1f04016042bbf091d64d5a925138c6
Opcode Fuzzy Hash: c3f109139cc3609c524d5bb18b26787237a369130552621550c67f571bf7aa39
Instruction Fuzzy Hash: C031F4A2A1CA490FE781FE3CD8541B5B7D1FFA8314B4446BAD94CD32F2DE28AD818341

Function 00007FFB4B62AE7D Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eda1acfa166c82678633aa28deab74c2de28aa010aea5de4c5bbcc9ac90e77c1
Instruction ID: 58e29b6dcec978c4b77ab0730895cbf831cbbbd4ddbe46d66848cab65a053966
Opcode Fuzzy Hash: eda1acfa166c82678633aa28deab74c2de28aa010aea5de4c5bbcc9ac90e77c1
Instruction Fuzzy Hash: CB31647451CA8E8FEB88FF28C8547A977A1FF55304F1085A9E51DC7192DB79E812CB40

Function 00007FFB4B620CD3 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fee80107693472b7ac6ea22320ef08c9092c2dd0573fb3e03dda59ced4bedee7
Instruction ID: e03e32da5b803251cbe044e5751a814d65b05c92fee5e2d9bbd05c25582e7bb0
Opcode Fuzzy Hash: fee80107693472b7ac6ea22320ef08c9092c2dd0573fb3e03dda59ced4bedee7
Instruction Fuzzy Hash: 813103B2A0D7884FE79DEF3894552A9BBE0EF49720F0445BFE08EC72A2CE3558418745

Function 00007FFB4B6D522F Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680569525.00007FFB4B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B6D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b6d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e8a7961937e2b57c069c2c45943c2e9acead87bc011d6ccb208cac4ccfe3715
Instruction ID: 75c99f26a73cb34e111a1ac2ce134aa34a0b70ed8d634c4b485f9a8bb1b60142
Opcode Fuzzy Hash: 3e8a7961937e2b57c069c2c45943c2e9acead87bc011d6ccb208cac4ccfe3715
Instruction Fuzzy Hash: EF210782B0DE4B0BF395BA3C88552359AC7EFD8640B5941BAD64EC36A6DC28DC465340

Function 00007FFB4B629A40 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43c210b512628d40ec603ae5fbcacb23bdef45b9aeb5fda9ebcb98c04e0acb51
Instruction ID: 60d8e682be9ef6314cead1b84265f71e0f2eab3316fd19c20286252df5c05164
Opcode Fuzzy Hash: 43c210b512628d40ec603ae5fbcacb23bdef45b9aeb5fda9ebcb98c04e0acb51
Instruction Fuzzy Hash: 6421EA71A0DB590FEB59BE7DEC554A97BA1EF9622170482BEE109C31A3CD386C028791

Function 00007FFB4B613169 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc958443d236feca700d82b593c98cc182aa64069b24763b4914e46f7b736489
Instruction ID: d52b7c316593acc0fd1b7dc5263214839edc2b22971c8848f1e4049660cf82f0
Opcode Fuzzy Hash: cc958443d236feca700d82b593c98cc182aa64069b24763b4914e46f7b736489
Instruction Fuzzy Hash: 2A31F171A0C7889FDB59FF78C8551A97BF1FF8A314B0541BED489C7292CA34A806CB40

Function 00007FFB4B62EEA9 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07503196c25fb5b778611aa191eae561118dd3d5ddfe93472479cb92165c700a
Instruction ID: 37b5e3dde04422be7104afd4d237e722c44ace1a196c1f23173ea9b5b71db1f5
Opcode Fuzzy Hash: 07503196c25fb5b778611aa191eae561118dd3d5ddfe93472479cb92165c700a
Instruction Fuzzy Hash: 3121296151DAC64FE316A73488516A6BFA0DF56214F0846FED489C71E7CE68A40AC391

Function 00007FFB4B613FB4 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9049e3a0eb7237ff591441766464c706dfb8dc37983385f364172f9f98df0200
Instruction ID: d9bb46cc4dd9548474c6b96b5e5681e2ef931869503cde532b233c3374623a4b
Opcode Fuzzy Hash: 9049e3a0eb7237ff591441766464c706dfb8dc37983385f364172f9f98df0200
Instruction Fuzzy Hash: C4212DA1A0CB450FF358AB2D9C466B577D5DB96261F04417ED58DC31A3DC14AC438782

Function 00007FFB4B6D39C8 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680569525.00007FFB4B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B6D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b6d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a978687c11551485923b7e9dcf10524fb610e6f84efeffcb3ede387d898ed49b
Instruction ID: fc87a89028e75f92ae5b346489aa31bed001a640d60c912c44fb26c362fa94b6
Opcode Fuzzy Hash: a978687c11551485923b7e9dcf10524fb610e6f84efeffcb3ede387d898ed49b
Instruction Fuzzy Hash: 4621F592B0DE4A0FF7A5BA3C896523896C2DF9865079841BAD64DC72E6EC3CDC025340

Function 00007FFB4B6D5958 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680569525.00007FFB4B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B6D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b6d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9f7e533de75c2dced38d2bbeff3ca6dc48b9a763a235d65be0925d858dc859d
Instruction ID: cd9e9de97b6567a7531e4ed60768f1bc39755aa7f3c5f1b41c6e899abc244bed
Opcode Fuzzy Hash: e9f7e533de75c2dced38d2bbeff3ca6dc48b9a763a235d65be0925d858dc859d
Instruction Fuzzy Hash: 57210681B0DE8B0BF7A9BA3C886523496C7DF8861075941BAD60EC76A7ED38DC020340

Function 00007FFB4B6D286A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680569525.00007FFB4B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B6D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b6d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4de8e40d7b733b89b89c7527193d2b37de3bc6f089b72fa744351d3e5146af0b
Instruction ID: 7ba8d0bedfb1b0e934e4b70606334eca1df5ef6381c76953e5e3f5b48886ca85
Opcode Fuzzy Hash: 4de8e40d7b733b89b89c7527193d2b37de3bc6f089b72fa744351d3e5146af0b
Instruction Fuzzy Hash: 80212891B0DE4A0FF7A5BA3C8865235A6C7EFD8640B5841BED14DC32EAED38DC065340

Function 00007FFB4B6D39B2 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680569525.00007FFB4B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B6D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b6d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a7d4d289d6de6df7288a8da854a9fd3728c5d73b6519624ea79ddd8ffc0d4ec
Instruction ID: 75f309aae9682524f96c1e9054730540f0097b87e6867cddde74421ec26e0445
Opcode Fuzzy Hash: 1a7d4d289d6de6df7288a8da854a9fd3728c5d73b6519624ea79ddd8ffc0d4ec
Instruction Fuzzy Hash: EB212892B0DE8B0BF3A5BA3C896127497C6DF8869075C41BAD24EC72E6ED3DDC025341

Function 00007FFB4B6D369E Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680569525.00007FFB4B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B6D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b6d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8205fd291e24ab8264eba5693ee267e6f5be8f3bc9839660b6e0ef9d58461cf
Instruction ID: 1ec873e37d2fc8159ac0a0e09e272fea7e3fb8d0d804417c2c99c9bb58829fe4
Opcode Fuzzy Hash: d8205fd291e24ab8264eba5693ee267e6f5be8f3bc9839660b6e0ef9d58461cf
Instruction Fuzzy Hash: FD21FB91B0DE8B0BF7A5BA3D895513596C3DF9864079881B9D60DC33A6ED2CDC054340

Function 00007FFB4B6D4668 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680569525.00007FFB4B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B6D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b6d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f96e9730478c2c3700d9d2507a5521808c66bd7b4bb80e9dbde79ef6774b154a
Instruction ID: 6d295245b9337240cb955ed9e8c4247c72e873467ad6a7f6e53cfc8bfdad14e3
Opcode Fuzzy Hash: f96e9730478c2c3700d9d2507a5521808c66bd7b4bb80e9dbde79ef6774b154a
Instruction Fuzzy Hash: AC210A91B0DE8A0BF795BA3C896523895C3DFD865075941BAD60EC73E6EC38DC024340

Function 00007FFB4B630F98 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e99a05c96232cb9c401152277802b73eea794190c2c9187357d2b282cb094c1f
Instruction ID: 4b70178b8ca7a13c0aaabd94c78ed07b092c389bba9c312465230478baa1638e
Opcode Fuzzy Hash: e99a05c96232cb9c401152277802b73eea794190c2c9187357d2b282cb094c1f
Instruction Fuzzy Hash: 5A213E7161CA498FE788FF28D589A29B7D1FF9C311F5445AEE44DC32A6CE34D8418B42

Function 00007FFB4B6D26EA Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680569525.00007FFB4B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B6D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b6d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ef31bfd1aa4d445373145df537617328df51ec5e7358a099818fd6d8a7066b5
Instruction ID: 11d6fac5f9bbf1e8a22e79a665b3260252c8ae933dbf2894e416553e4d19ff6c
Opcode Fuzzy Hash: 6ef31bfd1aa4d445373145df537617328df51ec5e7358a099818fd6d8a7066b5
Instruction Fuzzy Hash: 35212691B0DE4B0BF7F9BA3D8965235A5C7DFC8640B5881BAD60DC32AADD38DC024340

Function 00007FFB4B6D3A97 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680569525.00007FFB4B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B6D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b6d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d64c814966c50b864e92d0f469829f0c116a8a389c50878e602f93ab8117789c
Instruction ID: 07fa39ea043e5582a3687a1f916bcd19a13efc239d0614583b691f774cf63921
Opcode Fuzzy Hash: d64c814966c50b864e92d0f469829f0c116a8a389c50878e602f93ab8117789c
Instruction Fuzzy Hash: 5B210791B0DE4A0BF7A9BA3C8961235A6C7EFD8640B5881BED50DC32E6ED3CDC024340

Function 00007FFB4B6D3CF7 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680569525.00007FFB4B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B6D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b6d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee1a7abf53a9625a7b10fc2c6b8b1c2e466d6698dc993086a9fc1b97bfe40f3b
Instruction ID: fc89977e5d06c61d6180e1e10732e03dbf1d0ca68000721d88ebb60108e5af8e
Opcode Fuzzy Hash: ee1a7abf53a9625a7b10fc2c6b8b1c2e466d6698dc993086a9fc1b97bfe40f3b
Instruction Fuzzy Hash: 4221DA92B0DE4B0FF7A6BA3C8955235A5D6EF8864075881B9E50DC32E6ED3CDC024740

Function 00007FFB4B6D32B5 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680569525.00007FFB4B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B6D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b6d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8cdabae27ea6396d2c67ba521f6e1abdd7305af98771cf55ae1009b3c558968
Instruction ID: 9ebfde20fa87f377f7e4f6b864f2766a0646b11232fc6695aaf3671243be10f1
Opcode Fuzzy Hash: a8cdabae27ea6396d2c67ba521f6e1abdd7305af98771cf55ae1009b3c558968
Instruction Fuzzy Hash: AA21F891B0DE8B0BF7A5BA3C895123995C7EF8865075941B9D24DC33A6DD3CDC025340

Function 00007FFB4B6D2566 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680569525.00007FFB4B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B6D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b6d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1684cad5c4d747f54e29ad37d9c053e3ab199c091d8a02c74e863a49cc1e268a
Instruction ID: 85bc44a5183e77e82dfc14e0940a4f55f2c5bd269acaeaa6eba6607c99d0cf2f
Opcode Fuzzy Hash: 1684cad5c4d747f54e29ad37d9c053e3ab199c091d8a02c74e863a49cc1e268a
Instruction Fuzzy Hash: 3121D791B0DE4A0BF7A9BB3C896523565C7DFD8610B9981BAD64DC32AADD38DC025340

Function 00007FFB4B62A710 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b523d4505017abf7cebe92cd20327ed48e416b3855a3e7b77b440f7ce9ec35
Instruction ID: dd32e6be506088e2f241d506d1366df332d6cda5fc7a6d44e427c8a6d084cdd6
Opcode Fuzzy Hash: 30b523d4505017abf7cebe92cd20327ed48e416b3855a3e7b77b440f7ce9ec35
Instruction Fuzzy Hash: 6C21F671E0CA195FE75CFE6C98412B6B6D1EB89350F00827EE54EC3292DD74AC0286CA

Function 00007FFB4B61A6D0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08c7f5c547a9d53a3e831805ce6b077ba7abd4708d45406eae9109d6977fdc3a
Instruction ID: 6ce72a7614fc01d5a75ba31646dba14641f27a881bb91d6a4588361506682705
Opcode Fuzzy Hash: 08c7f5c547a9d53a3e831805ce6b077ba7abd4708d45406eae9109d6977fdc3a
Instruction Fuzzy Hash: 6221537190CA1C4FDB68EE58DC4A5F9B7F4EBA5321F00412FD44ED3251DA31A5468B82

Function 00007FFB4B613FD0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3deed7ede6475e4ea7e3cb25c2d5314813c618ee1e4cd28ffce43b48143ac60d
Instruction ID: 6817d85c4761af4841a4190248b4e459323ed4804dd33c3fce0507c4581b0144
Opcode Fuzzy Hash: 3deed7ede6475e4ea7e3cb25c2d5314813c618ee1e4cd28ffce43b48143ac60d
Instruction Fuzzy Hash: 4D113F7170CA491FE298BF2DEC0A7B573D9DBC5261F04417EE98DC32A2DC14AC438682

Function 00007FFB4B617065 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6bdd776d22b79b04627d79788310a404bad392225966d3438de67ec9ce85c07
Instruction ID: b17238e3938f6059bd347818c2c3615e4b5e0d41b1539112e08cc199e903fec3
Opcode Fuzzy Hash: f6bdd776d22b79b04627d79788310a404bad392225966d3438de67ec9ce85c07
Instruction Fuzzy Hash: 652107A161CA950FE755AE2CD8496B1BFE1DBA5211F0C49BED4C8C71B2D829D9C1C342

Function 00007FFB4B62AEA0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 505d9f1e11d039dc4273098cdb80bc3f8bf233fa78f0da3cdb6649bba18dc71f
Instruction ID: 9f49487ce2ccb248622a24faeaa569c0dfccdf28d7604b66d8d001503696ffb1
Opcode Fuzzy Hash: 505d9f1e11d039dc4273098cdb80bc3f8bf233fa78f0da3cdb6649bba18dc71f
Instruction Fuzzy Hash: 1A214F74618A4E8FEB88FF28C4447AA73A1FF58304F5085A9E91EC7295CF75E852CB40

Function 00007FFB4B623805 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 931a3cae95812ee964268571a3a383609c2f531e54fa12cff271b9f717e76842
Instruction ID: f38eefa0aa6d1e9d05c589d063a38d4b50e3956e7058c9736cffcbef0d46d602
Opcode Fuzzy Hash: 931a3cae95812ee964268571a3a383609c2f531e54fa12cff271b9f717e76842
Instruction Fuzzy Hash: B4315CB0A1D60A9FFB99FF78C8557A8B7A1FF05300F5040B9D14ED71A2DB3898428B02

Function 00007FFB4B63351E Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66a93d5da9a7d0419d102406687ced014d090dc625b6e230be36e6b585b646c2
Instruction ID: a35555e4c7c984e950dc544b6cb1080ae0b9a5461b78078e744628c30a46daef
Opcode Fuzzy Hash: 66a93d5da9a7d0419d102406687ced014d090dc625b6e230be36e6b585b646c2
Instruction Fuzzy Hash: FB217E7162CA4A4FE699FE3CC995664B3D1FF45314B5494BDD14AC32A2CE39A882C700

Function 00007FFB4B629A88 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8345aafc41660277823babcfe5e83a5bba8de5610ed7346e3e3abcd7f384a04c
Instruction ID: 58758dd00dffd0c04205bd1e511dc6ab04810e152fbee7967e51ff4eba1b9a18
Opcode Fuzzy Hash: 8345aafc41660277823babcfe5e83a5bba8de5610ed7346e3e3abcd7f384a04c
Instruction Fuzzy Hash: FF1124B1B1CE1C1BAB5CBE7DEC055A9B7E2EFE5660B04427EE109C3292CD31680183C1

Function 00007FFB4B6296D5 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58cb06573047948ffc3a5a095d8345b6595e8928de375a78c9ebc952b078015f
Instruction ID: 74d45819e68ad013068ebb2108c55f831f3e46daf207ebf8592bc2c7287be439
Opcode Fuzzy Hash: 58cb06573047948ffc3a5a095d8345b6595e8928de375a78c9ebc952b078015f
Instruction Fuzzy Hash: F421A4B1E0DA8D4FEB89FF28D8112A97BA1FF99310F4541B6D509C71E2DA389C418782

Function 00007FFB4B63572C Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa1a32da012fc45aabbacad1e0cf9cd09a72bf6903572b7a89cd43dd84a9e4c5
Instruction ID: 6558557506b51565d62ab2fe123a3c74b9e128d2351ab6ecfb4811e2d893ff4b
Opcode Fuzzy Hash: fa1a32da012fc45aabbacad1e0cf9cd09a72bf6903572b7a89cd43dd84a9e4c5
Instruction Fuzzy Hash: A3115772A0DB5C5FE358BA3C8C192B67BE1EB8A220F0440BBD14AC31A2DE345C42C3C1

Function 00007FFB4B6D2C8C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680569525.00007FFB4B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B6D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b6d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9e7c7e70dcdc75e70522879767f9543dd12da5e3e9363255c421be87b6ab150
Instruction ID: 035666f57f1cf40b2f6551b5d44c0b7cd5a74d369b483b531750d67681747bb0
Opcode Fuzzy Hash: f9e7c7e70dcdc75e70522879767f9543dd12da5e3e9363255c421be87b6ab150
Instruction Fuzzy Hash: 1A11C891B0DE4A0BF7A6B63C8961235A5C6DFC8650B9941FAD50DC72EAED38DC025340

Function 00007FFB4B6D4A88 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680569525.00007FFB4B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B6D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b6d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 682b773177957ea930ad0b5e5e686f499119266b84733dd1c50856799009a505
Instruction ID: d39510162d9fc6774ba3ba574aabfbdaf8ded8711665bb081232e009b8d1cea9
Opcode Fuzzy Hash: 682b773177957ea930ad0b5e5e686f499119266b84733dd1c50856799009a505
Instruction Fuzzy Hash: 09110891B0CE8B0BF7A6BA3D8861238D5C6DF8825075D41BAD54DC32E6ED38DC425340

Function 00007FFB4B6D2964 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680569525.00007FFB4B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B6D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b6d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf5de89beabf08d128ba73310487b0713e2e21339e344f53d8785077560fcf73
Instruction ID: e879fb87fd739ea90638a1059e0672051b5eb2bfd633c798d1a370f04a646306
Opcode Fuzzy Hash: cf5de89beabf08d128ba73310487b0713e2e21339e344f53d8785077560fcf73
Instruction Fuzzy Hash: 3A110892B0CE4B0BF7A6B63D885123495C6DFC8250B5981BAD60DC72E6ED38DC025340

Function 00007FFB4B6D5A50 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680569525.00007FFB4B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B6D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b6d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e29af19fe7bddbcb4df934148d2848976f5a68db213d2ee23c6336425f619ab0
Instruction ID: 8c6a76d6c543f139501974170a04714abffc8a4c8b7c4caaeec312fa4617beaa
Opcode Fuzzy Hash: e29af19fe7bddbcb4df934148d2848976f5a68db213d2ee23c6336425f619ab0
Instruction Fuzzy Hash: CF11B691B0DE4B0BF7A6BA3C89A123495C7DF8825075D41BFD54DC76A6ED38DC025340

Function 00007FFB4B612468 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf37cefaf086f031cfb998289852415b3928ba8ada2f9c30d988da43124f959c
Instruction ID: 5180ba0e37493911eea030d4a007f487700116c1d508541062cfcf824fcf2f35
Opcode Fuzzy Hash: cf37cefaf086f031cfb998289852415b3928ba8ada2f9c30d988da43124f959c
Instruction Fuzzy Hash: 3611366280D5824BF31ABF34DD051E6B6E0EF42310B4881FAE588D71A3D97CA8838392

Function 00007FFB4B6165F1 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3f074a3471d57d08f2a449a6fdb6a0f93d6141f6ff190d1f8901e83d7eb643
Instruction ID: 2a3e44bfc86f6782024e29431bc47fabfe27bc54884221b3ca029b619cc805d1
Opcode Fuzzy Hash: 6b3f074a3471d57d08f2a449a6fdb6a0f93d6141f6ff190d1f8901e83d7eb643
Instruction Fuzzy Hash: 7C11917180D68A4FDB42EFB4C8556EAFBF0EF46200F0546FAD058C70A2DB789945CB91

Function 00007FFB4B62159D Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a116716afe93494771edfc151ad418f84f374fe3c75fbefc932ed8f9ed4a3b1
Instruction ID: c8cb4b22666efcfd349fa1f382cccb42a36c97e381ce04996c4d15ba14c8f739
Opcode Fuzzy Hash: 1a116716afe93494771edfc151ad418f84f374fe3c75fbefc932ed8f9ed4a3b1
Instruction Fuzzy Hash: ED11D5A151DA894FE799FF78C594A64B7D1EF28200B4844F8D44AC71E3D934A804CB51

Function 00007FFB4B62A495 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8227b4eae04754b543e362b283c374ece0c7ba386fe5b758d95995dfdca4d868
Instruction ID: c72a174acc2bfad64c5a36bb6476ee39f6e4ddcbfde225bbffa53659f953588c
Opcode Fuzzy Hash: 8227b4eae04754b543e362b283c374ece0c7ba386fe5b758d95995dfdca4d868
Instruction Fuzzy Hash: 9011C46284D5D10FE71A7B309C154E1BBA4EB42310B0981F6D548CB4A3D87D698783A2

Function 00007FFB4B6215B0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dc79ed181eb5643a10d9bd641771dc871cefde48688b93fb0304faf6521cbc0
Instruction ID: a5b5f8fc52feb333ecc81ed6bac68266352c164fb08c01abd693b509f2d47aa7
Opcode Fuzzy Hash: 9dc79ed181eb5643a10d9bd641771dc871cefde48688b93fb0304faf6521cbc0
Instruction Fuzzy Hash: DB11A3B151DA494FE7A9FF38C598A65B7D1EF58200B4444FCD84AC72A2DD34A805CB51

Function 00007FFB4B630D65 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b8868b6c2c00b43e5bd8e66cb48dd6c9906107f382b9b73557da781f5cf3ec
Instruction ID: 606742032865b994930f39b413f38f797d7530e2abcf3753432bf17f2349a93e
Opcode Fuzzy Hash: 63b8868b6c2c00b43e5bd8e66cb48dd6c9906107f382b9b73557da781f5cf3ec
Instruction Fuzzy Hash: E9110862A0EA860FE74AB6389968378FAD0DF45510B1491FEC149C71F2DD2C5C46C341

Function 00007FFB4B630D42 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76fdc1f60797436ac4737b73db74a09b4cbd49ea7f6b01a88e7b30651e59c1ab
Instruction ID: 206294e79208c2bbe90953011da681dbfb8194513f801ab0fd270e5756ec89b4
Opcode Fuzzy Hash: 76fdc1f60797436ac4737b73db74a09b4cbd49ea7f6b01a88e7b30651e59c1ab
Instruction Fuzzy Hash: 5701D893A0D9560AE7497A389D253B8F6C1DF85214B54A0FAC14DC71F2DD3C6845C341

Function 00007FFB4B634A60 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb9f0dd131afba3291b6971fe3d824c8f687bc691211d0a88a1d3b5be1337b6
Instruction ID: 37125e6e5fe9849d242ff1a8e41004dafbb3c3e601488a7ca827f3a2783092f8
Opcode Fuzzy Hash: 5bb9f0dd131afba3291b6971fe3d824c8f687bc691211d0a88a1d3b5be1337b6
Instruction Fuzzy Hash: 4CF0F6B260C61C1EA71CA92EEC4B5F673D5EBD6235B00023FE58AC3552ED22B81386D5

Function 00007FFB4B62DC9C Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582f0f2f0e85204bf861418b1155237308fa38df7a5d45c9bf3c0d3c206a1665
Instruction ID: 5bb9361a4e20375f2e66227efff67f013094e49274813912ff33061ed09d5eb2
Opcode Fuzzy Hash: 582f0f2f0e85204bf861418b1155237308fa38df7a5d45c9bf3c0d3c206a1665
Instruction Fuzzy Hash: CE01AD61B2DE8B0FF786AB7880A01E5B7A1EFA921471441F7C009C3197DE68A8478381

Function 00007FFB4B629BD3 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14b1b977645e818f9718bece8ef7f28911d6113334693965fa11635b06bbbe71
Instruction ID: c55c4000b59a8d5ef80001372c4e3efcdac6fcbb422929d33d6e793374db7937
Opcode Fuzzy Hash: 14b1b977645e818f9718bece8ef7f28911d6113334693965fa11635b06bbbe71
Instruction Fuzzy Hash: B90122A0A2EE8B4AF75ABF38D4506F2B290EF64314F8082B9D54BC22C7DD38E4064351

Function 00007FFB4B61D099 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63d577c821149f1f12f0c3065671e3e10f23ecee476ae33f9f02bd004c7e39a7
Instruction ID: ea08896e2878084a5b34c3576980b5219f2cd851336d1bacefdbab16bc446193
Opcode Fuzzy Hash: 63d577c821149f1f12f0c3065671e3e10f23ecee476ae33f9f02bd004c7e39a7
Instruction Fuzzy Hash: E801D6B190D7C84FD3059F28D5510A97FF0FB99314F0502AFE4CCD72A2DA289A028756

Function 00007FFB4B62990B Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7219c1a0fd188c354b850304752bd673f0d8ef5391958d2de24aec2e3cc2d0ac
Instruction ID: 040269c4ff93a9c1cb1bbb916ad9289272b93655efd9382066b96ba7632ab94c
Opcode Fuzzy Hash: 7219c1a0fd188c354b850304752bd673f0d8ef5391958d2de24aec2e3cc2d0ac
Instruction Fuzzy Hash: 4E01E870B189098FEB88FF6CD895AA9B3E1FF983117054579D54AD72A6CE34E842CB40

Function 00007FFB4B631616 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d14608a4007795690f22300fa2d7cb87e69f95fdb205fb0571e15a990d0b0d5b
Instruction ID: b86a036de5058fea4525b64305d3b4086d8caf8f6ac09b7c44df03f30e79f693
Opcode Fuzzy Hash: d14608a4007795690f22300fa2d7cb87e69f95fdb205fb0571e15a990d0b0d5b
Instruction Fuzzy Hash: 80F02B63B5CF490BD6F0ED6CEC4116473D2DFC4210B08527AC20CC31A6CD38A8928782

Function 00007FFB4B616620 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf5693916cbe645a1bcfd81b3fb16c0be39e2ad6f9e660ba7fdf0f590e0bc9b1
Instruction ID: ad59c7286ac63966bb26de7dc77eee5cd5bcabfe454fb679fccf52513669ec48
Opcode Fuzzy Hash: bf5693916cbe645a1bcfd81b3fb16c0be39e2ad6f9e660ba7fdf0f590e0bc9b1
Instruction Fuzzy Hash: DCF01970D08A1E8EDB91EF78D8056FEB7F0EF09300F41497AD519D21A1DB7569408B81

Function 00007FFB4B614D08 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e778d094033bfd13238316d78516a3c96af22dbb346c0d3ba2d83c742b6ba96d
Instruction ID: 6254b32e752551881b995ae339df72100bce6ef349ecc2fb3162132de083500d
Opcode Fuzzy Hash: e778d094033bfd13238316d78516a3c96af22dbb346c0d3ba2d83c742b6ba96d
Instruction Fuzzy Hash: 61F0C8A1D0CA190AFB85FF3CC5542B9BAD1EBC8294F184A3DD44DC71B1CE7855818785

Function 00007FFB4B61345C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a617dffe55f7a3ef53caf3553b42194313d82e2f9b0e202c93752f99058ddafc
Instruction ID: f197d14c26db73e976942cac94d2d10ffdadf332475f1ccf7c22b428de3ed319
Opcode Fuzzy Hash: a617dffe55f7a3ef53caf3553b42194313d82e2f9b0e202c93752f99058ddafc
Instruction Fuzzy Hash: 46F0A77190D60D5FD718FE5AEC465FA77A4FF85324F00013AF54D82162DA356863CB50

Function 00007FFB4B613050 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 055adb086e948258e7702dbf24f6ddb0c2987e88bb01d12b5d6de5e641706363
Instruction ID: 1c3ca9f97cc0243e47825ad165b75de0e6036c311acc5f15c5d5a50563a7cd8e
Opcode Fuzzy Hash: 055adb086e948258e7702dbf24f6ddb0c2987e88bb01d12b5d6de5e641706363
Instruction Fuzzy Hash: 6EF0E971A1CA454BE759FE3C950427173E5EF85305B1145BDD88ED71A2DF24DC068780

Function 00007FFB4B62978A Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0101f52982053cf481902742b4828adaabe71ea533bf9a4a12f1fbe6b9911978
Instruction ID: a2f7b825f57b64b59b9585948abb53f432a9ef1ca62759d6133ce06b69b4d02d
Opcode Fuzzy Hash: 0101f52982053cf481902742b4828adaabe71ea533bf9a4a12f1fbe6b9911978
Instruction Fuzzy Hash: 8CE0CD7190C94D5BDB44BE6CBC008D6BFD0FBD5308F00019DE95CC7155D6269555C786

Function 00007FFB4B612D3B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cda01aec51a8143fa790f52dcb9c4297d1932822d138540ed8eb92babe56a57
Instruction ID: 1268b74b0299814610119d7fb478df92a1019b819b57ffb21497891de5ec9583
Opcode Fuzzy Hash: 5cda01aec51a8143fa790f52dcb9c4297d1932822d138540ed8eb92babe56a57
Instruction Fuzzy Hash: F9E0C250B2EA854BF642A73C801337DA2D39FC8310F9840F8D84DC32C7E82C6C024253

Function 00007FFB4B61C749 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2165c790381f163309c8639caec67d71f8796f559d01a91511a449ec832f579a
Instruction ID: ee4b1e0198cb8f875dd99ff899563c19d66ebf7754ad7fa1b4e5188851eb4677
Opcode Fuzzy Hash: 2165c790381f163309c8639caec67d71f8796f559d01a91511a449ec832f579a
Instruction Fuzzy Hash: BBD02ED3E0C68C0BE780EE38ECC01FDB3A1FB81248F208239C18883042CD2944068A80

Function 00007FFB4B6D0FB1 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680569525.00007FFB4B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B6D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b6d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7436ca66e0e884e30720814de0ea0ebbd4f6fc324da8fe61c3b6b271746bb163
Instruction ID: 536aa4ef4f30bb39333b49b0dd0358d0397576544c80e2de591b87a7494a286f
Opcode Fuzzy Hash: 7436ca66e0e884e30720814de0ea0ebbd4f6fc324da8fe61c3b6b271746bb163
Instruction Fuzzy Hash: 9CD0C95172E41207F75835ADED423B9B285DBC8B18F608436E61DC22EACCDE6C8612D2

Function 00007FFB4B631481 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdbed73e7a052cc813fa43bf80d36e0e61864c362e32c81fcedc532627e37afc
Instruction ID: 4298ab4ae85ab1b537b4af3f95ad67978ddcc68c515cce14ff51ca3f053ec5c3
Opcode Fuzzy Hash: fdbed73e7a052cc813fa43bf80d36e0e61864c362e32c81fcedc532627e37afc
Instruction Fuzzy Hash: 2DD0A72274D54D4DD221AE38BC002E9B391DBC5125F50477AC20DC1185CC2640924242

Function 00007FFB4B6293C6 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a503146fc0f55b476adfbd8bbf79bccaeddd2cf6e8c4c915966a6bd274eed1a2
Instruction ID: d12a0411d443f75b908db237191584139f0e3fe0ba986e533cc03037fda9aea1
Opcode Fuzzy Hash: a503146fc0f55b476adfbd8bbf79bccaeddd2cf6e8c4c915966a6bd274eed1a2
Instruction Fuzzy Hash: 69C01292B4E80A09AA88BA38B8022EDF2009FD6300BC15431E60DC20C3CD6A28100682

Non-executed Functions

Function 00007FFB4B6111F2 Relevance: 1.6, Strings: 1, Instructions: 358COMMON

Download Yara Rule

Strings

2%_^, xrefs: 00007FFB4B611201

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: 2%_^
API String ID: 0-4094711381
Opcode ID: c12a8ea7179a9452355ca5a88283afeec1302f64fee5cdd6ddfa2540fa1e41ed
Instruction ID: eab81a3290225d9c33d7b90ee852150fbf4191dfc88fbc42603b2e319a9264b0
Opcode Fuzzy Hash: c12a8ea7179a9452355ca5a88283afeec1302f64fee5cdd6ddfa2540fa1e41ed
Instruction Fuzzy Hash: 55C166D780F5928AF20277B8E9932E97B54AF03E2C70886F6D5DE4D093FD2C245385A5

Function 00007FFB4B620EFA Relevance: 1.5, Strings: 1, Instructions: 205COMMON

Download Yara Rule

Strings

5$_^, xrefs: 00007FFB4B620F01

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: 5$_^
API String ID: 0-1745159387
Opcode ID: f4235401d31c6b5bc15bc708ee0d08186b80af0b9837076368c35d1d640254ef
Instruction ID: f45272bff3f30b9fe51cf958acc5174dae66fcdc3b30dc584839cd221232f9c3
Opcode Fuzzy Hash: f4235401d31c6b5bc15bc708ee0d08186b80af0b9837076368c35d1d640254ef
Instruction Fuzzy Hash: 4D512BE7D0F1658AF601BB7CF9532D93B94EF06A3870851F3D5CC4E063E824644B8199

Function 00007FFB4B61BDA5 Relevance: .6, Instructions: 565COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b1d5a4124d2d073a1b1f1503217bdd501ca329b288ee4c8e4aa33664ce9391b
Instruction ID: ebb496a490883ea4a9a2ecd8a96b0cd2c8cdbad10f06bac2bf456ab2d45329ca
Opcode Fuzzy Hash: 0b1d5a4124d2d073a1b1f1503217bdd501ca329b288ee4c8e4aa33664ce9391b
Instruction Fuzzy Hash: D2F1E17160CA494FEB95EF3CD859AB977E1EF49301F0940FAE54DCB2A2CA29EC418741

Function 00007FFB4B6110D1 Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9593e7d2e57dc388d989f269a500900ae25f4553d4b5b6588f2c3f0c5494de92
Instruction ID: 06d500fa0540d577c09721d696c645301b8b19eee2ebf70aaa0392780c2135d5
Opcode Fuzzy Hash: 9593e7d2e57dc388d989f269a500900ae25f4553d4b5b6588f2c3f0c5494de92
Instruction Fuzzy Hash: 78E174D780F5928AF60277B8E9932ED7B54AF03E6C70886F2D49E49093BD2C245385A5

Function 00007FFB4B620E0F Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5667c9dca97246d6f1e074846bb066e3f5610066a19767a630bc0648ca5c472f
Instruction ID: 1f2c876ff26bebc0a9b9a7d30b5476e87af7f86b41eb2703935176b8475ef368
Opcode Fuzzy Hash: 5667c9dca97246d6f1e074846bb066e3f5610066a19767a630bc0648ca5c472f
Instruction Fuzzy Hash: 9491C6D790F16586F6127B7CF9532E97B94EF02E3870851F7D4CD4E0A3AC28648B81A9

Function 00007FFB4B61B3C1 Relevance: 6.5, Strings: 5, Instructions: 285COMMON

Download Yara Rule

Strings

HA(K, xrefs: 00007FFB4B61B5E9
HA(K, xrefs: 00007FFB4B61B5C1
HA(K, xrefs: 00007FFB4B61B436
HA(K, xrefs: 00007FFB4B61B470
HA(K, xrefs: 00007FFB4B61B510

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: HA(K$HA(K$HA(K$HA(K$HA(K
API String ID: 0-2834500941
Opcode ID: 8cc1b9606e2e41612736642f7bce1533003bb454e598d14af3022b2f95e38b24
Instruction ID: 7f36fada1af91835f8d4b2aecb128dba2c19d669b5865fe25f3f9724d7fd1d15
Opcode Fuzzy Hash: 8cc1b9606e2e41612736642f7bce1533003bb454e598d14af3022b2f95e38b24
Instruction Fuzzy Hash: 60815BA2A0DE8A0FE755AB78C8555B4BBE1FF55310B0D81FAD14DC7193DD28AC438790

Function 00007FFB4B62C419 Relevance: 5.3, Strings: 4, Instructions: 337COMMON

Download Yara Rule

Strings

hs2, xrefs: 00007FFB4B62C547
HA(K, xrefs: 00007FFB4B62C485
^._L, xrefs: 00007FFB4B62C5D0
(`GK, xrefs: 00007FFB4B62C65E

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: (`GK$HA(K$^._L$hs2
API String ID: 0-3077391667
Opcode ID: 6d172f420dbaf963e5d5d17cab4ca66fd9a9522b5dd54a70b4583008cdf5dabb
Instruction ID: 9aef8d760f4191bc84a6d040120c546ad53236e4a49ae072f8df4ede9f1e0c14
Opcode Fuzzy Hash: 6d172f420dbaf963e5d5d17cab4ca66fd9a9522b5dd54a70b4583008cdf5dabb
Instruction Fuzzy Hash: 6FA13AA2A1DF8A4FF759FA3CD8456B5BBD1EF95310B0441BAD48DC31A3DD38A8068352

Function 00007FFB4B634DFC Relevance: 5.2, Strings: 4, Instructions: 246COMMON

Download Yara Rule

Strings

HA(K, xrefs: 00007FFB4B634EB1
HA(K, xrefs: 00007FFB4B634E9A
HA(K, xrefs: 00007FFB4B634F70
HA(K, xrefs: 00007FFB4B634FA6

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: HA(K$HA(K$HA(K$HA(K
API String ID: 0-1955787288
Opcode ID: ca35d38e17c4ac2a68416216467cfa004c0f51243e1faf8a45766e810d95cc32
Instruction ID: 22536acc1d821c2f5377ea5733d37d73977cbb3a744086dda19112ba7bc2eedd
Opcode Fuzzy Hash: ca35d38e17c4ac2a68416216467cfa004c0f51243e1faf8a45766e810d95cc32
Instruction Fuzzy Hash: F86126A2A0DA870FE746AABCD8952A0F7D1EF85310B5881F9D84CC71D7D929AC43C381

Function 00007FFB4B6355C8 Relevance: 5.1, Strings: 4, Instructions: 147COMMON

Download Yara Rule

Strings

HA(K, xrefs: 00007FFB4B635611
(~MK, xrefs: 00007FFB4B6355FA
HA(K, xrefs: 00007FFB4B6355D3
(~MK, xrefs: 00007FFB4B63568B

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: (~MK$(~MK$HA(K$HA(K
API String ID: 0-32128973
Opcode ID: 7126648f9d94325805e763df725c31ff180e7bdcd56d4387b3ef67627d0acb6a
Instruction ID: 3b5276793fb99b99b2ad9b9343765380a3c2311578b0ec12bf51947b37034e85
Opcode Fuzzy Hash: 7126648f9d94325805e763df725c31ff180e7bdcd56d4387b3ef67627d0acb6a
Instruction Fuzzy Hash: 75410B92A1DA864FE747A73888661787BD3EF4625070981FED48EC31E3DD28AC038345

Function 00007FFB4B61B543 Relevance: 5.1, Strings: 4, Instructions: 142COMMON

Download Yara Rule

Strings

HA(K, xrefs: 00007FFB4B61B5E9
HA(K, xrefs: 00007FFB4B61B576
HA(K, xrefs: 00007FFB4B61B5C1
HA(K, xrefs: 00007FFB4B61B54E

Memory Dump Source

Source File: 00000000.00000002.2680196462.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b610000_RegAsm.jbxd

Similarity

API ID:
String ID: HA(K$HA(K$HA(K$HA(K
API String ID: 0-1955787288
Opcode ID: a4484d678da356222aba846c4c061f0c7fb2ca5058744649ea47a69fe568e12a
Instruction ID: 1178dbbafbaf73f053dd95b6bfbcb73d8d776a0d297be66a0d75c13620cd4564
Opcode Fuzzy Hash: a4484d678da356222aba846c4c061f0c7fb2ca5058744649ea47a69fe568e12a
Instruction Fuzzy Hash: 9B4116A161999A4FE786EB38C496674BBD2FF59300B4981F5D18DC7293DE28EC028780

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RegAsm.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Quasar

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
RegAsm.exe

Function 00007FFB4B62E399 Relevance: 11.1, Strings: 8, Instructions: 1119
COMMON

Function 00007FFB4B62AF99 Relevance: 11.0, Strings: 8, Instructions: 1035
COMMON

Function 00007FFB4B39295E Relevance: 10.3, Strings: 8, Instructions: 260
COMMON

Function 00007FFB4B619621 Relevance: 8.7, Strings: 6, Instructions: 1223
COMMON

Function 00007FFB4B62EF79 Relevance: 5.5, Strings: 4, Instructions: 465
COMMON

Function 00007FFB4B62B9F7 Relevance: 13.3, Strings: 10, Instructions: 757
COMMON

Function 00007FFB4B629FBC Relevance: 10.5, Strings: 8, Instructions: 527
COMMON

Function 00007FFB4B621B28 Relevance: 9.2, Strings: 7, Instructions: 483
COMMON

Function 00007FFB4B61FFA7 Relevance: 8.0, Strings: 6, Instructions: 521
COMMON

Function 00007FFB4B616D81 Relevance: 7.8, Strings: 6, Instructions: 328
COMMON

Function 00007FFB4B6354C9 Relevance: 5.6, Strings: 4, Instructions: 551
COMMON