Edit tour

Windows Analysis Report
LFLtlBAuf7.exe

Overview

General Information

Sample name:	LFLtlBAuf7.exe renamed because original name is a hash value
Original sample name:	687c5903af67e7ae2df617f249ef22502998e4524ccb34a27eaac389b8e61728.exe
Analysis ID:	1578202
MD5:	9a7cea63db91937ec2fa0c4a40dcde82
SHA1:	dbc121740eb6aa3221beadd3ae69df1ce095c441
SHA256:	687c5903af67e7ae2df617f249ef22502998e4524ccb34a27eaac389b8e61728
Tags:	51-15-17-193exeuser-JAMESWT_MHT
Infos:

Detection

Quasar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Quasar RAT

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Installs new ROOT certificates

Modifies the context of a thread in another process (thread injection)

Sets debug register (to hijack the execution of another thread)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores large binary data to the registry

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

LFLtlBAuf7.exe (PID: 7144 cmdline: "C:\Users\user\Desktop\LFLtlBAuf7.exe" MD5: 9A7CEA63DB91937EC2FA0C4A40DCDE82)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Quasar RAT, QuasarRAT	Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.	APT33 Dropping Elephant Stone Panda The Gorgon Group	http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848 https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf https://asec.ahnlab.com/en/31089/	https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware Configuration

Threatname: Quasar

{"Version": "1.4.1", "Host:Port": "51.15.17.193:4782;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "ff4f56ac-24e1-40ed-bb5c-e0b45b489ee4", "StartupKey": "Quasar Client Startup", "Tag": "Staking", "LogDirectoryName": "Logs", "ServerSignature": "VcdWXYvy8iyLGpEpemlpsJsFzopYmofL4QNr2feHUJsPL+ngY0C7JQYOq6aYbsAjgmj6IbwZJc1XmizrExnUy+PRbyzdhXn/sVtf0c5aKxd3dt4CKIH8RwhZ+1d8A1yWVaLG3EX77fUG0rpKK62u23rxy2xVXAHtbGpSKxFeRpC7f7sJTZn4Z0Y35tuiIHc4Rm0XPJsGN2gsJlMXuO03yXOGigqpHZKEtj94duYKUJkBGDRcs409u8AbVq5yFO/Z3naE7DUixrawBYsuYNTfV/JKK+8Z6Doi2G4pd/3xdzRGgvcHbvQUlJMvzwA3mfl5ftjQQEBZoznaWANAU/Ma/rkNbcz/Py1HRGprVPjyItNiGGVo8QW6x7kuMhGzKdB2rCq52h/1qHhjHwU1KvTzJy+dDY+t6YAg20GxbhxcZhrwrUECPcommE0TilwcEFKll2uVp5tNn4e75makywwAQv1QKo21YjGls2gLrh6M1FKr7l479IoJkbcZjeRZ8uh3yjyMEf5NJq0oSEuRI3ZPWuczPdKhg3+6KKWtTF5mkUd/2nycS0oUTFjgU+5XNTjvuz4MzJUikklL47VJzJ1Q9JWiNE/2Ple/eqh6VyQfE96cH433HJ2CJH+gAlQwaGWiJ7e0/NQuP5Cn3ocYaux65TLOpt3EyVjnOHH0ZKET/5w=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAMaTO8NkDssYwyYqpLth2zANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MTExMTAzMTk0NVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAjmhEECGx9fJQPcO/tgA+f+kThLAwzf77GITj6MUf+ipJ2FxfDkt1dClWH7x3waX33aitCeYrNHoVpriW1JVNqnzcZZOEu8fmtpxlXlSdBCdVxLNRp6CiJfafCuIfizorZpkBdERawzGdVD5Fmx6p7DSeAm6WV/V6vZROp0FCVmJ5IbSNIu0PHTjRVh0rcT3pt0+tlT/KceZhk5XM2ds5MqCKGpBYXTvWrWzkk8Alby/3M0QFvctC7YytuDOywU+Qj5bAFB7IAlIeJAGlWGoWb3pLL05N2SbfRYdJcucFpq72+MgmneoTxwovJwiUxvRQGUNBjpxZcUA4d+pHtGRvNAU95RxfirGTaWujfHX9um4mNBhYbMb/NRGC737GQV48ksMSEtcR4C9U1GGh/3Czr7S/GIew19pHtdHsnN5P+rn2wbVPlUgzwgcAeHFbVlD+Lguszs0AdHGwv9ZdkHPwBzmOx9YvDEYfEZM9AJk/hWuk85FXZTKMcDSG1ytHbAyGgjLOr8B1z36u3B1kRt+92uHqd06QjFu/ipVIitmGogem5nwTVthP7zLvbjFiv6omskGBu/55ByQicH5MCkDisJKU2ahOFOypbR5hxdodGS13+pQGFqg8cTe0gsnzfrwXKiQu1aYC394MW+z29OO5KK9NSN4bJ3zn4W7Sh5TbbHsCAwEAAaMyMDAwHQYDVR0OBBYEFB73KQ9dKRRykGrTP/ro/ucILFuYMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBACp7CqafH2O5tj6gVDE7FAhoQrPyBNMiQXpXZihG9DIoTHJgiDPuRhdSrVyPKldZ7EsSa52sse6QzmYrRnMOQmUZWP7Cu6QLtYc4IUcGRZWDaY2uVDsnXwyXIkxUHDGeeQG+f5/iBiKTMqy+6O0cIRqebMtTqvmob5yQggXp5CVXTbq+pb0DmcLsMbZbrWNviVC7QBXpwHyH24H7iv2aEEAAQorIg35v75Oen7nvFPGcKiaEjvTKvoce2j2OceW20QAaQlSBeSaOIsAyw1q1e6uIoC6PjDb0URbXV6LAJz5RjfinSiQuo0nLzRLRiecEOiBBhtXsMXBIs/jxGqMKT14QbXMVLX9STaDho5i0LAkypnYNjFznc40Ot/Xqx5pS9B/jBppVVNKjv//AdTbKa9WNUPTQZg91IAnXAE6FTSGwUSzGhmrf4WJfHLt0uITn/fOrZfL/enju+jnX3TKRU8N4BNakHcAv2XJh0qmDnmKBAHrq5rCNsSO6Bsl411FYxb3enXQAd6SNy+G/kx1Up4+jAg67bTZDlq38opVU0k0ZAxmLWHUHI1QbcnAhah0g40fW5UY9kijuWbxVea8K+arIRk4hBLqFLNkwoa5eEKg7+ErtUJeqR1Q8YJhCzqz8zQ5Rf0EdE40W9H4zsxgQUFmqAE/klrdI06pJLB3bjvwa"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.3016217749.000001D3801D2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.3016217749.000001D380001000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.3023821649.000001D3F7710000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.3023821649.000001D3F7710000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.3023821649.000001D3F7710000.00000004.08000000.00040000.00000000.sdmp	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ef12:$x1: Quasar.Common.Messages 0x29f23b:$x1: Quasar.Common.Messages 0x2ab806:$x4: Uninstalling... good bye :-( 0x2acffb:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
00000000.00000002.3023821649.000001D3F7710000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadb8:$f1: FileZilla\recentservers.xml 0x2aadf8:$f2: FileZilla\sitemanager.xml 0x2aae3a:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab086:$b1: Chrome\User Data\ 0x2ab0dc:$b1: Chrome\User Data\ 0x2ab3b4:$b2: Mozilla\Firefox\Profiles 0x2ab4b0:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd434:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab608:$b4: Opera Software\Opera Stable\Login Data 0x2ab6c2:$b5: YandexBrowser\User Data\ 0x2ab730:$b5: YandexBrowser\User Data\ 0x2ab404:$s4: logins.json 0x2ab13a:$a1: username_value 0x2ab158:$a2: password_value 0x2ab444:$a3: encryptedUsername 0x2fd378:$a3: encryptedUsername 0x2ab468:$a4: encryptedPassword 0x2fd396:$a4: encryptedPassword 0x2fd314:$a5: httpRealm
00000000.00000002.3023821649.000001D3F7710000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab8f0:$s3: Process already elevated. 0x28ec11:$s4: get_PotentiallyVulnerablePasswords 0x278c92:$s5: GetKeyloggerLogsDirectory 0x29e99a:$s5: GetKeyloggerLogsDirectory 0x28ec34:$s6: set_PotentiallyVulnerablePasswords 0x2fea62:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
00000000.00000002.3017909695.000001D390001000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.3020936416.000001D3F71E6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: LFLtlBAuf7.exe PID: 7144	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.LFLtlBAuf7.exe.1d3f7710000.1.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.LFLtlBAuf7.exe.1d3f7710000.1.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28d112:$x1: Quasar.Common.Messages 0x29d43b:$x1: Quasar.Common.Messages 0x2a9a06:$x4: Uninstalling... good bye :-( 0x2ab1fb:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.LFLtlBAuf7.exe.1d3f7710000.1.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a8fb8:$f1: FileZilla\recentservers.xml 0x2a8ff8:$f2: FileZilla\sitemanager.xml 0x2a903a:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a9286:$b1: Chrome\User Data\ 0x2a92dc:$b1: Chrome\User Data\ 0x2a95b4:$b2: Mozilla\Firefox\Profiles 0x2a96b0:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fb634:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a9808:$b4: Opera Software\Opera Stable\Login Data 0x2a98c2:$b5: YandexBrowser\User Data\ 0x2a9930:$b5: YandexBrowser\User Data\ 0x2a9604:$s4: logins.json 0x2a933a:$a1: username_value 0x2a9358:$a2: password_value 0x2a9644:$a3: encryptedUsername 0x2fb578:$a3: encryptedUsername 0x2a9668:$a4: encryptedPassword 0x2fb596:$a4: encryptedPassword 0x2fb514:$a5: httpRealm
0.2.LFLtlBAuf7.exe.1d3f7710000.1.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a9af0:$s3: Process already elevated. 0x28ce11:$s4: get_PotentiallyVulnerablePasswords 0x276e92:$s5: GetKeyloggerLogsDirectory 0x29cb9a:$s5: GetKeyloggerLogsDirectory 0x28ce34:$s6: set_PotentiallyVulnerablePasswords 0x2fcc62:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
0.2.LFLtlBAuf7.exe.1d390009ac0.0.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.LFLtlBAuf7.exe.1d390009ac0.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.LFLtlBAuf7.exe.1d390009ac0.0.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ef12:$x1: Quasar.Common.Messages 0x29f23b:$x1: Quasar.Common.Messages 0x2ab806:$x4: Uninstalling... good bye :-( 0x2acffb:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.LFLtlBAuf7.exe.1d390009ac0.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadb8:$f1: FileZilla\recentservers.xml 0x2aadf8:$f2: FileZilla\sitemanager.xml 0x2aae3a:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab086:$b1: Chrome\User Data\ 0x2ab0dc:$b1: Chrome\User Data\ 0x2ab3b4:$b2: Mozilla\Firefox\Profiles 0x2ab4b0:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd434:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab608:$b4: Opera Software\Opera Stable\Login Data 0x2ab6c2:$b5: YandexBrowser\User Data\ 0x2ab730:$b5: YandexBrowser\User Data\ 0x2ab404:$s4: logins.json 0x2ab13a:$a1: username_value 0x2ab158:$a2: password_value 0x2ab444:$a3: encryptedUsername 0x2fd378:$a3: encryptedUsername 0x2ab468:$a4: encryptedPassword 0x2fd396:$a4: encryptedPassword 0x2fd314:$a5: httpRealm
0.2.LFLtlBAuf7.exe.1d390009ac0.0.raw.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab8f0:$s3: Process already elevated. 0x28ec11:$s4: get_PotentiallyVulnerablePasswords 0x278c92:$s5: GetKeyloggerLogsDirectory 0x29e99a:$s5: GetKeyloggerLogsDirectory 0x28ec34:$s6: set_PotentiallyVulnerablePasswords 0x2fea62:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
0.2.LFLtlBAuf7.exe.1d390009ac0.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.LFLtlBAuf7.exe.1d390009ac0.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28d112:$x1: Quasar.Common.Messages 0x29d43b:$x1: Quasar.Common.Messages 0x2a9a06:$x4: Uninstalling... good bye :-( 0x2ab1fb:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.LFLtlBAuf7.exe.1d390009ac0.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a8fb8:$f1: FileZilla\recentservers.xml 0x2a8ff8:$f2: FileZilla\sitemanager.xml 0x2a903a:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a9286:$b1: Chrome\User Data\ 0x2a92dc:$b1: Chrome\User Data\ 0x2a95b4:$b2: Mozilla\Firefox\Profiles 0x2a96b0:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fb634:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a9808:$b4: Opera Software\Opera Stable\Login Data 0x2a98c2:$b5: YandexBrowser\User Data\ 0x2a9930:$b5: YandexBrowser\User Data\ 0x2a9604:$s4: logins.json 0x2a933a:$a1: username_value 0x2a9358:$a2: password_value 0x2a9644:$a3: encryptedUsername 0x2fb578:$a3: encryptedUsername 0x2a9668:$a4: encryptedPassword 0x2fb596:$a4: encryptedPassword 0x2fb514:$a5: httpRealm
0.2.LFLtlBAuf7.exe.1d390009ac0.0.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a9af0:$s3: Process already elevated. 0x28ce11:$s4: get_PotentiallyVulnerablePasswords 0x276e92:$s5: GetKeyloggerLogsDirectory 0x29cb9a:$s5: GetKeyloggerLogsDirectory 0x28ce34:$s6: set_PotentiallyVulnerablePasswords 0x2fcc62:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
0.2.LFLtlBAuf7.exe.1d3f7710000.1.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.LFLtlBAuf7.exe.1d3f7710000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.LFLtlBAuf7.exe.1d3f7710000.1.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ef12:$x1: Quasar.Common.Messages 0x29f23b:$x1: Quasar.Common.Messages 0x2ab806:$x4: Uninstalling... good bye :-( 0x2acffb:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.LFLtlBAuf7.exe.1d3f7710000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadb8:$f1: FileZilla\recentservers.xml 0x2aadf8:$f2: FileZilla\sitemanager.xml 0x2aae3a:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab086:$b1: Chrome\User Data\ 0x2ab0dc:$b1: Chrome\User Data\ 0x2ab3b4:$b2: Mozilla\Firefox\Profiles 0x2ab4b0:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd434:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab608:$b4: Opera Software\Opera Stable\Login Data 0x2ab6c2:$b5: YandexBrowser\User Data\ 0x2ab730:$b5: YandexBrowser\User Data\ 0x2ab404:$s4: logins.json 0x2ab13a:$a1: username_value 0x2ab158:$a2: password_value 0x2ab444:$a3: encryptedUsername 0x2fd378:$a3: encryptedUsername 0x2ab468:$a4: encryptedPassword 0x2fd396:$a4: encryptedPassword 0x2fd314:$a5: httpRealm
0.2.LFLtlBAuf7.exe.1d3f7710000.1.raw.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab8f0:$s3: Process already elevated. 0x28ec11:$s4: get_PotentiallyVulnerablePasswords 0x278c92:$s5: GetKeyloggerLogsDirectory 0x29e99a:$s5: GetKeyloggerLogsDirectory 0x28ec34:$s6: set_PotentiallyVulnerablePasswords 0x2fea62:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
Click to see the 13 entries

Suricata Signatures

ET MALWARE Generic AsyncRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-19T12:31:17.180649+0100	2035595	1	Domain Observed Used for C2 Detected	51.15.17.193	4782	192.168.2.4	49732	TCP

ET MALWARE Observed Malicious SSL Cert (Quasar CnC)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-19T12:31:17.180649+0100	2027619	1	Domain Observed Used for C2 Detected	51.15.17.193	4782	192.168.2.4	49732	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.LFLtlBAuf7.exe.1d3f7710000.1.raw.unpack

Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "51.15.17.193:4782;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "ff4f56ac-24e1-40ed-bb5c-e0b45b489ee4", "StartupKey": "Quasar Client Startup", "Tag": "Staking", "LogDirectoryName": "Logs", "ServerSignature": "VcdWXYvy8iyLGpEpemlpsJsFzopYmofL4QNr2feHUJsPL+ngY0C7JQYOq6aYbsAjgmj6IbwZJc1XmizrExnUy+PRbyzdhXn/sVtf0c5aKxd3dt4CKIH8RwhZ+1d8A1yWVaLG3EX77fUG0rpKK62u23rxy2xVXAHtbGpSKxFeRpC7f7sJTZn4Z0Y35tuiIHc4Rm0XPJsGN2gsJlMXuO03yXOGigqpHZKEtj94duYKUJkBGDRcs409u8AbVq5yFO/Z3naE7DUixrawBYsuYNTfV/JKK+8Z6Doi2G4pd/3xdzRGgvcHbvQUlJMvzwA3mfl5ftjQQEBZoznaWANAU/Ma/rkNbcz/Py1HRGprVPjyItNiGGVo8QW6x7kuMhGzKdB2rCq52h/1qHhjHwU1KvTzJy+dDY+t6YAg20GxbhxcZhrwrUECPcommE0TilwcEFKll2uVp5tNn4e75makywwAQv1QKo21YjGls2gLrh6M1FKr7l479IoJkbcZjeRZ8uh3yjyMEf5NJq0oSEuRI3ZPWuczPdKhg3+6KKWtTF5mkUd/2nycS0oUTFjgU+5XNTjvuz4MzJUikklL47VJzJ1Q9JWiNE/2Ple/eqh6VyQfE96cH433HJ2CJH+gAlQwaGWiJ7e0/NQuP5Cn3ocYaux65TLOpt3EyVjnOHH0ZKET/5w=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAMaTO8NkDssYwyYqpLth2zANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MTExMTAzMTk0NVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAjmhEECGx9fJQPcO/tgA+f+kThLAwzf77GITj6MUf+ipJ2FxfDkt1dClWH7x3waX33aitCeYrNHoVpriW1JVNqnzcZZOEu8fmtpxlXlSdBCdVxLNRp6CiJfafCuIfizorZpkBdERawzGdVD5Fmx6p7DSeAm6WV/V6vZROp0FCVmJ5IbSNIu0PHTjRVh0rcT3pt0+tlT/KceZhk5XM2ds5MqCKGpBYXTvWrWzkk8Alby/3M0QFvctC7YytuDOywU+Qj5bAFB7IAlIeJAGlWGoWb3pLL05N2SbfRYdJcucFpq72+MgmneoTxwovJwiUxvRQGUNBjpxZcUA4d+pHtGRvNAU95RxfirGTaWujfHX9um4mNBhYbMb/NRGC737GQV48ksMSEtcR4C9U1GGh/3Czr7S/GIew19pHtdHsnN5P+rn2wbVPlUgzwgcAeHFbVlD+Lguszs0AdHGwv9ZdkHPwBzmOx9YvDEYfEZM9AJk/hWuk85FXZTKMcDSG1ytHbAyGgjLOr8B1z36u3B1kRt+92uHqd06QjFu/ipVIitmGogem5nwTVthP7zLvbjFiv6omskGBu/55ByQicH5MCkDisJKU2ahOFOypbR5hxdodGS13+pQGFqg8cTe0gsnzfrwXKiQu1aYC394MW+z29OO5KK9NSN4bJ3zn4W7Sh5TbbHsCAwEAAaMyMDAwHQYDVR0OBBYEFB73KQ9dKRRykGrTP/ro/ucILFuYMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBACp7CqafH2O5tj6gVDE7FAhoQrPyBNMiQXpXZihG9DIoTHJgiDPuRhdSrVyPKldZ7EsSa52sse6QzmYrRnMOQmUZWP7Cu6QLtYc4IUcGRZWDaY2uVDsnXwyXIkxUHDGeeQG+f5/iBiKTMqy+6O0cIRqebMtTqvmob5yQggXp5CVXTbq+pb0DmcLsMbZbrWNviVC7QBXpwHyH24H7iv2aEEAAQorIg35v75Oen7nvFPGcKiaEjvTKvoce2j2OceW20QAaQlSBeSaOIsAyw1q1e6uIoC6PjDb0URbXV6LAJz5RjfinSiQuo0nLzRLRiecEOiBBhtXsMXBIs/jxGqMKT14QbXMVLX9STaDho5i0LAkypnYNjFznc40Ot/Xqx5pS9B/jBppVVNKjv//AdTbKa9WNUPTQZg91IAnXAE6FTSGwUSzGhmrf4WJfHLt0uITn/fOrZfL/enju+jnX3TKRU8N4BNakHcAv2XJh0qmDnmKBAHrq5rCNsSO6Bsl411FYxb3enXQAd6SNy+G/kx1Up4+jAg67bTZDlq38opVU0k0ZAxmLWHUHI1QbcnAhah0g40fW5UY9kijuWbxVea8K+arIRk4hBLqFLNkwoa5eEKg7+ErtUJeqR1Q8YJhCzqz8zQ5Rf0EdE40W9H4zsxgQUFmqAE/klrdI06pJLB3bjvwa"}

Multi AV Scanner detection for submitted file

Source: LFLtlBAuf7.exe	ReversingLabs: Detection: 57%
Source: LFLtlBAuf7.exe	Virustotal: Detection: 54%			Perma Link

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.LFLtlBAuf7.exe.1d3f7710000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LFLtlBAuf7.exe.1d390009ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LFLtlBAuf7.exe.1d390009ac0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LFLtlBAuf7.exe.1d3f7710000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3016217749.000001D3801D2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3016217749.000001D380001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3023821649.000001D3F7710000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3017909695.000001D390001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3020936416.000001D3F71E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LFLtlBAuf7.exe PID: 7144, type: MEMORYSTR

Source: unknown

HTTPS traffic detected: 108.181.61.49:443 -> 192.168.2.4:49734 version: TLS 1.2

Source: LFLtlBAuf7.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2027619 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (Quasar CnC) : 51.15.17.193:4782 -> 192.168.2.4:49732
Source: Network traffic	Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 51.15.17.193:4782 -> 192.168.2.4:49732

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 51.15.17.193

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.LFLtlBAuf7.exe.1d390009ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LFLtlBAuf7.exe.1d3f7710000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3023821649.000001D3F7710000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.4:49732 -> 51.15.17.193:4782

Source: Joe Sandbox View

IP Address: 108.181.61.49 108.181.61.49

Source: Joe Sandbox View

ASN Name: OnlineSASFR OnlineSASFR

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ipwho.is

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ipwho.is

Source: LFLtlBAuf7.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: LFLtlBAuf7.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: LFLtlBAuf7.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: LFLtlBAuf7.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA.crt0
Source: LFLtlBAuf7.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: LFLtlBAuf7.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: LFLtlBAuf7.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: LFLtlBAuf7.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: LFLtlBAuf7.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: LFLtlBAuf7.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: LFLtlBAuf7.exe	String found in binary or memory: http://crl3.digicert.com/EVCodeSigning-g1.crl03
Source: LFLtlBAuf7.exe	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: LFLtlBAuf7.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: LFLtlBAuf7.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: LFLtlBAuf7.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: LFLtlBAuf7.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: LFLtlBAuf7.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: LFLtlBAuf7.exe	String found in binary or memory: http://crl4.digicert.com/EVCodeSigning-g1.crl0K
Source: LFLtlBAuf7.exe	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: LFLtlBAuf7.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: LFLtlBAuf7.exe, 00000000.00000002.3022864860.000001D3F755B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: LFLtlBAuf7.exe, 00000000.00000002.3022864860.000001D3F7605000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: LFLtlBAuf7.exe, 00000000.00000002.3016217749.000001D380184000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ipwho.is
Source: LFLtlBAuf7.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: LFLtlBAuf7.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: LFLtlBAuf7.exe	String found in binary or memory: http://ocsp.digicert.com0H
Source: LFLtlBAuf7.exe	String found in binary or memory: http://ocsp.digicert.com0I
Source: LFLtlBAuf7.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: LFLtlBAuf7.exe, 00000000.00000002.3016217749.000001D3801D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: LFLtlBAuf7.exe, 00000000.00000002.3016217749.000001D380001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: LFLtlBAuf7.exe	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: LFLtlBAuf7.exe, 00000000.00000002.3023821649.000001D3F7710000.00000004.08000000.00040000.00000000.sdmp, LFLtlBAuf7.exe, 00000000.00000002.3017909695.000001D390001000.00000004.00000800.00020000.00000000.sdmp, LFLtlBAuf7.exe, 00000000.00000002.3020936416.000001D3F71E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: LFLtlBAuf7.exe, 00000000.00000002.3016217749.000001D38016A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipwho.is
Source: LFLtlBAuf7.exe, 00000000.00000002.3023821649.000001D3F7710000.00000004.08000000.00040000.00000000.sdmp, LFLtlBAuf7.exe, 00000000.00000002.3016217749.000001D38016A000.00000004.00000800.00020000.00000000.sdmp, LFLtlBAuf7.exe, 00000000.00000002.3017909695.000001D390001000.00000004.00000800.00020000.00000000.sdmp, LFLtlBAuf7.exe, 00000000.00000002.3020936416.000001D3F71E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipwho.is/
Source: LFLtlBAuf7.exe, 00000000.00000002.3023821649.000001D3F7710000.00000004.08000000.00040000.00000000.sdmp, LFLtlBAuf7.exe, 00000000.00000002.3017909695.000001D390001000.00000004.00000800.00020000.00000000.sdmp, LFLtlBAuf7.exe, 00000000.00000002.3020936416.000001D3F71E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: LFLtlBAuf7.exe, 00000000.00000002.3023821649.000001D3F7710000.00000004.08000000.00040000.00000000.sdmp, LFLtlBAuf7.exe, 00000000.00000002.3016217749.000001D38041E000.00000004.00000800.00020000.00000000.sdmp, LFLtlBAuf7.exe, 00000000.00000002.3017909695.000001D390001000.00000004.00000800.00020000.00000000.sdmp, LFLtlBAuf7.exe, 00000000.00000002.3016217749.000001D380041000.00000004.00000800.00020000.00000000.sdmp, LFLtlBAuf7.exe, 00000000.00000002.3020936416.000001D3F71E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: LFLtlBAuf7.exe, 00000000.00000002.3023821649.000001D3F7710000.00000004.08000000.00040000.00000000.sdmp, LFLtlBAuf7.exe, 00000000.00000002.3017909695.000001D390001000.00000004.00000800.00020000.00000000.sdmp, LFLtlBAuf7.exe, 00000000.00000002.3020936416.000001D3F71E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot
Source: LFLtlBAuf7.exe	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown

HTTPS traffic detected: 108.181.61.49:443 -> 192.168.2.4:49734 version: TLS 1.2

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.LFLtlBAuf7.exe.1d3f7710000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LFLtlBAuf7.exe.1d390009ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LFLtlBAuf7.exe.1d390009ac0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LFLtlBAuf7.exe.1d3f7710000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3016217749.000001D3801D2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3016217749.000001D380001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3023821649.000001D3F7710000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3017909695.000001D390001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3020936416.000001D3F71E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LFLtlBAuf7.exe PID: 7144, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.LFLtlBAuf7.exe.1d3f7710000.1.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.LFLtlBAuf7.exe.1d3f7710000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.LFLtlBAuf7.exe.1d3f7710000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.2.LFLtlBAuf7.exe.1d390009ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.LFLtlBAuf7.exe.1d390009ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.LFLtlBAuf7.exe.1d390009ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.2.LFLtlBAuf7.exe.1d390009ac0.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.LFLtlBAuf7.exe.1d390009ac0.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.LFLtlBAuf7.exe.1d390009ac0.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.2.LFLtlBAuf7.exe.1d3f7710000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.LFLtlBAuf7.exe.1d3f7710000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.LFLtlBAuf7.exe.1d3f7710000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 00000000.00000002.3023821649.000001D3F7710000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 00000000.00000002.3023821649.000001D3F7710000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000000.00000002.3023821649.000001D3F7710000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Quasar infostealer Author: ditekshen

Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Code function: 0_2_00007FFD9B721729	0_2_00007FFD9B721729
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Code function: 0_2_00007FFD9B9BE399	0_2_00007FFD9B9BE399
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Code function: 0_2_00007FFD9B9B73AE	0_2_00007FFD9B9B73AE
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Code function: 0_2_00007FFD9B9BC295	0_2_00007FFD9B9BC295
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Code function: 0_2_00007FFD9B9AAA4D	0_2_00007FFD9B9AAA4D
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Code function: 0_2_00007FFD9B9B815E	0_2_00007FFD9B9B815E
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Code function: 0_2_00007FFD9B9BB009	0_2_00007FFD9B9BB009
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Code function: 0_2_00007FFD9B9A4E56	0_2_00007FFD9B9A4E56
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Code function: 0_2_00007FFD9B9A9621	0_2_00007FFD9B9A9621
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Code function: 0_2_00007FFD9B9A8C79	0_2_00007FFD9B9A8C79
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Code function: 0_2_00007FFD9B9A5B24	0_2_00007FFD9B9A5B24
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Code function: 0_2_00007FFD9B9A10D1	0_2_00007FFD9B9A10D1
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Code function: 0_2_00007FFD9B9B0EFA	0_2_00007FFD9B9B0EFA
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Code function: 0_2_00007FFD9B9B0E0F	0_2_00007FFD9B9B0E0F
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Code function: 0_2_00007FFD9BA623F1	0_2_00007FFD9BA623F1

Source: LFLtlBAuf7.exe

Static PE information: invalid certificate

Source: LFLtlBAuf7.exe, 00000000.00000000.1762953059.00007FF7A2EDB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameRegAsm.exeT4 vs LFLtlBAuf7.exe
Source: LFLtlBAuf7.exe, 00000000.00000002.3023821649.000001D3F7710000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs LFLtlBAuf7.exe
Source: LFLtlBAuf7.exe, 00000000.00000002.3017909695.000001D390001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs LFLtlBAuf7.exe
Source: LFLtlBAuf7.exe, 00000000.00000002.3020936416.000001D3F71E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs LFLtlBAuf7.exe
Source: LFLtlBAuf7.exe	Binary or memory string: OriginalFilenameRegAsm.exeT4 vs LFLtlBAuf7.exe

Source: 0.2.LFLtlBAuf7.exe.1d3f7710000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.LFLtlBAuf7.exe.1d3f7710000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.LFLtlBAuf7.exe.1d3f7710000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.LFLtlBAuf7.exe.1d390009ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.LFLtlBAuf7.exe.1d390009ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.LFLtlBAuf7.exe.1d390009ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.LFLtlBAuf7.exe.1d390009ac0.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.LFLtlBAuf7.exe.1d390009ac0.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.LFLtlBAuf7.exe.1d390009ac0.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.LFLtlBAuf7.exe.1d3f7710000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.LFLtlBAuf7.exe.1d3f7710000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.LFLtlBAuf7.exe.1d3f7710000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 00000000.00000002.3023821649.000001D3F7710000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 00000000.00000002.3023821649.000001D3F7710000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000000.00000002.3023821649.000001D3F7710000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/2@1/2

Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ff4f56ac-24e1-40ed-bb5c-e0b45b489ee4
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Mutant created: \Sessions\1\BaseNamedObjects\Info_HWiRjj

Source: LFLtlBAuf7.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\LFLtlBAuf7.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\LFLtlBAuf7.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: LFLtlBAuf7.exe	ReversingLabs: Detection: 57%
Source: LFLtlBAuf7.exe	Virustotal: Detection: 54%

Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Section loaded: wbemcomn.dll	Jump to behavior

Source: C:\Users\user\Desktop\LFLtlBAuf7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: LFLtlBAuf7.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: LFLtlBAuf7.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: LFLtlBAuf7.exe

Static file information: File size 5069152 > 1048576

Source: LFLtlBAuf7.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x18ac00
Source: LFLtlBAuf7.exe	Static PE information: Raw size of .data is bigger than: 0x100000 < 0x31e000

Source: LFLtlBAuf7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: LFLtlBAuf7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: LFLtlBAuf7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: LFLtlBAuf7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: LFLtlBAuf7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: LFLtlBAuf7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: LFLtlBAuf7.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: LFLtlBAuf7.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: LFLtlBAuf7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: LFLtlBAuf7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: LFLtlBAuf7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: LFLtlBAuf7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: LFLtlBAuf7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: LFLtlBAuf7.exe

Static PE information: real checksum: 0x4d8785 should be: 0x4dd978

Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Code function: 0_2_00007FFD9B60D2A5 pushad ; iretd	0_2_00007FFD9B60D2A6
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Code function: 0_2_00007FFD9B7200AD pushad ; iretd	0_2_00007FFD9B7200C1
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Code function: 0_2_00007FFD9B9A2BA0 push eax; ret	0_2_00007FFD9B9A2C0C
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Code function: 0_2_00007FFD9B9C2DFA push esp; iretd	0_2_00007FFD9B9C2DFB

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\LFLtlBAuf7.exe

File opened: C:\Users\user\Desktop\LFLtlBAuf7.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT			Jump to behavior

Source: C:\Users\user\Desktop\LFLtlBAuf7.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Memory allocated: 1D3F66A0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Memory allocated: 1D3F6B20000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Window / User API: threadDelayed 948	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Window / User API: threadDelayed 420	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Window / User API: threadDelayed 918	Jump to behavior

Source: C:\Users\user\Desktop\LFLtlBAuf7.exe TID: 4856

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\LFLtlBAuf7.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\LFLtlBAuf7.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\LFLtlBAuf7.exe

File Volume queried: C:\Users\user\Desktop FullSizeInformation

Jump to behavior

Source: LFLtlBAuf7.exe	Binary or memory string: 3VmCIl
Source: LFLtlBAuf7.exe, 00000000.00000002.3020250433.000001D3F6980000.00000004.00000020.00020000.00000000.sdmp, LFLtlBAuf7.exe, 00000000.00000002.3020250433.000001D3F6A56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\LFLtlBAuf7.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\LFLtlBAuf7.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\LFLtlBAuf7.exe

Thread register set: target process: unknown

Jump to behavior

Sets debug register (to hijack the execution of another thread)

Source: C:\Users\user\Desktop\LFLtlBAuf7.exe

Thread register set: unknown 1

Jump to behavior

Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LFLtlBAuf7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\LFLtlBAuf7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.LFLtlBAuf7.exe.1d3f7710000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LFLtlBAuf7.exe.1d390009ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LFLtlBAuf7.exe.1d390009ac0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LFLtlBAuf7.exe.1d3f7710000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3016217749.000001D3801D2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3016217749.000001D380001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3023821649.000001D3F7710000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3017909695.000001D390001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3020936416.000001D3F71E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LFLtlBAuf7.exe PID: 7144, type: MEMORYSTR

Remote Access Functionality

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.LFLtlBAuf7.exe.1d3f7710000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LFLtlBAuf7.exe.1d390009ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LFLtlBAuf7.exe.1d390009ac0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LFLtlBAuf7.exe.1d3f7710000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3016217749.000001D3801D2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3016217749.000001D380001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3023821649.000001D3F7710000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3017909695.000001D390001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3020936416.000001D3F71E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LFLtlBAuf7.exe PID: 7144, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Windows Management Instrumentation	1 DLL Side-Loading	2 Process Injection	1 Modify Registry	OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	3 Virtualization/Sandbox Evasion	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	3 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	113 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Install Root Certificate	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LFLtlBAuf7.exe	58%	ReversingLabs	Win64.Backdoor.Quasarrat
LFLtlBAuf7.exe	55%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
51.15.17.193	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false		high
ipwho.is	108.181.61.49	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ipwho.is/	false		high
51.15.17.193	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://api.ipify.org/	LFLtlBAuf7.exe, 00000000.00000002.3023821649.000001D3F7710000.00000004.08000000.00040000.00000000.sdmp, LFLtlBAuf7.exe, 00000000.00000002.3017909695.000001D390001000.00000004.00000800.00020000.00000000.sdmp, LFLtlBAuf7.exe, 00000000.00000002.3020936416.000001D3F71E6000.00000004.00000020.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/14436606/23354	LFLtlBAuf7.exe, 00000000.00000002.3023821649.000001D3F7710000.00000004.08000000.00040000.00000000.sdmp, LFLtlBAuf7.exe, 00000000.00000002.3016217749.000001D38041E000.00000004.00000800.00020000.00000000.sdmp, LFLtlBAuf7.exe, 00000000.00000002.3017909695.000001D390001000.00000004.00000800.00020000.00000000.sdmp, LFLtlBAuf7.exe, 00000000.00000002.3016217749.000001D380041000.00000004.00000800.00020000.00000000.sdmp, LFLtlBAuf7.exe, 00000000.00000002.3020936416.000001D3F71E6000.00000004.00000020.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/2152978/23354sCannot	LFLtlBAuf7.exe, 00000000.00000002.3023821649.000001D3F7710000.00000004.08000000.00040000.00000000.sdmp, LFLtlBAuf7.exe, 00000000.00000002.3017909695.000001D390001000.00000004.00000800.00020000.00000000.sdmp, LFLtlBAuf7.exe, 00000000.00000002.3020936416.000001D3F71E6000.00000004.00000020.00020000.00000000.sdmp	false	high
http://schemas.datacontract.org/2004/07/	LFLtlBAuf7.exe, 00000000.00000002.3016217749.000001D3801D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	LFLtlBAuf7.exe, 00000000.00000002.3016217749.000001D380001000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ipwho.is	LFLtlBAuf7.exe, 00000000.00000002.3016217749.000001D380184000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	LFLtlBAuf7.exe, 00000000.00000002.3023821649.000001D3F7710000.00000004.08000000.00040000.00000000.sdmp, LFLtlBAuf7.exe, 00000000.00000002.3017909695.000001D390001000.00000004.00000800.00020000.00000000.sdmp, LFLtlBAuf7.exe, 00000000.00000002.3020936416.000001D3F71E6000.00000004.00000020.00020000.00000000.sdmp	false	high
https://ipwho.is	LFLtlBAuf7.exe, 00000000.00000002.3016217749.000001D38016A000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
108.181.61.49	ipwho.is	Canada		852	ASN852CA	false
51.15.17.193	unknown	France		12876	OnlineSASFR	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578202
Start date and time:	2024-12-19 12:30:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LFLtlBAuf7.exe renamed because original name is a hash value
Original Sample Name:	687c5903af67e7ae2df617f249ef22502998e4524ccb34a27eaac389b8e61728.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/2@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 87% Number of executed functions: 174 Number of non-executed functions: 4
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 199.232.210.172, 20.109.210.53, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:31:19	API Interceptor	1x Sleep call for process: LFLtlBAuf7.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
108.181.61.49	888.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	888.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	Cracker.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
51.15.17.193	RegAsm.exe	Get hash	malicious	Quasar	Browse
51.15.17.193	truepepe-qt.exe	Get hash	malicious	Quasar	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	FjfZ7uM8zh.lnk	Get hash	malicious	Unknown	Browse	199.232.210.172
	yswmdaREME.lnk	Get hash	malicious	Unknown	Browse	199.232.214.172
	0bNBLjPn56.lnk	Get hash	malicious	Unknown	Browse	199.232.210.172
	Dix7g8PK1e.pdf	Get hash	malicious	Unknown	Browse	199.232.210.172
	CROC000400 .pdf	Get hash	malicious	Unknown	Browse	199.232.210.172
	contract_signed.pdf	Get hash	malicious	Unknown	Browse	199.232.214.172
	T.T_Copy.12.18.2024.exe	Get hash	malicious	ArrowRAT	Browse	199.232.214.172
	22054200882739718047.js	Get hash	malicious	Strela Downloader	Browse	199.232.214.172
	Sh2uIqqKqc.exe	Get hash	malicious	Cryptbot	Browse	199.232.214.172
	alyemenione.lnk	Get hash	malicious	Havoc, Quasar	Browse	199.232.214.172
ipwho.is	RegAsm.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	truepepe-qt.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	alyemenione.lnk	Get hash	malicious	Havoc, Quasar	Browse	108.181.61.49
	jignesh.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	skibidi.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	vanilla.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	888.exe	Get hash	malicious	Luca Stealer	Browse	108.181.61.49
	888.exe	Get hash	malicious	Luca Stealer	Browse	108.181.61.49
	https://aggttt.z4.web.core.windows.net/?bcda=00-1-234-294-2156	Get hash	malicious	TechSupportScam	Browse	108.181.61.49
	Loader.exe	Get hash	malicious	Quasar	Browse	108.181.61.49

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASN852CA	RegAsm.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	truepepe-qt.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	TT copy.js	Get hash	malicious	FormBook	Browse	108.181.20.35
	alyemenione.lnk	Get hash	malicious	Havoc, Quasar	Browse	108.181.61.49
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	204.191.146.80
	la.bot.mips.elf	Get hash	malicious	Mirai	Browse	161.184.58.16
	la.bot.sh4.elf	Get hash	malicious	Mirai	Browse	199.175.174.49
	powerpc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	207.6.190.148
	la.bot.mipsel.elf	Get hash	malicious	Mirai	Browse	173.182.147.38
	arm5.nn-20241218-1651.elf	Get hash	malicious	Mirai, Okiru	Browse	172.218.204.155
OnlineSASFR	RegAsm.exe	Get hash	malicious	Quasar	Browse	51.15.17.193
	truepepe-qt.exe	Get hash	malicious	Quasar	Browse	51.15.17.193
	http://bluepeak-group.com/fc	Get hash	malicious	Unknown	Browse	163.172.143.199
	gaozw40v.exe	Get hash	malicious	Xmrig	Browse	163.172.154.142
	twjMb9cX64.exe	Get hash	malicious	Sliver	Browse	51.158.71.131
	WOlxr4yjgF.exe	Get hash	malicious	Sliver	Browse	51.158.71.131
	bot.mips.elf	Get hash	malicious	Mirai	Browse	51.158.232.138
	https://antiphishing.vadesecure.com/v4?f=M2FwZHlGNnU1aUlkc09ZNMiasRwGBdZehRVCQSRcBe4&i=WjB4M1dJWGJJMnNGTHV5MsMuKUIodncDHGeRU4kVkuY&k=CXOq&r=Skk2OVhvdXl2cm1uOWJtRKZOD61t44mSShExmLHL82awntC61WSfAdSPd_A2w4Sr0ol-2lJuHE1y6ZnIh9tzeQ&s=c0986918e90c31f67e295092df95ad67b5167b30a053715360f0707a34067922&u=https%3A%2F%2Fgeomesure-my.sharepoint.com%2F%3Ao%3A%2Fg%2Fpersonal%2Fjeason_geomesure_fr%2FEjezfvLh_FRNp0BDRFgaob0B5QrN_MFtVHWEoF2b4R1bRw%3Fe%3DomoERY	Get hash	malicious	Unknown	Browse	163.172.240.109
	801.ps1	Get hash	malicious	AsyncRAT	Browse	163.172.125.253
	BA9qyj2c9G.exe	Get hash	malicious	WhiteSnake Stealer	Browse	51.159.4.50

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	RegAsm.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	truepepe-qt.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	FjfZ7uM8zh.lnk	Get hash	malicious	Unknown	Browse	108.181.61.49
	yswmdaREME.lnk	Get hash	malicious	Unknown	Browse	108.181.61.49
	0bNBLjPn56.lnk	Get hash	malicious	Unknown	Browse	108.181.61.49
	t5lpvahkgypd7wy.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	108.181.61.49
	RFQ Letter and Instructions.pdf	Get hash	malicious	Unknown	Browse	108.181.61.49
	File di reclamo per violazione del copyright File di reclamo per violazione del copyright.lnk.d.lnk	Get hash	malicious	Unknown	Browse	108.181.61.49
	File di reclamo per violazione del copyright File di reclamo per violazione del copyright.lnk.d.lnk	Get hash	malicious	Unknown	Browse	108.181.61.49
	DHL_231437894819.bat.exe	Get hash	malicious	AgentTesla	Browse	108.181.61.49

Process:	C:\Users\user\Desktop\LFLtlBAuf7.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\Desktop\LFLtlBAuf7.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.2478978672539016
Encrypted:	false
SSDEEP:	6:kKX99UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:sDImsLNkPlE99SNxAhUe/3
MD5:	CFEE760231A67D76F830DE53A6E7D5BA
SHA1:	B2B3455A9AD0A893EDA7695654553FAFEC2078E6
SHA-256:	32526473031BF02CA80BA7CE15568E8404209E0494AAD39C47F94375A1762F72
SHA-512:	A7F344660847DE4826A399CADB7AA089081A317DF8E44EB68C4239C0F50DF2B17506BE8FE486A6A639C4B9F86499D46A9CE94170325947D9ED94B2B8BCF0C96B
Malicious:	false
Reputation:	low
Preview:	p...... .........R..R..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.492813615607406
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LFLtlBAuf7.exe
File size:	5'069'152 bytes
MD5:	9a7cea63db91937ec2fa0c4a40dcde82
SHA1:	dbc121740eb6aa3221beadd3ae69df1ce095c441
SHA256:	687c5903af67e7ae2df617f249ef22502998e4524ccb34a27eaac389b8e61728
SHA512:	36e6a806125b1d80e97482f0b03a7481a136f01d2808169f171d89c54d2faf6f5b6913f4751dc737d5dc672f63622e379fd87f306cec2e076d8a5e73d33059dd
SSDEEP:	98304:nMuUyniWYpCYL5ztUvPPpmDw7FhcNXIvNS12RA4:njifpTptUvpWw7FmNXENSV4
TLSH:	2836E015671D81B0CDEA353564552B62EA30BD0C903CA7264FF41AA75AFFB606CBE23C
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$...J...J...J...I...J...O.V.J...N...J...I...J...N...J.......J...K...J...K.^.J...O...J...C...J...H...J.Rich..J.........PE..d..

File Icon


Icon Hash:	55497933cc61714d

Static PE Info

General

Entrypoint:	0x14017a720
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x67391C16 [Sat Nov 16 22:26:30 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	b366497cd3cff2367e10ca55cfd84f3a

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert EV Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/06/2016 01:00:00 24/01/2019 12:00:00
Subject Chain	CN=Realtek Semiconductor Corp., O=Realtek Semiconductor Corp., L=Hsinchu, S=Taiwan, C=TW, PostalCode=300, STREET="No. 2, Innovation Road II, Hsinchu Science Park", SERIALNUMBER=22671299, OID.1.3.6.1.4.1.311.60.2.1.3=TW, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	7B0CA4029E3A73373CE0BD3DF12A08C1
Thumbprint SHA-1:	37A0BACB152A547382195095AB33601929877364
Thumbprint SHA-256:	B08CF4E204D1BA2BA8642D7709499D61CFF8CF7AA75CCD832A6BA1D7F1B82DF7
Serial:	0320BE3EB866526927F999B97B04346E

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FDF5D23A3D4h
dec eax
add esp, 28h
jmp 00007FDF5D239B97h
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007FDF5D239D32h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007FDF5D239D35h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007FDF5D239D2Dh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007FDF5D239706h
int3
dec eax
mov dword ptr [esp+10h], ebx
dec eax
mov dword ptr [esp+18h], esi
push ebp
push edi
inc ecx
push esi
dec eax
mov ebp, esp
dec eax
sub esp, 10h
xor eax, eax
xor ecx, ecx
cpuid
inc esp
mov eax, ecx
inc esp
mov edx, edx
inc ecx
xor edx, 49656E69h
inc ecx
xor eax, 6C65746Eh
inc esp
mov ecx, ebx
inc esp
mov esi, eax
xor ecx, ecx

Rich Headers

Programming Language:

[IMP] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1aa3b4	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4ce000	0x6f58	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x4cb000	0x18b4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x4d1200	0x4760
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4cd000	0x68c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1a7f30	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1a7df0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x18c000	0x370	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x18aba0	0x18ac00	c24fb07454e0aaf45bb4143696affd89	False	0.436002068160228	data	5.4390628618365335	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x18c000	0x1ef16	0x1f000	1bc29c9db0fa5f001e38e56d26a7cb2e	False	0.5450557585685484	data	6.6716731157425535	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1ab000	0x31f1b0	0x31e000	ce64ce36c44e312132c894dfdf60aaa0	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x4cb000	0x18b4	0x1a00	cd8980337ac4893b7e88b6b219da0f77	False	0.4670973557692308	data	5.358076399100812	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x4cd000	0x68c	0x800	97d47352cd47ffb4c99ad849b5edf092	False	0.50146484375	data	4.938144079025551	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x4ce000	0x6f58	0x7000	3a915be53e9888df2cff64df0f7e7cef	False	0.38584681919642855	data	6.018425547468443	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x4ce328	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 0			0.21341463414634146
RT_ICON	0x4ce990	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0			0.34139784946236557
RT_ICON	0x4cec78	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0			0.5202702702702703
RT_ICON	0x4ceda0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.47334754797441364
RT_ICON	0x4cfc48	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.6101083032490975
RT_ICON	0x4d04f0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.596820809248555
RT_ICON	0x4d0a58	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.2932572614107884
RT_ICON	0x4d3000	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0			0.4343339587242026
RT_ICON	0x4d40a8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0			0.7198581560283688
RT_ICON	0x4d4510	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640			0.42473118279569894
RT_ICON	0x4d47f8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640			0.35618279569892475
RT_GROUP_ICON	0x4d4ae0	0x84	data			0.6363636363636364
RT_GROUP_ICON	0x4d4b64	0x14	data			1.25
RT_GROUP_ICON	0x4d4b78	0x14	data			1.25
RT_VERSION	0x4d4b8c	0x3cc	data	English	United States	0.4506172839506173

Imports

DLL	Import
USER32.dll	wsprintfW, TranslateMessage, SetTimer, GetMessageW, DispatchMessageW, KillTimer
mscoree.dll	CLRCreateInstance
OLEAUT32.dll	SafeArrayCreateVector, SafeArrayUnlock, SafeArrayLock, SafeArrayCreate
KERNEL32.dll	IsDebuggerPresent, WriteConsoleW, CreateFileW, SetFilePointerEx, GetConsoleMode, GetConsoleOutputCP, FlushFileBuffers, HeapReAlloc, HeapSize, GetProcessHeap, LCMapStringW, CompareStringW, FlsFree, FlsSetValue, FlsGetValue, CreateTimerQueueTimer, GetCurrentProcess, lstrlenW, CreateJobObjectW, DeleteTimerQueueEx, CreateMutexW, GetLocaleInfoW, WaitForSingleObject, GetModuleHandleA, GetACP, CreateEventW, MultiByteToWideChar, GetLastError, LoadLibraryA, QueryPerformanceFrequency, CloseHandle, AddVectoredExceptionHandler, GetThreadContext, GetProcAddress, GlobalMemoryStatusEx, GetModuleHandleW, FreeLibrary, lstrcpyW, GetDiskFreeSpaceExA, GetSystemTime, SetThreadContext, QueryPerformanceCounter, CreateMailslotW, GetTickCount, CreateTimerQueue, LocalFree, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, GetStartupInfoW, FlsAlloc, RtlUnwindEx, RtlPcToFileHeader, RaiseException, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetOEMCP, GetCPInfo, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetFileType, GetStringTypeW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-19T12:31:17.180649+0100	2027619	ET MALWARE Observed Malicious SSL Cert (Quasar CnC)	1	51.15.17.193	4782	192.168.2.4	49732	TCP
2024-12-19T12:31:17.180649+0100	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	1	51.15.17.193	4782	192.168.2.4	49732	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 12:31:15.688419104 CET	49732	4782	192.168.2.4	51.15.17.193
Dec 19, 2024 12:31:15.808383942 CET	4782	49732	51.15.17.193	192.168.2.4
Dec 19, 2024 12:31:15.808547974 CET	49732	4782	192.168.2.4	51.15.17.193
Dec 19, 2024 12:31:15.821388006 CET	49732	4782	192.168.2.4	51.15.17.193
Dec 19, 2024 12:31:15.943475008 CET	4782	49732	51.15.17.193	192.168.2.4
Dec 19, 2024 12:31:17.054800987 CET	4782	49732	51.15.17.193	192.168.2.4
Dec 19, 2024 12:31:17.054863930 CET	4782	49732	51.15.17.193	192.168.2.4
Dec 19, 2024 12:31:17.055067062 CET	49732	4782	192.168.2.4	51.15.17.193
Dec 19, 2024 12:31:17.060847998 CET	49732	4782	192.168.2.4	51.15.17.193
Dec 19, 2024 12:31:17.180649042 CET	4782	49732	51.15.17.193	192.168.2.4
Dec 19, 2024 12:31:17.452558041 CET	4782	49732	51.15.17.193	192.168.2.4
Dec 19, 2024 12:31:17.498528957 CET	49732	4782	192.168.2.4	51.15.17.193
Dec 19, 2024 12:31:20.584109068 CET	49734	443	192.168.2.4	108.181.61.49
Dec 19, 2024 12:31:20.584150076 CET	443	49734	108.181.61.49	192.168.2.4
Dec 19, 2024 12:31:20.584238052 CET	49734	443	192.168.2.4	108.181.61.49
Dec 19, 2024 12:31:20.595940113 CET	49734	443	192.168.2.4	108.181.61.49
Dec 19, 2024 12:31:20.595957041 CET	443	49734	108.181.61.49	192.168.2.4
Dec 19, 2024 12:31:23.042793036 CET	443	49734	108.181.61.49	192.168.2.4
Dec 19, 2024 12:31:23.042948008 CET	49734	443	192.168.2.4	108.181.61.49
Dec 19, 2024 12:31:23.091485023 CET	49734	443	192.168.2.4	108.181.61.49
Dec 19, 2024 12:31:23.091516972 CET	443	49734	108.181.61.49	192.168.2.4
Dec 19, 2024 12:31:23.092622042 CET	443	49734	108.181.61.49	192.168.2.4
Dec 19, 2024 12:31:23.099775076 CET	49734	443	192.168.2.4	108.181.61.49
Dec 19, 2024 12:31:23.143341064 CET	443	49734	108.181.61.49	192.168.2.4
Dec 19, 2024 12:31:23.708285093 CET	443	49734	108.181.61.49	192.168.2.4
Dec 19, 2024 12:31:23.708364964 CET	443	49734	108.181.61.49	192.168.2.4
Dec 19, 2024 12:31:23.708478928 CET	49734	443	192.168.2.4	108.181.61.49
Dec 19, 2024 12:31:24.487854004 CET	49734	443	192.168.2.4	108.181.61.49
Dec 19, 2024 12:31:25.592911959 CET	49732	4782	192.168.2.4	51.15.17.193
Dec 19, 2024 12:31:25.712625980 CET	4782	49732	51.15.17.193	192.168.2.4
Dec 19, 2024 12:31:25.712753057 CET	49732	4782	192.168.2.4	51.15.17.193
Dec 19, 2024 12:31:25.832470894 CET	4782	49732	51.15.17.193	192.168.2.4
Dec 19, 2024 12:31:26.103308916 CET	4782	49732	51.15.17.193	192.168.2.4
Dec 19, 2024 12:31:26.154648066 CET	49732	4782	192.168.2.4	51.15.17.193
Dec 19, 2024 12:31:26.295136929 CET	4782	49732	51.15.17.193	192.168.2.4
Dec 19, 2024 12:31:26.342176914 CET	49732	4782	192.168.2.4	51.15.17.193
Dec 19, 2024 12:31:51.295557976 CET	49732	4782	192.168.2.4	51.15.17.193
Dec 19, 2024 12:31:51.415349960 CET	4782	49732	51.15.17.193	192.168.2.4
Dec 19, 2024 12:32:16.420543909 CET	49732	4782	192.168.2.4	51.15.17.193
Dec 19, 2024 12:32:16.540244102 CET	4782	49732	51.15.17.193	192.168.2.4
Dec 19, 2024 12:32:41.545537949 CET	49732	4782	192.168.2.4	51.15.17.193
Dec 19, 2024 12:32:41.666831017 CET	4782	49732	51.15.17.193	192.168.2.4
Dec 19, 2024 12:33:06.670948029 CET	49732	4782	192.168.2.4	51.15.17.193
Dec 19, 2024 12:33:06.790442944 CET	4782	49732	51.15.17.193	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 12:31:20.336873055 CET	54727	53	192.168.2.4	1.1.1.1
Dec 19, 2024 12:31:20.479342937 CET	53	54727	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 19, 2024 12:31:20.336873055 CET	192.168.2.4	1.1.1.1	0x519	Standard query (0)	ipwho.is	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 19, 2024 12:31:18.175128937 CET	1.1.1.1	192.168.2.4	0xb4e0	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 19, 2024 12:31:18.175128937 CET	1.1.1.1	192.168.2.4	0xb4e0	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 19, 2024 12:31:20.479342937 CET	1.1.1.1	192.168.2.4	0x519	No error (0)	ipwho.is	108.181.61.49	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ipwho.is

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49734	108.181.61.49	443	7144	C:\Users\user\Desktop\LFLtlBAuf7.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 11:31:23 UTC	150	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0 Host: ipwho.is Connection: Keep-Alive
2024-12-19 11:31:23 UTC	223	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 11:31:23 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close Server: ipwhois Access-Control-Allow-Headers: * X-Robots-Tag: noindex
2024-12-19 11:31:23 UTC	1021	IN	Data Raw: 33 66 31 0d 0a 7b 0a 20 20 20 20 22 41 62 6f 75 74 20 55 73 22 3a 20 22 68 74 74 70 73 3a 5c 2f 5c 2f 69 70 77 68 6f 69 73 2e 69 6f 22 2c 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 74 79 70 65 22 3a 20 22 49 50 76 34 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 20 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 20 22 4e 41 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f Data Ascii: 3f1{ "About Us": "https:\/\/ipwhois.io", "ip": "8.46.123.189", "success": true, "type": "IPv4", "continent": "North America", "continent_code": "NA", "country": "United States", "country_code": "US", "region": "New Yo

Target ID:	0
Start time:	06:31:12
Start date:	19/12/2024
Path:	C:\Users\user\Desktop\LFLtlBAuf7.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\LFLtlBAuf7.exe"
Imagebase:	0x7ff7a2a10000
File size:	5'069'152 bytes
MD5 hash:	9A7CEA63DB91937EC2FA0C4A40DCDE82
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.3016217749.000001D3801D2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.3016217749.000001D380001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.3023821649.000001D3F7710000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.3023821649.000001D3F7710000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: 00000000.00000002.3023821649.000001D3F7710000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000000.00000002.3023821649.000001D3F7710000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: 00000000.00000002.3023821649.000001D3F7710000.00000004.08000000.00040000.00000000.sdmp, Author: ditekshen Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.3017909695.000001D390001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.3020936416.000001D3F71E6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	6.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9BA623F1 Relevance: 7.6, Strings: 1, Instructions: 6355COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFD9BA63759

Memory Dump Source

Source File: 00000000.00000002.3034603322.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba60000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 4f09895de0a91d000801c437656e719a76fc30db9c6c34b2dc25684c6fd9326e
Instruction ID: b030bb8f66e029906cb5676493dce48b1602cda442231efec5f83afd116f7f7a
Opcode Fuzzy Hash: 4f09895de0a91d000801c437656e719a76fc30db9c6c34b2dc25684c6fd9326e
Instruction Fuzzy Hash: 9D83B492B1AE4F4FEBB597AC047527916C3EFE8650B5A01BAD01EC32F6ED59ED024340

Function 00007FFD9B9BE399 Relevance: 4.9, Strings: 3, Instructions: 1118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8"_L, xrefs: 00007FFD9B9BEC72
>-_L, xrefs: 00007FFD9B9BE5D2
="_L, xrefs: 00007FFD9B9BE770

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID: 8"_L$="_L$>-_L
API String ID: 0-3512647206
Opcode ID: 8fc4bd70457ceba566aa944e20f48637631841d4cce3f0aa5d9b5c065addb623
Instruction ID: b53a3a20af092bc6664fc9de1d2a8287c20b13f862eefccc214d0d4b52643c0e
Opcode Fuzzy Hash: 8fc4bd70457ceba566aa944e20f48637631841d4cce3f0aa5d9b5c065addb623
Instruction Fuzzy Hash: 8D72B031B18A5A4FEB98DF1884A56B977E2FF98300F1505BDE45EC72D6CE24EC428B41

Function 00007FFD9B9A4E56 Relevance: 2.4, Instructions: 2363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcac0675e4c10994f1437616828011b0112eddede069ed06e7c5a006d543ea22
Instruction ID: 1c818b58412aef96427be1333dcbbc3f0f428a2b77ea247973c79291aacc3cce
Opcode Fuzzy Hash: bcac0675e4c10994f1437616828011b0112eddede069ed06e7c5a006d543ea22
Instruction Fuzzy Hash: 9E03B030B19A4D8FDBA8DF68C4A0BA977F1FF59300F1541A9D44DDB2A6CA35E981CB40

Function 00007FFD9B9BC295 Relevance: 2.2, Strings: 1, Instructions: 930COMMON

Download Yara Rule

Strings

^-_L, xrefs: 00007FFD9B9BC5D0

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID: ^-_L
API String ID: 0-2018131486
Opcode ID: df479162b9d2822514afa530b4dad094e7d11a39e49952f79d2e20fbf6859ecc
Instruction ID: 84f506093bc007106ad42aa0c9757baa07152dab219b5b31b53b8b809ed186fe
Opcode Fuzzy Hash: df479162b9d2822514afa530b4dad094e7d11a39e49952f79d2e20fbf6859ecc
Instruction Fuzzy Hash: 73527722B2EA9E5FE7B59B6844666B43BE1EF95310B0600BED08DC71F3DD1C6D068B41

Function 00007FFD9B9A9621 Relevance: 1.2, Instructions: 1230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a624dfc46b46658a50a4e4e112022c69fcd0832b18612781a92b2e7c105d8c4f
Instruction ID: 70f15bf0fa071e05e3c7cf7afdcd87c9bc1bf546376017cd38876cb4eb44cb0d
Opcode Fuzzy Hash: a624dfc46b46658a50a4e4e112022c69fcd0832b18612781a92b2e7c105d8c4f
Instruction Fuzzy Hash: 84720630B1DA4D5FEBA8EB2CC469A7577D1FF99310F0540BAE44EC72A6DE24AC428741

Function 00007FFD9B9AAA4D Relevance: 1.0, Instructions: 997COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a0df519c5c0fd07e535de7c441a34903876bfc7d4754ee429414d0ab05a2f4a
Instruction ID: 3acdc1d69f483352f83f6d86d8ee4914b67e2bc80aaeab858af27bff3192b962
Opcode Fuzzy Hash: 5a0df519c5c0fd07e535de7c441a34903876bfc7d4754ee429414d0ab05a2f4a
Instruction Fuzzy Hash: 9D625D30B18A498FEB98EB2CC4A9B6577E1FF99300F5541B9E44DC72A6CE35E841CB41

Function 00007FFD9B9BB009 Relevance: .9, Instructions: 883COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eba08f3c9f7954079e48e1e09320d71d587fac550a4d19398a0f04cf85f72c14
Instruction ID: 252a9a027ecde0bdded8c04ce35c168b2674bed2169b11b9a5de1e7b81eb6ab0
Opcode Fuzzy Hash: eba08f3c9f7954079e48e1e09320d71d587fac550a4d19398a0f04cf85f72c14
Instruction Fuzzy Hash: 3952D131B29A0D5FDBA8DB6884A5675B3D1FF98300F45027DD44EC32E6DE24BD428B81

Function 00007FFD9B9A8C79 Relevance: .7, Instructions: 737COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8811477b48205af7106a490028df54c0b700a138bde22600c3769f9bc0e9883f
Instruction ID: 6fea6ed99eaa259df7744053555bcca5edb07bc23380ba9ccf07061b64269c31
Opcode Fuzzy Hash: 8811477b48205af7106a490028df54c0b700a138bde22600c3769f9bc0e9883f
Instruction Fuzzy Hash: 5632D230B19A0D4FEB68DB6C84A97B977E2FF99300F5541BDD44EC72E2CE24A9428740

Function 00007FFD9B9A5B24 Relevance: .5, Instructions: 546COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b05ed600590322300c5e8fa69696712b077eb99d777c87c8837607e81c1de9f2
Instruction ID: b1d0ce9d07485be39bc9f7c5434af2826c31cb8707311280c07a77c0a9199a4a
Opcode Fuzzy Hash: b05ed600590322300c5e8fa69696712b077eb99d777c87c8837607e81c1de9f2
Instruction Fuzzy Hash: 45025B30B29A1D8FEBA8EF58C49476977E1FF58305F1141B9D44ED72A6CE34AD828B40

Function 00007FFD9B9B73AE Relevance: .4, Instructions: 398COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36813293ac496a57d0c908bba21184ef62c19cb6bb9674ec7ede02e880fdf735
Instruction ID: e7263d75629b2d833cd97b765c6d23f5812d8edeece3ae9c0dc3c2ce951bfd11
Opcode Fuzzy Hash: 36813293ac496a57d0c908bba21184ef62c19cb6bb9674ec7ede02e880fdf735
Instruction Fuzzy Hash: 87D19530A18A4D8FEBA8DF28C855BE977D2FF58301F54426ED81DC7295CF7899408B82

Function 00007FFD9B9B815E Relevance: .4, Instructions: 381COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d6109bba709664ef8c6fbbce5fa6f2aded53d5ded3f31248e35a33e7bed50bb
Instruction ID: 18243c8c5c4454130deb5ab81c30cfcb8db8659cfd5ec3c7c5e9f12f6ab2e2da
Opcode Fuzzy Hash: 3d6109bba709664ef8c6fbbce5fa6f2aded53d5ded3f31248e35a33e7bed50bb
Instruction Fuzzy Hash: 9ED16430A18A4D8FEBA8DF68C8A57F977D1FB58310F54826ED80DC7295DF7499808B81

Function 00007FFD9B9BF6F0 Relevance: 5.1, Strings: 3, Instructions: 1327COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9B9BFAD0
, xrefs: 00007FFD9B9BFDDB
@"_H, xrefs: 00007FFD9B9BFC60

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID: $ $@"_H
API String ID: 0-1907519176
Opcode ID: b1407f9b35bd6d7855f811336eee55010381bacc67bac0cfa2395c3f842a25d8
Instruction ID: 7f0544257e9b269ca32cbd006878af021a3692fd825b61912b2cd598a6519087
Opcode Fuzzy Hash: b1407f9b35bd6d7855f811336eee55010381bacc67bac0cfa2395c3f842a25d8
Instruction Fuzzy Hash: 0592D431B2AA5D5FEBB8EB6C8465B7437D1EF59300B1600B9D44EC72B2DE28ED418B41

Function 00007FFD9B7236A9 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 130
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32 ref: 00007FFD9B723787

Strings

U, xrefs: 00007FFD9B7236FA

Memory Dump Source

Source File: 00000000.00000002.3031160781.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b720000_LFLtlBAuf7.jbxd

Similarity

API ID: DeleteFile
String ID: U
API String ID: 4033686569-3372436214
Opcode ID: 701eacc6cb6688dcdf234caf667b6f0af5ae847496853e5e7d6ec5a3ab4bf5b8
Instruction ID: 00b2b69321e1adb3de71f25f58ba96bee810e77d55b53102a704629e2212b34b
Opcode Fuzzy Hash: 701eacc6cb6688dcdf234caf667b6f0af5ae847496853e5e7d6ec5a3ab4bf5b8
Instruction Fuzzy Hash: D141263190DA4D8FDB18DF688859AF9BBF0EF55320F0582AFD04DD72A2DB24A905C791

Function 00007FFD9B7236ED Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 107
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32 ref: 00007FFD9B723787

Strings

U, xrefs: 00007FFD9B7236FA

Memory Dump Source

Source File: 00000000.00000002.3031160781.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b720000_LFLtlBAuf7.jbxd

Similarity

API ID: DeleteFile
String ID: U
API String ID: 4033686569-3372436214
Opcode ID: e79e4b2d7d2fe20f1279c5bc10c9f4e70cf6ef264b83ee998999788ad746cd86
Instruction ID: a90a196e6517e35c4f8ece30fef54922df9ff0c110fa08562c645ddfcd1bfa13
Opcode Fuzzy Hash: e79e4b2d7d2fe20f1279c5bc10c9f4e70cf6ef264b83ee998999788ad746cd86
Instruction Fuzzy Hash: A031E131908A1C8FDB58DB58C499AF9BBF0FF65320F04426FD049D3292DB34A806CB91

Function 00007FFD9B9BE401 Relevance: 3.0, Strings: 2, Instructions: 460
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

>-_L, xrefs: 00007FFD9B9BE5D2
="_L, xrefs: 00007FFD9B9BE770

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID: ="_L$>-_L
API String ID: 0-2034932364
Opcode ID: e226ac1152c2fb4740893b1e47013cdb21c2f571b90fb30abec2e972750d3052
Instruction ID: fa3bc8221ef97f2ee4bfa1d6a2ccf2a0fd515a5f54bb2edd052fb250c297f4c8
Opcode Fuzzy Hash: e226ac1152c2fb4740893b1e47013cdb21c2f571b90fb30abec2e972750d3052
Instruction Fuzzy Hash: 05E18130B18A4A4FDB98DF58C8A5A6977E2FF98300F5545BDE449C72E6CE24EC42CB41

Function 00007FFD9B9A2440 Relevance: 1.8, Strings: 1, Instructions: 528
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 00007FFD9B9BAC99

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 2bf5521ac9c8adab27e7838cce09d22d07f81cf7110f4a7aa10215026b1b9c5a
Instruction ID: a0195e10a28a5b4351c0dacd16fc71782e6fb41ec28df82ac13a1149a5d62bbc
Opcode Fuzzy Hash: 2bf5521ac9c8adab27e7838cce09d22d07f81cf7110f4a7aa10215026b1b9c5a
Instruction Fuzzy Hash: E0F1EF30B29A0E4FDB68DF58C4A557573E2FF98300B2545BDD44AC72AADE35EC428B81

Function 00007FFD9B9A3FA6 Relevance: 1.7, Strings: 1, Instructions: 427
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 00007FFD9B9A44B7

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: ef3c9ca2224081f052d645e30fd28b1dafe17cba5585d9e00243ecacb8f0aebe
Instruction ID: 9f79edd9ffd99039a7c96f77cf63e4a5fb575ee8afb234831c725fd04e83c077
Opcode Fuzzy Hash: ef3c9ca2224081f052d645e30fd28b1dafe17cba5585d9e00243ecacb8f0aebe
Instruction Fuzzy Hash: 0DD12731B1E74E4FE7A5DB6884653747BE1EF46310F1502BED48ACB2E2DE18AD068742

Function 00007FFD9B9AC425 Relevance: 1.6, Strings: 1, Instructions: 367
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`#_H, xrefs: 00007FFD9B9AC46D

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID: `#_H
API String ID: 0-1699567775
Opcode ID: 718260283d9d013a62526f9fc0adfe6a706fc7e8dde871af446dbc1b88a43098
Instruction ID: 0a175f931462a3a4ab086b58acce9ef5ef4eafa2d66f9e7f78b95dc1e76c71ce
Opcode Fuzzy Hash: 718260283d9d013a62526f9fc0adfe6a706fc7e8dde871af446dbc1b88a43098
Instruction Fuzzy Hash: 4FB13832B19F4E4FE7A4EA2C94A46B573D2FF98394B00017AD45DC72ABDE25BC428741

Function 00007FFD9B9BA9C1 Relevance: 1.6, Strings: 1, Instructions: 320
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 00007FFD9B9BAC99

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 661424a95b502536a4d9bb83fc193e335158bd4dcd989ca458aecfe15cb85688
Instruction ID: 867c4d10e027aaa9ac61e61e54197f2a7dd07be58aa77dc03434418d47c7f07b
Opcode Fuzzy Hash: 661424a95b502536a4d9bb83fc193e335158bd4dcd989ca458aecfe15cb85688
Instruction Fuzzy Hash: C5A1BE30A28A0D8FDB58DF48C495575B3E2FBA8305B2545BDD849C72A6DE35EC43CB81

Function 00007FFD9B9B17E5 Relevance: 1.5, Strings: 1, Instructions: 213
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

+#_^, xrefs: 00007FFD9B9B1901

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID: +#_^
API String ID: 0-3716952818
Opcode ID: ce9f7429a65ce38805cf776b9fcd5cdad034490fbc780aaab95710bdfdfec9e7
Instruction ID: c5419c1a3ab9b6cff845698c9d9f84614d8a2c1697046b5f3a0d8463fd5d8936
Opcode Fuzzy Hash: ce9f7429a65ce38805cf776b9fcd5cdad034490fbc780aaab95710bdfdfec9e7
Instruction Fuzzy Hash: FC61A526B1D2A65BE716B7B8F8F25D53BB09F0222870841F7D0EC8E0D7DD1D68498792

Function 00007FFD9B9B2139 Relevance: 1.5, Strings: 1, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

"#_^, xrefs: 00007FFD9B9B2201

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID: "#_^
API String ID: 0-2693037432
Opcode ID: d8866e68f97dce0a03cf1d8c2b29f2756983ffd6623eddb091e661b36813f994
Instruction ID: af6506eac93fb72f7640ef64f906cbea1c0ccc31bf4dc2b30106b52cc6de4695
Opcode Fuzzy Hash: d8866e68f97dce0a03cf1d8c2b29f2756983ffd6623eddb091e661b36813f994
Instruction Fuzzy Hash: 88615536A19B5A9FD706EF68E8E19E577B0FF05314B5541B6C058CB0A7CF29B840CB82

Function 00007FFD9B9B2150 Relevance: 1.4, Strings: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

"#_^, xrefs: 00007FFD9B9B2201

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID: "#_^
API String ID: 0-2693037432
Opcode ID: 23810f83fa69fdf1b77a635e9fb44e21749d9d69f588c11952ff300ef6db8775
Instruction ID: 0fa387f9ddac8e17e7cbb52379485f801601f805d96baa013469527bcd129722
Opcode Fuzzy Hash: 23810f83fa69fdf1b77a635e9fb44e21749d9d69f588c11952ff300ef6db8775
Instruction Fuzzy Hash: A8510436A18B1A9FE705EF68E8E19E577B0FF04318B5541B6D05DCB0A7CE29B841CB81

Function 00007FFD9B9B10F2 Relevance: 1.4, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

K3, xrefs: 00007FFD9B9B116E

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID: K3
API String ID: 0-411264050
Opcode ID: d756cc2dd5e05436181a940b1ba8b110aa9e4bece7b25048b0ac7b1e6ee7bcf1
Instruction ID: c58223e806d6ae4fd0bcf2304015872ba0352d997837fa595db98c1af095429f
Opcode Fuzzy Hash: d756cc2dd5e05436181a940b1ba8b110aa9e4bece7b25048b0ac7b1e6ee7bcf1
Instruction Fuzzy Hash: DA412736B1C66A5FDB06FB68E8E15D637B0FF06324B4901B2D0998B097CE287855C7D2

Function 00007FFD9B9A20E2 Relevance: 1.4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

Strings

#$_^, xrefs: 00007FFD9B9A2101

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID: #$_^
API String ID: 0-494341272
Opcode ID: 43dbb86ee1e5bd6c1d593096f4446a29c5922d515faed1272093b54beb3e1322
Instruction ID: 843c53862812544f7f16e4a3e8e1b75d1cac81d6dfb3390ed7f93cb69c42ec42
Opcode Fuzzy Hash: 43dbb86ee1e5bd6c1d593096f4446a29c5922d515faed1272093b54beb3e1322
Instruction Fuzzy Hash: 77415C73B1962B5AD306BBBCB4D24E577A0EF0473474886B7C09C8E0E7DE5D688182C1

Function 00007FFD9B9A20D7 Relevance: 1.4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

#$_^, xrefs: 00007FFD9B9A2101

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID: #$_^
API String ID: 0-494341272
Opcode ID: 4fdf64587c96846bd8479b305efd5339e4057f030bfefb1d7eab44e448f740c3
Instruction ID: c0006b42380b06f0574a824992fb99c8a0a7419eadf2e76857d0632c1e45de51
Opcode Fuzzy Hash: 4fdf64587c96846bd8479b305efd5339e4057f030bfefb1d7eab44e448f740c3
Instruction Fuzzy Hash: 33316A73B1A62A5AE302BFBCB4D24E577A0EF0573474886B7C09C8E0E7DD5D688182C5

Function 00007FFD9BA601BA Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

"#_L, xrefs: 00007FFD9BA601D2

Memory Dump Source

Source File: 00000000.00000002.3034603322.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba60000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID: "#_L
API String ID: 0-1396509744
Opcode ID: ead69b2631441b07ba8e6fb0a8f43f6f37ac55844edcad535a9879c1e91fae98
Instruction ID: 68a3f054955147353ed3966dfc145d9a35c54f1025a02506c417fad7b7468167
Opcode Fuzzy Hash: ead69b2631441b07ba8e6fb0a8f43f6f37ac55844edcad535a9879c1e91fae98
Instruction Fuzzy Hash: 65315872B1EA898FE76D9B6C147627037C1EFAA310F4501BED08AC32E3DC555C418746

Function 00007FFD9B9A20CF Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

#$_^, xrefs: 00007FFD9B9A2101

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID: #$_^
API String ID: 0-494341272
Opcode ID: a9c706c59e6e288ccfce03b2dd362ae136ce6ef552206fbb2adc8c34ca853740
Instruction ID: df430c6585db65169e733b42dee18ef9c4f7cebd1d5fe871dbda49758f9fc026
Opcode Fuzzy Hash: a9c706c59e6e288ccfce03b2dd362ae136ce6ef552206fbb2adc8c34ca853740
Instruction Fuzzy Hash: 9B312673B1A62A5AD312BBBCB4D24E577A0EF0573474886B7C09C8E0E7DD69688182C1

Function 00007FFD9B9B1148 Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

K3, xrefs: 00007FFD9B9B116E

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID: K3
API String ID: 0-411264050
Opcode ID: b347f95b3537456995f52e50ec6d73b5080fb028020ef23e4d98fecf200d7cea
Instruction ID: 35324e3c315f57bc75cacc58c217929e54ffda90e6d9648f5e7184ea336ba857
Opcode Fuzzy Hash: b347f95b3537456995f52e50ec6d73b5080fb028020ef23e4d98fecf200d7cea
Instruction Fuzzy Hash: 35314632A1CB6A5FDB05EF58ECD05DA77B0FF45320B1501B2D059CB092CE24B8118BD1

Function 00007FFD9B9ACA76 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

Y#_H, xrefs: 00007FFD9B9ACB6E

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID: Y#_H
API String ID: 0-3899584436
Opcode ID: c8f60a8bb7f8d9155bd1a6a0887b6422b9a0059cb23454071771ee5c18adf15e
Instruction ID: 0a47ea3347507d79f1db83344600e05c474c5d6dffccfffc3abced3ea6d6dcfc
Opcode Fuzzy Hash: c8f60a8bb7f8d9155bd1a6a0887b6422b9a0059cb23454071771ee5c18adf15e
Instruction Fuzzy Hash: 63314531F2AA4E5FE798EB7888A55B8B7B1FF94300B4504BAD42DC72E6DE346945C700

Function 00007FFD9B9BD0F0 Relevance: 1.1, Instructions: 1051COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39b76285943b2c4fed38a0538060f3cba6cbafc8219d72cca7aa55e287104c7c
Instruction ID: 7aef329203b579ff5c17e34864ecb8accef9b32ceba777ad079a4c40b7775ba7
Opcode Fuzzy Hash: 39b76285943b2c4fed38a0538060f3cba6cbafc8219d72cca7aa55e287104c7c
Instruction Fuzzy Hash: 8D72E630A19A5D9FEBA8EF58C465AA977E1FF58300F1101B9D44DC72A6DE34ED42CB80

Function 00007FFD9B9BD1F0 Relevance: 1.0, Instructions: 990COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 194a5371d74dd7c225bce9e6dbfc482f8d8638539136b43e97c20ef2e20edf4d
Instruction ID: 8157c69b0a5098a79008b6038414114b0e7e8915a4da841c86ee55b871c7c6ba
Opcode Fuzzy Hash: 194a5371d74dd7c225bce9e6dbfc482f8d8638539136b43e97c20ef2e20edf4d
Instruction Fuzzy Hash: C462F831A1DA4E9FEBA8DF58C465AA937E1FF58304F1101B8D44DC72A6CA24ED42CB80

Function 00007FFD9B9BD320 Relevance: .9, Instructions: 863COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15026a1d7ca91a91f65a7bc31e6368fac34210595290168033cbbc7d505d241c
Instruction ID: befb61a47eebdd6383c93ff6779a8315c092eefd63dbef2dedc9e2abe9165cf9
Opcode Fuzzy Hash: 15026a1d7ca91a91f65a7bc31e6368fac34210595290168033cbbc7d505d241c
Instruction Fuzzy Hash: 6B52C530619A4D9FEFA8EF68C465AA977E1FF59304F1101B9D40DC72A6CE25ED42CB80

Function 00007FFD9B9C2356 Relevance: .8, Instructions: 820COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bddd2c1cb8c6821f3708c8de2046f1942177671d8c7d7a8543bef8daad6b44c
Instruction ID: ebce185295de5e7a9d3e9af743f3c14fd2c0f3c56547740de36f06e2006ea28b
Opcode Fuzzy Hash: 1bddd2c1cb8c6821f3708c8de2046f1942177671d8c7d7a8543bef8daad6b44c
Instruction Fuzzy Hash: 2C429330B29A5D9FEBA8EBA884656B977E1FF58300F1141B9D04DC32A6DF34AD41CB41

Function 00007FFD9B9BBA79 Relevance: .8, Instructions: 804COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7d4b6668da403465f9db5b33bd00147b997c7264c592bd2b5cfc46baf2abb49
Instruction ID: df6de60169ef733d4b655fdd167c49cebcbfa7d0268eff168d44c3e06e4767f2
Opcode Fuzzy Hash: e7d4b6668da403465f9db5b33bd00147b997c7264c592bd2b5cfc46baf2abb49
Instruction Fuzzy Hash: 05325530B2DA5A1FE769EB6C84A16B577D1EF95300F4501BDD48FC31E6DE28B8028B81

Function 00007FFD9B9BD377 Relevance: .7, Instructions: 746COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 448bbaf2869378813e997f833b03cc050e706a5bda39b1faf16f0f32e8bae00d
Instruction ID: 7975c8ceb757e00d5988f547d32bdbb4b2cbef10818340ee04bb8bf8429c6cfa
Opcode Fuzzy Hash: 448bbaf2869378813e997f833b03cc050e706a5bda39b1faf16f0f32e8bae00d
Instruction Fuzzy Hash: 1B425F3061991E8FEF98EF58C4A5AA977E1FF58344F5101B9E40DC72A6CE25E942CB80

Function 00007FFD9B9B32F7 Relevance: .7, Instructions: 736COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a921a4633d631e8e564531db960a2992d3eacab90c6689f89de741c4008ce06a
Instruction ID: ba5f9a3c225ca14c339c98c63d12d53702154e89bbf89e9429eccd0bc663ec16
Opcode Fuzzy Hash: a921a4633d631e8e564531db960a2992d3eacab90c6689f89de741c4008ce06a
Instruction Fuzzy Hash: 60129170F1E61E9FEB65EB7888616B877B1EF59300F5400BAD00DD72A6CE38A945CB01

Function 00007FFD9B9C05EC Relevance: .7, Instructions: 658COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a7031fe4ed346b387444e4b80ac6f47ffb726c2cb9502ed6242cb53899f5f81
Instruction ID: 639dfe681daabd5a128c5d6e1eb660f1e8975577d9cd9133acc454709e29bb45
Opcode Fuzzy Hash: 9a7031fe4ed346b387444e4b80ac6f47ffb726c2cb9502ed6242cb53899f5f81
Instruction Fuzzy Hash: ED126931B1EA4E5FE7A5EB6884665B47BD1EF99700F0600BAD04DC72A3DF28AD428741

Function 00007FFD9B9C1DC7 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbcbda3c981fb73eae4d3776f9ce6744493e02f236f6c7ef10a2d0753c3486da
Instruction ID: dec94983bfa7b1e58aaeae5529bebac916dcb2b3cc62e1df7995b4df29f1bea0
Opcode Fuzzy Hash: cbcbda3c981fb73eae4d3776f9ce6744493e02f236f6c7ef10a2d0753c3486da
Instruction Fuzzy Hash: 36D19431B1991D5FEBA4EB688860BB877E1EF99300F5541F9D04DD32A2CE34AD85CB81

Function 00007FFD9B9BDDED Relevance: .6, Instructions: 595COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82f24df55fd5d1da0bf2efdf59bd4413328193c2121eee6c9c2fdc66711d9f60
Instruction ID: a45944aba6ac5c6f9c405a44cd34ceec0894f42b1c7e4cf85e216e4df8338a41
Opcode Fuzzy Hash: 82f24df55fd5d1da0bf2efdf59bd4413328193c2121eee6c9c2fdc66711d9f60
Instruction Fuzzy Hash: BB124871A2FB9E5FE7B5876448265A43FE0EF56310B1609F9C48DCB0F3D91C6A0A8B41

Function 00007FFD9B9C2399 Relevance: .5, Instructions: 534COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f8ef5aaeb7d84e0e8dd31140c3f129531fcaa26ad6442beecee4c605933e5e4
Instruction ID: 1e70fe0fb61fd25766c10d9619d8db69b93ef675d73d06d3656a2a27cbbfa5c6
Opcode Fuzzy Hash: 6f8ef5aaeb7d84e0e8dd31140c3f129531fcaa26ad6442beecee4c605933e5e4
Instruction Fuzzy Hash: 16029130B2DA5D5FEBA8EBA884656B977E1FF59300F1101B9D04DC32A6DE34AD41CB81

Function 00007FFD9B9B1B28 Relevance: .5, Instructions: 492COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72e1d9e424c6aca4b68ba349bd572ea42d76a99203d511f922ceaba84fcc926a
Instruction ID: edc9cbdf380377b44d1103626a199789672de6578d6327cb7348bd532ec545d7
Opcode Fuzzy Hash: 72e1d9e424c6aca4b68ba349bd572ea42d76a99203d511f922ceaba84fcc926a
Instruction Fuzzy Hash: 18F19F32B2EB6A5FD765DB68D8A15E43BE0EF45308B1900BEC05CCB1E3D9197906CB51

Function 00007FFD9B9A2C7F Relevance: .5, Instructions: 463COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aa91fa9ccbf599914149cc150a989fe93c37dbf4227a239601ac462301c89e5
Instruction ID: fc8e3f207f68ba769385cdf6ab8b8968fce9ce8c45298d7e85dd2e18b0c1d626
Opcode Fuzzy Hash: 1aa91fa9ccbf599914149cc150a989fe93c37dbf4227a239601ac462301c89e5
Instruction Fuzzy Hash: CCE1AC31B1EA8D4FE765DBA884652647BE1EF99300B1601FAD44DCB2A3DE29AC46C740

Function 00007FFD9B9B0007 Relevance: .5, Instructions: 458COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b05006b6622d23239ac7720bc54f93b124d4f1faa3c28cadb637ce039cc82741
Instruction ID: 676fa94f10ced79c7dc6b0a3c356b2d5b64f936150c41e7cc29f0e6e8fbc9571
Opcode Fuzzy Hash: b05006b6622d23239ac7720bc54f93b124d4f1faa3c28cadb637ce039cc82741
Instruction Fuzzy Hash: 6EE1B430B19E5E9FE7A9DB59C0A0A65B7E2FF55300B5581B6C00DC71AACE34ED85CB80

Function 00007FFD9B9C1DF2 Relevance: .5, Instructions: 452COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c52794b4dfed251c8780ff24ba79bea1ce7828f31dadcfd596de8d510a5a9780
Instruction ID: d20865919e16982ed30e8448403c193e7bfba953c6cafdd5c0ee3efc1fb1293f
Opcode Fuzzy Hash: c52794b4dfed251c8780ff24ba79bea1ce7828f31dadcfd596de8d510a5a9780
Instruction Fuzzy Hash: 8C71C431B2EA5D5FEBA8EB6888617B477E1EF99700F1501F9D04DC32A2CE246D45CB81

Function 00007FFD9B9A8E03 Relevance: .4, Instructions: 433COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdf46d84fa93db3851e5cfe99e7a4c4a3bd896a58efb21d80758cf1e958bcc6c
Instruction ID: 95066363343951ddfe15d78a3bffac777c4dccdd78984214dd259f75e8a1c400
Opcode Fuzzy Hash: bdf46d84fa93db3851e5cfe99e7a4c4a3bd896a58efb21d80758cf1e958bcc6c
Instruction Fuzzy Hash: 85E1E230B19A499FEBA8DB6C84A87B477E1FF55304F5541BDD48EC72E3CE28A9468700

Function 00007FFD9B9C4A39 Relevance: .4, Instructions: 418COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d26475b1327377b13d9785b152f2f9cf84a0acef1cf0818f092f679e1e583dc6
Instruction ID: 61075d0e8635b059d7376df0161de797a520ec2d5d84142350fad290c6d95b6c
Opcode Fuzzy Hash: d26475b1327377b13d9785b152f2f9cf84a0acef1cf0818f092f679e1e583dc6
Instruction Fuzzy Hash: 86C1B530B29A0D4FEB58EB6C9465BB977D1EF99310F1101BDE04DC32A7DE25AD428781

Function 00007FFD9B9B9F8D Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a87a82fae26fe5f2c62ec4664061ed48210fb52103f5cf7cb71c80975e2adda
Instruction ID: 34e8dd64eeec59a9db3ccf27380ad101b7547ea65607dc490dc37f878b24ba68
Opcode Fuzzy Hash: 7a87a82fae26fe5f2c62ec4664061ed48210fb52103f5cf7cb71c80975e2adda
Instruction Fuzzy Hash: 16C10231B19A5E8FDF94EF6CC465AAD77E1FF99310F0401BAE409D3292DE24AD018B81

Function 00007FFD9B9AA659 Relevance: .4, Instructions: 398COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e61d0be76307bd6407d5a771339548e3bd6696065f24f8f255b08f0fa85e6abb
Instruction ID: c222792dd928b3d0afd11bbb2d1ee8068c7adf55fe5ebfb22e68d8e9b39bb46b
Opcode Fuzzy Hash: e61d0be76307bd6407d5a771339548e3bd6696065f24f8f255b08f0fa85e6abb
Instruction Fuzzy Hash: AED18631A18A0D9FDBA8EF68C4957B9B7E1FF98300F1541B9D05DC32A6DF34A9418B41

Function 00007FFD9B9C3429 Relevance: .4, Instructions: 360COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f916d0721a70b1d1ac0ae652fbff064c405d4aea818e7fb70167af6f512c4d1
Instruction ID: 930cd9564fd395fd63f40173560bc8015760b9d5ffcd99dc678af8ba69929665
Opcode Fuzzy Hash: 9f916d0721a70b1d1ac0ae652fbff064c405d4aea818e7fb70167af6f512c4d1
Instruction Fuzzy Hash: 99B1F330B2EA4D5FEBA4EB6C846667573E2FF89304B550579D04EC72B2CE39AD428740

Function 00007FFD9B9A8E4D Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e099242159e9a85430d6776c0abcdce9b780b1216224df38d40e63fc867057e
Instruction ID: 548d24d6b84532833fe288cc0202a5e605cae4fb9842f50c3043545d0f3ab8e0
Opcode Fuzzy Hash: 8e099242159e9a85430d6776c0abcdce9b780b1216224df38d40e63fc867057e
Instruction Fuzzy Hash: A5B1D420B19A0D4FEBA8EA6C84697B577E1FF59300F5541BCD48EC72E3CE28A9468700

Function 00007FFD9B9A3180 Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 566593b7ef77aee91516f297b97d5f6c9a8b58431e8aa87a187a35a468c18479
Instruction ID: c46ca275403fe2bf84cf5b3845f970b0427ab364ca1256d0b148a3b367c5be0c
Opcode Fuzzy Hash: 566593b7ef77aee91516f297b97d5f6c9a8b58431e8aa87a187a35a468c18479
Instruction Fuzzy Hash: 90A1A131B1DA0D9FDBA8EBA8D4616B973E1FF88310F154179D45EC72A2CE35A9028B40

Function 00007FFD9B9A8FAE Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60e817d6d80d94620035d6831435b7a6e91ac612d5044e0bdff5fe83ab1c9d5a
Instruction ID: 0a0ef9696cb0883aab2e78c9348d2c977cd4149491b12e28891a5ab87eb7dbfc
Opcode Fuzzy Hash: 60e817d6d80d94620035d6831435b7a6e91ac612d5044e0bdff5fe83ab1c9d5a
Instruction Fuzzy Hash: E1A1A130B19A0D4FEBA8DA5C84697B477E2FF99304F5541BDD84EC72E3CE28A9858740

Function 00007FFD9B9A6D81 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 156de5443689a3ebbbb194d3ae80f1ec6ab108b22ca07a9d1b097f71dfce6b36
Instruction ID: 4601f375f1774c54833fa9e43733f36b5d4ed7c22c756a94f9745ac8ebc44363
Opcode Fuzzy Hash: 156de5443689a3ebbbb194d3ae80f1ec6ab108b22ca07a9d1b097f71dfce6b36
Instruction Fuzzy Hash: 5C912432B2AA4D5FE7A5EB6C846567537D2EF99340B1500F9D44EC72E3DE29BD028340

Function 00007FFD9B9A8F26 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a29900d03a022d47d7d02ee7f1b8542f8286cb346261bacb7893c89cbd0787f6
Instruction ID: 3805783582b485a95123f0f46af326eeb71baec4c160e1dd9f5c82ee72fe5b63
Opcode Fuzzy Hash: a29900d03a022d47d7d02ee7f1b8542f8286cb346261bacb7893c89cbd0787f6
Instruction Fuzzy Hash: 99A1A230B19A0D4FEBA8DA5C84697B577E1FF98304F5541BDD88EC72E3CE28A9468740

Function 00007FFD9B9A8DDD Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97d5d03b94c2729b6408719f04e07a9fed7aca8b22fde811bb700fb32ec2b712
Instruction ID: 76a758999569a02dba0547861ed002714d0e44670abe4927d39a29ea2c3fd342
Opcode Fuzzy Hash: 97d5d03b94c2729b6408719f04e07a9fed7aca8b22fde811bb700fb32ec2b712
Instruction Fuzzy Hash: 61A1C430B19A0D4FEBA8DA5C84697B477E1FF88304F5541BCD48EC72E3CE28A9458740

Function 00007FFD9B9A8F08 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e425966378f3a21976b87d306e04aff9a67bc232965e1be571c1df769b75593
Instruction ID: 1c6928218e6fd400ed4b3b4e9b1c77233f7afa06f0bff38540c816ec80449b31
Opcode Fuzzy Hash: 0e425966378f3a21976b87d306e04aff9a67bc232965e1be571c1df769b75593
Instruction Fuzzy Hash: 8FA19330B19A0D4FEBA8DA5C84697B577E1FF98304F5541BDD88EC72E3CE28A9468740

Function 00007FFD9B9A8F87 Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39216c28f095803cca92c3c9d63d41a72b11f13c0ac1794c256af6ac879a9857
Instruction ID: fa0e948eff25f34b865f1ad42a2a9d1539d9304ee1b243a2bd060f62919a311a
Opcode Fuzzy Hash: 39216c28f095803cca92c3c9d63d41a72b11f13c0ac1794c256af6ac879a9857
Instruction Fuzzy Hash: 4CA19230B19A0D4FEBA8DA5C84697B577E1FF98304F5541BDD88EC72E3CE28A9458740

Function 00007FFD9B9BEF79 Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12e4124ea4279f9934f19a6b19d8b7a9f201e2cb374d782a1fcde595809fccb4
Instruction ID: d07aacfc8a8e3541f687e7354c3dd5966e5571e56f151e1a336f27100d25fb00
Opcode Fuzzy Hash: 12e4124ea4279f9934f19a6b19d8b7a9f201e2cb374d782a1fcde595809fccb4
Instruction Fuzzy Hash: EA810721F1E95D1FEBA4DA6C88B577837D2EF9A740B0540BAD48DC72E3DD18AD028741

Function 00007FFD9B9A8F6A Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46a9a9beb036d96532e5d96c3d422a136a834e0640bc67eebb3d3e3959e534e9
Instruction ID: a99010f61e5b523e09420571b239f80159dff7bbf0c2312d9733455e1ed2c5ee
Opcode Fuzzy Hash: 46a9a9beb036d96532e5d96c3d422a136a834e0640bc67eebb3d3e3959e534e9
Instruction Fuzzy Hash: D5A19230B19A0D4FEBA8DA5C84697B977E1FF98304F5541BDD88EC72E3CE28A9458740

Function 00007FFD9B9A8F4C Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbaf87ae970da9ce723106b514553efb57e5a66f54c86948fbaf54bfb3785d29
Instruction ID: 42c290aaeca6611127c338931050059dc06f94506ce429d93c91f17b434f1661
Opcode Fuzzy Hash: dbaf87ae970da9ce723106b514553efb57e5a66f54c86948fbaf54bfb3785d29
Instruction Fuzzy Hash: A5A19120B19A0D4FEBA8DA5C84697B577E1FF98304F5541BDD88EC72E3CE28A9458740

Function 00007FFD9B9C572C Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2872496b3ac73af49f8506c7360bcd9328d896345c2f62fb747ae305d197bcba
Instruction ID: c0a4d24be0b38f3de1cc21ce19666b3698e9792af8f1100da7691d808b731a0d
Opcode Fuzzy Hash: 2872496b3ac73af49f8506c7360bcd9328d896345c2f62fb747ae305d197bcba
Instruction Fuzzy Hash: 1291B631B19A1D9FEB58FB6894656BD77E2EF88710F510079D00EC72A6CF25AD42C780

Function 00007FFD9B9A34A1 Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3034d88f3f0ad92b3ef84eaa5c27eedb53b5d8a683667f846d59753ce1b98bcd
Instruction ID: c84e593fdb6136ff1041553cb02e44a6002fbfe45e952a9fd9312b2da6275e38
Opcode Fuzzy Hash: 3034d88f3f0ad92b3ef84eaa5c27eedb53b5d8a683667f846d59753ce1b98bcd
Instruction Fuzzy Hash: E6916630B1EB4D5FD7A5DB688465AB5B7E1FF59310B0901BAC00EC32A2CE29ED45C780

Function 00007FFD9B9C2FAC Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9c53d438907b3594b825158346c7e8f5aaf50dd267fd82439a2c3cc11fda4fc
Instruction ID: 6952217ee54b76ffe13a1973683739227599aa0b6a26ff3492b4486887197f10
Opcode Fuzzy Hash: f9c53d438907b3594b825158346c7e8f5aaf50dd267fd82439a2c3cc11fda4fc
Instruction Fuzzy Hash: C2A11F3172991D9FDF94EFA8C4A1EA977A1FFA8340B150164E40DD72A6CE34E941CB80

Function 00007FFD9B9BD8B4 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 643fe457e9fc43778b468e2b69497ba41c585a0693e38f6a96903026632ae6d0
Instruction ID: b2d179695aad1334e058308a5c4df0c56cb72a6f5afda87da6af2e518473f9fc
Opcode Fuzzy Hash: 643fe457e9fc43778b468e2b69497ba41c585a0693e38f6a96903026632ae6d0
Instruction Fuzzy Hash: 93A1403071994D8FEF99EF68C4A5AA577E2FF59344B5101A8E40DC72A6CE35EC82CB40

Function 00007FFD9B9C38B4 Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5c251e921ae350454e5eccbf39578055b638c9ea3a28150f452fa540deb31c9
Instruction ID: 473b2a58555dc1065ee96940a1bdfd3c5967532b911ac6d6d414020d067dc95f
Opcode Fuzzy Hash: b5c251e921ae350454e5eccbf39578055b638c9ea3a28150f452fa540deb31c9
Instruction Fuzzy Hash: 23815F30B2DE1D5FDBA8EB688466AB977E1FF99700B050179D04EC32A6CE24BD418781

Function 00007FFD9BA6214D Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034603322.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba60000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90fe5e9dcb08887af3f797e8bf319dd81ba4eaaaf233141fde2369463b272d18
Instruction ID: d8aa51c968e249ab5919c5086b1aed67b2f46ffccbce29315c7c34199ce6fdb4
Opcode Fuzzy Hash: 90fe5e9dcb08887af3f797e8bf319dd81ba4eaaaf233141fde2369463b272d18
Instruction Fuzzy Hash: 3B817010B2EF8A4FE6A5A7D984A2375A6D2FF98600F45407AD10DC32E7DE58EE014381

Function 00007FFD9B9C4820 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b49c419e0065de104e46d43abd8eeca0a0b73793b8d749ae1aa8d6db6f61a17a
Instruction ID: 93aeda27e513e4a0588d82e5b7c9c5db442ba656ed58f2ccb5ade442353bc81e
Opcode Fuzzy Hash: b49c419e0065de104e46d43abd8eeca0a0b73793b8d749ae1aa8d6db6f61a17a
Instruction Fuzzy Hash: E971B23071EA494FE799EB2C9469B6037E1EF99700B1501BEE04DC72B3CE19AC42C741

Function 00007FFD9B9B4BE0 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6ddbd32624662fb05d46858a90c9b551af3f64b51229128053df0fcfbcc1eae
Instruction ID: da48d22c3cb95f32bbbe68792b6aa82444270f47ee965892d29aca5bed552cd0
Opcode Fuzzy Hash: b6ddbd32624662fb05d46858a90c9b551af3f64b51229128053df0fcfbcc1eae
Instruction Fuzzy Hash: 84517030A18A1C8FDB69DB58D855BE9BBF1EF59310F0082ABD44DD3256DE34A984CF81

Function 00007FFD9B9C0C30 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89953e631d7cf99b8530dc58f209c1d7545ff858d42a94cd3098a02e9be14ed1
Instruction ID: 16479247a5c68badc319d5944b6f3f26758c40456402bd0872925c88bea3cffa
Opcode Fuzzy Hash: 89953e631d7cf99b8530dc58f209c1d7545ff858d42a94cd3098a02e9be14ed1
Instruction Fuzzy Hash: 16611861A2F7CA2FE775A76444261B43FE0EF46601F1605FEC48DCB1A3DA1C6A0B8391

Function 00007FFD9B9B9AE9 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da1250b2a3f24a090a5b83f3337f624c079e0869bea59cf932aba50437db58ca
Instruction ID: 9b7d8ebf4c9d79925691662947ebda8962867b791473d8695d5553274f3a21d7
Opcode Fuzzy Hash: da1250b2a3f24a090a5b83f3337f624c079e0869bea59cf932aba50437db58ca
Instruction Fuzzy Hash: 3F616921B2EA9E1FD76A9B7C44792B17BD1EF55210B0601FBD04DC71E3DD18AD068B82

Function 00007FFD9B9BCC70 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 643bfd9c0380ffd3577576dd538c029c93562160562076c2c220ecfcf86f9519
Instruction ID: d80d761aed176a68ce59efa286c0b5245925979f2ef8d453fd2129abf3b02e1f
Opcode Fuzzy Hash: 643bfd9c0380ffd3577576dd538c029c93562160562076c2c220ecfcf86f9519
Instruction Fuzzy Hash: 69512A30B1EA5D5FDB75D7A898596A87BF0EF89311B0501FAE04CC72B2CE285D45CB90

Function 00007FFD9B9AD5B4 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc611ea3ec55f51f82f7d50523e5a66d3c48905f7b74fd468d2127b0815afa3e
Instruction ID: a19b3775738a85bbfa0dbb62490e446a2793d67a886afc1c7f6a696e49326e1a
Opcode Fuzzy Hash: dc611ea3ec55f51f82f7d50523e5a66d3c48905f7b74fd468d2127b0815afa3e
Instruction Fuzzy Hash: 76519071B1994D4FDB98EF6CC464AA977E2EF98310B0505B9E05EC32A6CE24EC418780

Function 00007FFD9B9A3751 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 504b126321bd237a8c8556fcd0e3d4d28bef4c623d2d6eaac2645b262d12e939
Instruction ID: c9bef485aba032b7840fa57efc06f98df64ef2adc5f3fc3900d705b54a95cf16
Opcode Fuzzy Hash: 504b126321bd237a8c8556fcd0e3d4d28bef4c623d2d6eaac2645b262d12e939
Instruction Fuzzy Hash: A8515630A2DB8D5FE766AB6C9814671BBE0EF56314F1502BAD48EC31F3DE19A8428341

Function 00007FFD9BA60050 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034603322.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba60000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb3020ee41cd88d6b3d017b78edd3989fd46023e699ed1d3b21ff4f39def4b8a
Instruction ID: 6a28d8dd0ddc3dc53f5e2963f9c7933ed2396d555e419100bb1bdca1f84ad684
Opcode Fuzzy Hash: cb3020ee41cd88d6b3d017b78edd3989fd46023e699ed1d3b21ff4f39def4b8a
Instruction Fuzzy Hash: 3A412662B0E7C94FD366876898796303FE0DF17220B0A01FBC089C71F3E959AC458341

Function 00007FFD9B9A4775 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68dc1df5c50988ab03a8efb58a09f43e2b80205dbfd78b2e732a17c06d0ff443
Instruction ID: c54700e702b2f53a55ff3a01101e8438b171228dd4175f540198f2ddc5278ca1
Opcode Fuzzy Hash: 68dc1df5c50988ab03a8efb58a09f43e2b80205dbfd78b2e732a17c06d0ff443
Instruction Fuzzy Hash: 6941E33070ED4D5FEBA4EF5CA4A4A75B3E0EF59310B1600FAD45DC72A6CA15ED428781

Function 00007FFD9B9B8C5D Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89ff8500a5849852fee340e97312074f4e597afb442f437cd3162aeefb1e4b41
Instruction ID: 7ded899d6b58aaa849755ac5c08d68e7bf01891c87c38daee80362f6180f81e1
Opcode Fuzzy Hash: 89ff8500a5849852fee340e97312074f4e597afb442f437cd3162aeefb1e4b41
Instruction Fuzzy Hash: 0151C330B1AA1D9FEB91EB6884696A87BF1EF5D340F5500B6D40DCB2B2CE289D41CB10

Function 00007FFD9B9A76BC Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1216be2417eb6f3695f5f11a163c7b100aa00ff39a2fe2f975e9d9f51d7d9c6
Instruction ID: fc049b11067d565d1f9c3ec45a7bdbd0be7ebeee3ec13ebb676d52621cda3f41
Opcode Fuzzy Hash: b1216be2417eb6f3695f5f11a163c7b100aa00ff39a2fe2f975e9d9f51d7d9c6
Instruction Fuzzy Hash: 01416D22B1EE4E1FE7A4D66C98AA5B577C1FF9922070901FAD45DC31E7DD18BC428341

Function 00007FFD9B9B89BD Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2c5609a6e0487d7d2b53d7f4f129086fa2bfb1cd947b4a0abd34296941fa890
Instruction ID: 28579003db7b0ee0513bef59637dc14e44f1168d9bf3736a40e464f2b7968996
Opcode Fuzzy Hash: e2c5609a6e0487d7d2b53d7f4f129086fa2bfb1cd947b4a0abd34296941fa890
Instruction Fuzzy Hash: E351B130B2AA1D9FEB94EBB884656B977F1EF49300B4505BAD41DC72F2DE399941CB00

Function 00007FFD9B9AE3A9 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd311764a45ef00d81efd78df7ae46d4fc3ad38d335b82195f8083f0b62ba7fd
Instruction ID: 26803cda3e44438aaa1ff3ef2a55456ac6fcbccec94ba4176a7bb1253bc68a33
Opcode Fuzzy Hash: bd311764a45ef00d81efd78df7ae46d4fc3ad38d335b82195f8083f0b62ba7fd
Instruction Fuzzy Hash: 8E512531A29E8E4FEB49EB68C4A19E53BB1FF55300B5101F6E40AC71EBDD24AD46C781

Function 00007FFD9B9ACDE9 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3008cce3680cd3f631ab339b35e1a1c01f81c444a00a8146f7f8d254dc0e3d6
Instruction ID: 43c94c925c3f4ae7f32a30dd824091e3edd6ab578e8ede8506c78ac1876a95a1
Opcode Fuzzy Hash: d3008cce3680cd3f631ab339b35e1a1c01f81c444a00a8146f7f8d254dc0e3d6
Instruction Fuzzy Hash: 22413A32B1EF891FD7B5CB6898655A07FF1EF55210B0941BED088CB1A3DE14AD458381

Function 00007FFD9B9A7A72 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f6de7e32934bbb05a758a4d0db9b3cb892b1d4f6dc13eae0a61069c0b995f17
Instruction ID: cf8fe22d958a9c2bf66cb6a1144eb1b6e864922624e792578dd475fe91b11b37
Opcode Fuzzy Hash: 2f6de7e32934bbb05a758a4d0db9b3cb892b1d4f6dc13eae0a61069c0b995f17
Instruction Fuzzy Hash: 0341077061D78C6FDB699F6C84266B57BE0FF55310F16006FE48AC32A2CA39E941C741

Function 00007FFD9B9A76AE Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16ebf65af8eb0cd01fe7cf83e2102b61d6136959394f6f933d4fbd87850cb8d3
Instruction ID: 08c9deb4fa7e477669808a78f6cdf7790c17a212d81d2eff77f7265fd317e058
Opcode Fuzzy Hash: 16ebf65af8eb0cd01fe7cf83e2102b61d6136959394f6f933d4fbd87850cb8d3
Instruction Fuzzy Hash: 6D316C22B1EE4E1FE7A4E76C88AA97577D2EF9931030901FAD05DC31A7DD18BC028341

Function 00007FFD9B9A4D78 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00482a545766fcc4c2f370e1076b527f2255d64c2d162d761259aae2649d55dc
Instruction ID: a436212ac49f10ec8e067f6c918e88a0a20b931b09af5fa4e198064e33a7c82d
Opcode Fuzzy Hash: 00482a545766fcc4c2f370e1076b527f2255d64c2d162d761259aae2649d55dc
Instruction Fuzzy Hash: E8412B2171FA8E1FFB95D75884647657BD1EF95300F4541BDD04DCB2A2DE24FA418341

Function 00007FFD9B9BEFA0 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62410bdb7ecc87cae158b6d678396d346183b8e25ae99e4bd1a5976ba675a095
Instruction ID: 8a319be6f2ac981cd81bfaabdacc659b4b0ceaaf32110d68c1a3f305be6809f5
Opcode Fuzzy Hash: 62410bdb7ecc87cae158b6d678396d346183b8e25ae99e4bd1a5976ba675a095
Instruction Fuzzy Hash: A231D321F1E91D0BEFA8DA6D58A577827C2EFCA744B0540B9E48DC32F7DD286D028641

Function 00007FFD9B9AD1F9 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 122d2f34ca3b4aef0ee1fff1f41675a33ba70b6d7cb80ebbcc4ecace5a5e34e5
Instruction ID: 550b5c22fbf13e75623acaf6d3c44c8a02ad96ebfccee8cf4fb1a933c9e923a5
Opcode Fuzzy Hash: 122d2f34ca3b4aef0ee1fff1f41675a33ba70b6d7cb80ebbcc4ecace5a5e34e5
Instruction Fuzzy Hash: 5C416B3061AA8E9FEB99DF58C460BA937A1FF45304F4500F9E41ECB1E2CE29E955C701

Function 00007FFD9B9B99AA Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6491d312b8e5ef1658ce422458ba09e4d36235a761149bdf29c064d363cd4c69
Instruction ID: 448140cd133891b1a4faf3b8663d8d84083c950e770f450418dd9d5fe535e980
Opcode Fuzzy Hash: 6491d312b8e5ef1658ce422458ba09e4d36235a761149bdf29c064d363cd4c69
Instruction Fuzzy Hash: A2315931A1F79D1FD766977C98294A87FA1DF87220B0902BFD049C71A3CD1A6806C751

Function 00007FFD9B9BA061 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 621b4995b40d7ac988cefa656abde5883a0db78d8c678da53aabeb43d72cc2e1
Instruction ID: 1fce448305760e710b7bb56744cae697ceec4378d80627506b320cd287d68c7e
Opcode Fuzzy Hash: 621b4995b40d7ac988cefa656abde5883a0db78d8c678da53aabeb43d72cc2e1
Instruction Fuzzy Hash: F5316A32B09E5E0FEB96967C546A2B937D2EF9A210B0501FBD848C31A3EE145C028741

Function 00007FFD9BA60718 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034603322.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba60000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fb96b118d426ee3b505404818683b8e5c4225d86eec427ce7d1a9e87038d764
Instruction ID: 72af9865d501067c2567681f57ad96ec00458eb48b663bf46a74ec3356cdc35e
Opcode Fuzzy Hash: 5fb96b118d426ee3b505404818683b8e5c4225d86eec427ce7d1a9e87038d764
Instruction Fuzzy Hash: D7418862B1EF494FE76CDB6C04662703BC1EB29710F4401BED48EC32E3D8556C418786

Function 00007FFD9B9A2EEE Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e367a395b901bfce175db1ef96a19bac2fe45b3bb3732cb202fbe0fd9bbf61a9
Instruction ID: 5608617ecc17d59cb4bf644837d146ca2901fa24b29c92411c6abba0a80fb02e
Opcode Fuzzy Hash: e367a395b901bfce175db1ef96a19bac2fe45b3bb3732cb202fbe0fd9bbf61a9
Instruction Fuzzy Hash: D0314A31A1FB8E5FD79A9B7884A15607BE1EF9B31071941FBC449CB1A7CC2AAC46C350

Function 00007FFD9B9A28F2 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72b47745218729e0b80cf7e585e9b5c064f1c86352e115897d8ae0200c8a6dfd
Instruction ID: 0e49c62fc4a65bfff2bec2d044f49c257ed4b1442ee53d4bb944aca89ad23cc5
Opcode Fuzzy Hash: 72b47745218729e0b80cf7e585e9b5c064f1c86352e115897d8ae0200c8a6dfd
Instruction Fuzzy Hash: DA415A21B2EB8D4FD755A7A884A15F63BB1EF9A300B4500F7D04AC72E7CD286D09C391

Function 00007FFD9B9A3780 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8024ee3084a24d46748330e7e2ffcc065613e147085b219955db6b2a76b4cce
Instruction ID: 51c413ca73130835723bc0f9967695aaefc52f4aab2bba42852aaa8409c45d43
Opcode Fuzzy Hash: f8024ee3084a24d46748330e7e2ffcc065613e147085b219955db6b2a76b4cce
Instruction Fuzzy Hash: A7317B30B1DE0D5FFB99EB2C941563577E1EF96314B0201B9E85DC32B6DE29AC028381

Function 00007FFD9B9B8F1D Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 226e2a19b275d1ad631d81c11c4ab791f156c805029ab498a8895e73dc5982c6
Instruction ID: 1139415cb18324f90970d8800156ee3119e89bb0df94bdb808e554b47368f727
Opcode Fuzzy Hash: 226e2a19b275d1ad631d81c11c4ab791f156c805029ab498a8895e73dc5982c6
Instruction Fuzzy Hash: A441A530B29A1D9FDB94EBA884696B877F1FF49300F5104BAD40DC72B2DB389941CB40

Function 00007FFD9B9C332D Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cca2f2576ba98561ea716813dd4c81c90a863f765d6a64c498926c1f282c88be
Instruction ID: 605cb175f431e0914f42ce8348de9246e867d8b0176704bb4c86e1f294b9d72e
Opcode Fuzzy Hash: cca2f2576ba98561ea716813dd4c81c90a863f765d6a64c498926c1f282c88be
Instruction Fuzzy Hash: C931F53071DA4D6FEB94EB6C9465AB57BD1FF99310B0541BAE04DC32A2CE35E8428B81

Function 00007FFD9B9B9FCF Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e90be242785260e332e17d267a9fcdfec83ff00dc647b6c251b2c36cbda5a7b
Instruction ID: 27a251032690507c952efa2fe6e8f9309954ddec9cdea7c3c044b8939aac7013
Opcode Fuzzy Hash: 4e90be242785260e332e17d267a9fcdfec83ff00dc647b6c251b2c36cbda5a7b
Instruction Fuzzy Hash: A6317131B1EF5E0FE7A296BC68651F97BD2EF9A22070501FBD448C71A3EE189C428741

Function 00007FFD9B9B1535 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7f0d626f42ca44de189b9c47ddd9e914fd819c07b2af9dc3344f872c0ca88b6
Instruction ID: ef1f540780f7d5d9bcb9c3a98d1f51eda4aa2f9ef8c6d426d17f4cb92560aee3
Opcode Fuzzy Hash: b7f0d626f42ca44de189b9c47ddd9e914fd819c07b2af9dc3344f872c0ca88b6
Instruction Fuzzy Hash: 8331AB31A2EFA84FD764DB3884A4A647BE1EF5920470805FEC48ACB1F3CD18A941CB41

Function 00007FFD9BA65098 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034603322.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba60000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80248dde8730db9e877ba8f1c346bc2ba197f1e16f7ebb9df138ce5f42b7442d
Instruction ID: 34fbe1d86a7d619ccf957e539c5ebae60b5ea7c83a3747e03dac413ccbcea3a7
Opcode Fuzzy Hash: 80248dde8730db9e877ba8f1c346bc2ba197f1e16f7ebb9df138ce5f42b7442d
Instruction Fuzzy Hash: 49313A52F0EE4E5FF7B5A3AC04B927826C2DF9861075601BAD40DC32EBED59ED424340

Function 00007FFD9BA657AE Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034603322.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba60000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4146b25709c065dbf9af481a466b6c793d448ff084d0539c8a32859dba30f216
Instruction ID: 670bc3bc1064f1c3a2e57c8fd8ef988fb1eb6d67aa0b11a2e7f1751a02f4efa3
Opcode Fuzzy Hash: 4146b25709c065dbf9af481a466b6c793d448ff084d0539c8a32859dba30f216
Instruction Fuzzy Hash: 4621B992B0AE4E4FF7B9A7AC14B923516C3DF9815075601BAD40EC32E6ED59ED424340

Function 00007FFD9B9BEEA9 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3010e53a5b14cae2035b51ad160de60e0892e48ca862605b808052e0117a873
Instruction ID: 07a4115cf628d946aa0e114b68f4859d44fa85d980e1036ba3ef18254e09ff2c
Opcode Fuzzy Hash: c3010e53a5b14cae2035b51ad160de60e0892e48ca862605b808052e0117a873
Instruction Fuzzy Hash: 9721473161DB8A0FD31AA7685851AF57FE0DF56224F0802EFD08AC71E7DD19A4468381

Function 00007FFD9BA65160 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034603322.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba60000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a1575da3162e9fd22a90f5a772c99521ec296da133992d8211ef51944905e67
Instruction ID: 58c06fb73a35a6e661a2592cc0be2782f2dcd7d9065c4e99fe230f4258dfa10c
Opcode Fuzzy Hash: 4a1575da3162e9fd22a90f5a772c99521ec296da133992d8211ef51944905e67
Instruction Fuzzy Hash: 9E219152B0EE0E4FE6B9A7AC18B927556C3DFD8240B5601BB901DC72EAEC59ED424340

Function 00007FFD9B9AD9F4 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ba24cb0820a7ece3bfe78468af31f59b8efb25b61dd20ae2f4a2b93ce9e093a
Instruction ID: 4eb0a7a11f58e30ca92df31f03544f06c6377aaf56b70db24c3c32ac45693510
Opcode Fuzzy Hash: 9ba24cb0820a7ece3bfe78468af31f59b8efb25b61dd20ae2f4a2b93ce9e093a
Instruction Fuzzy Hash: 1D213A71B0DB090FE3189E2D98954B4B7D2EF99324705427FD44DC7297DC29AC438381

Function 00007FFD9BA6522F Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034603322.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba60000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92e7c518c7dfc392980feed8d901a3c5b58adebd2018f4877512fc6227a5c28f
Instruction ID: 4b10ea33b25f744d19b17c95bf9abe474d17adff4a67501d54c71e73c772a47e
Opcode Fuzzy Hash: 92e7c518c7dfc392980feed8d901a3c5b58adebd2018f4877512fc6227a5c28f
Instruction Fuzzy Hash: 7821B652B0EE4E4FE7B9A7BC146923966C2DF98140B5A01BAD04EC32F6ED59ED410340

Function 00007FFD9B9A7390 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fa6f813701c919fddf71e561cd51c1f5a4b0ae78bac847fb07beed41f684fa8
Instruction ID: 12a2929afbba1c50df18f54f05ed9dfaca9462652ae6074f416194cead8fca71
Opcode Fuzzy Hash: 2fa6f813701c919fddf71e561cd51c1f5a4b0ae78bac847fb07beed41f684fa8
Instruction Fuzzy Hash: C1310721B2DB4D0FE791EAA8946427577D1FF98314B05027AD84CC32F2DE2DAA818301

Function 00007FFD9B9BAE7D Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 850157f88ab5ef5e42f76ecd2a33bd898380fd9926152b0b668011ecbfb6743f
Instruction ID: 49dc0e0581654489bed0c08f4c06ecf191f9143c09d9e278c620b81086e4e5d1
Opcode Fuzzy Hash: 850157f88ab5ef5e42f76ecd2a33bd898380fd9926152b0b668011ecbfb6743f
Instruction Fuzzy Hash: 17318130A19A4E8FDB94EF68C4647EA77E1FF58304F1045A9E419C72A6CF35E911CB40

Function 00007FFD9B9B0C78 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4deac538460361070ea1c17acd896912214c2b2a18c55ff29f996106d5114f80
Instruction ID: 5c5c28c77d1e186e446e05de41bd0df9b742970e70455982a65814f93917fbf1
Opcode Fuzzy Hash: 4deac538460361070ea1c17acd896912214c2b2a18c55ff29f996106d5114f80
Instruction Fuzzy Hash: 2031C132B1CA168FD75DEF58E0A56EAB3E0FF48314B18413ED05EC3282CF29A8408B44

Function 00007FFD9B9A3169 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17acbbae42f2e5874379e2568fe2fbea20de0fa040d663db037ad0915a4a1e34
Instruction ID: c479f9c0a8ac6e27f9f841e3d30cfaa6289b80d9462252f52f38e371783bdb5e
Opcode Fuzzy Hash: 17acbbae42f2e5874379e2568fe2fbea20de0fa040d663db037ad0915a4a1e34
Instruction Fuzzy Hash: E931E431A0DB8C9FC759DF68C8615A93BF1FF8A314B15417AD448C72A2CA35E802CB40

Function 00007FFD9B9B0CD3 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c666a0cce767878ba5b0c7dea4d9a1d11059ebb05f0993f3e391cb6a4a93e02
Instruction ID: c13c796ceffeddeb545f5dadb803eadbaa74b3b273404666a90cea564c59fb20
Opcode Fuzzy Hash: 1c666a0cce767878ba5b0c7dea4d9a1d11059ebb05f0993f3e391cb6a4a93e02
Instruction Fuzzy Hash: 80312532B0D7994FD799DF6894646AABBE0FF49710F0441BFE09DC32E2CE2568008B05

Function 00007FFD9B9AD475 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c7e1d3286ab30c3ba0a4b2c25d1bd53de05f923cf278eb6e5e39c07d9d71a32
Instruction ID: 1673f4020a9b06ae21d90411cbf9b2584e37a3af315764d094b64949f50be7e7
Opcode Fuzzy Hash: 1c7e1d3286ab30c3ba0a4b2c25d1bd53de05f923cf278eb6e5e39c07d9d71a32
Instruction Fuzzy Hash: 3531263072E94B2FE779826894746B477D1EF85254B1A00B9C04EC71F6CD18BD818342

Function 00007FFD9BA65957 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034603322.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba60000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73198707fa46f54c00594f2e1628b6581e362910ae344505bb59f3f5ea049b38
Instruction ID: eb10a439d06ab5e56b9ec38d87c9453c5985b03247c08c4a4b5d501092002ddc
Opcode Fuzzy Hash: 73198707fa46f54c00594f2e1628b6581e362910ae344505bb59f3f5ea049b38
Instruction Fuzzy Hash: 9A21C752B0AE4E4FE7B9A36C04B927956C2DF9811075A01BAD41EC32E6ED58ED424340

Function 00007FFD9B9A3FB4 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ee89f1cc1e4578617d4487d369e2b64a146da24e7eb7bc8bc02b81fa21a444d
Instruction ID: 5810c650a0ccf747fa534abd04e0ee91caa16f480decdc4ffd653c293e1ece79
Opcode Fuzzy Hash: 6ee89f1cc1e4578617d4487d369e2b64a146da24e7eb7bc8bc02b81fa21a444d
Instruction Fuzzy Hash: 0B214821B1DB491FF3A8965C685A7B577D1DF96220F0901BEE48DC32B3DC156C438382

Function 00007FFD9BA6286A Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034603322.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba60000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95bc10002feb44b4a1c2d5619cca2a441e5fd1c65c933f12d387323664c9b603
Instruction ID: 6f3cf4285e1a812c74a03edc19f58eefac8fd589c0036f0b70fbd5a8487ef6bc
Opcode Fuzzy Hash: 95bc10002feb44b4a1c2d5619cca2a441e5fd1c65c933f12d387323664c9b603
Instruction Fuzzy Hash: B221A452B0AE4E4FE7B9A7AC08B527556C3DFD865075A01BBD00DC32F6ED59ED414340

Function 00007FFD9BA639C8 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034603322.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba60000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d38f2163c8ee49aa356cbc3a0e4b0df0e864cd465607045add2c976f9393d832
Instruction ID: 17fdf19f66881387a2a3a22fe63d89bc7ab4e48fa861b2cf5bec2b9132d126ab
Opcode Fuzzy Hash: d38f2163c8ee49aa356cbc3a0e4b0df0e864cd465607045add2c976f9393d832
Instruction Fuzzy Hash: 3821D352B0EE4E4FE7B9A76C04B523816C3DF9821079A01BAD40EC32EBED59ED424340

Function 00007FFD9BA6369E Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034603322.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba60000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b8c462465f410c37aa7d87a7f74f8e01ee02f64d39c88e1ce28faa507bed775
Instruction ID: 64aa6f66b95342c84e7de82cc6f94ea5ed74be1f407612d5cebfdb904204f01f
Opcode Fuzzy Hash: 1b8c462465f410c37aa7d87a7f74f8e01ee02f64d39c88e1ce28faa507bed775
Instruction Fuzzy Hash: 1721D652B0EE4E4FE7B9A7AC047527966C3DF9824079641BAD00EC33FAED69ED024340

Function 00007FFD9BA65565 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034603322.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba60000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fc725b6c54835e3d94fe6d33e3d645bdf959e9e1eff1ddbc9ff0f3b3b411bc5
Instruction ID: c5190092f06ecd3ffa0fce6867b6034f99aa97fc09976c77cb1e97cdd187c790
Opcode Fuzzy Hash: 5fc725b6c54835e3d94fe6d33e3d645bdf959e9e1eff1ddbc9ff0f3b3b411bc5
Instruction Fuzzy Hash: C221A451B1AE4E4FE7B9A7AC14A923955C3DF9815075A01BBD00EC32F6ED59ED414340

Function 00007FFD9BA64667 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034603322.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba60000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da4ff111da4d5c3b58810c9b7c138f2dbbdadf55950114aaf0656cfee5c87db2
Instruction ID: 0aa2333f360087cc1b0f9e8b635c82e806da1efdfd540246bc9fb72bb857e989
Opcode Fuzzy Hash: da4ff111da4d5c3b58810c9b7c138f2dbbdadf55950114aaf0656cfee5c87db2
Instruction Fuzzy Hash: BB21A451B0EE4E4FE7B9A7AC047927955C3DF9815075605BED40EC32F6ED68ED424340

Function 00007FFD9BA648CD Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034603322.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba60000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c15dfb27c5dcd1df4cd22fded1f2d4f730ff606fc85bd7ba742464f1f4d5274
Instruction ID: 353c09c3a94f713fef4df3385731a676abab3ee13761bae6193e5754856615b7
Opcode Fuzzy Hash: 8c15dfb27c5dcd1df4cd22fded1f2d4f730ff606fc85bd7ba742464f1f4d5274
Instruction Fuzzy Hash: 3721F552B1AE4E4FE7B9A7AC14B423956C3DF9825076A01BAD00DC32F7EC29ED414340

Function 00007FFD9B9C0F98 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a20c36b7cf5880db7841803839ec32f7fe46570988001fe5f4f6c5dcb65ec98
Instruction ID: be26ca7091d60c8716064ec87b4a069f03ceeb9500b87381d25b71db66db68c4
Opcode Fuzzy Hash: 0a20c36b7cf5880db7841803839ec32f7fe46570988001fe5f4f6c5dcb65ec98
Instruction Fuzzy Hash: 51215C3071DA5C9FE7D4EB688494A2977E1FF98311F5505BEE04DC32A6CA24E9418B42

Function 00007FFD9BA626E9 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034603322.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba60000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84440e8e2793235c3e528f1700372f2a510ec469b87a3ca35549c15b437eac3b
Instruction ID: 8d37f9076141bfed0d3284c74840475be6bf2b950579730511e1db10d81ca432
Opcode Fuzzy Hash: 84440e8e2793235c3e528f1700372f2a510ec469b87a3ca35549c15b437eac3b
Instruction Fuzzy Hash: 1521B052B0AE4E4FE7B9A7AC04A927561C3DFD8150B9A01BBD01DC32F7EC68ED424344

Function 00007FFD9BA63A97 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034603322.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba60000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cea7c1ebcf13db2a197ecfaaa077f28e44ac4e14794778902f8988ae10fdf490
Instruction ID: 4b15d91962ae9a7d841f9d9563b12e46b8945e1e7d68aafd9bc606cc0f09a11e
Opcode Fuzzy Hash: cea7c1ebcf13db2a197ecfaaa077f28e44ac4e14794778902f8988ae10fdf490
Instruction Fuzzy Hash: 1F21C851B1EE4E4FEBB9A76C04B523566C3DF9825079A01BBD00EC32E6ED69ED424340

Function 00007FFD9B9C0501 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98bf56f4cf51aec5455679c39dc5227b9a0849316975b983c4389918233d70fa
Instruction ID: 01de444fd1fa420ed77faceb9be7be96c98900d0ba3ab5ac2eb898cad163eb3a
Opcode Fuzzy Hash: 98bf56f4cf51aec5455679c39dc5227b9a0849316975b983c4389918233d70fa
Instruction Fuzzy Hash: 7C21CC30B1EA595FE7A9EB7C8469A6477E1EF9970070501BAE00DC72B2CE29AC42C750

Function 00007FFD9BA63CF7 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034603322.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba60000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee66cf7ea45dcb8df1bccb6f5a2657a2e533daed0b4a9f4a14f5f3f3ab66bfd4
Instruction ID: 2215e5517a218c4fb9e7e6ba131e509f5b81e125032f977f3c4cbfc5e61a2ff1
Opcode Fuzzy Hash: ee66cf7ea45dcb8df1bccb6f5a2657a2e533daed0b4a9f4a14f5f3f3ab66bfd4
Instruction Fuzzy Hash: 2A21B652B0EE4E4FE7BAA76C047523565C3EF986407AA05BAD00DC32E6ED69ED024340

Function 00007FFD9BA62566 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034603322.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba60000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 993c9d30e71e186f365fd22301b3cbb0699dff718f21d9e87a8d66ddaae5ed54
Instruction ID: a11d5ae3c4ee8735a195182072b61f69592c92e13943121fdd370f61ee844160
Opcode Fuzzy Hash: 993c9d30e71e186f365fd22301b3cbb0699dff718f21d9e87a8d66ddaae5ed54
Instruction Fuzzy Hash: C7218361B1AE4E4FE7B9A7AC04B923961C3EF98610B9641BAD40DC32F6ED58ED424341

Function 00007FFD9BA632B5 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034603322.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba60000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2964e13f402b66b63b2247c1bf527a500f1a7cd2db94c0053414e61263fbdf4b
Instruction ID: 12471aee083ed27d2e1dc2dd293e4f0ecdc42228cbc881568082a9a7d655f208
Opcode Fuzzy Hash: 2964e13f402b66b63b2247c1bf527a500f1a7cd2db94c0053414e61263fbdf4b
Instruction Fuzzy Hash: 4721C562B1EE4E4FE7B5A76C04B523965C3DF986107AA01BAD44DC33E6ED59ED024340

Function 00007FFD9B9AC776 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06125ef0169e5da767b47ec85219c3f7a284aff296eabea1ea33619a7c6fed57
Instruction ID: 2f2cf6d89af6cae069a7bc1044db5b5d10db3de229beda4856ca74a73d7586e3
Opcode Fuzzy Hash: 06125ef0169e5da767b47ec85219c3f7a284aff296eabea1ea33619a7c6fed57
Instruction Fuzzy Hash: 46214852B2EE891FE798A77C44A5AF567E1FF98210B4501FBD04EC71E7DD18B8494340

Function 00007FFD9B9A7750 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e52887da0ceca6613c048b2cd3af6edc4bbaad04193e0740913384ffa09c6a81
Instruction ID: 573c8f6ff268e8763f518acd10b63c3498ee02f8b3e77c611780ae59b863a024
Opcode Fuzzy Hash: e52887da0ceca6613c048b2cd3af6edc4bbaad04193e0740913384ffa09c6a81
Instruction Fuzzy Hash: 69115C33B2AD1E2FE368E65C989697573C2EF8836035641B9E45DC32A6DD18BC028390

Function 00007FFD9B9AA6D0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74817f636da7639398b3893f35da4666ebf5d0331c290c45d87620bfc1e8dbb1
Instruction ID: a3fe919d601cbe0ae6064556c902af7cf9cdd44219379c1567502dd923f444f4
Opcode Fuzzy Hash: 74817f636da7639398b3893f35da4666ebf5d0331c290c45d87620bfc1e8dbb1
Instruction Fuzzy Hash: 3921657190CA1C5FDB68EA58DC4A5FAB7F4EBA5321F00413FD44ED3221DA31B9458B82

Function 00007FFD9B9A2943 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f6463d4eb7f72b0b0807e2e1e3168fb863b4a898a5c8a9fb1852b125189f506
Instruction ID: 729bf87feff7b8735fac17328c247a330e877b76e855d9e07328324a19097c2e
Opcode Fuzzy Hash: 9f6463d4eb7f72b0b0807e2e1e3168fb863b4a898a5c8a9fb1852b125189f506
Instruction Fuzzy Hash: A521B731B25F0A4FE758EB58C4A56F673A1EF98300F5044B6944AC36E7CE25B9458790

Function 00007FFD9B9A3FD0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2a6bbbedcd1cb1698da0322f547d16c234d947a5c6bdefe71956db845756ae2
Instruction ID: 2d529e086627061aa2c153391be82b01bf8f66fd976cc69ef52fed1dd23ae59d
Opcode Fuzzy Hash: e2a6bbbedcd1cb1698da0322f547d16c234d947a5c6bdefe71956db845756ae2
Instruction Fuzzy Hash: 3D113831B1DA0D1FE7B8A65C685A7B673C5DBDA260F05017EE48EC33A2DC15BC428282

Function 00007FFD9B9B9A09 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7b90b1335bfead49733b8ddeb680fdf4ba0c733d5ed5c8acde984a866bb8169
Instruction ID: 83e69c6aa5a7022652a2d18bbeb62b98b2208199a193dabd3bc460f9c0bd0213
Opcode Fuzzy Hash: d7b90b1335bfead49733b8ddeb680fdf4ba0c733d5ed5c8acde984a866bb8169
Instruction Fuzzy Hash: 49210D31B2EB6C1FDB65966D9C255F87BA1EFDA620705027BE049C32A3CD15AC068781

Function 00007FFD9B9A7065 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c556f3fda76098c06ae81203bad3f7eea9498d7f26b91a8ddb3fef5eec8e7a96
Instruction ID: 38538fab072b914d07b12df0893cc6c441b4dec172a304f1ee79eaaf78099ddd
Opcode Fuzzy Hash: c556f3fda76098c06ae81203bad3f7eea9498d7f26b91a8ddb3fef5eec8e7a96
Instruction Fuzzy Hash: 0421492162DA990FE751DB2C94696B07FD1DBAA310F0909BEE8C8C71B2D81DD9C2C301

Function 00007FFD9B9BAEA0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf88531d2914542c54e86e47f51150a36c5058c44abc4caaa0d47a7b70840b97
Instruction ID: e6d3853480c87d6b305c366ca959510429eb404153fb86101b0278411cdf52a0
Opcode Fuzzy Hash: cf88531d2914542c54e86e47f51150a36c5058c44abc4caaa0d47a7b70840b97
Instruction Fuzzy Hash: F5215930A28A4E8FDB98EF68C4647EA73A1FF58304F5005A9E41EC7296CF35E951CB40

Function 00007FFD9B9B96D5 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39f8a6eee3eb0f492e7aee699fd19a94626a50f5edc4d7045a6633ffa7525368
Instruction ID: 8769832a91998fb92ff229f425d295f65043f768e724d94d4237385d5d26902d
Opcode Fuzzy Hash: 39f8a6eee3eb0f492e7aee699fd19a94626a50f5edc4d7045a6633ffa7525368
Instruction Fuzzy Hash: AB21C331B1EA8D4FDB94EF5C84656A937A1FF99310B5602BAD04CC72A2CE28AD418781

Function 00007FFD9BA639B2 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034603322.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba60000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf0048333752088dbba18d999b26afdda0fc9b4240cbce65f35807a066f945d6
Instruction ID: 31adf86c4e50c2d4961695f2879ff3eccbc833a364651f14f01447a878c6ae22
Opcode Fuzzy Hash: cf0048333752088dbba18d999b26afdda0fc9b4240cbce65f35807a066f945d6
Instruction Fuzzy Hash: 5F21BB52B1EE4F4FF7F5576C08B513856C2DF9864079A01BAD45EC32E6ED59ED025300

Function 00007FFD9B9A4CF1 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92ecefa091646f333255a2bcbae24fc6ab4e2ff03aae2b209684d96efa6a0fca
Instruction ID: 4a52660c0ed6c4ff67cb165a07d748d36b9922c5541bdfac025924520c340095
Opcode Fuzzy Hash: 92ecefa091646f333255a2bcbae24fc6ab4e2ff03aae2b209684d96efa6a0fca
Instruction Fuzzy Hash: A721B131A1EB191FE765E72894913F57BD0DF84220F04067FD04DC61B2CE296B8683C6

Function 00007FFD9B9ACFC5 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13409001959c1e933ec7977be163bba7c48e4aaece2282a9367e91ace09f969d
Instruction ID: b9d30a2279e17f54a2ef1f10de0bc9b5ce5940cb5b567da3b8976b9ed6a15086
Opcode Fuzzy Hash: 13409001959c1e933ec7977be163bba7c48e4aaece2282a9367e91ace09f969d
Instruction Fuzzy Hash: AD118F0158FADA1FE34657B44C399E13FA5DF8755071E42EBE085CA4B3C85C4A8B8362

Function 00007FFD9BA65A4F Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034603322.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba60000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20661cfd64fb6f0d946b6ff37e51641e759ec480457436becf85e175033328c
Instruction ID: 4b536f7c7a760201d1cf30f7ad6e1e8acd780f29501163ea023ee6e062123f6a
Opcode Fuzzy Hash: e20661cfd64fb6f0d946b6ff37e51641e759ec480457436becf85e175033328c
Instruction Fuzzy Hash: BA11B661B0AE4E4FE7B5976C08B823455C2DF9821079A01BFD45DC32E7ED59DD014340

Function 00007FFD9BA64A86 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034603322.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba60000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5c7f8715356bd390859e2cc912ef8663367792d5145cf7ba946c7ae5c11bdfc
Instruction ID: 151c7525d5e1e63521f7c586db4e4ffe67691ed268023315fced1d47e57cfe95
Opcode Fuzzy Hash: f5c7f8715356bd390859e2cc912ef8663367792d5145cf7ba946c7ae5c11bdfc
Instruction Fuzzy Hash: 8111E661B0AE4F4FE7B997AC14B423855C2DF9811079A01BAD41EC32F6ED59DD414300

Function 00007FFD9BA62C8C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034603322.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba60000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee56791ed6583093ce3353f144011a65c6c347eafcebfc0fcb69bc645fe173b9
Instruction ID: f9ac815675cd7694d2662a72f35ff23a153227cbc28e3c94d967b5b03ecf1a4e
Opcode Fuzzy Hash: ee56791ed6583093ce3353f144011a65c6c347eafcebfc0fcb69bc645fe173b9
Instruction Fuzzy Hash: 7811C861B0AF4E4FF7B9A3AC04B423565C2DFD8250B5A01FAD41DC32EAED59DD014340

Function 00007FFD9BA62964 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034603322.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba60000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 196a39a534160c21a71a587290381a7ea487f331a2cd1ca7ed3b05dc24b7223a
Instruction ID: 8e831eb6583b9ec38c777d86f1281445cd8c25e11a64452179ad74d1ead36657
Opcode Fuzzy Hash: 196a39a534160c21a71a587290381a7ea487f331a2cd1ca7ed3b05dc24b7223a
Instruction Fuzzy Hash: 7211EB62B0EE4F4FE7BAA3AC04B423955C2DFD8150B5A41BAD41EC32E7ED59ED014300

Function 00007FFD9B9B8E7E Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22d5f07fc4b94cb668f5bdf99abe13c757df6978108d8ebf126e4c7c27f8085c
Instruction ID: eb03518ac4701661a191dfa18fd7a01b92e244171402fd341a4250c8407c397e
Opcode Fuzzy Hash: 22d5f07fc4b94cb668f5bdf99abe13c757df6978108d8ebf126e4c7c27f8085c
Instruction Fuzzy Hash: CB11580044F7D21FE79393B869655923FF18E8B52070E41EBD4C4CE0B7C44E488AC762

Function 00007FFD9B9B8BCD Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 009d1f593fd8c4ddf0532d515bf3b72328a1183dc6134ae75d855ffebd59a8c1
Instruction ID: 43525be8bc7dcde6dccf3d4375c697ca35b6c0343490da9ea7834d9ddc0f3552
Opcode Fuzzy Hash: 009d1f593fd8c4ddf0532d515bf3b72328a1183dc6134ae75d855ffebd59a8c1
Instruction Fuzzy Hash: D011662058F7D65FD34387A49C65A927FF49F8B25030E41EAE085CB0B3C50D898BCB62

Function 00007FFD9B9AD3F5 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37349b8919b9e1d820be5bed372112a3caaf06cd03214356f15c9ea2c4fa412b
Instruction ID: 9269700414e6f8212ba85bae8efd1d8669cb1bb5cd8c959c43a96e0507ee76bb
Opcode Fuzzy Hash: 37349b8919b9e1d820be5bed372112a3caaf06cd03214356f15c9ea2c4fa412b
Instruction Fuzzy Hash: 0B119E2168FBC61FC34797758C20AD17FE5EF8B11030A41EAD099CB5A7C91D9987C761

Function 00007FFD9B9AE521 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb15890c89776780cf4d0a7b4c34852c439d83ef1d0e6a9d1743a7282e3843a1
Instruction ID: 172f88314ba68027c9feceaf381319891c5016ad89b084332ace8905f7ec25a3
Opcode Fuzzy Hash: fb15890c89776780cf4d0a7b4c34852c439d83ef1d0e6a9d1743a7282e3843a1
Instruction Fuzzy Hash: DF21FF3090EB899FDB06CF6898606A9BFF0FF5A300F1505AAE099C32A2DA745544CB01

Function 00007FFD9B9A2468 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07dcac51953c36fde6fa97a4e41277d77917129466f0696c7107d38f503b26b6
Instruction ID: 09afabb7a0db2dd213c957265a17d9179636720feb5a659064881dc914289875
Opcode Fuzzy Hash: 07dcac51953c36fde6fa97a4e41277d77917129466f0696c7107d38f503b26b6
Instruction Fuzzy Hash: 8E112C32A2F59E1BE32557B458249E97BE0EF41310B5A01FAE484C71E7DC5DAB828781

Function 00007FFD9B9A65F1 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b691c1ca9017714bcd798cea18696fe9b272ef8884baaeec02fc5327d4047f65
Instruction ID: 4e61911019b7e252dc7851ef5d3af38a06e44d0c3c3b540a49b50fdec18bcc1d
Opcode Fuzzy Hash: b691c1ca9017714bcd798cea18696fe9b272ef8884baaeec02fc5327d4047f65
Instruction Fuzzy Hash: FF11823190A68A4FCB51DFE4C855AEABBF0EF46200B0545AAD058C71A2DB789545C791

Function 00007FFD9B9B159D Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6b84b53e865da72223d2b4bccaaab8bb3da6ced88e1ad119a527e9d57d68279
Instruction ID: d5231e7433b5e37f3cc21bef4e0e0ac394d862f7423ea8268b2f92d684e9eebd
Opcode Fuzzy Hash: a6b84b53e865da72223d2b4bccaaab8bb3da6ced88e1ad119a527e9d57d68279
Instruction Fuzzy Hash: 4211E73162AAA89FDBA4DB3984A4A647B91FF18204B0800EDD44AC71E3DE14E944CB41

Function 00007FFD9B9C0D65 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b607663166d407666adb0c58425849f8310739662877e1afb623d7209f0b9e0
Instruction ID: 39ba3c4eb843626dda61d036266f14111c16dd7fe12901830130f5df4108afe5
Opcode Fuzzy Hash: 1b607663166d407666adb0c58425849f8310739662877e1afb623d7209f0b9e0
Instruction Fuzzy Hash: 9301E521B1FF5E1FDBAAA26C54392746BD1DF86A40B1641BAC00CC71F2DE1869428351

Function 00007FFD9B9B15B0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e26e0d7eefe4920f30d99df203dcab842cd2c84517f41d611dc951f12f54ca7
Instruction ID: 522273f5e6368105072157f8ee4e31143ad17d0d3496e19fdc3eca72606e2062
Opcode Fuzzy Hash: 0e26e0d7eefe4920f30d99df203dcab842cd2c84517f41d611dc951f12f54ca7
Instruction Fuzzy Hash: 51110631625E6C9FDBA8EB3984A4A6577D1FF68304B0804BCD44AC72E6DE14E904CB40

Function 00007FFD9B9C0D42 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6d18156d2dcbcc4643a326c97a2ce5c29fe5c897c81a8deab218c535597341f
Instruction ID: 72d3ee8b55146ce835c0824dcc643195799b110d6f2f719f6632d57f7d29733c
Opcode Fuzzy Hash: c6d18156d2dcbcc4643a326c97a2ce5c29fe5c897c81a8deab218c535597341f
Instruction Fuzzy Hash: 9601D811F2EA5E2BDB6963B854752B96BC1DF85650F1601FAC00CC71F2DE1C79414351

Function 00007FFD9B9AFF80 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e166f1ba7aea67348964e664996433623bb98b37e980d20b575754f80a4ffdc
Instruction ID: 286d234210d1379a4cb230b6816d4b4d0ec70b678ca41fa545a482b867851327
Opcode Fuzzy Hash: 2e166f1ba7aea67348964e664996433623bb98b37e980d20b575754f80a4ffdc
Instruction Fuzzy Hash: 7B11C230A1AB4A9FEB5A977CA8257603BA0DF43344FA941F9C41ECB1F2C9295C49CB11

Function 00007FFD9B9C4A60 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d7a6dbc683798abebfb26eb89d7879d39a7b8b1a89416f40f83340995e018d0
Instruction ID: 25b3735e086b7b1e4c30706d1187105418dcec98b7d2dc46250e62e644ddf2ce
Opcode Fuzzy Hash: 2d7a6dbc683798abebfb26eb89d7879d39a7b8b1a89416f40f83340995e018d0
Instruction Fuzzy Hash: 8DF0C87270C61C1EA72CA929AC4B5F673D5D786235B00013FE48EC3152ED21B81342D5

Function 00007FFD9B9C5EAB Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82b34ca1c5356a0f615b8afa29beeb87d00eb38979f326c9b5abae3652a37bae
Instruction ID: 897dd2d886b4ea34fc7a1502a63ead5c50180d0aa4ce280f8b31426a78e0caba
Opcode Fuzzy Hash: 82b34ca1c5356a0f615b8afa29beeb87d00eb38979f326c9b5abae3652a37bae
Instruction Fuzzy Hash: F801DB7171DE4C4FDB59A62C64165F477D1EB86320B4501BEE04EC72A3DE11EC428784

Function 00007FFD9B9BC229 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7279095e6ad4d09d6bbe585fabefeb8203d7da51c691ce44899d049a3d4d596c
Instruction ID: f17a740b1e979dbd082594dedcd62199d11cdb265ea3bd13de75809eaffddfaa
Opcode Fuzzy Hash: 7279095e6ad4d09d6bbe585fabefeb8203d7da51c691ce44899d049a3d4d596c
Instruction Fuzzy Hash: 1901A211B1DF8A0FD7A9E37864A55F277E1DF9922034942FBD04AC31DBDC2899458381

Function 00007FFD9B60EA8A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3030777135.00007FFD9B60D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B60D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b60d000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0ac73d739d9ef06a14b2f64827ab18abfe1051dd34441c71f980f520150b3e
Instruction ID: 00092e5b053283dc50afd047b10b5bfa4bf08f8bfe2b6bdb656a682677c0000d
Opcode Fuzzy Hash: 0f0ac73d739d9ef06a14b2f64827ab18abfe1051dd34441c71f980f520150b3e
Instruction Fuzzy Hash: 97016232A0DE08CFD668EB6EE04599577D1FB4832071045AFD099CB6A6DA21F886CB91

Function 00007FFD9B9B990B Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19b86783e21328853a36022aa46b1a5c38f60fa4b5938f29ff15e0b79a76afee
Instruction ID: a0d77608ee7308112e416793b24033e2ecf9f8a183eeb3f1086686544887a789
Opcode Fuzzy Hash: 19b86783e21328853a36022aa46b1a5c38f60fa4b5938f29ff15e0b79a76afee
Instruction Fuzzy Hash: F8014630B1490D8FDB84EFADD899AA9B3E1FF9831170100B9D04AD72A2CE24EC42CB40

Function 00007FFD9B9B88F4 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1e49297abfa1a89f238b5967bb13eb5a2ab5711ff48a65a4eab5120a816989d
Instruction ID: 826a000bf5a418785b95b1ec47dd1926d9461e9c7c925da839a721c87a8a20c9
Opcode Fuzzy Hash: b1e49297abfa1a89f238b5967bb13eb5a2ab5711ff48a65a4eab5120a816989d
Instruction Fuzzy Hash: A901D620B1EF5E0FE795A3BC18661642AE0DF49654B8501F6D41DC71F7DD0C9D418791

Function 00007FFD9B9A223A Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3741dde4fbe5e6ccd64275337497112d5045905cdfab7a2a039b346cefea70ef
Instruction ID: b41c9f6a47d1db2d6005a4b1794c3f48e286910501b4c47ae6c5d77e28a80e1d
Opcode Fuzzy Hash: 3741dde4fbe5e6ccd64275337497112d5045905cdfab7a2a039b346cefea70ef
Instruction Fuzzy Hash: CF01443081EBCC6FE75697B894696A67FF0EF56300F4600E7D848CB1A3C9292749C702

Function 00007FFD9B9AD551 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36e8c658469c25a1244628fe33641a416c2f09698af8f4013bf7e4e62d10c4bf
Instruction ID: 25057a6395094c1e8abb88021e6ff15a2aa18724058f1e2e97f094c999f1ff26
Opcode Fuzzy Hash: 36e8c658469c25a1244628fe33641a416c2f09698af8f4013bf7e4e62d10c4bf
Instruction Fuzzy Hash: 60F028B181E69D2FD755CFA88C19AE63BE4FF56240B0A01ABF049C32A2CA245904C351

Function 00007FFD9B9B8965 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86a6b1af8acf71f58e995891af2e2dd64ed19d1ba3da8de14df6f8521b41a8d3
Instruction ID: abb48996fe724640561ecbee2eb2cd1715d899372f53922e6035bcd0216bfa6e
Opcode Fuzzy Hash: 86a6b1af8acf71f58e995891af2e2dd64ed19d1ba3da8de14df6f8521b41a8d3
Instruction Fuzzy Hash: D9F0901060FBEA6FE767937C68A56603FB0AF4B64070A41E7D488CB1B7D9089D45CB52

Function 00007FFD9B9C1616 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e0ea164c6dce90c31e4befc48181c9344c04f21632afdbea299f6ab49aba47a
Instruction ID: d4aee4b323d6746cad200d963a9ed6fba71526ff50cba08c2483213a2ed967e0
Opcode Fuzzy Hash: 2e0ea164c6dce90c31e4befc48181c9344c04f21632afdbea299f6ab49aba47a
Instruction Fuzzy Hash: FDF0BB1271EA5D1BD6B4A95C686517473D2DFD8614B59027AD00DC32A7CD25BE424381

Function 00007FFD9B9A6620 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f93f14fb15a693c26596626a5767639907b00ac16d63cd4ba175e964ffdce715
Instruction ID: ecab517812fe331a9f87dcd92e3a1ee14295021e54e0f51cde81f4fe2055e015
Opcode Fuzzy Hash: f93f14fb15a693c26596626a5767639907b00ac16d63cd4ba175e964ffdce715
Instruction Fuzzy Hash: B5F03C30E15A1E8FDB94EBA898556EEB7F0EF09300F41057AD01DD21A1DB756A408B81

Function 00007FFD9B9BDC95 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33ac7d5f23756a64c5c3bc1b621eb051f8f8aa71bbd4bc77a5501fd0a0317172
Instruction ID: b92df21f5a6b0cde511476133d1247c226e3b05a64fa92b21b36231d8e38a0cb
Opcode Fuzzy Hash: 33ac7d5f23756a64c5c3bc1b621eb051f8f8aa71bbd4bc77a5501fd0a0317172
Instruction Fuzzy Hash: 92F05411B28E5F0BEB89FB6850E59F96291FFA420179442B6D01EC22DFDD28E94683C1

Function 00007FFD9B9A21D3 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14782fdc2067001e5bc0f3af684b0c0540bd30bcfe890b62a349a26918c4ccda
Instruction ID: 7e0d47e916dac75a02521c8d512f7c34a74b3e73b85c165d1ac8f0b624ab3566
Opcode Fuzzy Hash: 14782fdc2067001e5bc0f3af684b0c0540bd30bcfe890b62a349a26918c4ccda
Instruction Fuzzy Hash: 33F02E6275FA0E1BD254B4DD28E11F17780F740330B45017ACA1CC75A6D589B9524290

Function 00007FFD9B9A22AD Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52f784f85fda87f68eac649d419e2aa6f8556e5b8301230ad74816adffe75703
Instruction ID: 8a223ba056d2f94ee04c68c9a25c91a53f51d730b8f38d62c67a1002257ba261
Opcode Fuzzy Hash: 52f784f85fda87f68eac649d419e2aa6f8556e5b8301230ad74816adffe75703
Instruction Fuzzy Hash: 00F0F431919B8C5FE759DBA848AA0E97FB1EF59300F8501E6D449C7063EE3555858700

Function 00007FFD9B9A3050 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7bab26d313fd607b43e29aaf503c1553448321082006681047b909a65aac327
Instruction ID: 2ed602446618681e069398e4a624ae474f6b2d47d2c5556163297025f745a29f
Opcode Fuzzy Hash: a7bab26d313fd607b43e29aaf503c1553448321082006681047b909a65aac327
Instruction Fuzzy Hash: DFF05930B2DB490BE364EA7C941523573C1EF45205F02097DD88DC71B2DF26EC424241

Function 00007FFD9B60EA9C Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3030777135.00007FFD9B60D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B60D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b60d000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a8654a31c05ac4ff792fd6c6a9a15533ddbb3aace12f62fa4cb29af3fdeccb5
Instruction ID: 7f2311a8ed2858734c8d56f8bc68428b32c6d0e46598f8620adb82c8e4e9a2ec
Opcode Fuzzy Hash: 7a8654a31c05ac4ff792fd6c6a9a15533ddbb3aace12f62fa4cb29af3fdeccb5
Instruction Fuzzy Hash: DEF01D30919E09CFCBA4EF2EC485D1237E1FB583107114559D49DCB266D634F881CB90

Function 00007FFD9B9BA4C0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f26f833482615666ea843ec038009ed36062965e41bda7db91f600928be7629
Instruction ID: 683bfbf8f6c9e07b7ae5944e2d2e8e252ece735b06186232aa8823457ae3f04c
Opcode Fuzzy Hash: 3f26f833482615666ea843ec038009ed36062965e41bda7db91f600928be7629
Instruction Fuzzy Hash: 63F02B3162EADE0BE32953A454645A47BA1FF41350B8A01F6D448CB0E3DD5CAE858781

Function 00007FFD9B9A345C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 616d6431ddb6218e7c04f87f23ef0078ad985a1db7db0bbaffc0483f62c14c1d
Instruction ID: 25193f3b3e4de8fed690c6e164b00f217c102333cc6b81a0e0a3d9c8277b5d65
Opcode Fuzzy Hash: 616d6431ddb6218e7c04f87f23ef0078ad985a1db7db0bbaffc0483f62c14c1d
Instruction Fuzzy Hash: 9AF0A77190D60D5FD718EE86EC465EA77A8FF85224F00013AF45D82162D6356962C750

Function 00007FFD9B9B8912 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee2d5141f500c1447a6ea3033528b6d01177b7dda3a7cc461686c99cb7377155
Instruction ID: 09abab16d3fc57b67e9e8445c8af89d46a07d4cf045e7d8c4ae2d2aece7b4569
Opcode Fuzzy Hash: ee2d5141f500c1447a6ea3033528b6d01177b7dda3a7cc461686c99cb7377155
Instruction Fuzzy Hash: F7F0A710B1DE1E0FE795B37C18665A87991DF89560B8406F6D45AC31F7DC189E418381

Function 00007FFD9B9B978A Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f5a83eb52d1d1e2f6a321c3ff9964017b670613b7e82d979e895dd3aad2df0b
Instruction ID: 486e943156524dabfdffe8c8bcf4372cfb4bb277b343d402b328974f23cb276d
Opcode Fuzzy Hash: 0f5a83eb52d1d1e2f6a321c3ff9964017b670613b7e82d979e895dd3aad2df0b
Instruction Fuzzy Hash: FBE07D3251C94C5BEB40AE6CA8108D57BD0FBC5308F00019AE55CC7151D2135515C741

Function 00007FFD9B9AC749 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad33ace608c5cb147a9f2598ba727f01101bb144dd5e7ca0b437bdf4e1de11c0
Instruction ID: 93266440e6028fbb3e1817c6c2d3a7357264cece61deb00438045f46e5e9d530
Opcode Fuzzy Hash: ad33ace608c5cb147a9f2598ba727f01101bb144dd5e7ca0b437bdf4e1de11c0
Instruction Fuzzy Hash: 32D09713B3AA0E06EF90A9583C902F06389FB94A28B404331C849830A2DC1B6A030180

Function 00007FFD9BA60FB1 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034603322.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba60000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7436ca66e0e884e30720814de0ea0ebbd4f6fc324da8fe61c3b6b271746bb163
Instruction ID: 126ae2705a8d628c8edf92db5c6321160ebd2d9b5d4b19f9ec79f83eceef1031
Opcode Fuzzy Hash: 7436ca66e0e884e30720814de0ea0ebbd4f6fc324da8fe61c3b6b271746bb163
Instruction Fuzzy Hash: C2D0C91176A61A07F66421DC68623B97285DB88714F611537E90DC22E6CCDEAD9122D2

Function 00007FFD9B9C1481 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c0ae170fc5869c372ac578353aac515bca9c7ffb40f7bd84bf7656414d58819
Instruction ID: c22eab70701aa32e8d7eba45cd06a45593d7edf9d8f402a0bdc38dfcc0024f0b
Opcode Fuzzy Hash: 1c0ae170fc5869c372ac578353aac515bca9c7ffb40f7bd84bf7656414d58819
Instruction Fuzzy Hash: 51D0223275E64D4EC731AA787C142FEB381EBC1235F5507BBC10DC2296CD2B82828382

Function 00007FFD9B9B93C6 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13035b9b504be2c9442eeffaef87dacfc1ae0bdfe499cad79375d77f2b5bd5d8
Instruction ID: 8288cca27d47f5fe7edb6c63e620f0ef1c720dab6a956f2be0f889e5e3e44a33
Opcode Fuzzy Hash: 13035b9b504be2c9442eeffaef87dacfc1ae0bdfe499cad79375d77f2b5bd5d8
Instruction Fuzzy Hash: 33C01222BAA82E5ADAA4A29874232FCB311DBC5218B821432E11DC21C2CD4A29100AC2

Function 00007FFD9B9B28A3 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 071698123b5b2659ea59642cb8cb1d0272abbb1dfe4a355042d41a86ae84202c
Instruction ID: d97d9ff80069605b3305ee02040128d0f8fe336204cb48883de2707b4daff958
Opcode Fuzzy Hash: 071698123b5b2659ea59642cb8cb1d0272abbb1dfe4a355042d41a86ae84202c
Instruction Fuzzy Hash: 5BA00202BEB43E11D65420ED79520D8B784C785575BD63A72E9088415EAC8E5AD606C1

Non-executed Functions

Function 00007FFD9B9B0EFA Relevance: 1.4, Strings: 1, Instructions: 194COMMON

Download Yara Rule

Strings

5#_^, xrefs: 00007FFD9B9B0F01

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID: 5#_^
API String ID: 0-1833570910
Opcode ID: 1859c82fe913a6da66943a0561f1cb6fa002ac77325063e64af4ac41a9a61cdf
Instruction ID: 8cc5f149879ada0612d22ac0024846f819f606b98f653735ae97522e77928cde
Opcode Fuzzy Hash: 1859c82fe913a6da66943a0561f1cb6fa002ac77325063e64af4ac41a9a61cdf
Instruction Fuzzy Hash: 465128A7F092675BE712BB6CF8E25D637A0DF1132C74901B3D0E84E0D3DD19784A8A85

Function 00007FFD9B9A10D1 Relevance: .5, Instructions: 516COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1223343a3ef92e7907e3c19a7612937f25bd1ebb747364f788bd1a387f69399
Instruction ID: ac9a2ca892f76cd01684f7a56976f01704012f78199660034a4726a4b6b88a46
Opcode Fuzzy Hash: a1223343a3ef92e7907e3c19a7612937f25bd1ebb747364f788bd1a387f69399
Instruction Fuzzy Hash: 1CF14D17B0E2A35AE71777BC74F24EA7BA0DF0222874946F3D0DD4D0A79D0D29868296

Function 00007FFD9B9B0E0F Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3034173665.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9a0000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 222c1d5cc5a8618747a9f57f2910643d0fca179f91c897e5be3c0bdad871358e
Instruction ID: cbc85aa7f37435d5cb13f16b446b75bfc3d6106d9d663213267b0b0e73ccd0a8
Opcode Fuzzy Hash: 222c1d5cc5a8618747a9f57f2910643d0fca179f91c897e5be3c0bdad871358e
Instruction Fuzzy Hash: EE912767B0D2675AE716BBBCF4E19D63BA09F0122875841B3D0ED4E0D3DD1D384A8686

Function 00007FFD9B721729 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3031160781.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b720000_LFLtlBAuf7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37906b9bbcf4d3cb482ae57f5a5ec7cadd6fecaf6c6a58330f9b95b9883c2dce
Instruction ID: 46ee2b2db0f1acca58666333500e32a9c6061549134d667c2f9f08d4f55ee37c
Opcode Fuzzy Hash: 37906b9bbcf4d3cb482ae57f5a5ec7cadd6fecaf6c6a58330f9b95b9883c2dce
Instruction Fuzzy Hash: CC71BC2770866A09E7017BBCB8A54EE7BA0DFC5371F4406B7D2D8C9097EE19244AC7D2

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LFLtlBAuf7.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Quasar

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
LFLtlBAuf7.exe

Function 00007FFD9B9BE399 Relevance: 4.9, Strings: 3, Instructions: 1118
COMMON

Function 00007FFD9B7236A9 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 130
fileCOMMON

Function 00007FFD9B7236ED Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 107
fileCOMMON

Function 00007FFD9B9BE401 Relevance: 3.0, Strings: 2, Instructions: 460
COMMON

Function 00007FFD9B9A2440 Relevance: 1.8, Strings: 1, Instructions: 528
COMMON

Function 00007FFD9B9A3FA6 Relevance: 1.7, Strings: 1, Instructions: 427
COMMON

Function 00007FFD9B9AC425 Relevance: 1.6, Strings: 1, Instructions: 367
COMMON

Function 00007FFD9B9BA9C1 Relevance: 1.6, Strings: 1, Instructions: 320
COMMON

Function 00007FFD9B9B17E5 Relevance: 1.5, Strings: 1, Instructions: 213
COMMON

Function 00007FFD9B9B2139 Relevance: 1.5, Strings: 1, Instructions: 208
COMMON

Function 00007FFD9B9B2150 Relevance: 1.4, Strings: 1, Instructions: 196
COMMON