Edit tour

Windows Analysis Report
O9MV0lNEO5.exe

Overview

General Information

Sample name:	O9MV0lNEO5.exe renamed because original name is a hash value
Original sample name:	55c5b0b62609618558f51c5f35380291a4337cae8b14e65dd5ce7b226e9e4096.exe
Analysis ID:	1578203
MD5:	2884a477526c8308e9492845449e7e55
SHA1:	eee9ad47bffe627c71529e81bf9daaf95ee3df30
SHA256:	55c5b0b62609618558f51c5f35380291a4337cae8b14e65dd5ce7b226e9e4096
Tags:	51-15-17-193exeuser-JAMESWT_MHT
Infos:

Detection

Quasar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Quasar RAT

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Modifies the context of a thread in another process (thread injection)

Sets debug register (to hijack the execution of another thread)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

O9MV0lNEO5.exe (PID: 6204 cmdline: "C:\Users\user\Desktop\O9MV0lNEO5.exe" MD5: 2884A477526C8308E9492845449E7E55)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Quasar RAT, QuasarRAT	Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.	APT33 Dropping Elephant Stone Panda The Gorgon Group	http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848 https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf https://asec.ahnlab.com/en/31089/	https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware Configuration

Threatname: Quasar

{"Version": "1.4.1", "Host:Port": "51.15.17.193:4782;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "d099b659-69af-41e2-9d7f-a5e64da5be06", "StartupKey": "Quasar Client Startup", "Tag": "Viltrac", "LogDirectoryName": "Logs", "ServerSignature": "VcdWXYvy8iyLGpEpemlpsJsFzopYmofL4QNr2feHUJsPL+ngY0C7JQYOq6aYbsAjgmj6IbwZJc1XmizrExnUy+PRbyzdhXn/sVtf0c5aKxd3dt4CKIH8RwhZ+1d8A1yWVaLG3EX77fUG0rpKK62u23rxy2xVXAHtbGpSKxFeRpC7f7sJTZn4Z0Y35tuiIHc4Rm0XPJsGN2gsJlMXuO03yXOGigqpHZKEtj94duYKUJkBGDRcs409u8AbVq5yFO/Z3naE7DUixrawBYsuYNTfV/JKK+8Z6Doi2G4pd/3xdzRGgvcHbvQUlJMvzwA3mfl5ftjQQEBZoznaWANAU/Ma/rkNbcz/Py1HRGprVPjyItNiGGVo8QW6x7kuMhGzKdB2rCq52h/1qHhjHwU1KvTzJy+dDY+t6YAg20GxbhxcZhrwrUECPcommE0TilwcEFKll2uVp5tNn4e75makywwAQv1QKo21YjGls2gLrh6M1FKr7l479IoJkbcZjeRZ8uh3yjyMEf5NJq0oSEuRI3ZPWuczPdKhg3+6KKWtTF5mkUd/2nycS0oUTFjgU+5XNTjvuz4MzJUikklL47VJzJ1Q9JWiNE/2Ple/eqh6VyQfE96cH433HJ2CJH+gAlQwaGWiJ7e0/NQuP5Cn3ocYaux65TLOpt3EyVjnOHH0ZKET/5w=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAMaTO8NkDssYwyYqpLth2zANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MTExMTAzMTk0NVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAjmhEECGx9fJQPcO/tgA+f+kThLAwzf77GITj6MUf+ipJ2FxfDkt1dClWH7x3waX33aitCeYrNHoVpriW1JVNqnzcZZOEu8fmtpxlXlSdBCdVxLNRp6CiJfafCuIfizorZpkBdERawzGdVD5Fmx6p7DSeAm6WV/V6vZROp0FCVmJ5IbSNIu0PHTjRVh0rcT3pt0+tlT/KceZhk5XM2ds5MqCKGpBYXTvWrWzkk8Alby/3M0QFvctC7YytuDOywU+Qj5bAFB7IAlIeJAGlWGoWb3pLL05N2SbfRYdJcucFpq72+MgmneoTxwovJwiUxvRQGUNBjpxZcUA4d+pHtGRvNAU95RxfirGTaWujfHX9um4mNBhYbMb/NRGC737GQV48ksMSEtcR4C9U1GGh/3Czr7S/GIew19pHtdHsnN5P+rn2wbVPlUgzwgcAeHFbVlD+Lguszs0AdHGwv9ZdkHPwBzmOx9YvDEYfEZM9AJk/hWuk85FXZTKMcDSG1ytHbAyGgjLOr8B1z36u3B1kRt+92uHqd06QjFu/ipVIitmGogem5nwTVthP7zLvbjFiv6omskGBu/55ByQicH5MCkDisJKU2ahOFOypbR5hxdodGS13+pQGFqg8cTe0gsnzfrwXKiQu1aYC394MW+z29OO5KK9NSN4bJ3zn4W7Sh5TbbHsCAwEAAaMyMDAwHQYDVR0OBBYEFB73KQ9dKRRykGrTP/ro/ucILFuYMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBACp7CqafH2O5tj6gVDE7FAhoQrPyBNMiQXpXZihG9DIoTHJgiDPuRhdSrVyPKldZ7EsSa52sse6QzmYrRnMOQmUZWP7Cu6QLtYc4IUcGRZWDaY2uVDsnXwyXIkxUHDGeeQG+f5/iBiKTMqy+6O0cIRqebMtTqvmob5yQggXp5CVXTbq+pb0DmcLsMbZbrWNviVC7QBXpwHyH24H7iv2aEEAAQorIg35v75Oen7nvFPGcKiaEjvTKvoce2j2OceW20QAaQlSBeSaOIsAyw1q1e6uIoC6PjDb0URbXV6LAJz5RjfinSiQuo0nLzRLRiecEOiBBhtXsMXBIs/jxGqMKT14QbXMVLX9STaDho5i0LAkypnYNjFznc40Ot/Xqx5pS9B/jBppVVNKjv//AdTbKa9WNUPTQZg91IAnXAE6FTSGwUSzGhmrf4WJfHLt0uITn/fOrZfL/enju+jnX3TKRU8N4BNakHcAv2XJh0qmDnmKBAHrq5rCNsSO6Bsl411FYxb3enXQAd6SNy+G/kx1Up4+jAg67bTZDlq38opVU0k0ZAxmLWHUHI1QbcnAhah0g40fW5UY9kijuWbxVea8K+arIRk4hBLqFLNkwoa5eEKg7+ErtUJeqR1Q8YJhCzqz8zQ5Rf0EdE40W9H4zsxgQUFmqAE/klrdI06pJLB3bjvwa"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.3375070273.00000192677B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.3375070273.0000019267982000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.3378444438.00000192777B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.3370505588.00000192001AA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.3371803708.00000192006D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.3371803708.00000192006D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.3371803708.00000192006D0000.00000004.08000000.00040000.00000000.sdmp	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ee9d:$x1: Quasar.Common.Messages 0x29f1c6:$x1: Quasar.Common.Messages 0x2ab832:$x4: Uninstalling... good bye :-( 0x2ad027:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
00000000.00000002.3371803708.00000192006D0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aade4:$f1: FileZilla\recentservers.xml 0x2aae24:$f2: FileZilla\sitemanager.xml 0x2aae66:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0b2:$b1: Chrome\User Data\ 0x2ab108:$b1: Chrome\User Data\ 0x2ab3e0:$b2: Mozilla\Firefox\Profiles 0x2ab4dc:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd460:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab634:$b4: Opera Software\Opera Stable\Login Data 0x2ab6ee:$b5: YandexBrowser\User Data\ 0x2ab75c:$b5: YandexBrowser\User Data\ 0x2ab430:$s4: logins.json 0x2ab166:$a1: username_value 0x2ab184:$a2: password_value 0x2ab470:$a3: encryptedUsername 0x2fd3a4:$a3: encryptedUsername 0x2ab494:$a4: encryptedPassword 0x2fd3c2:$a4: encryptedPassword 0x2fd340:$a5: httpRealm
00000000.00000002.3371803708.00000192006D0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab91c:$s3: Process already elevated. 0x28eb9c:$s4: get_PotentiallyVulnerablePasswords 0x278c58:$s5: GetKeyloggerLogsDirectory 0x29e925:$s5: GetKeyloggerLogsDirectory 0x28ebbf:$s6: set_PotentiallyVulnerablePasswords 0x2fea8e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
Process Memory Space: O9MV0lNEO5.exe PID: 6204	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.O9MV0lNEO5.exe.192777b9ac0.1.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.O9MV0lNEO5.exe.192777b9ac0.1.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28d09d:$x1: Quasar.Common.Messages 0x29d3c6:$x1: Quasar.Common.Messages 0x2a9a32:$x4: Uninstalling... good bye :-( 0x2ab227:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.O9MV0lNEO5.exe.192777b9ac0.1.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a8fe4:$f1: FileZilla\recentservers.xml 0x2a9024:$f2: FileZilla\sitemanager.xml 0x2a9066:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a92b2:$b1: Chrome\User Data\ 0x2a9308:$b1: Chrome\User Data\ 0x2a95e0:$b2: Mozilla\Firefox\Profiles 0x2a96dc:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fb660:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a9834:$b4: Opera Software\Opera Stable\Login Data 0x2a98ee:$b5: YandexBrowser\User Data\ 0x2a995c:$b5: YandexBrowser\User Data\ 0x2a9630:$s4: logins.json 0x2a9366:$a1: username_value 0x2a9384:$a2: password_value 0x2a9670:$a3: encryptedUsername 0x2fb5a4:$a3: encryptedUsername 0x2a9694:$a4: encryptedPassword 0x2fb5c2:$a4: encryptedPassword 0x2fb540:$a5: httpRealm
0.2.O9MV0lNEO5.exe.192777b9ac0.1.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a9b1c:$s3: Process already elevated. 0x28cd9c:$s4: get_PotentiallyVulnerablePasswords 0x276e58:$s5: GetKeyloggerLogsDirectory 0x29cb25:$s5: GetKeyloggerLogsDirectory 0x28cdbf:$s6: set_PotentiallyVulnerablePasswords 0x2fcc8e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
0.2.O9MV0lNEO5.exe.192006d0000.0.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.O9MV0lNEO5.exe.192006d0000.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.O9MV0lNEO5.exe.192006d0000.0.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ee9d:$x1: Quasar.Common.Messages 0x29f1c6:$x1: Quasar.Common.Messages 0x2ab832:$x4: Uninstalling... good bye :-( 0x2ad027:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.O9MV0lNEO5.exe.192006d0000.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aade4:$f1: FileZilla\recentservers.xml 0x2aae24:$f2: FileZilla\sitemanager.xml 0x2aae66:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0b2:$b1: Chrome\User Data\ 0x2ab108:$b1: Chrome\User Data\ 0x2ab3e0:$b2: Mozilla\Firefox\Profiles 0x2ab4dc:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd460:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab634:$b4: Opera Software\Opera Stable\Login Data 0x2ab6ee:$b5: YandexBrowser\User Data\ 0x2ab75c:$b5: YandexBrowser\User Data\ 0x2ab430:$s4: logins.json 0x2ab166:$a1: username_value 0x2ab184:$a2: password_value 0x2ab470:$a3: encryptedUsername 0x2fd3a4:$a3: encryptedUsername 0x2ab494:$a4: encryptedPassword 0x2fd3c2:$a4: encryptedPassword 0x2fd340:$a5: httpRealm
0.2.O9MV0lNEO5.exe.192006d0000.0.raw.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab91c:$s3: Process already elevated. 0x28eb9c:$s4: get_PotentiallyVulnerablePasswords 0x278c58:$s5: GetKeyloggerLogsDirectory 0x29e925:$s5: GetKeyloggerLogsDirectory 0x28ebbf:$s6: set_PotentiallyVulnerablePasswords 0x2fea8e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
0.2.O9MV0lNEO5.exe.192006d0000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.O9MV0lNEO5.exe.192006d0000.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28d09d:$x1: Quasar.Common.Messages 0x29d3c6:$x1: Quasar.Common.Messages 0x2a9a32:$x4: Uninstalling... good bye :-( 0x2ab227:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.O9MV0lNEO5.exe.192006d0000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a8fe4:$f1: FileZilla\recentservers.xml 0x2a9024:$f2: FileZilla\sitemanager.xml 0x2a9066:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a92b2:$b1: Chrome\User Data\ 0x2a9308:$b1: Chrome\User Data\ 0x2a95e0:$b2: Mozilla\Firefox\Profiles 0x2a96dc:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fb660:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a9834:$b4: Opera Software\Opera Stable\Login Data 0x2a98ee:$b5: YandexBrowser\User Data\ 0x2a995c:$b5: YandexBrowser\User Data\ 0x2a9630:$s4: logins.json 0x2a9366:$a1: username_value 0x2a9384:$a2: password_value 0x2a9670:$a3: encryptedUsername 0x2fb5a4:$a3: encryptedUsername 0x2a9694:$a4: encryptedPassword 0x2fb5c2:$a4: encryptedPassword 0x2fb540:$a5: httpRealm
0.2.O9MV0lNEO5.exe.192006d0000.0.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a9b1c:$s3: Process already elevated. 0x28cd9c:$s4: get_PotentiallyVulnerablePasswords 0x276e58:$s5: GetKeyloggerLogsDirectory 0x29cb25:$s5: GetKeyloggerLogsDirectory 0x28cdbf:$s6: set_PotentiallyVulnerablePasswords 0x2fcc8e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
0.2.O9MV0lNEO5.exe.192777b9ac0.1.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.O9MV0lNEO5.exe.192777b9ac0.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.O9MV0lNEO5.exe.192777b9ac0.1.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ee9d:$x1: Quasar.Common.Messages 0x29f1c6:$x1: Quasar.Common.Messages 0x2ab832:$x4: Uninstalling... good bye :-( 0x2ad027:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.O9MV0lNEO5.exe.192777b9ac0.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aade4:$f1: FileZilla\recentservers.xml 0x2aae24:$f2: FileZilla\sitemanager.xml 0x2aae66:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0b2:$b1: Chrome\User Data\ 0x2ab108:$b1: Chrome\User Data\ 0x2ab3e0:$b2: Mozilla\Firefox\Profiles 0x2ab4dc:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd460:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab634:$b4: Opera Software\Opera Stable\Login Data 0x2ab6ee:$b5: YandexBrowser\User Data\ 0x2ab75c:$b5: YandexBrowser\User Data\ 0x2ab430:$s4: logins.json 0x2ab166:$a1: username_value 0x2ab184:$a2: password_value 0x2ab470:$a3: encryptedUsername 0x2fd3a4:$a3: encryptedUsername 0x2ab494:$a4: encryptedPassword 0x2fd3c2:$a4: encryptedPassword 0x2fd340:$a5: httpRealm
0.2.O9MV0lNEO5.exe.192777b9ac0.1.raw.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab91c:$s3: Process already elevated. 0x28eb9c:$s4: get_PotentiallyVulnerablePasswords 0x278c58:$s5: GetKeyloggerLogsDirectory 0x29e925:$s5: GetKeyloggerLogsDirectory 0x28ebbf:$s6: set_PotentiallyVulnerablePasswords 0x2fea8e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
Click to see the 13 entries

Suricata Signatures

ET MALWARE Generic AsyncRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-19T12:31:20.679309+0100	2035595	1	Domain Observed Used for C2 Detected	51.15.17.193	4782	192.168.2.5	49709	TCP

ET MALWARE Observed Malicious SSL Cert (Quasar CnC)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-19T12:31:20.679309+0100	2027619	1	Domain Observed Used for C2 Detected	51.15.17.193	4782	192.168.2.5	49709	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.O9MV0lNEO5.exe.192006d0000.0.raw.unpack

Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "51.15.17.193:4782;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "d099b659-69af-41e2-9d7f-a5e64da5be06", "StartupKey": "Quasar Client Startup", "Tag": "Viltrac", "LogDirectoryName": "Logs", "ServerSignature": "VcdWXYvy8iyLGpEpemlpsJsFzopYmofL4QNr2feHUJsPL+ngY0C7JQYOq6aYbsAjgmj6IbwZJc1XmizrExnUy+PRbyzdhXn/sVtf0c5aKxd3dt4CKIH8RwhZ+1d8A1yWVaLG3EX77fUG0rpKK62u23rxy2xVXAHtbGpSKxFeRpC7f7sJTZn4Z0Y35tuiIHc4Rm0XPJsGN2gsJlMXuO03yXOGigqpHZKEtj94duYKUJkBGDRcs409u8AbVq5yFO/Z3naE7DUixrawBYsuYNTfV/JKK+8Z6Doi2G4pd/3xdzRGgvcHbvQUlJMvzwA3mfl5ftjQQEBZoznaWANAU/Ma/rkNbcz/Py1HRGprVPjyItNiGGVo8QW6x7kuMhGzKdB2rCq52h/1qHhjHwU1KvTzJy+dDY+t6YAg20GxbhxcZhrwrUECPcommE0TilwcEFKll2uVp5tNn4e75makywwAQv1QKo21YjGls2gLrh6M1FKr7l479IoJkbcZjeRZ8uh3yjyMEf5NJq0oSEuRI3ZPWuczPdKhg3+6KKWtTF5mkUd/2nycS0oUTFjgU+5XNTjvuz4MzJUikklL47VJzJ1Q9JWiNE/2Ple/eqh6VyQfE96cH433HJ2CJH+gAlQwaGWiJ7e0/NQuP5Cn3ocYaux65TLOpt3EyVjnOHH0ZKET/5w=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAMaTO8NkDssYwyYqpLth2zANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MTExMTAzMTk0NVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAjmhEECGx9fJQPcO/tgA+f+kThLAwzf77GITj6MUf+ipJ2FxfDkt1dClWH7x3waX33aitCeYrNHoVpriW1JVNqnzcZZOEu8fmtpxlXlSdBCdVxLNRp6CiJfafCuIfizorZpkBdERawzGdVD5Fmx6p7DSeAm6WV/V6vZROp0FCVmJ5IbSNIu0PHTjRVh0rcT3pt0+tlT/KceZhk5XM2ds5MqCKGpBYXTvWrWzkk8Alby/3M0QFvctC7YytuDOywU+Qj5bAFB7IAlIeJAGlWGoWb3pLL05N2SbfRYdJcucFpq72+MgmneoTxwovJwiUxvRQGUNBjpxZcUA4d+pHtGRvNAU95RxfirGTaWujfHX9um4mNBhYbMb/NRGC737GQV48ksMSEtcR4C9U1GGh/3Czr7S/GIew19pHtdHsnN5P+rn2wbVPlUgzwgcAeHFbVlD+Lguszs0AdHGwv9ZdkHPwBzmOx9YvDEYfEZM9AJk/hWuk85FXZTKMcDSG1ytHbAyGgjLOr8B1z36u3B1kRt+92uHqd06QjFu/ipVIitmGogem5nwTVthP7zLvbjFiv6omskGBu/55ByQicH5MCkDisJKU2ahOFOypbR5hxdodGS13+pQGFqg8cTe0gsnzfrwXKiQu1aYC394MW+z29OO5KK9NSN4bJ3zn4W7Sh5TbbHsCAwEAAaMyMDAwHQYDVR0OBBYEFB73KQ9dKRRykGrTP/ro/ucILFuYMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBACp7CqafH2O5tj6gVDE7FAhoQrPyBNMiQXpXZihG9DIoTHJgiDPuRhdSrVyPKldZ7EsSa52sse6QzmYrRnMOQmUZWP7Cu6QLtYc4IUcGRZWDaY2uVDsnXwyXIkxUHDGeeQG+f5/iBiKTMqy+6O0cIRqebMtTqvmob5yQggXp5CVXTbq+pb0DmcLsMbZbrWNviVC7QBXpwHyH24H7iv2aEEAAQorIg35v75Oen7nvFPGcKiaEjvTKvoce2j2OceW20QAaQlSBeSaOIsAyw1q1e6uIoC6PjDb0URbXV6LAJz5RjfinSiQuo0nLzRLRiecEOiBBhtXsMXBIs/jxGqMKT14QbXMVLX9STaDho5i0LAkypnYNjFznc40Ot/Xqx5pS9B/jBppVVNKjv//AdTbKa9WNUPTQZg91IAnXAE6FTSGwUSzGhmrf4WJfHLt0uITn/fOrZfL/enju+jnX3TKRU8N4BNakHcAv2XJh0qmDnmKBAHrq5rCNsSO6Bsl411FYxb3enXQAd6SNy+G/kx1Up4+jAg67bTZDlq38opVU0k0ZAxmLWHUHI1QbcnAhah0g40fW5UY9kijuWbxVea8K+arIRk4hBLqFLNkwoa5eEKg7+ErtUJeqR1Q8YJhCzqz8zQ5Rf0EdE40W9H4zsxgQUFmqAE/klrdI06pJLB3bjvwa"}

Multi AV Scanner detection for submitted file

Source: O9MV0lNEO5.exe	Virustotal: Detection: 36%			Perma Link
Source: O9MV0lNEO5.exe	ReversingLabs: Detection: 52%

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.O9MV0lNEO5.exe.192777b9ac0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.O9MV0lNEO5.exe.192006d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.O9MV0lNEO5.exe.192006d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.O9MV0lNEO5.exe.192777b9ac0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3375070273.00000192677B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3375070273.0000019267982000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3378444438.00000192777B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3370505588.00000192001AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3371803708.00000192006D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: O9MV0lNEO5.exe PID: 6204, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 89.1% probability

Source: unknown

HTTPS traffic detected: 108.181.61.49:443 -> 192.168.2.5:49710 version: TLS 1.2

Source: O9MV0lNEO5.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2027619 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (Quasar CnC) : 51.15.17.193:4782 -> 192.168.2.5:49709
Source: Network traffic	Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 51.15.17.193:4782 -> 192.168.2.5:49709

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 51.15.17.193

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.O9MV0lNEO5.exe.192006d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.O9MV0lNEO5.exe.192777b9ac0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3371803708.00000192006D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.5:49709 -> 51.15.17.193:4782

Source: Joe Sandbox View

IP Address: 108.181.61.49 108.181.61.49

Source: Joe Sandbox View

ASN Name: OnlineSASFR OnlineSASFR

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ipwho.is

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ipwho.is

Source: O9MV0lNEO5.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: O9MV0lNEO5.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: O9MV0lNEO5.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: O9MV0lNEO5.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA.crt0
Source: O9MV0lNEO5.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: O9MV0lNEO5.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: O9MV0lNEO5.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: O9MV0lNEO5.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: O9MV0lNEO5.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: O9MV0lNEO5.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: O9MV0lNEO5.exe	String found in binary or memory: http://crl3.digicert.com/EVCodeSigning-g1.crl03
Source: O9MV0lNEO5.exe	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: O9MV0lNEO5.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: O9MV0lNEO5.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: O9MV0lNEO5.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: O9MV0lNEO5.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: O9MV0lNEO5.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: O9MV0lNEO5.exe	String found in binary or memory: http://crl4.digicert.com/EVCodeSigning-g1.crl0K
Source: O9MV0lNEO5.exe	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: O9MV0lNEO5.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: O9MV0lNEO5.exe, 00000000.00000002.3371203154.00000192005FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: O9MV0lNEO5.exe, 00000000.00000002.3374418238.0000019265C9F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en8
Source: O9MV0lNEO5.exe, 00000000.00000002.3375070273.0000019267934000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ipwho.is
Source: O9MV0lNEO5.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: O9MV0lNEO5.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: O9MV0lNEO5.exe	String found in binary or memory: http://ocsp.digicert.com0H
Source: O9MV0lNEO5.exe	String found in binary or memory: http://ocsp.digicert.com0I
Source: O9MV0lNEO5.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: O9MV0lNEO5.exe, 00000000.00000002.3375070273.0000019267982000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: O9MV0lNEO5.exe, 00000000.00000002.3375070273.00000192677B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: O9MV0lNEO5.exe	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: O9MV0lNEO5.exe, 00000000.00000002.3378444438.00000192777B1000.00000004.00000800.00020000.00000000.sdmp, O9MV0lNEO5.exe, 00000000.00000002.3370505588.00000192001AA000.00000004.00000020.00020000.00000000.sdmp, O9MV0lNEO5.exe, 00000000.00000002.3371803708.00000192006D0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: O9MV0lNEO5.exe, 00000000.00000002.3375070273.000001926791A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipwho.is
Source: O9MV0lNEO5.exe, 00000000.00000002.3378444438.00000192777B1000.00000004.00000800.00020000.00000000.sdmp, O9MV0lNEO5.exe, 00000000.00000002.3370505588.00000192001AA000.00000004.00000020.00020000.00000000.sdmp, O9MV0lNEO5.exe, 00000000.00000002.3371803708.00000192006D0000.00000004.08000000.00040000.00000000.sdmp, O9MV0lNEO5.exe, 00000000.00000002.3375070273.000001926791A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipwho.is/
Source: O9MV0lNEO5.exe, 00000000.00000002.3378444438.00000192777B1000.00000004.00000800.00020000.00000000.sdmp, O9MV0lNEO5.exe, 00000000.00000002.3370505588.00000192001AA000.00000004.00000020.00020000.00000000.sdmp, O9MV0lNEO5.exe, 00000000.00000002.3371803708.00000192006D0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: O9MV0lNEO5.exe, 00000000.00000002.3375070273.00000192677F1000.00000004.00000800.00020000.00000000.sdmp, O9MV0lNEO5.exe, 00000000.00000002.3375070273.0000019267BCE000.00000004.00000800.00020000.00000000.sdmp, O9MV0lNEO5.exe, 00000000.00000002.3378444438.00000192777B1000.00000004.00000800.00020000.00000000.sdmp, O9MV0lNEO5.exe, 00000000.00000002.3370505588.00000192001AA000.00000004.00000020.00020000.00000000.sdmp, O9MV0lNEO5.exe, 00000000.00000002.3371803708.00000192006D0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: O9MV0lNEO5.exe, 00000000.00000002.3378444438.00000192777B1000.00000004.00000800.00020000.00000000.sdmp, O9MV0lNEO5.exe, 00000000.00000002.3370505588.00000192001AA000.00000004.00000020.00020000.00000000.sdmp, O9MV0lNEO5.exe, 00000000.00000002.3371803708.00000192006D0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot
Source: O9MV0lNEO5.exe	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710

Source: unknown

HTTPS traffic detected: 108.181.61.49:443 -> 192.168.2.5:49710 version: TLS 1.2

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.O9MV0lNEO5.exe.192777b9ac0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.O9MV0lNEO5.exe.192006d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.O9MV0lNEO5.exe.192006d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.O9MV0lNEO5.exe.192777b9ac0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3375070273.00000192677B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3375070273.0000019267982000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3378444438.00000192777B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3370505588.00000192001AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3371803708.00000192006D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: O9MV0lNEO5.exe PID: 6204, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.O9MV0lNEO5.exe.192777b9ac0.1.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.O9MV0lNEO5.exe.192777b9ac0.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.O9MV0lNEO5.exe.192777b9ac0.1.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.2.O9MV0lNEO5.exe.192006d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.O9MV0lNEO5.exe.192006d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.O9MV0lNEO5.exe.192006d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.2.O9MV0lNEO5.exe.192006d0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.O9MV0lNEO5.exe.192006d0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.O9MV0lNEO5.exe.192006d0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.2.O9MV0lNEO5.exe.192777b9ac0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.O9MV0lNEO5.exe.192777b9ac0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.O9MV0lNEO5.exe.192777b9ac0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 00000000.00000002.3371803708.00000192006D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 00000000.00000002.3371803708.00000192006D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000000.00000002.3371803708.00000192006D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Quasar infostealer Author: ditekshen

Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Code function: 0_2_00007FF848F3295E	0_2_00007FF848F3295E
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Code function: 0_2_00007FF8491BAA4D	0_2_00007FF8491BAA4D
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Code function: 0_2_00007FF8491CBA79	0_2_00007FF8491CBA79
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Code function: 0_2_00007FF8491C7336	0_2_00007FF8491C7336
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Code function: 0_2_00007FF8491CE399	0_2_00007FF8491CE399
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Code function: 0_2_00007FF8491B9621	0_2_00007FF8491B9621
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Code function: 0_2_00007FF8491B4E56	0_2_00007FF8491B4E56
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Code function: 0_2_00007FF8491B76AE	0_2_00007FF8491B76AE
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Code function: 0_2_00007FF8491CB009	0_2_00007FF8491CB009
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Code function: 0_2_00007FF8491C80E2	0_2_00007FF8491C80E2
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Code function: 0_2_00007FF8491CEF79	0_2_00007FF8491CEF79
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Code function: 0_2_00007FF8491B11F2	0_2_00007FF8491B11F2
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Code function: 0_2_00007FF8491C0E0F	0_2_00007FF8491C0E0F
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Code function: 0_2_00007FF8491B5D35	0_2_00007FF8491B5D35
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Code function: 0_2_00007FF8491BBDA5	0_2_00007FF8491BBDA5
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Code function: 0_2_00007FF8491B10D1	0_2_00007FF8491B10D1
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Code function: 0_2_00007FF8491C0EFA	0_2_00007FF8491C0EFA
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Code function: 0_2_00007FF8492723F1	0_2_00007FF8492723F1

Source: O9MV0lNEO5.exe

Static PE information: invalid certificate

Source: O9MV0lNEO5.exe, 00000000.00000002.3378444438.00000192777B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs O9MV0lNEO5.exe
Source: O9MV0lNEO5.exe, 00000000.00000002.3370505588.00000192001AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs O9MV0lNEO5.exe
Source: O9MV0lNEO5.exe, 00000000.00000000.2112095031.00007FF646F23000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameRegAsm.exeT4 vs O9MV0lNEO5.exe
Source: O9MV0lNEO5.exe, 00000000.00000002.3371803708.00000192006D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs O9MV0lNEO5.exe
Source: O9MV0lNEO5.exe	Binary or memory string: OriginalFilenameRegAsm.exeT4 vs O9MV0lNEO5.exe

Source: 0.2.O9MV0lNEO5.exe.192777b9ac0.1.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.O9MV0lNEO5.exe.192777b9ac0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.O9MV0lNEO5.exe.192777b9ac0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.O9MV0lNEO5.exe.192006d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.O9MV0lNEO5.exe.192006d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.O9MV0lNEO5.exe.192006d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.O9MV0lNEO5.exe.192006d0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.O9MV0lNEO5.exe.192006d0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.O9MV0lNEO5.exe.192006d0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.O9MV0lNEO5.exe.192777b9ac0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.O9MV0lNEO5.exe.192777b9ac0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.O9MV0lNEO5.exe.192777b9ac0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 00000000.00000002.3371803708.00000192006D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 00000000.00000002.3371803708.00000192006D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000000.00000002.3371803708.00000192006D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@1/2

Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\d099b659-69af-41e2-9d7f-a5e64da5be06
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Mutant created: \Sessions\1\BaseNamedObjects\Var_qiGorla

Source: O9MV0lNEO5.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\O9MV0lNEO5.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\O9MV0lNEO5.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: O9MV0lNEO5.exe	Virustotal: Detection: 36%
Source: O9MV0lNEO5.exe	ReversingLabs: Detection: 52%

Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Section loaded: wbemcomn.dll	Jump to behavior

Source: C:\Users\user\Desktop\O9MV0lNEO5.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: O9MV0lNEO5.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: O9MV0lNEO5.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: O9MV0lNEO5.exe

Static file information: File size 4904800 > 1048576

Source: O9MV0lNEO5.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x162800
Source: O9MV0lNEO5.exe	Static PE information: Raw size of .data is bigger than: 0x100000 < 0x31e200

Source: O9MV0lNEO5.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: O9MV0lNEO5.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: O9MV0lNEO5.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: O9MV0lNEO5.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: O9MV0lNEO5.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: O9MV0lNEO5.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: O9MV0lNEO5.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: O9MV0lNEO5.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: O9MV0lNEO5.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: O9MV0lNEO5.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: O9MV0lNEO5.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: O9MV0lNEO5.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: O9MV0lNEO5.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: O9MV0lNEO5.exe

Static PE information: real checksum: 0x4aa9e0 should be: 0x4b79d0

Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Code function: 0_2_00007FF848E1D2A5 pushad ; iretd	0_2_00007FF848E1D2A6
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Code function: 0_2_00007FF8491B2BA0 push eax; ret	0_2_00007FF8491B2C0C
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Code function: 0_2_00007FF8491D2DFA push esp; iretd	0_2_00007FF8491D2DFB

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\O9MV0lNEO5.exe

File opened: C:\Users\user\Desktop\O9MV0lNEO5.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Memory allocated: 19267470000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Memory allocated: 1927F7B0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Window / User API: threadDelayed 946	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Window / User API: threadDelayed 972	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Window / User API: threadDelayed 423	Jump to behavior

Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\O9MV0lNEO5.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\O9MV0lNEO5.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\O9MV0lNEO5.exe

File Volume queried: C:\Users\user\Desktop FullSizeInformation

Jump to behavior

Source: O9MV0lNEO5.exe, 00000000.00000002.3371203154.000001920064A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\O9MV0lNEO5.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\O9MV0lNEO5.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\O9MV0lNEO5.exe

Thread register set: target process: unknown

Jump to behavior

Sets debug register (to hijack the execution of another thread)

Source: C:\Users\user\Desktop\O9MV0lNEO5.exe

Thread register set: unknown 1

Jump to behavior

Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\O9MV0lNEO5.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\O9MV0lNEO5.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.O9MV0lNEO5.exe.192777b9ac0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.O9MV0lNEO5.exe.192006d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.O9MV0lNEO5.exe.192006d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.O9MV0lNEO5.exe.192777b9ac0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3375070273.00000192677B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3375070273.0000019267982000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3378444438.00000192777B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3370505588.00000192001AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3371803708.00000192006D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: O9MV0lNEO5.exe PID: 6204, type: MEMORYSTR

Remote Access Functionality

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.O9MV0lNEO5.exe.192777b9ac0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.O9MV0lNEO5.exe.192006d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.O9MV0lNEO5.exe.192006d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.O9MV0lNEO5.exe.192777b9ac0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3375070273.00000192677B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3375070273.0000019267982000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3378444438.00000192777B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3370505588.00000192001AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3371803708.00000192006D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: O9MV0lNEO5.exe PID: 6204, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Windows Management Instrumentation	1 DLL Side-Loading	2 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Hidden Files and Directories	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	24 System Information Discovery	SSH	Keylogging	113 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
O9MV0lNEO5.exe	36%	Virustotal		Browse
O9MV0lNEO5.exe	53%	ReversingLabs	Win64.Backdoor.Quasarrat

Source	Detection	Scanner	Label	Link
51.15.17.193	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipwho.is	108.181.61.49	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ipwho.is/	false		high
51.15.17.193	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://api.ipify.org/	O9MV0lNEO5.exe, 00000000.00000002.3378444438.00000192777B1000.00000004.00000800.00020000.00000000.sdmp, O9MV0lNEO5.exe, 00000000.00000002.3370505588.00000192001AA000.00000004.00000020.00020000.00000000.sdmp, O9MV0lNEO5.exe, 00000000.00000002.3371803708.00000192006D0000.00000004.08000000.00040000.00000000.sdmp	false	high
https://stackoverflow.com/q/14436606/23354	O9MV0lNEO5.exe, 00000000.00000002.3375070273.00000192677F1000.00000004.00000800.00020000.00000000.sdmp, O9MV0lNEO5.exe, 00000000.00000002.3375070273.0000019267BCE000.00000004.00000800.00020000.00000000.sdmp, O9MV0lNEO5.exe, 00000000.00000002.3378444438.00000192777B1000.00000004.00000800.00020000.00000000.sdmp, O9MV0lNEO5.exe, 00000000.00000002.3370505588.00000192001AA000.00000004.00000020.00020000.00000000.sdmp, O9MV0lNEO5.exe, 00000000.00000002.3371803708.00000192006D0000.00000004.08000000.00040000.00000000.sdmp	false	high
https://stackoverflow.com/q/2152978/23354sCannot	O9MV0lNEO5.exe, 00000000.00000002.3378444438.00000192777B1000.00000004.00000800.00020000.00000000.sdmp, O9MV0lNEO5.exe, 00000000.00000002.3370505588.00000192001AA000.00000004.00000020.00020000.00000000.sdmp, O9MV0lNEO5.exe, 00000000.00000002.3371803708.00000192006D0000.00000004.08000000.00040000.00000000.sdmp	false	high
http://schemas.datacontract.org/2004/07/	O9MV0lNEO5.exe, 00000000.00000002.3375070273.0000019267982000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	O9MV0lNEO5.exe, 00000000.00000002.3375070273.00000192677B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ipwho.is	O9MV0lNEO5.exe, 00000000.00000002.3375070273.0000019267934000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	O9MV0lNEO5.exe, 00000000.00000002.3378444438.00000192777B1000.00000004.00000800.00020000.00000000.sdmp, O9MV0lNEO5.exe, 00000000.00000002.3370505588.00000192001AA000.00000004.00000020.00020000.00000000.sdmp, O9MV0lNEO5.exe, 00000000.00000002.3371803708.00000192006D0000.00000004.08000000.00040000.00000000.sdmp	false	high
https://ipwho.is	O9MV0lNEO5.exe, 00000000.00000002.3375070273.000001926791A000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
108.181.61.49	ipwho.is	Canada		852	ASN852CA	false
51.15.17.193	unknown	France		12876	OnlineSASFR	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578203
Start date and time:	2024-12-19 12:30:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	O9MV0lNEO5.exe renamed because original name is a hash value
Original Sample Name:	55c5b0b62609618558f51c5f35380291a4337cae8b14e65dd5ce7b226e9e4096.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 86% Number of executed functions: 171 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
108.181.61.49	888.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	888.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	Cracker.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
51.15.17.193	RegAsm.exe	Get hash	malicious	Quasar	Browse
51.15.17.193	truepepe-qt.exe	Get hash	malicious	Quasar	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipwho.is	RegAsm.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	truepepe-qt.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	alyemenione.lnk	Get hash	malicious	Havoc, Quasar	Browse	108.181.61.49
	jignesh.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	skibidi.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	vanilla.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	888.exe	Get hash	malicious	Luca Stealer	Browse	108.181.61.49
	888.exe	Get hash	malicious	Luca Stealer	Browse	108.181.61.49
	https://aggttt.z4.web.core.windows.net/?bcda=00-1-234-294-2156	Get hash	malicious	TechSupportScam	Browse	108.181.61.49
	Loader.exe	Get hash	malicious	Quasar	Browse	108.181.61.49

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASN852CA	RegAsm.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	truepepe-qt.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	TT copy.js	Get hash	malicious	FormBook	Browse	108.181.20.35
	alyemenione.lnk	Get hash	malicious	Havoc, Quasar	Browse	108.181.61.49
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	204.191.146.80
	la.bot.mips.elf	Get hash	malicious	Mirai	Browse	161.184.58.16
	la.bot.sh4.elf	Get hash	malicious	Mirai	Browse	199.175.174.49
	powerpc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	207.6.190.148
	la.bot.mipsel.elf	Get hash	malicious	Mirai	Browse	173.182.147.38
	arm5.nn-20241218-1651.elf	Get hash	malicious	Mirai, Okiru	Browse	172.218.204.155
OnlineSASFR	RegAsm.exe	Get hash	malicious	Quasar	Browse	51.15.17.193
	truepepe-qt.exe	Get hash	malicious	Quasar	Browse	51.15.17.193
	http://bluepeak-group.com/fc	Get hash	malicious	Unknown	Browse	163.172.143.199
	gaozw40v.exe	Get hash	malicious	Xmrig	Browse	163.172.154.142
	twjMb9cX64.exe	Get hash	malicious	Sliver	Browse	51.158.71.131
	WOlxr4yjgF.exe	Get hash	malicious	Sliver	Browse	51.158.71.131
	bot.mips.elf	Get hash	malicious	Mirai	Browse	51.158.232.138
	https://antiphishing.vadesecure.com/v4?f=M2FwZHlGNnU1aUlkc09ZNMiasRwGBdZehRVCQSRcBe4&i=WjB4M1dJWGJJMnNGTHV5MsMuKUIodncDHGeRU4kVkuY&k=CXOq&r=Skk2OVhvdXl2cm1uOWJtRKZOD61t44mSShExmLHL82awntC61WSfAdSPd_A2w4Sr0ol-2lJuHE1y6ZnIh9tzeQ&s=c0986918e90c31f67e295092df95ad67b5167b30a053715360f0707a34067922&u=https%3A%2F%2Fgeomesure-my.sharepoint.com%2F%3Ao%3A%2Fg%2Fpersonal%2Fjeason_geomesure_fr%2FEjezfvLh_FRNp0BDRFgaob0B5QrN_MFtVHWEoF2b4R1bRw%3Fe%3DomoERY	Get hash	malicious	Unknown	Browse	163.172.240.109
	801.ps1	Get hash	malicious	AsyncRAT	Browse	163.172.125.253
	BA9qyj2c9G.exe	Get hash	malicious	WhiteSnake Stealer	Browse	51.159.4.50

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	RegAsm.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	truepepe-qt.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	FjfZ7uM8zh.lnk	Get hash	malicious	Unknown	Browse	108.181.61.49
	yswmdaREME.lnk	Get hash	malicious	Unknown	Browse	108.181.61.49
	0bNBLjPn56.lnk	Get hash	malicious	Unknown	Browse	108.181.61.49
	t5lpvahkgypd7wy.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	108.181.61.49
	RFQ Letter and Instructions.pdf	Get hash	malicious	Unknown	Browse	108.181.61.49
	File di reclamo per violazione del copyright File di reclamo per violazione del copyright.lnk.d.lnk	Get hash	malicious	Unknown	Browse	108.181.61.49
	File di reclamo per violazione del copyright File di reclamo per violazione del copyright.lnk.d.lnk	Get hash	malicious	Unknown	Browse	108.181.61.49
	DHL_231437894819.bat.exe	Get hash	malicious	AgentTesla	Browse	108.181.61.49

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.535622374113614
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	O9MV0lNEO5.exe
File size:	4'904'800 bytes
MD5:	2884a477526c8308e9492845449e7e55
SHA1:	eee9ad47bffe627c71529e81bf9daaf95ee3df30
SHA256:	55c5b0b62609618558f51c5f35380291a4337cae8b14e65dd5ce7b226e9e4096
SHA512:	d4e3694af590f82a1464e403c05c4f7ed34dcd9a91b5b4930d72ae406625952f332b22f3a15aba4a2a412b1967ccb09a7383d2c4140752a1b296e9326f89b5f3
SSDEEP:	98304:nTPuv0E+GYYL6xaCOW01gjUYGpriBENypxqD4TIuCrRsr/mmubvhgLHbsdlR9fCp:TmcyhqatWTwrspxC4TIfir/mpbOsdlRK
TLSH:	CA36D016571D81A4CEE6353560593763DB30FC08903CE72A8FB45A656AFFB606CAE23C
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$...J...J...J...I...J...O.V.J...N...J...I...J...N...J.......J...K...J...K.^.J...O...J...C...J...H...J.Rich..J.........PE..d..

File Icon


Icon Hash:	55497933cc61714d

Static PE Info

General

Entrypoint:	0x140152220
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x674A7898 [Sat Nov 30 02:29:44 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	b366497cd3cff2367e10ca55cfd84f3a

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert EV Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	12/06/2016 20:00:00 24/01/2019 07:00:00
Subject Chain	CN=Realtek Semiconductor Corp., O=Realtek Semiconductor Corp., L=Hsinchu, S=Taiwan, C=TW, PostalCode=300, STREET="No. 2, Innovation Road II, Hsinchu Science Park", SERIALNUMBER=22671299, OID.1.3.6.1.4.1.311.60.2.1.3=TW, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	7B0CA4029E3A73373CE0BD3DF12A08C1
Thumbprint SHA-1:	37A0BACB152A547382195095AB33601929877364
Thumbprint SHA-256:	B08CF4E204D1BA2BA8642D7709499D61CFF8CF7AA75CCD832A6BA1D7F1B82DF7
Serial:	0320BE3EB866526927F999B97B04346E

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F3CB8ADFB74h
dec eax
add esp, 28h
jmp 00007F3CB8ADF337h
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007F3CB8ADF4D2h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007F3CB8ADF4D5h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007F3CB8ADF4CDh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007F3CB8ADEEA6h
int3
dec eax
mov dword ptr [esp+10h], ebx
dec eax
mov dword ptr [esp+18h], esi
push ebp
push edi
inc ecx
push esi
dec eax
mov ebp, esp
dec eax
sub esp, 10h
xor eax, eax
xor ecx, ecx
cpuid
inc esp
mov eax, ecx
inc esp
mov edx, edx
inc ecx
xor edx, 49656E69h
inc ecx
xor eax, 6C65746Eh
inc esp
mov ecx, ebx
inc esp
mov esi, eax
xor ecx, ecx

Rich Headers

Programming Language:

[IMP] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x182454	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4a6000	0x6f58	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x4a3000	0x1890	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x4a9000	0x4760
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4a5000	0x68c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x17fff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x17feb0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x164000	0x370	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x162640	0x162800	6ba52e4bc3dca74430dc77309511216d	False	0.4374104702926657	data	5.40396546201627	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x164000	0x1efb6	0x1f000	35c7b228f883185216c8a0c5c2bdb57a	False	0.5450951360887096	data	6.724885356955416	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x183000	0x31f3b0	0x31e200	8334b0e6dcf61d2f6882b24cc0e3e565	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x4a3000	0x1890	0x1a00	59b57e9c69e80b37a348d0f1f0741971	False	0.4655949519230769	data	5.315213252521135	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x4a5000	0x68c	0x800	f8fdcac3b1bdf8e8cd78dddebf0b8d0d	False	0.50341796875	data	4.94145957513927	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x4a6000	0x6f58	0x7000	50e61ae8f8e8edbce738912005b332e3	False	0.3857421875	data	6.01824858893758	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x4a6328	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 0			0.21341463414634146
RT_ICON	0x4a6990	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0			0.34139784946236557
RT_ICON	0x4a6c78	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0			0.5202702702702703
RT_ICON	0x4a6da0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.47334754797441364
RT_ICON	0x4a7c48	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.6101083032490975
RT_ICON	0x4a84f0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.596820809248555
RT_ICON	0x4a8a58	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.2932572614107884
RT_ICON	0x4ab000	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0			0.4343339587242026
RT_ICON	0x4ac0a8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0			0.7198581560283688
RT_ICON	0x4ac510	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640			0.42473118279569894
RT_ICON	0x4ac7f8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640			0.35618279569892475
RT_GROUP_ICON	0x4acae0	0x84	data			0.6363636363636364
RT_GROUP_ICON	0x4acb64	0x14	data			1.25
RT_GROUP_ICON	0x4acb78	0x14	data			1.25
RT_VERSION	0x4acb8c	0x3cc	data	English	United States	0.4506172839506173

Imports

DLL	Import
USER32.dll	wsprintfW, TranslateMessage, SetTimer, GetMessageW, DispatchMessageW, KillTimer
mscoree.dll	CLRCreateInstance
OLEAUT32.dll	SafeArrayCreateVector, SafeArrayUnlock, SafeArrayLock, SafeArrayCreate
KERNEL32.dll	IsDebuggerPresent, WriteConsoleW, CreateFileW, SetFilePointerEx, GetConsoleMode, GetConsoleOutputCP, FlushFileBuffers, HeapReAlloc, HeapSize, GetProcessHeap, LCMapStringW, CompareStringW, FlsFree, FlsSetValue, FlsGetValue, CreateTimerQueueTimer, GetCurrentProcess, lstrlenW, CreateJobObjectW, DeleteTimerQueueEx, CreateMutexW, GetLocaleInfoW, WaitForSingleObject, GetModuleHandleA, GetACP, CreateEventW, MultiByteToWideChar, GetLastError, LoadLibraryA, QueryPerformanceFrequency, CloseHandle, AddVectoredExceptionHandler, GetThreadContext, GetProcAddress, GlobalMemoryStatusEx, GetModuleHandleW, FreeLibrary, lstrcpyW, GetDiskFreeSpaceExA, GetSystemTime, SetThreadContext, QueryPerformanceCounter, CreateMailslotW, GetTickCount, CreateTimerQueue, LocalFree, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, GetStartupInfoW, FlsAlloc, RtlUnwindEx, RtlPcToFileHeader, RaiseException, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetOEMCP, GetCPInfo, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetFileType, GetStringTypeW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-19T12:31:20.679309+0100	2027619	ET MALWARE Observed Malicious SSL Cert (Quasar CnC)	1	51.15.17.193	4782	192.168.2.5	49709	TCP
2024-12-19T12:31:20.679309+0100	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	1	51.15.17.193	4782	192.168.2.5	49709	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 12:31:19.124099970 CET	49709	4782	192.168.2.5	51.15.17.193
Dec 19, 2024 12:31:19.243874073 CET	4782	49709	51.15.17.193	192.168.2.5
Dec 19, 2024 12:31:19.244039059 CET	49709	4782	192.168.2.5	51.15.17.193
Dec 19, 2024 12:31:19.330698967 CET	49709	4782	192.168.2.5	51.15.17.193
Dec 19, 2024 12:31:19.451659918 CET	4782	49709	51.15.17.193	192.168.2.5
Dec 19, 2024 12:31:20.488468885 CET	4782	49709	51.15.17.193	192.168.2.5
Dec 19, 2024 12:31:20.488490105 CET	4782	49709	51.15.17.193	192.168.2.5
Dec 19, 2024 12:31:20.488619089 CET	49709	4782	192.168.2.5	51.15.17.193
Dec 19, 2024 12:31:20.559506893 CET	49709	4782	192.168.2.5	51.15.17.193
Dec 19, 2024 12:31:20.679308891 CET	4782	49709	51.15.17.193	192.168.2.5
Dec 19, 2024 12:31:20.951132059 CET	4782	49709	51.15.17.193	192.168.2.5
Dec 19, 2024 12:31:20.992839098 CET	49709	4782	192.168.2.5	51.15.17.193
Dec 19, 2024 12:31:21.496879101 CET	49710	443	192.168.2.5	108.181.61.49
Dec 19, 2024 12:31:21.496954918 CET	443	49710	108.181.61.49	192.168.2.5
Dec 19, 2024 12:31:21.497055054 CET	49710	443	192.168.2.5	108.181.61.49
Dec 19, 2024 12:31:21.502810955 CET	49710	443	192.168.2.5	108.181.61.49
Dec 19, 2024 12:31:21.502852917 CET	443	49710	108.181.61.49	192.168.2.5
Dec 19, 2024 12:31:23.894247055 CET	443	49710	108.181.61.49	192.168.2.5
Dec 19, 2024 12:31:23.894373894 CET	49710	443	192.168.2.5	108.181.61.49
Dec 19, 2024 12:31:23.898046970 CET	49710	443	192.168.2.5	108.181.61.49
Dec 19, 2024 12:31:23.898057938 CET	443	49710	108.181.61.49	192.168.2.5
Dec 19, 2024 12:31:23.898313999 CET	443	49710	108.181.61.49	192.168.2.5
Dec 19, 2024 12:31:23.907125950 CET	49710	443	192.168.2.5	108.181.61.49
Dec 19, 2024 12:31:23.947330952 CET	443	49710	108.181.61.49	192.168.2.5
Dec 19, 2024 12:31:24.509037971 CET	443	49710	108.181.61.49	192.168.2.5
Dec 19, 2024 12:31:24.509114981 CET	443	49710	108.181.61.49	192.168.2.5
Dec 19, 2024 12:31:24.509186029 CET	49710	443	192.168.2.5	108.181.61.49
Dec 19, 2024 12:31:25.282677889 CET	49710	443	192.168.2.5	108.181.61.49
Dec 19, 2024 12:31:26.365232944 CET	49709	4782	192.168.2.5	51.15.17.193
Dec 19, 2024 12:31:26.485774994 CET	4782	49709	51.15.17.193	192.168.2.5
Dec 19, 2024 12:31:26.485850096 CET	49709	4782	192.168.2.5	51.15.17.193
Dec 19, 2024 12:31:26.605470896 CET	4782	49709	51.15.17.193	192.168.2.5
Dec 19, 2024 12:31:26.876455069 CET	4782	49709	51.15.17.193	192.168.2.5
Dec 19, 2024 12:31:26.930454016 CET	49709	4782	192.168.2.5	51.15.17.193
Dec 19, 2024 12:31:27.067862034 CET	4782	49709	51.15.17.193	192.168.2.5
Dec 19, 2024 12:31:27.117841005 CET	49709	4782	192.168.2.5	51.15.17.193
Dec 19, 2024 12:31:52.070985079 CET	49709	4782	192.168.2.5	51.15.17.193
Dec 19, 2024 12:31:52.190680981 CET	4782	49709	51.15.17.193	192.168.2.5
Dec 19, 2024 12:32:17.196146965 CET	49709	4782	192.168.2.5	51.15.17.193
Dec 19, 2024 12:32:17.315850019 CET	4782	49709	51.15.17.193	192.168.2.5
Dec 19, 2024 12:32:42.321084023 CET	49709	4782	192.168.2.5	51.15.17.193
Dec 19, 2024 12:32:42.441045046 CET	4782	49709	51.15.17.193	192.168.2.5
Dec 19, 2024 12:33:07.446055889 CET	49709	4782	192.168.2.5	51.15.17.193
Dec 19, 2024 12:33:07.565675974 CET	4782	49709	51.15.17.193	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 12:31:21.347367048 CET	65333	53	192.168.2.5	1.1.1.1
Dec 19, 2024 12:31:21.485023975 CET	53	65333	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 19, 2024 12:31:21.347367048 CET	192.168.2.5	1.1.1.1	0x555c	Standard query (0)	ipwho.is	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 19, 2024 12:31:21.485023975 CET	1.1.1.1	192.168.2.5	0x555c	No error (0)	ipwho.is		108.181.61.49	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ipwho.is

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49710	108.181.61.49	443	6204	C:\Users\user\Desktop\O9MV0lNEO5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 11:31:23 UTC	150	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0 Host: ipwho.is Connection: Keep-Alive
2024-12-19 11:31:24 UTC	223	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 11:31:24 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close Server: ipwhois Access-Control-Allow-Headers: * X-Robots-Tag: noindex
2024-12-19 11:31:24 UTC	1021	IN	Data Raw: 33 66 31 0d 0a 7b 0a 20 20 20 20 22 41 62 6f 75 74 20 55 73 22 3a 20 22 68 74 74 70 73 3a 5c 2f 5c 2f 69 70 77 68 6f 69 73 2e 69 6f 22 2c 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 74 79 70 65 22 3a 20 22 49 50 76 34 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 20 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 20 22 4e 41 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f Data Ascii: 3f1{ "About Us": "https:\/\/ipwhois.io", "ip": "8.46.123.189", "success": true, "type": "IPv4", "continent": "North America", "continent_code": "NA", "country": "United States", "country_code": "US", "region": "New Yo

Target ID:	0
Start time:	06:31:12
Start date:	19/12/2024
Path:	C:\Users\user\Desktop\O9MV0lNEO5.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\O9MV0lNEO5.exe"
Imagebase:	0x7ff646a80000
File size:	4'904'800 bytes
MD5 hash:	2884A477526C8308E9492845449E7E55
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.3375070273.00000192677B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.3375070273.0000019267982000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.3378444438.00000192777B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.3370505588.00000192001AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.3371803708.00000192006D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.3371803708.00000192006D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: 00000000.00000002.3371803708.00000192006D0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000000.00000002.3371803708.00000192006D0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: 00000000.00000002.3371803708.00000192006D0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekshen
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	6.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF8492723F1 Relevance: 71.2, Strings: 52, Instructions: 6199COMMON

Download Yara Rule

Strings

0!I, xrefs: 00007FF8492740D5
8 I, xrefs: 00007FF849274056
,I, xrefs: 00007FF84927483A
`9I, xrefs: 00007FF849275153
,I, xrefs: 00007FF8492747DB
P'I, xrefs: 00007FF849274448
8 I, xrefs: 00007FF849274091
-I, xrefs: 00007FF8492748B9
`9I, xrefs: 00007FF8492751ED
P'I, xrefs: 00007FF8492743E9
@$I, xrefs: 00007FF8492742B4
AI, xrefs: 00007FF849275545
8,I, xrefs: 00007FF8492747AB
@$I, xrefs: 00007FF849274255
0!I, xrefs: 00007FF84927415B
AI, xrefs: 00007FF8492755DF
8 I, xrefs: 00007FF849273FF7
-I, xrefs: 00007FF849274904
CI, xrefs: 00007FF8492756ED
8,I, xrefs: 00007FF849274770
p3I, xrefs: 00007FF849274E2B
8 I, xrefs: 00007FF84927400B
h4I, xrefs: 00007FF849274F8F
,I, xrefs: 00007FF849274875
80I, xrefs: 00007FF849274B17
0!I, xrefs: 00007FF849274120
CI, xrefs: 00007FF849275738
H, xrefs: 00007FF849273759
h4I, xrefs: 00007FF849274F54
8,I, xrefs: 00007FF849274725
p3I, xrefs: 00007FF849274E3F
80I, xrefs: 00007FF849274B9D
-I, xrefs: 00007FF8492748A5
AI, xrefs: 00007FF849275559
@$I, xrefs: 00007FF8492742EF
@$I, xrefs: 00007FF849274269
80I, xrefs: 00007FF849274B62
AI, xrefs: 00007FF8492755A4
P'I, xrefs: 00007FF849274483
h4I, xrefs: 00007FF849274EF5
P'I, xrefs: 00007FF8492743FD
CI, xrefs: 00007FF849275773
h4I, xrefs: 00007FF849274F09
`9I, xrefs: 00007FF8492751B2
p3I, xrefs: 00007FF849274E8A
80I, xrefs: 00007FF849274B03
0!I, xrefs: 00007FF8492740C1
CI, xrefs: 00007FF8492756D9
-I, xrefs: 00007FF84927493F
p3I, xrefs: 00007FF849274EC5
,I, xrefs: 00007FF8492747EF
8,I, xrefs: 00007FF849274711

Memory Dump Source

Source File: 00000000.00000002.3384230445.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849270000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: 0!I$0!I$0!I$0!I$8 I$8 I$8 I$8 I$8,I$8,I$8,I$8,I$80I$80I$80I$80I$@$I$@$I$@$I$@$I$H$P'I$P'I$P'I$P'I$`9I$`9I$`9I$h4I$h4I$h4I$h4I$p3I$p3I$p3I$p3I$,I$,I$,I$,I$-I$-I$-I$-I$AI$AI$AI$AI$CI$CI$CI$CI
API String ID: 0-3845385732
Opcode ID: 5eb2727bd9a47975b63d96071e126a20a7b20a381a718e15cde55f19dd65fb2b
Instruction ID: 8f95b1ba1d0dadc91a737fa5847106621a6752243233e5d781df27ca5181cbdc
Opcode Fuzzy Hash: 5eb2727bd9a47975b63d96071e126a20a7b20a381a718e15cde55f19dd65fb2b
Instruction Fuzzy Hash: AE83B321F1DD9B5FF7B5FA2C146523956D3EFA8690B5805BAC01ED36D6EE28EC024380

Function 00007FF8491B4E56 Relevance: 23.5, Strings: 17, Instructions: 2244COMMON

Download Yara Rule

Strings

P8{w, xrefs: 00007FF8491B60EF
p7{w, xrefs: 00007FF8491B504C
X8{w, xrefs: 00007FF8491B611B
7{w, xrefs: 00007FF8491B57B5
HAH, xrefs: 00007FF8491B6417
x7{w, xrefs: 00007FF8491B50B7
@8{w, xrefs: 00007FF8491B6097
H8{w, xrefs: 00007FF8491B60C3
7{w, xrefs: 00007FF8491B572B
:&I, xrefs: 00007FF8491B61BC
08{w, xrefs: 00007FF8491B603F
`8{w, xrefs: 00007FF8491B6147
HAH, xrefs: 00007FF8491B6372
88{w, xrefs: 00007FF8491B606B
(8{w, xrefs: 00007FF8491B6010
h7{w, xrefs: 00007FF8491B502A
(#I, xrefs: 00007FF8491B61FD

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: (8{w$(#I$08{w$88{w$:&I$@8{w$H8{w$HAH$HAH$P8{w$X8{w$`8{w$h7{w$p7{w$x7{w$7{w$7{w
API String ID: 0-2683685872
Opcode ID: 3b3fc79659423ffcd03623aaf74604d9013098033b4ded47b9e69ed7cae8ee0d
Instruction ID: 6968b0840f97942e70b382c9ed8fe96a39857dbc6c73e31811a065581bed3a7c
Opcode Fuzzy Hash: 3b3fc79659423ffcd03623aaf74604d9013098033b4ded47b9e69ed7cae8ee0d
Instruction Fuzzy Hash: CF03B670A1CA898FDBA5EF28C4547A977E2FF69350F1441B9D44ED7292CA39EC81CB40

Function 00007FF8491CBA79 Relevance: 17.1, Strings: 12, Instructions: 2106COMMON

Download Yara Rule

Strings

'{w, xrefs: 00007FF8491CCB2C
HAH, xrefs: 00007FF8491CBF21
HAH, xrefs: 00007FF8491CBFDF
HAH, xrefs: 00007FF8491CC76D
HAH, xrefs: 00007FF8491CBE29
HAH, xrefs: 00007FF8491CBF74
HAH, xrefs: 00007FF8491CBE40
HAH, xrefs: 00007FF8491CBECA
HAH, xrefs: 00007FF8491CC485
HAH, xrefs: 00007FF8491CBFAD
^._L, xrefs: 00007FF8491CC5D0
HAH, xrefs: 00007FF8491CBF38

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: '{w$HAH$HAH$HAH$HAH$HAH$HAH$HAH$HAH$HAH$HAH$^._L
API String ID: 0-737024067
Opcode ID: 505cdfda79f53be75647faedeb8099180e4a96d66520fc8577c0dd7493599e50
Instruction ID: 47e393186f0273f0dabf8631933016273329e045d823cc9455e05010ff24a043
Opcode Fuzzy Hash: 505cdfda79f53be75647faedeb8099180e4a96d66520fc8577c0dd7493599e50
Instruction Fuzzy Hash: 0CE2363191DAC64FE379EB2888566B57BE0EF55390F0405BEC48EC7593DE1CAC068B89

Function 00007FF8491B9621 Relevance: 12.5, Strings: 9, Instructions: 1222
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HAH, xrefs: 00007FF8491BA237
89{w, xrefs: 00007FF8491B9B41
HAH, xrefs: 00007FF8491BA270
HAH, xrefs: 00007FF8491BA1FD
P9{w, xrefs: 00007FF8491B9CC5
@9{w, xrefs: 00007FF8491B9BE4
H9{w, xrefs: 00007FF8491B9C0C
HAH, xrefs: 00007FF8491B99B0
HAH, xrefs: 00007FF8491BA3B1

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: 89{w$@9{w$H9{w$HAH$HAH$HAH$HAH$HAH$P9{w
API String ID: 0-2187355302
Opcode ID: 2708dbdab6aa3b392d74411c4a18d9e09554a8cca21564ddc60cebcd84d5954b
Instruction ID: 30ebd3abb9d94fca781ed66a510c786d91c40e2be2afef3c9c19b5e8f69f0974
Opcode Fuzzy Hash: 2708dbdab6aa3b392d74411c4a18d9e09554a8cca21564ddc60cebcd84d5954b
Instruction Fuzzy Hash: D672D631A1CA894FE7A8FB2C945577977D2FFA9350F0440BAD44EC7293DE28AC428B41

Function 00007FF8491CE399 Relevance: 9.9, Strings: 7, Instructions: 1116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

>._L, xrefs: 00007FF8491CE5D2
HAH, xrefs: 00007FF8491CE960
HAH, xrefs: 00007FF8491CE907
=#_L, xrefs: 00007FF8491CE770
8#_L, xrefs: 00007FF8491CEC72
HAH, xrefs: 00007FF8491CE999
HAH, xrefs: 00007FF8491CE8CE

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: 8#_L$=#_L$>._L$HAH$HAH$HAH$HAH
API String ID: 0-3760220123
Opcode ID: e7b62f7fffc6605cd9c7b7e03fd9a0b5bac69b8fa01ed7dfaf9786e81ff8cddd
Instruction ID: 49ee95c2a80bb2e7246c348ab6aea22c68df5fd151eeeede899aa6abb898e785
Opcode Fuzzy Hash: e7b62f7fffc6605cd9c7b7e03fd9a0b5bac69b8fa01ed7dfaf9786e81ff8cddd
Instruction Fuzzy Hash: AE726031A1CA4A8FEB98EF18D49977977E1FF98740F540179D44AC7286CE38EC428B85

Function 00007FF8491BAA4D Relevance: 8.5, Strings: 6, Instructions: 979
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

p9{w, xrefs: 00007FF8491BADD7
h9{w, xrefs: 00007FF8491BAD1D
89{w, xrefs: 00007FF8491BB083
`9{w, xrefs: 00007FF8491BACED
x9{w, xrefs: 00007FF8491BAF0C
X9{w, xrefs: 00007FF8491BACA5

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: 89{w$X9{w$`9{w$h9{w$p9{w$x9{w
API String ID: 0-828421893
Opcode ID: b16abd5c852ac5ed1169cd144457432945f405f185eb90cdc3fc9adffcfb21df
Instruction ID: f62885b1fe14f2521f592d1d006cf5bbe1eaf1c9fc9638b9250f97d17220bbe7
Opcode Fuzzy Hash: b16abd5c852ac5ed1169cd144457432945f405f185eb90cdc3fc9adffcfb21df
Instruction Fuzzy Hash: 8262723060CA498FE798EB2CC459B6977E2FF99340F1445BED08DC76A6DE38E8418B41

Function 00007FF8491CEF79 Relevance: 5.5, Strings: 4, Instructions: 455
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HAH, xrefs: 00007FF8491CF0FB
HAH, xrefs: 00007FF8491CF1A2
HAH, xrefs: 00007FF8491CF18B
HAH, xrefs: 00007FF8491CF135

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: HAH$HAH$HAH$HAH
API String ID: 0-4204409433
Opcode ID: 53dc9d02fcedd51477c469936965d2a5ad9aebe40d3fead0d1941e7451d74b22
Instruction ID: e28af8b9775ae6d249b6a68cd1fc71248f5d963960992d7efaa8649ac74e4105
Opcode Fuzzy Hash: 53dc9d02fcedd51477c469936965d2a5ad9aebe40d3fead0d1941e7451d74b22
Instruction Fuzzy Hash: EBC1F531B1D9894FEBA8EF2C98596787BD2FF99781B0500BAD04EC73A2DD1C9C428745

Function 00007FF8491B5D35 Relevance: 4.1, Strings: 3, Instructions: 349
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:&I, xrefs: 00007FF8491B61BC
8{w, xrefs: 00007FF8491B5D58
(#I, xrefs: 00007FF8491B61FD

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: 8{w$(#I$:&I
API String ID: 0-2967527437
Opcode ID: 98f049dfb892aefa2d15c1a83b638d6cf2adf4063026ed0948c4fd7b9b17c40b
Instruction ID: 3f85c74b2c42659ee2f5ecff5910f721df18c125dd68d3c9cd82cd50e9866fd1
Opcode Fuzzy Hash: 98f049dfb892aefa2d15c1a83b638d6cf2adf4063026ed0948c4fd7b9b17c40b
Instruction Fuzzy Hash: DDC13230E1CA598FEBA4EF18C445779B3E2FFA8350F1445BDD04ED3696DA38A8818B41

Function 00007FF8491CB009 Relevance: 3.5, Strings: 2, Instructions: 990COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF8491CB70E
HAH, xrefs: 00007FF8491CB6D5

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: HAH$HAH
API String ID: 0-524784639
Opcode ID: f111c19436d963f859cecdafcd73baa12c6250af915d8a2fe72cafafa96a642c
Instruction ID: c3eb485a80f0b6952cc620ea46afcee4225f2b87c531f3d7b416b0bff3483b45
Opcode Fuzzy Hash: f111c19436d963f859cecdafcd73baa12c6250af915d8a2fe72cafafa96a642c
Instruction Fuzzy Hash: 3862C331A1CA898FE7A8EF289445A75B7E1FF58350F44057DD44AC3692DF28B842CB85

Function 00007FF8491B76AE Relevance: 3.0, Strings: 2, Instructions: 456COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF8491B7918
HAH, xrefs: 00007FF8491B792F

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: HAH$HAH
API String ID: 0-524784639
Opcode ID: 854777579a75a3d54dd6907b375d53ba892cd235df6e005d32d01be1c67bf744
Instruction ID: af0fc3a4af4e62ce096e10bbd16826319e080212bb5524411b652524c5349369
Opcode Fuzzy Hash: 854777579a75a3d54dd6907b375d53ba892cd235df6e005d32d01be1c67bf744
Instruction Fuzzy Hash: DFC15731A0DA8A4FE7A8FB3C98596757BD2FFA9390B0501BAD04DC7693DD1CAC428741

Function 00007FF8491C7336 Relevance: .5, Instructions: 468COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07fc9141b8e9702a7484ef4a3f218df9b5322ab60649567db5e6a8d41de46e3b
Instruction ID: a970953775df7831c546d84db4318bba2ddad7484953951641909505be0d0d95
Opcode Fuzzy Hash: 07fc9141b8e9702a7484ef4a3f218df9b5322ab60649567db5e6a8d41de46e3b
Instruction Fuzzy Hash: ACF1A63090CA8E8FEBA8EF28D8557E937D1FF55350F04426EE84DC7291CB7898458B82

Function 00007FF8491C80E2 Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8cfc931c3c74b12bc92a0324e52fb549c5b7cbf37ce3aee54ff4d0826fb23ca
Instruction ID: b002870ce0277c8def1a7cc1ab693f9e54b3a3c7f8ee987284c4ead837158385
Opcode Fuzzy Hash: d8cfc931c3c74b12bc92a0324e52fb549c5b7cbf37ce3aee54ff4d0826fb23ca
Instruction Fuzzy Hash: 31E1A43090CA8E8FEBA8EF28C8557E977E1FF54350F14426ED84DC7291DB78A8458B85

Function 00007FF848F3295E Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3381734664.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64a2da3f94c5fd01959228fbc3accf064184324c7a17dbefa20559f86f5816ee
Instruction ID: d8da317d7838482d6c31eb6aed4b9eb60453834c81e4a1be17d68aae77a3d3dd
Opcode Fuzzy Hash: 64a2da3f94c5fd01959228fbc3accf064184324c7a17dbefa20559f86f5816ee
Instruction Fuzzy Hash: C4818E7028E7D22FE387A3B858264A97FE1DF46230B4D45FAD485CB9EBDA1C48078351

Function 00007FF8491CF6FD Relevance: 11.0, Strings: 8, Instructions: 1013
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@#_H, xrefs: 00007FF8491CFC60
HAH, xrefs: 00007FF8491CFEF4
HAH, xrefs: 00007FF8491CFE83
HAH, xrefs: 00007FF8491CFE00
, xrefs: 00007FF8491CFDDB
, xrefs: 00007FF8491CFAD0
HAH, xrefs: 00007FF8491CFE9A
8{w, xrefs: 00007FF8491CF8F3

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: $ $ 8{w$@#_H$HAH$HAH$HAH$HAH
API String ID: 0-3020917716
Opcode ID: 1e72f510ba16aa28dacd2e9ceec7542583f1206e7b758b67fdd3800f53014aca
Instruction ID: 5461a7d30171e22eada44ef7203bcbc54c5c1d81df14194749b2cfb77eb8ef22
Opcode Fuzzy Hash: 1e72f510ba16aa28dacd2e9ceec7542583f1206e7b758b67fdd3800f53014aca
Instruction Fuzzy Hash: 42627271A5C9498FEBA8EF2CC499A7877D1FF58341B1500B9E44EC73A2DE28EC418B45

Function 00007FF8491B6D81 Relevance: 6.6, Strings: 5, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HAH, xrefs: 00007FF8491B6FE3
HAH, xrefs: 00007FF8491B6F64
HAH, xrefs: 00007FF8491B6EF1
HAH, xrefs: 00007FF8491B6FAD
HAH, xrefs: 00007FF8491B6F2B

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: HAH$HAH$HAH$HAH$HAH
API String ID: 0-3303410093
Opcode ID: 69a66590c857373b6b16cf04286c55f99266af6dea834268f1c21e729a664832
Instruction ID: a5f4fa055cd4c1744770dd857b08450d21f81a98c4d97c398a078baffa0406de
Opcode Fuzzy Hash: 69a66590c857373b6b16cf04286c55f99266af6dea834268f1c21e729a664832
Instruction Fuzzy Hash: 3391A231E1DA8A4FE7A9EB3C945567577D2FFA9790B0400BED00EC7696DE2CAC028740

Function 00007FF8491D332D Relevance: 5.6, Strings: 4, Instructions: 615
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`'{w, xrefs: 00007FF8491D36B6
${w, xrefs: 00007FF8491D37F8
HAH, xrefs: 00007FF8491D385C
HAH, xrefs: 00007FF8491D3759

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: ${w$HAH$HAH$`'{w
API String ID: 0-2144866399
Opcode ID: cabdd24d917a23706c734a3a2420273593f7763790685ea06fb0140875d7408c
Instruction ID: 53b3fdf3799332799d6fa7cadae61ee5624842093fa661d257bfb17cab572270
Opcode Fuzzy Hash: cabdd24d917a23706c734a3a2420273593f7763790685ea06fb0140875d7408c
Instruction Fuzzy Hash: 7F021531A1CA864FE7A5EB3884556B577E1FF99354B0806BAD04EC7692DE2CBC438B40

Function 00007FF8491C1B28 Relevance: 5.5, Strings: 4, Instructions: 468
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

xC)I, xrefs: 00007FF8491C1F1A
x6{w, xrefs: 00007FF8491C1FF7
xC)I, xrefs: 00007FF8491C201D
x6{w, xrefs: 00007FF8491C1EF4

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: x6{w$x6{w$xC)I$xC)I
API String ID: 0-2691722993
Opcode ID: 78bd6de88b6a47144d47546e450528cd5b9ae729001973e62686d04796083901
Instruction ID: ae2595ca51f5903a94cea463917f9f90345563e255d78a0d03eecc6e7949c6e5
Opcode Fuzzy Hash: 78bd6de88b6a47144d47546e450528cd5b9ae729001973e62686d04796083901
Instruction Fuzzy Hash: F3F17C72D4E6C64FE366AB3898565E97BE0EF46360B0801BEC18CCF1D3DA1C5846C799

Function 00007FF8491B4775 Relevance: 5.2, Strings: 4, Instructions: 173
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

X7{w, xrefs: 00007FF8491B485C
`7{w, xrefs: 00007FF8491B4875
P7{w, xrefs: 00007FF8491B4843
H7{w, xrefs: 00007FF8491B47E5

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: H7{w$P7{w$X7{w$`7{w
API String ID: 0-4129764462
Opcode ID: f87f08c4cf26d48e2d9eeb863844c19c5defe537c90d14a0a0a707a4aa9b119a
Instruction ID: c4c03a8d34fb6515c2f17ed3255b656355d80f7bd1f1926d6e65db0dc63b9fea
Opcode Fuzzy Hash: f87f08c4cf26d48e2d9eeb863844c19c5defe537c90d14a0a0a707a4aa9b119a
Instruction Fuzzy Hash: 1A41293120DD8E5FEBB0FEACA455AB977D1EF59360B1900FAC448C75A2DA1DDC428780

Function 00007FF8491D05EC Relevance: 4.3, Strings: 3, Instructions: 545COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF8491D0F18
HAH, xrefs: 00007FF8491D0F3A
HAH, xrefs: 00007FF8491D0DFB

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: HAH$HAH$HAH
API String ID: 0-2719557456
Opcode ID: fd1903e1766a2bf6af65f116b8a65595dc69df0b4597c8ce5a7c9f75fd72aa54
Instruction ID: cfa0a1bd21773560268eafb40451ca102a903023bb6dc86625ae8f49245bda70
Opcode Fuzzy Hash: fd1903e1766a2bf6af65f116b8a65595dc69df0b4597c8ce5a7c9f75fd72aa54
Instruction Fuzzy Hash: 00F11631A0CA894FE7A9EB2CD4556A977D1FF99350F1502FED04DC72A2DE2CAC428B41

Function 00007FF8491D01FC Relevance: 4.2, Strings: 3, Instructions: 429
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

!{w, xrefs: 00007FF8491D037A
HAH, xrefs: 00007FF8491D0475
('{w, xrefs: 00007FF8491D033C

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: !{w$('{w$HAH
API String ID: 0-586703220
Opcode ID: 6e4f0a26501cdd8d0d5ec8c13948989e0cbc921ef52749f0f17c94c53577b0f1
Instruction ID: 611c3af1fe32f5c71c8fdfd95ff5d1dfe931a33acc36710377d00910006c4ead
Opcode Fuzzy Hash: 6e4f0a26501cdd8d0d5ec8c13948989e0cbc921ef52749f0f17c94c53577b0f1
Instruction Fuzzy Hash: 0CD1F771A1DAC64FE376EB2898166B87BE0EF56250F0506BEC48DC75E3DA1C7C068742

Function 00007FF8491C9F8D Relevance: 4.2, Strings: 3, Instructions: 408
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HAH, xrefs: 00007FF8491CA1DB
HAH, xrefs: 00007FF8491CA0A9
HAH, xrefs: 00007FF8491CA0E2

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: HAH$HAH$HAH
API String ID: 0-2719557456
Opcode ID: ffa75478d461fc8caef35fc0f378e7488a5ed7919d15fb39edfe6a18f860f550
Instruction ID: a16265fbd16102d2c4ee70528c536ee147381e5038ca9fa8f0c4d4cdeb47b322
Opcode Fuzzy Hash: ffa75478d461fc8caef35fc0f378e7488a5ed7919d15fb39edfe6a18f860f550
Instruction Fuzzy Hash: F4C1B031A08A8E8FDB95EF68D4556ED77E1FF99350F0401BAE40DD7286DF2898428B81

Function 00007FF8491B3F7E Relevance: 4.1, Strings: 3, Instructions: 331
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 00007FF8491B44B7
_, xrefs: 00007FF8491B3F8C
(7{w, xrefs: 00007FF8491B459B

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: (7{w$@$_
API String ID: 0-1570039009
Opcode ID: 857723357a67e92bc443c1d86f50afdced57746932e1403ccf28863c8f3f80a9
Instruction ID: c8062c2b2b1239601155b22100a9a5fac75b63b2538c58f29079981900206592
Opcode Fuzzy Hash: 857723357a67e92bc443c1d86f50afdced57746932e1403ccf28863c8f3f80a9
Instruction Fuzzy Hash: 61A11731B0DA8A4FE3A5AE1C944537977C6EFA5350F14427ED58EC72D2DE2CAC028782

Function 00007FF8491C9AE9 Relevance: 4.0, Strings: 3, Instructions: 212COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF8491C9C36
HAH, xrefs: 00007FF8491C9BFC
HAH, xrefs: 00007FF8491C9C4D

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: HAH$HAH$HAH
API String ID: 0-2719557456
Opcode ID: a382af54a05455ad1a8543a9d1757cc233a1345c64254bd6802504774e7e0fd0
Instruction ID: e3c31355ce1747515cfea128548d9d543545781039ec2999e05009c7d0be4b02
Opcode Fuzzy Hash: a382af54a05455ad1a8543a9d1757cc233a1345c64254bd6802504774e7e0fd0
Instruction Fuzzy Hash: 78613661A1EACA5FE766AF3844246B57BE0FF56291F0901FAC04DC71C3DE1CA8068799

Function 00007FF8491CA065 Relevance: 3.9, Strings: 3, Instructions: 139COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF8491CA0A9
HAH, xrefs: 00007FF8491CA06F
HAH, xrefs: 00007FF8491CA0E2

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: HAH$HAH$HAH
API String ID: 0-2719557456
Opcode ID: 22b4c4de53753ae57aef774579e557c08c2bd79b1a3aaf9a8d9cc4816b6ec22e
Instruction ID: 42785e1d2232d77651ca2c881607b09caa9e1cc6466bd67da42bdf5d09cd80a9
Opcode Fuzzy Hash: 22b4c4de53753ae57aef774579e557c08c2bd79b1a3aaf9a8d9cc4816b6ec22e
Instruction Fuzzy Hash: 8A31E522F0DE9E4FE7A6AA7C545A2B93BD1EF996A1B0401B7D40DC3287DE185C028785

Function 00007FF849275160 Relevance: 3.9, Strings: 3, Instructions: 105COMMON

Download Yara Rule

Strings

`9I, xrefs: 00007FF849275167
`9I, xrefs: 00007FF8492751ED
`9I, xrefs: 00007FF8492751B2

Memory Dump Source

Source File: 00000000.00000002.3384230445.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849270000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: `9I$`9I$`9I
API String ID: 0-1207566838
Opcode ID: f491527d0f2bcb20d709c6ec78a6be4f26796983c16233b2f81d4c56eabac98d
Instruction ID: 24a7443b54453bb5c091e36735b5d4728c930ea78e41bd32c37778005bd349b2
Opcode Fuzzy Hash: f491527d0f2bcb20d709c6ec78a6be4f26796983c16233b2f81d4c56eabac98d
Instruction Fuzzy Hash: 0C21D321F0ED8B0FF6B6B62C145567596D3EFA8681B5801BAC01DD73DAEE1CEC024344

Function 00007FF8491BFFA7 Relevance: 3.0, Strings: 2, Instructions: 516COMMON

Download Yara Rule

Strings

@8)I, xrefs: 00007FF8491C0363
=$_H, xrefs: 00007FF8491C0170

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: =$_H$@8)I
API String ID: 0-3166064086
Opcode ID: 4d7374a3dbf5971e69953f497502faf1192e0068ca77770664355c4aa736ee9b
Instruction ID: 63606292e4ee0120e0ef6bd5d8754a925d9d4265ea165e39f1727ad55c2139d2
Opcode Fuzzy Hash: 4d7374a3dbf5971e69953f497502faf1192e0068ca77770664355c4aa736ee9b
Instruction Fuzzy Hash: 01020730A1DA8B5FEBA5EB2884546BAB7E1FF55350F1841B9C00DC7596DE2CEC428B84

Function 00007FF8491BC325 Relevance: 3.0, Strings: 2, Instructions: 505COMMON

Download Yara Rule

Strings

X!)I, xrefs: 00007FF8491BC71B
`$_H, xrefs: 00007FF8491BC46D

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: X!)I$`$_H
API String ID: 0-489335329
Opcode ID: a17fb7ba944caae66c9c6484142bac3dbe3617e6226228d7728486073a9d75cc
Instruction ID: 1bdd542eaa2f817dbb15accb049c649c5f6f24fef2a7526f336c19a0dc662cbb
Opcode Fuzzy Hash: a17fb7ba944caae66c9c6484142bac3dbe3617e6226228d7728486073a9d75cc
Instruction Fuzzy Hash: 66E10632F0DECA4FE3A5EA3C94556B577D2EFA8390B5405BAC04DC7297DD29AC428B40

Function 00007FF8491CE401 Relevance: 3.0, Strings: 2, Instructions: 461COMMON

Download Yara Rule

Strings

>._L, xrefs: 00007FF8491CE5D2
=#_L, xrefs: 00007FF8491CE770

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: =#_L$>._L
API String ID: 0-3081118795
Opcode ID: 3ef1a4151155e174ce20ab62aa0824de8a4bebdecbe233c842ac335974862eb7
Instruction ID: 0bb792202bfac2dc38a10cdfadd76316d82d74bb80ce2e2a832f153811e06da7
Opcode Fuzzy Hash: 3ef1a4151155e174ce20ab62aa0824de8a4bebdecbe233c842ac335974862eb7
Instruction Fuzzy Hash: D7E1A230A1CA4A8FE758EF18D89966977E1FF98340F1441BDE44DC7296DE38AC42CB45

Function 00007FF8491BA609 Relevance: 2.9, Strings: 2, Instructions: 439COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF8491BA98E
HAH, xrefs: 00007FF8491BA69A

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: HAH$HAH
API String ID: 0-524784639
Opcode ID: bba85881b4b17c954ee4ce6430eeef9086de9a4ac1f8983afbcaacaf560dd6b9
Instruction ID: 03afe59b8076aa140b50b3fa3afeee154c7ccf2fb7975c9eb6034dc6b995826f
Opcode Fuzzy Hash: bba85881b4b17c954ee4ce6430eeef9086de9a4ac1f8983afbcaacaf560dd6b9
Instruction Fuzzy Hash: E8D1A530A1C9498FDBA4FF28C4557B977E2FFA9341F55417AD04EC3292DE38A8468B41

Function 00007FF8491CDDED Relevance: 2.8, Strings: 2, Instructions: 338COMMON

Download Yara Rule

Strings

(!{w, xrefs: 00007FF8491CE0DB
0'{w, xrefs: 00007FF8491CE09D

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: (!{w$0'{w
API String ID: 0-3916860119
Opcode ID: 37e87a48f4b03e548c93e0ebf42dc8b0cecfe6e930f4f69014b5396e10cb4f87
Instruction ID: 8132f94ff46ce8d3c1b537d2665c2c6bd77c8a8444db972fb2534b3e2040bf41
Opcode Fuzzy Hash: 37e87a48f4b03e548c93e0ebf42dc8b0cecfe6e930f4f69014b5396e10cb4f87
Instruction Fuzzy Hash: F9B1187190D7C64FE376AF24889A5A43BE0EF563A0F0501FAC48ECB5E3DA1C5C1A8B55

Function 00007FF8491C171C Relevance: 2.8, Strings: 2, Instructions: 305COMMON

Download Yara Rule

Strings

0U)I, xrefs: 00007FF8491C180C
+$_^, xrefs: 00007FF8491C1901

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: +$_^$0U)I
API String ID: 0-2647879492
Opcode ID: 92783d42d3130d1edda840a53e259b6595b5ef1cb97a3c2808bd271d0556027b
Instruction ID: efdbadf13d90601f9cfc706d12d25fe985daab0e41ce1dcbb1f35cb2ba053c7f
Opcode Fuzzy Hash: 92783d42d3130d1edda840a53e259b6595b5ef1cb97a3c2808bd271d0556027b
Instruction Fuzzy Hash: 8191F82291E2D25FD361BB7CA4565E57BA0EF423B4F0806B7D1CC8E093DE1C6486C7A9

Function 00007FF8491BD9F4 Relevance: 2.8, Strings: 2, Instructions: 258COMMON

Download Yara Rule

Strings

PTI, xrefs: 00007FF8491BDA1A
PTI, xrefs: 00007FF8491BDA4B

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: PTI$PTI
API String ID: 0-2819014074
Opcode ID: b22894823a8c8efa9324f25b94dd40746703a4c6b48797c888b386bef9112378
Instruction ID: 75f9d1a0e2f82565b94b20ee01779dfa31a169a2a995296e0a3d7cc624dbd5d9
Opcode Fuzzy Hash: b22894823a8c8efa9324f25b94dd40746703a4c6b48797c888b386bef9112378
Instruction Fuzzy Hash: 05714AA2D0E6C15FE2296A3868161B57FE6EF92791F5840FFC04C8B197EC1D8C468793

Function 00007FF8491BCDE9 Relevance: 2.7, Strings: 2, Instructions: 152COMMON

Download Yara Rule

Strings

CI, xrefs: 00007FF8491BCEBC
CI, xrefs: 00007FF8491BCEF7

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: CI$CI
API String ID: 0-3839224169
Opcode ID: 2534cf4f2d49d99b55ae42107b4218d42e448fed1200cc15c2551b00080ae754
Instruction ID: 361829b927967d001d892bcc52ccd0bf6ab2b19c2cb3f487741abb22818c104c
Opcode Fuzzy Hash: 2534cf4f2d49d99b55ae42107b4218d42e448fed1200cc15c2551b00080ae754
Instruction Fuzzy Hash: 38413632D0DAC68FD3AADE3C98551B57FE2EF65790B0841BEC049C7197DE2CA8498781

Function 00007FF8491CA037 Relevance: 2.6, Strings: 2, Instructions: 146COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF8491CA0A9
HAH, xrefs: 00007FF8491CA0E2

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: HAH$HAH
API String ID: 0-524784639
Opcode ID: 633cb7bb3c7f9360cbdfa4a557d7b7b32bdb39111b815e8951f5829d43689e32
Instruction ID: 606566410f5530de782298b072abd3720f3fa2c2e118272078c498832cc139cb
Opcode Fuzzy Hash: 633cb7bb3c7f9360cbdfa4a557d7b7b32bdb39111b815e8951f5829d43689e32
Instruction Fuzzy Hash: 5941E322F0DE9E4FE7A6AA7C645A2F927D1EF99AA0B0401B7D40DC3287DE185C024785

Function 00007FF8492701BA Relevance: 2.6, Strings: 2, Instructions: 132COMMON

Download Yara Rule

Strings

x6{w, xrefs: 00007FF8492701EC
"$_L, xrefs: 00007FF8492701D2

Memory Dump Source

Source File: 00000000.00000002.3384230445.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849270000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: "$_L$x6{w
API String ID: 0-582180185
Opcode ID: 597905f4689f964bd4621b0555c6a6a44f717bc33c6845fe13757c9d9e868b0d
Instruction ID: 8357556b59c65dfac0f91c350c99d2634e4b18bc1ec8e8f0f29836dbb8ff85f2
Opcode Fuzzy Hash: 597905f4689f964bd4621b0555c6a6a44f717bc33c6845fe13757c9d9e868b0d
Instruction Fuzzy Hash: 09312932E5DAD61FF369EA6C182A2B577D2EB55220F0401FED48AC72D3DD0C5C468386

Function 00007FF849275566 Relevance: 2.6, Strings: 2, Instructions: 95COMMON

Download Yara Rule

Strings

AI, xrefs: 00007FF8492755A4
AI, xrefs: 00007FF8492755DF

Memory Dump Source

Source File: 00000000.00000002.3384230445.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849270000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: AI$AI
API String ID: 0-3819236666
Opcode ID: 86772b4f513dc302045fd8c32b75c1f2ee32f517361cb310ae2a0371d20c8bf5
Instruction ID: 368bd8169d7ea062242f202b5a6825fb23dd79009f0b713074bfaa5c39142397
Opcode Fuzzy Hash: 86772b4f513dc302045fd8c32b75c1f2ee32f517361cb310ae2a0371d20c8bf5
Instruction Fuzzy Hash: 7A21C221F1DD8B0FF7A9B62C1455239A6D3EFA8690B5801BAD41ED33DADE2CDC024344

Function 00007FF8492748CD Relevance: 2.6, Strings: 2, Instructions: 92COMMON

Download Yara Rule

Strings

-I, xrefs: 00007FF849274904
-I, xrefs: 00007FF84927493F

Memory Dump Source

Source File: 00000000.00000002.3384230445.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849270000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: -I$-I
API String ID: 0-1773288320
Opcode ID: a4606b5860b76476b073143626bd531a5333ea7dc204bef722f6baf3abc36479
Instruction ID: e2c75439d04fa47f5172cddd061e2107666eb6efe1f2c6925d42dace70b1207c
Opcode Fuzzy Hash: a4606b5860b76476b073143626bd531a5333ea7dc204bef722f6baf3abc36479
Instruction Fuzzy Hash: B521AF21B1DD9B4FF6A9B63C1465235A6D3EF98690B6900BAC01ED32C7DE28EC424344

Function 00007FF8491D2356 Relevance: 1.9, Strings: 1, Instructions: 668COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF8491D2960

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: HAH
API String ID: 0-1579723087
Opcode ID: 3ec088a03040fca5586f6de0c01734d24230c76f19c778c029212e2792659415
Instruction ID: caf89e04bf78a4cdb91f7a646e625bc86ff3116a8fc024e70769eaa619c6a578
Opcode Fuzzy Hash: 3ec088a03040fca5586f6de0c01734d24230c76f19c778c029212e2792659415
Instruction Fuzzy Hash: E3228530A1CA598FEBA8FF288455AA977E1FF59340F1446B9D04DD3296DE38BC41CB41

Function 00007FF8491B2440 Relevance: 1.8, Strings: 1, Instructions: 525COMMON

Download Yara Rule

Strings

d, xrefs: 00007FF8491CAC99

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: d46ce72152876e7c4bf94ff970ee19b742ec638a68c51fb0bf6d0870e1127dba
Instruction ID: fd5368cfcb6e1d8e4309c9f73dfe2b9492c576b9b05c2c04ac752cef556a6397
Opcode Fuzzy Hash: d46ce72152876e7c4bf94ff970ee19b742ec638a68c51fb0bf6d0870e1127dba
Instruction Fuzzy Hash: C2F10F30A1CA4A8FD769EF18C485575B3E1FF98351B2445BED44AC728ADE39EC42CB84

Function 00007FF848F336A9 Relevance: 1.6, APIs: 1, Instructions: 138fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32 ref: 00007FF848F33787

Memory Dump Source

Source File: 00000000.00000002.3381734664.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_O9MV0lNEO5.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: d21efb9fc0594229928061e9b27efb779169fa5bf38a57f5a594c4d8b4641f04
Instruction ID: 99bf83486461694e482727c989ebb651c25b8568304b4a65e58b3494f7589f55
Opcode Fuzzy Hash: d21efb9fc0594229928061e9b27efb779169fa5bf38a57f5a594c4d8b4641f04
Instruction Fuzzy Hash: 7E41267180DA8C9FDB59EB6C98496E9BBF0EF55310F04426FC049C7692DB286846CB91

Function 00007FF848F336ED Relevance: 1.6, APIs: 1, Instructions: 109fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32 ref: 00007FF848F33787

Memory Dump Source

Source File: 00000000.00000002.3381734664.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_O9MV0lNEO5.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 12a978a7d64d4be999c37851673eaf7895d04f8dd85055056b2b2d35d73e852c
Instruction ID: bd0857139c637e3d656f6939c2c5d2261291599736083015069bef7f165a7908
Opcode Fuzzy Hash: 12a978a7d64d4be999c37851673eaf7895d04f8dd85055056b2b2d35d73e852c
Instruction Fuzzy Hash: F231DE7180CA5C8FDB58DB589849AE9BBF0FF65321F04422BD049D3692DB78A8468B91

Function 00007FF8491CA9C1 Relevance: 1.6, Strings: 1, Instructions: 321COMMON

Download Yara Rule

Strings

d, xrefs: 00007FF8491CAC99

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 4ef20c6adef88fb074ed855eb1de4cbda33c9d121ef5052f1d29bb8abc421de5
Instruction ID: eb392efdf1078c5948335f588b976461772966fe89999a481cdaf04beafa907b
Opcode Fuzzy Hash: 4ef20c6adef88fb074ed855eb1de4cbda33c9d121ef5052f1d29bb8abc421de5
Instruction Fuzzy Hash: AEA1EF30A1CA898FD769EF08C48557573E1FBA8351B2445BED44AC728ADA39FC43CB85

Function 00007FF8491D572C Relevance: 1.6, Strings: 1, Instructions: 307COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF8491D59D0

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: HAH
API String ID: 0-1579723087
Opcode ID: bb026952c24a6b4aaee9dc3f375a712f509bbf0b2d4691d97149225645bf1a6e
Instruction ID: 50dec31aed0d1a23f6c522bcaea7715ff1a09a0c4ad8ee281502776a647c4a9f
Opcode Fuzzy Hash: bb026952c24a6b4aaee9dc3f375a712f509bbf0b2d4691d97149225645bf1a6e
Instruction Fuzzy Hash: 8A917031B1CA598FEB68FB6894556BDB7E1FF98350F540179D00EC7296CE3CA8428B80

Function 00007FF8491B76BA Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF8491B76F0

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: HAH
API String ID: 0-1579723087
Opcode ID: 9fbe7ba7646c88bfba6edf5ced93366257e35f4f172ee396b8751e7c692c13a2
Instruction ID: 7c67c4307b2f1f380004916be720fdda0d75aed9baff37617c7e0230db1b76ef
Opcode Fuzzy Hash: 9fbe7ba7646c88bfba6edf5ced93366257e35f4f172ee396b8751e7c692c13a2
Instruction Fuzzy Hash: 61716D32A1EA890FE3A8EA3C98495B17BD5FFA5360B1501FAD04DC7593ED1CAC428351

Function 00007FF8491CFF7B Relevance: 1.5, Strings: 1, Instructions: 259COMMON

Download Yara Rule

Strings

`"{w, xrefs: 00007FF8491D004E

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: `"{w
API String ID: 0-587333171
Opcode ID: 96dd2bb173a12bb5fea356861b3b47c88155650fd95f50df1c1be95c52e23f4e
Instruction ID: 2ba8c53c20d744e282939e17673cb28ff13e95c27698f0f9cd5f1dd7f132a215
Opcode Fuzzy Hash: 96dd2bb173a12bb5fea356861b3b47c88155650fd95f50df1c1be95c52e23f4e
Instruction Fuzzy Hash: A581F87190DBC54FD779EF3C94165A97BE1EF56340B1505FEC08ECB2A2DA2CA8068781

Function 00007FF8491CCD7E Relevance: 1.5, Strings: 1, Instructions: 253COMMON

Download Yara Rule

Strings

x8{w, xrefs: 00007FF8491CCF08

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: x8{w
API String ID: 0-2803738597
Opcode ID: 7a00ec0e44ba1693d8e9cbf5000849b82962d0dab04680b021c5f398ba19a826
Instruction ID: 3f4809f1a03735a19686edfafcfbf21790538d8b6c3a83d13d70b113153572cb
Opcode Fuzzy Hash: 7a00ec0e44ba1693d8e9cbf5000849b82962d0dab04680b021c5f398ba19a826
Instruction Fuzzy Hash: E671B631B1C99D8FDB65EB6CD4556A9BBE1FF99350F0401AAE00DC7692CE289C41CB81

Function 00007FF8491C2139 Relevance: 1.5, Strings: 1, Instructions: 213COMMON

Download Yara Rule

Strings

"$_^, xrefs: 00007FF8491C2201

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: "$_^
API String ID: 0-2781572093
Opcode ID: 78859803a9a75f7622d195256ccfe09bd5abb2143e0831719182af7021668ac4
Instruction ID: c7dd4dca5d5b3c9ca4a2e01c0d72f213131da6975dedb9940581bb9588252158
Opcode Fuzzy Hash: 78859803a9a75f7622d195256ccfe09bd5abb2143e0831719182af7021668ac4
Instruction Fuzzy Hash: 8C61C47291E6998FD751FF28E8925E67770EF05364B0446B6D04CCF0A3CA2CA441CB99

Function 00007FF8491C2150 Relevance: 1.5, Strings: 1, Instructions: 202COMMON

Download Yara Rule

Strings

"$_^, xrefs: 00007FF8491C2201

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: "$_^
API String ID: 0-2781572093
Opcode ID: d0b379cd20e46064df4a684f380ff1dc5eb402573069e9949eb2d4ce182356ab
Instruction ID: 08cc186a29074156c4f1d80fe69ed732b89f76f54664e1da61a598330c69c8e7
Opcode Fuzzy Hash: d0b379cd20e46064df4a684f380ff1dc5eb402573069e9949eb2d4ce182356ab
Instruction Fuzzy Hash: A451C37291A65A8FD755FF6CF8825EA77A0FF14368B044676D04C8F0A7CE2CA4418B98

Function 00007FF8491C3805 Relevance: 1.5, Strings: 1, Instructions: 202COMMON

Download Yara Rule

Strings

@, xrefs: 00007FF8491C3A01

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: aaa08c5209c9bd4f660b883dfe1b9b81398dadf5e0377e6a77ee1d4aebd3495d
Instruction ID: 213a0287755bbc345f55bbbd5cb7e3e94aecba4c539a760a6a9f50a2cee1cee0
Opcode Fuzzy Hash: aaa08c5209c9bd4f660b883dfe1b9b81398dadf5e0377e6a77ee1d4aebd3495d
Instruction Fuzzy Hash: EA71607091DA599FEBA5EF6888557ACB7F1FF59340F5400B9C00DE7292CB38A846CB05

Function 00007FF8491C8C5D Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

x6{w, xrefs: 00007FF8491C8C8C

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: x6{w
API String ID: 0-2911079151
Opcode ID: ae2bfdb4d53fed88e74e3425de3ffd9a1ace2b5e09aa46a9cf5b8e37e7d2a783
Instruction ID: c769b69ff9ae91fd33e162fce3681b7bbcb48290d367989e351014fadd13c8af
Opcode Fuzzy Hash: ae2bfdb4d53fed88e74e3425de3ffd9a1ace2b5e09aa46a9cf5b8e37e7d2a783
Instruction Fuzzy Hash: B251E67094DA899FE751FF7888596FD7BE0EF59350B0801FAD409DB2A2DA2C9C41CB44

Function 00007FF8491BE3A9 Relevance: 1.4, Strings: 1, Instructions: 163COMMON

Download Yara Rule

Strings

X7)I, xrefs: 00007FF8491BE504

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: X7)I
API String ID: 0-1168076187
Opcode ID: 323f84af9479f69c1980417ffc92d389794960c8f34791d84f0936877a6d1f56
Instruction ID: c26964edaaf95300379135a431aac0f286a14654453be6b1c89ce3918561a011
Opcode Fuzzy Hash: 323f84af9479f69c1980417ffc92d389794960c8f34791d84f0936877a6d1f56
Instruction Fuzzy Hash: 1E412771A6EACA1FDB85FB7894554EA7BE1FF55350B0405BAD40AC718BDE2CE8038780

Function 00007FF8491C89BD Relevance: 1.4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

x6{w, xrefs: 00007FF8491C89EA

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: x6{w
API String ID: 0-2911079151
Opcode ID: 47f03aa4f8c717c205034c7d6cc638af567625ddff4ff2fa1e69f465dd10cfc6
Instruction ID: 7008988ba82f1f99e391d994efe606a273cfa06a4cee3cf743b982d5f7f3887e
Opcode Fuzzy Hash: 47f03aa4f8c717c205034c7d6cc638af567625ddff4ff2fa1e69f465dd10cfc6
Instruction Fuzzy Hash: 8A51A37090DA8A5FEB95EF78885A2AD7BE1EF45344F4800BAD409C71E2DB2C9841CB40

Function 00007FF8491C10F2 Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

K3, xrefs: 00007FF8491C116E

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: K3
API String ID: 0-411264050
Opcode ID: 77707b92abbca863fc1117ed8edd96caeb6ae626516d818033a893e96ac6c351
Instruction ID: 898b26aa51d63fec392c3e660afc719bf4e19740a1caaf0fb5b61d8c2301920e
Opcode Fuzzy Hash: 77707b92abbca863fc1117ed8edd96caeb6ae626516d818033a893e96ac6c351
Instruction Fuzzy Hash: 0C41F42391E6A95FDB41BB68B8911EA3B60FF05334B0416B7D08C8F0A3CE6C6855C7D9

Function 00007FF8491C9FCF Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF8491CA0E2

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: HAH
API String ID: 0-1579723087
Opcode ID: 8d6197a25fd08fbc5f673d0d9a8356f4d4771c1c6eaf7ff152107f8dd4830cf7
Instruction ID: 93713adefaa16fabb895a81b1fb3335c6b7be19b8111beb30b5e80ba1bcb2e04
Opcode Fuzzy Hash: 8d6197a25fd08fbc5f673d0d9a8356f4d4771c1c6eaf7ff152107f8dd4830cf7
Instruction Fuzzy Hash: 50313B31B0DE8E0FE7A2AB7CA8551F977D1EF992A1B4401B7D409C7286DE1C9C428785

Function 00007FF8491C8F1D Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

x6{w, xrefs: 00007FF8491C8F4A

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: x6{w
API String ID: 0-2911079151
Opcode ID: 781c67129398f7224a756783386ebee7e86f72a5ecd5cda17c7d69747299bc8a
Instruction ID: c428a49a6dee49f221597a1ca69f63353c74311c2e3ff68e57341cef4f245f19
Opcode Fuzzy Hash: 781c67129398f7224a756783386ebee7e86f72a5ecd5cda17c7d69747299bc8a
Instruction Fuzzy Hash: 8D41A370A5DA8A9FEB95EF6888592FD77E1FF09350F4404BAD009C72A2DB2C9C41CB45

Function 00007FF8491C1148 Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

K3, xrefs: 00007FF8491C116E

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: K3
API String ID: 0-411264050
Opcode ID: 87d8d98684aae0562d80d67a9de3f370e4372cbd56619a0190a0dbe455796d8c
Instruction ID: 73b3ddb011727e44f08239c9f2cfe77e9569f3968486189c24445cfa02d458fc
Opcode Fuzzy Hash: 87d8d98684aae0562d80d67a9de3f370e4372cbd56619a0190a0dbe455796d8c
Instruction Fuzzy Hash: 4C31043291EAA94FCB41FF68B8911EA77A0FF45334B0416B7D44C8F193CA6C685687D4

Function 00007FF8491BCA76 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

Y$_H, xrefs: 00007FF8491BCB6E

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: Y$_H
API String ID: 0-3978426673
Opcode ID: 636b9394518c9e094dde96c65551fded60dfd7fddbf4e3767d53a380ac6c9714
Instruction ID: cd500dc274872f4861886685fa9969bf65dafc3745f4bac5d576ba7d3230706d
Opcode Fuzzy Hash: 636b9394518c9e094dde96c65551fded60dfd7fddbf4e3767d53a380ac6c9714
Instruction Fuzzy Hash: E8310771D1D9CA5FE799EB3858591BE7BE2FFA4390B0444B9C46DC7182DE2C68068700

Function 00007FF8491BC776 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

`")I, xrefs: 00007FF8491BC79E

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: `")I
API String ID: 0-1793973326
Opcode ID: 9cda2962eb12b99c3f49cdfd3f5aa9bd9f27f1895a0f32af3fb1591ae740efdb
Instruction ID: a3de50549095767f73b1db2ee216efce36f140a8418cd62bc9f2aec60c91d37c
Opcode Fuzzy Hash: 9cda2962eb12b99c3f49cdfd3f5aa9bd9f27f1895a0f32af3fb1591ae740efdb
Instruction Fuzzy Hash: 8C21D662E2EACA1FE399EA3C54596B667D2FFA8350B0445BBC04EC7183DD1CA8058740

Function 00007FF849270732 Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

x6{w, xrefs: 00007FF84927074D

Memory Dump Source

Source File: 00000000.00000002.3384230445.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849270000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: x6{w
API String ID: 0-2911079151
Opcode ID: 633ad26a335392af0ad5014bc28667af541c4fc52a37c3c73301349568a43064
Instruction ID: 5ed971b9c9a10f7a12b079cbc8f70d0339876e959f982111ba181d018f2b9e45
Opcode Fuzzy Hash: 633ad26a335392af0ad5014bc28667af541c4fc52a37c3c73301349568a43064
Instruction Fuzzy Hash: 35213821D6EA965FF3A8EA6C481A17537C2EF29720F0801FEC449C71E3DD0C6C058286

Function 00007FF8491CD411 Relevance: .7, Instructions: 735COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23276d15d52a4fbb3b74a7bcae50ce030bbacc01cf561f42982d78682178092e
Instruction ID: 486770573e4bd0e0bfc356e510c8f619657710a1b9f98411a187b17523be88cb
Opcode Fuzzy Hash: 23276d15d52a4fbb3b74a7bcae50ce030bbacc01cf561f42982d78682178092e
Instruction Fuzzy Hash: D4325134A1C98A8FDB99FF28C495AA977E1FF59340F1401A9D40DC7296CE39EC42CB84

Function 00007FF8491CD446 Relevance: .7, Instructions: 724COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9adf45942983a770e575fc717af948103dbcd36d56dd95470a31df44a2d0b06f
Instruction ID: 7e531d30ca9360f05a4073f28b1809b67828e1a33fdb1c88127ea7ff95fe4bb7
Opcode Fuzzy Hash: 9adf45942983a770e575fc717af948103dbcd36d56dd95470a31df44a2d0b06f
Instruction Fuzzy Hash: 01325134A1C98A8FDB99FF28C495AA977E1FF59340F1401A9D40DC7296CE39EC52CB84

Function 00007FF8491CD3FC Relevance: .7, Instructions: 707COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d28de0acc623435378f0df767edbb1486bd658baace50ef04322180ffa759d05
Instruction ID: dfd215ed379591c3a652eeea055b472af279e21cb09a39e588b7fb585103a913
Opcode Fuzzy Hash: d28de0acc623435378f0df767edbb1486bd658baace50ef04322180ffa759d05
Instruction Fuzzy Hash: 86324030A1C98E8FDB95EF28C495AA977E1FF59344F1401A9E40DC7296CE39EC52CB84

Function 00007FF8491B8C79 Relevance: .5, Instructions: 510COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20c03278d1b2f441f821d51c6a95eea31d9851f9ccab60a148d0492a74578eb6
Instruction ID: cf093b5b4c45b05532936b15c103ad2372e05eb13ab78a59c40b592b53615909
Opcode Fuzzy Hash: 20c03278d1b2f441f821d51c6a95eea31d9851f9ccab60a148d0492a74578eb6
Instruction Fuzzy Hash: 6EF1B330A0CA494FEB69EE2884457B977E6FF69350F1441BED44ED76D2CE3CA8428B41

Function 00007FF8491D4A39 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a73e502e9ff7e974357415f1038958d70f61a239150bdd2b61836cb3e5f2a9d3
Instruction ID: 724d99907941b0aa09213e6528e895b69059fbde2e3fde6d3ef39e7df8004d12
Opcode Fuzzy Hash: a73e502e9ff7e974357415f1038958d70f61a239150bdd2b61836cb3e5f2a9d3
Instruction Fuzzy Hash: BDC19430B1CA498FEB68EF6C9455AB977E1FF59750F140279D04EC32D2DE28AC428B85

Function 00007FF8491D2399 Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8410bfc5cd5ed86353ffb00f8a9f479549082a3a9319a639f91159a962d34e10
Instruction ID: b379f091c79a5cfd7c4fc9b77b25794e274c498cf7142e4a1d622881114bf797
Opcode Fuzzy Hash: 8410bfc5cd5ed86353ffb00f8a9f479549082a3a9319a639f91159a962d34e10
Instruction Fuzzy Hash: 48D18530A1CA994FEBA9EF28C455BA977E1FF59340F1406A9D40DC3296DE38BC41CB81

Function 00007FF8491B2D79 Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da38616869d7b02eba68148de57390d6a601976555563f9cae60a33d30d5a54e
Instruction ID: 162acd8a93df4213336c8a4238993c46aaf4ec1830226573366f4ce5af35ca17
Opcode Fuzzy Hash: da38616869d7b02eba68148de57390d6a601976555563f9cae60a33d30d5a54e
Instruction Fuzzy Hash: ADB14771A1EACA4FE365FF3898551A97BE1EF69350B0405BAD049CB592DE2C9C0ACB40

Function 00007FF8491B8DFC Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9167c9164a7cf84a64ef0566a7ff367237a2bfdcb78e5316f4c9ba26fbd6f098
Instruction ID: 9dbe6d7116c0281fc4376165f26c6b7394ca472cfb03aa29e5ca554b21762008
Opcode Fuzzy Hash: 9167c9164a7cf84a64ef0566a7ff367237a2bfdcb78e5316f4c9ba26fbd6f098
Instruction Fuzzy Hash: C1B12430A0CA864FF769AB2884443B977D6EF65394F1441FDD48EC76D3DE2CA8868710

Function 00007FF8491B3180 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e82c89c5a9f8be587dc449116947bdb4cc87b03692389ddb30002e71b371a1c
Instruction ID: 7208efe0973f90b7d9c132919935c45d6dc68e427f152720a0d32954a3875e75
Opcode Fuzzy Hash: 1e82c89c5a9f8be587dc449116947bdb4cc87b03692389ddb30002e71b371a1c
Instruction Fuzzy Hash: C6A19F31A1DA4A4FDBA9FF2894512FD77E2EF98350F54417AD44EC72C2DE2CA8128B44

Function 00007FF8491C7CF6 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e8f7be6d8d443e470d2d59af69e102aee9211e60c4062c550a6c45b007c2db5
Instruction ID: 25488fb69bcc3abb85a3cd2b0d599b86d5614dbd0fbd83d50770e8704e37cdd9
Opcode Fuzzy Hash: 8e8f7be6d8d443e470d2d59af69e102aee9211e60c4062c550a6c45b007c2db5
Instruction Fuzzy Hash: 64B1A33050CA8D4FEBA8EF28D8557F93BE1FF55350F14426AE84DC7291CA789845CB86

Function 00007FF8491B34A1 Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9317467acf1e2e1066a184b7eecd6147b331c331e242261000f19f8f6731ca9a
Instruction ID: b97ea35a3d4aeb9551ac2d465665c0a58f47cad702eaafcb49d53fb73aed98c5
Opcode Fuzzy Hash: 9317467acf1e2e1066a184b7eecd6147b331c331e242261000f19f8f6731ca9a
Instruction Fuzzy Hash: A5912831A0EB894FD7AAEF2884155B5BBE5EF65350F0405BEC04DC7293DE2CA8568780

Function 00007FF8491D2FAC Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a40cd7172550ada3d3258e02f4a9f8bb9d2a980e78018dc6fa0731a2e30c7aeb
Instruction ID: 502ddcae520ef5202c317eab5222096893774f7278c78adbe9e938d70131bda4
Opcode Fuzzy Hash: a40cd7172550ada3d3258e02f4a9f8bb9d2a980e78018dc6fa0731a2e30c7aeb
Instruction Fuzzy Hash: DFA1DB31A1C94E8FDF94FF68C895EA977A1FF68384F540564E40DD7296CA28EC42CB84

Function 00007FF8491B9000 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f6190cb240a752d06b3263f7c20526dad73c7bbdf59791362ecc3e6f8c3b2ee
Instruction ID: 2b945e6d531af6260680ddd75bd3755207dc49bf08c8c9fcc0a0e6842c31a4f5
Opcode Fuzzy Hash: 1f6190cb240a752d06b3263f7c20526dad73c7bbdf59791362ecc3e6f8c3b2ee
Instruction Fuzzy Hash: C2A1C130A0CA494FEB64EB2C84457A9B7E2EF59354F1441BDD48EC76D3CE3CA8868B41

Function 00007FF8491D38B4 Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d342185af0cff00c95499e06fc0eda842c623f6612e259976342c7065be1d1a3
Instruction ID: cae07819e63c218c6c60d15a99de69d9203dd2152b4bf834ada600bc68705a8c
Opcode Fuzzy Hash: d342185af0cff00c95499e06fc0eda842c623f6612e259976342c7065be1d1a3
Instruction Fuzzy Hash: B1815031B1CE594FDBA8EF289455AB977E1FF59744F040279E04EC3696CE28BC428B81

Function 00007FF8491CC1CA Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcc3d7735074921f5a6ece0dde1aabb5f83b303295245c65026dd3594375bb1f
Instruction ID: 6a81a70c3d1fd3f2a97a4935d00fdc6413521d1bcc077f976a799834b962bc21
Opcode Fuzzy Hash: dcc3d7735074921f5a6ece0dde1aabb5f83b303295245c65026dd3594375bb1f
Instruction Fuzzy Hash: 2E812431F0DACA0FE7A5EA7C98561B87BD1EF99360B0406BAC04DC72D6DE1C9C068785

Function 00007FF8491CD8DF Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 079bb9d28586deda7f2d6313f0717f6f69b2415152c7fb2d5a28c003706d9b56
Instruction ID: d4efee31b6fab48e999e36e93f2df5b8328ed21df319f4486b7d139ad23acc35
Opcode Fuzzy Hash: 079bb9d28586deda7f2d6313f0717f6f69b2415152c7fb2d5a28c003706d9b56
Instruction Fuzzy Hash: 1C916231A0C94A8FDB95EF2CD495AA977E1FF99340F1501A9D40DC7296CE39EC82CB80

Function 00007FF84927214D Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3384230445.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849270000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 344e4286d5ffecbf56bb6ba6f8554c2ba6a1b33620ff97cd006d2a1895c099df
Instruction ID: b47d8f1f51da204d05cc746020ae217bb983aabc121f4356951a9c97f8ef677a
Opcode Fuzzy Hash: 344e4286d5ffecbf56bb6ba6f8554c2ba6a1b33620ff97cd006d2a1895c099df
Instruction Fuzzy Hash: DA816920B2CE9A0FF795BB6D8496376A696FF98240F8441BAD109C72C7DE1CEC058395

Function 00007FF8491B8E4D Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e26f880e616dc5236f8c75cddb587007ac8ba2e72271eb125220b2808f44a69b
Instruction ID: a443bfceec96a47207e5f4209205a95992c4342d9435e3aba1d759f94a01e32f
Opcode Fuzzy Hash: e26f880e616dc5236f8c75cddb587007ac8ba2e72271eb125220b2808f44a69b
Instruction Fuzzy Hash: 4A91F430A0CA8A4FF769AB2C84547B977D6EF65354F1441BDD88EC76D3CE2CA8868710

Function 00007FF8491B8F42 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a84abfd996e34ae1a3c6035ae9b4b848b34ba447202f137ec9b30d2d776c9d7f
Instruction ID: 24e81c3032a67486881ba64023d31be922686caac0d592ff6c9d0511dc55cb02
Opcode Fuzzy Hash: a84abfd996e34ae1a3c6035ae9b4b848b34ba447202f137ec9b30d2d776c9d7f
Instruction Fuzzy Hash: 2981D130A0CA894FE7A9AB2C84547B977D6EF59344F1441BDD88EC76D3CE2CAC868710

Function 00007FF8491B8F7D Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aaaedb01ec4cd9555a307f5ddf4176796a789c81520bee9072f29f88b64cbd7
Instruction ID: b2b0e2df0a77d5b729957285a466ea5d076e9a83e6da7415d93a96dd853b4d8e
Opcode Fuzzy Hash: 2aaaedb01ec4cd9555a307f5ddf4176796a789c81520bee9072f29f88b64cbd7
Instruction Fuzzy Hash: F481C030A0CA494FE7A8EA2D84447B977D6EF59344F1440BDD88EC76D3CE2CE8868700

Function 00007FF8491B8EEB Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f650d609153160f13271b28d6e645b2ed54a6410b6e7feb85e83af9424a58b6
Instruction ID: 2caa1fdc13940011fb6c9784d6c0ad27a40c611cc365c7d3933f4dc01a7b7fb4
Opcode Fuzzy Hash: 0f650d609153160f13271b28d6e645b2ed54a6410b6e7feb85e83af9424a58b6
Instruction Fuzzy Hash: 4781BF30A0CA494FEBA8EA2D84547B977D6EF59344F5440BDD88EC76D3CE2CA8868750

Function 00007FF8491B8ECD Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b98fc63dbffb605f6038e6ac7ad136d7c474bdca9994b57823cdf166bc86512
Instruction ID: b464954e3a21d3223bfe7e3fbd4e6bb91d1c41164ff5b2598cb3cb3aad1b9f37
Opcode Fuzzy Hash: 4b98fc63dbffb605f6038e6ac7ad136d7c474bdca9994b57823cdf166bc86512
Instruction Fuzzy Hash: 3481B030A0CA494FE7A8EB2D84447B977D6EF59354F5440BDD88EC76D3CE2CA8868750

Function 00007FF8491B8DDD Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e79e19101f1c35792e6700f55a38adf8e9e4982331427b04f0ef39fa53422b9a
Instruction ID: bbe2578d381bf422d45308f8707fed1677a66400ee1f555eff3a19e675341f08
Opcode Fuzzy Hash: e79e19101f1c35792e6700f55a38adf8e9e4982331427b04f0ef39fa53422b9a
Instruction Fuzzy Hash: 9081B030A0CA494FE7A9EA2D84447B977D6EF59344F5440BDD88EC76D3CE2CA8868750

Function 00007FF8491B8F26 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ef6f02d18931654e1ec7417661be6a6c3f802740a7b6c43782648006d780368
Instruction ID: 28c80e33f47f4a81d02a6f9c1cfefe7f03f646ad7b3c3773516b07d5e31cdc22
Opcode Fuzzy Hash: 8ef6f02d18931654e1ec7417661be6a6c3f802740a7b6c43782648006d780368
Instruction Fuzzy Hash: 2781B030A0CA894FE7A9AB2D84547B977D6EF59344F5440BDD88EC76D3CE2CE8868710

Function 00007FF8491B8F08 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 552af13be0adf8c1e06ae53f5a30e55bc437128d5446c2bc07cd55283cd2e4f3
Instruction ID: fa68cec09e07fe99b090db33d188952e5bc056110baaa0b984d7ad5d7eede37a
Opcode Fuzzy Hash: 552af13be0adf8c1e06ae53f5a30e55bc437128d5446c2bc07cd55283cd2e4f3
Instruction Fuzzy Hash: 0081B130A0CA494FE7A8EB2D84447B977D6EF59344F5441BDD88EC76D3CE2CA8868710

Function 00007FF8491D4820 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 742c0d6b62f101319e4bf37717aad4bf6436ae99cbf0010f8c697229f0bbb8e9
Instruction ID: c00b42b351e45b853f14981c6efa057c5c212576af588f189bb61d7558d27f5b
Opcode Fuzzy Hash: 742c0d6b62f101319e4bf37717aad4bf6436ae99cbf0010f8c697229f0bbb8e9
Instruction Fuzzy Hash: C9610330B1DA854FE799EB3C9459A647BE1EF99340B1402BEE04DC72E3CE1CAC428781

Function 00007FF8491B8FD5 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48e59c2ecd0c760de655bcdc1877bfa4c046e4edb7ec8c56cba9203fcad040bb
Instruction ID: 44e7c58dd6126d1e91d713733bb3aadedf6c6a4611ce35a57289fd94a8f7913a
Opcode Fuzzy Hash: 48e59c2ecd0c760de655bcdc1877bfa4c046e4edb7ec8c56cba9203fcad040bb
Instruction Fuzzy Hash: 2D71BE30A0CA494FEBA8EA2D84447B977D6EF59344F5440BDD88EC76D3CE2CA8868710

Function 00007FF8491C4BD7 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3e653400da69d4f9589c2dddd21a4d05b7846552e4e169baf41c60402c18807
Instruction ID: 493a5e6c89ee6985917e97d4574993196516f3555dd07c4fd1430b88e29bc833
Opcode Fuzzy Hash: b3e653400da69d4f9589c2dddd21a4d05b7846552e4e169baf41c60402c18807
Instruction Fuzzy Hash: 9F616F3090CA5C8FDB64EF18D8457E9BBF1EF59310F0482AAD44DD3252CE34A9848F85

Function 00007FF8491D20A8 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 549f2ac0125e0cb35a2b020bb3b0177e2823bf0179753007c315a516b89ee15f
Instruction ID: 55e2be5f16045e08e5632302da0cfeee0e4bb0353b649b661df77d3bdd9a8200
Opcode Fuzzy Hash: 549f2ac0125e0cb35a2b020bb3b0177e2823bf0179753007c315a516b89ee15f
Instruction Fuzzy Hash: B3717131A0D9994FEBA4FE289851BA873A1EF5A350F0445F9D01DD3292CE38AD86CF41

Function 00007FF8491C0007 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25800706b6f6e4524da3593ae11389fa3f85f3d0a40aa0006863e941ea528865
Instruction ID: 20f8baa02f898716a891b028177e3a137625b204d21369aa7aa6c7703a5ba69c
Opcode Fuzzy Hash: 25800706b6f6e4524da3593ae11389fa3f85f3d0a40aa0006863e941ea528865
Instruction Fuzzy Hash: EF718320A1D9878FEBA4EB19C050675A7E2FF95380F648276C00EC25C6DF3DE9918B84

Function 00007FF8491D0C6D Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d44f44277aa37a976059a35faf716e14a71c57737a53a86f707f3f71e1954c52
Instruction ID: 169bb996c0f4fd2856a6c76bf56a1cdb73c9408a42a9ffc3f4bdb904960b1a1b
Opcode Fuzzy Hash: d44f44277aa37a976059a35faf716e14a71c57737a53a86f707f3f71e1954c52
Instruction Fuzzy Hash: 1F61077280DAC64FE776EB38641A1A87FE0EF46254F1906FEC489CB193DA1C780AC741

Function 00007FF8491B7750 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d85387b1997e992e2d75afe1b5eb5986e53408e85c09741259a308a4339a295
Instruction ID: 71baf99bb5a99de5b00bd977cc5569da9f3ad5d7169a8f2fcf91e5adc0c35576
Opcode Fuzzy Hash: 3d85387b1997e992e2d75afe1b5eb5986e53408e85c09741259a308a4339a295
Instruction Fuzzy Hash: CF517D32A0EA8D1FE368FA2C984A5717BD5FFA5360B1501BED44DC3693ED1CAC428791

Function 00007FF8491BD5B4 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56fb1d82b85e1011bd9e010b039b1e46f65f863efa84488611d3670f0093d154
Instruction ID: 6754f574c8f75a9b679da3b7e2ad2c254895d5e0f876a384a2b20b9097c7d64d
Opcode Fuzzy Hash: 56fb1d82b85e1011bd9e010b039b1e46f65f863efa84488611d3670f0093d154
Instruction Fuzzy Hash: AB517F71A1D9898FDB98EF2CD454AA977E2FF68354F1405B9E04EC7296CE28EC41CB40

Function 00007FF8491C14BE Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87c9ae9b71f0b961e61391d57f91e83fde2ae7b58ec1502891510395e3e1f0e9
Instruction ID: 0fc8a7034017b042359cd3b9fffbcb015001a95808d35b73c71a2914cbda0bc1
Opcode Fuzzy Hash: 87c9ae9b71f0b961e61391d57f91e83fde2ae7b58ec1502891510395e3e1f0e9
Instruction Fuzzy Hash: 4151283160DAC94FD765EF3884A5AB57BE1EF56350B0801FEC449CB193DE1DA886CB41

Function 00007FF8491B3751 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a78799de7c8174fe8dea70df57f9bbde25399122848dabdf2c68c9edb54e7732
Instruction ID: fa920dd1cb314f3afe6179a3b8b7c454953470443a9c6db23383d5c441013f91
Opcode Fuzzy Hash: a78799de7c8174fe8dea70df57f9bbde25399122848dabdf2c68c9edb54e7732
Instruction Fuzzy Hash: 3E51577150EACA1FE766BA3858042B57BD1DF52364F1406BED4C9C74E3EE1DA8438782

Function 00007FF8491B91FD Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77637ff84f5affb6019161caa07f129ae83a200e11341cd9fb9b4940b7c7cc23
Instruction ID: ffdbb528dc73d05410d3332522bbc38411dfd3bf897339ee88d9ef4df3b04e71
Opcode Fuzzy Hash: 77637ff84f5affb6019161caa07f129ae83a200e11341cd9fb9b4940b7c7cc23
Instruction Fuzzy Hash: B451C220A0CA460FE79DAA2980453B9B7C2FF99354F1441BDD88FC7AD3CE2CEC464654

Function 00007FF8491D0061 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31b9bf9c8ed42474ab270460a94f7676b3a260c3ee7ce809207b527ed212656b
Instruction ID: 441a3335adde1e4c277acbfdc3682a48068b4e3953514f7916ca866d8e83104b
Opcode Fuzzy Hash: 31b9bf9c8ed42474ab270460a94f7676b3a260c3ee7ce809207b527ed212656b
Instruction Fuzzy Hash: C751E87091DBC54FD779EF2898175657BE0EF56340F1406BEC08AC75A2DA1CF80A8B82

Function 00007FF8491CDC9C Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60f4b303c18cbdb0aebf39eeb43ff6cf0572f81ca8a980cd802f037c8125897c
Instruction ID: 39b8ac8d6d977521f15b896695b065c29be67e40c9cb798e0f92c4afa6200c0f
Opcode Fuzzy Hash: 60f4b303c18cbdb0aebf39eeb43ff6cf0572f81ca8a980cd802f037c8125897c
Instruction Fuzzy Hash: E9411331B1DA8A0FD7A5FB2894906B177E1EF99360B1501BAD04DC72C2DE19EC428784

Function 00007FF8491BD470 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28cd05c386cc1cfae5aebcfa8ef648c5d01d51f024011f472ee96beae6817c5f
Instruction ID: 5910d3df0986eed5332342acf10f80f14229494c286d7679ff80afd24bc9ff57
Opcode Fuzzy Hash: 28cd05c386cc1cfae5aebcfa8ef648c5d01d51f024011f472ee96beae6817c5f
Instruction Fuzzy Hash: FB41687490CAC74FE37EEA2888592B57BE6EF65390F0800BAD44EC7592DD1CAC81CB51

Function 00007FF8491B7A72 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3ef4a9f629427e7d12caad813924982a6d648d3ffa660fb9a4a3206ab290a03
Instruction ID: 7ab9be676c900dff1e47e7c40d6c7ca6ebaf567487bb6a3e6c4887da52f6d29d
Opcode Fuzzy Hash: f3ef4a9f629427e7d12caad813924982a6d648d3ffa660fb9a4a3206ab290a03
Instruction Fuzzy Hash: 3D41B53050C7C84FDB69AF2C94557B57BE5EF96350F28016EE48AC3292CA29E841CB41

Function 00007FF8491B20B0 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49ffbc195e537bb17bf6e6c89d22cfa6918b35bb92e2a5e31a67e0f379f1d71a
Instruction ID: c35315e85da195177d4ad31883156c2c0bbe4b817d37145fb4101e86b3b79eeb
Opcode Fuzzy Hash: 49ffbc195e537bb17bf6e6c89d22cfa6918b35bb92e2a5e31a67e0f379f1d71a
Instruction Fuzzy Hash: AC41977382F5959ED2817BB8B8421E53760EF2166CF0D46B6D09DCE0D3DF1C648486A9

Function 00007FF8491CEFA0 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66f5301d74a1e6df647731ed0459170ee7768131d3fe9ac472dd5f3d37175490
Instruction ID: 7ff5bd9a2cff7a3a3c308cf7fc3bd599356ff21f8bf878f3201bc02761f7aeac
Opcode Fuzzy Hash: 66f5301d74a1e6df647731ed0459170ee7768131d3fe9ac472dd5f3d37175490
Instruction Fuzzy Hash: 0331E521B0C9594FEAA8EF2D985567827C3EF99B84F0540B9E48EC33D7DD2CAC028745

Function 00007FF8491C28A3 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 620ab2e441ac94f31f67544b2a83b1119953824d4bc35b111be93800c04c2dfa
Instruction ID: 178cf1ea8971e0b8a7b2a05556ef427a711188ee8f84bbd7f4b5d6e708e81cad
Opcode Fuzzy Hash: 620ab2e441ac94f31f67544b2a83b1119953824d4bc35b111be93800c04c2dfa
Instruction Fuzzy Hash: 17418952D1F6D24FE3265A3828151B46FB0FF62B5079D48F5C1448F19BE82CDC0ACB96

Function 00007FF8491BD099 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b0e27227853caacac19d246a09cdac9a72fd10421de462386362e75b7b3a32b
Instruction ID: 05a0f82308aa18845bd22eb70833bb7374319c70e52c2ff6e89a7f06541579a6
Opcode Fuzzy Hash: 6b0e27227853caacac19d246a09cdac9a72fd10421de462386362e75b7b3a32b
Instruction Fuzzy Hash: 52414D7461DA8A8FDB99EF28C451BA937A2FF55344F5400B9E40ECB1D2CB39E856CB01

Function 00007FF848E1EA00 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3381327395.00007FF848E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e1d000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ead26bf25a92b45e57266f3c87c1e40a66462345e230892e4d9e7ca7e7266228
Instruction ID: fa6df1bd2c543c70284d5200deba4cd95ed08005a1afdebaefee156c92851570
Opcode Fuzzy Hash: ead26bf25a92b45e57266f3c87c1e40a66462345e230892e4d9e7ca7e7266228
Instruction Fuzzy Hash: 7A41C47180DBC54FD796DB2898559623FF0FF56320B1906DFE088CB1A3DA35A846C7A2

Function 00007FF8491D2185 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60ffdb5ed7f6cd74afec0b629be50c4b5359cc28145056f96d84cd7eb406eebd
Instruction ID: b22975b13c9394449fcb33f251e07b00251d361471ddcf77c16cc0a9ed8bccb7
Opcode Fuzzy Hash: 60ffdb5ed7f6cd74afec0b629be50c4b5359cc28145056f96d84cd7eb406eebd
Instruction Fuzzy Hash: 4041FE30A0D95D8FDBA8EF18C891B6873A1FF9A350F1441A8D05DD7692CE38AD86CF44

Function 00007FF8491B2EEE Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63ca354d4cd32981e5553f35d874299e1a3dd03c43f522f3a1617c8fc9d81605
Instruction ID: 64d4edc443c57657ab2ff105f7154618ef72b7347e8c9a3e13c2af4126054fb7
Opcode Fuzzy Hash: 63ca354d4cd32981e5553f35d874299e1a3dd03c43f522f3a1617c8fc9d81605
Instruction Fuzzy Hash: C231373191EBC65FE3AAAB3898955657BE1EF6A26070901FFC009CB197CE5D8C4AC740

Function 00007FF8491D04B0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4214a84361c91f0b3188cfe611692cf25eda3b8eed0e608c469fce990a72f62
Instruction ID: aa417ebe2c0965a90340eaebcdc16400558e1aba8806ec438061800399b6f964
Opcode Fuzzy Hash: a4214a84361c91f0b3188cfe611692cf25eda3b8eed0e608c469fce990a72f62
Instruction Fuzzy Hash: 0A310431B0CD994FD799FF3C98596A9B7E1EF99310B1402BAD04DC7692CE6CAC428781

Function 00007FF8491B3780 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 598099f48573c36bdd049fdc20fea2b6e32465586d39fc05fea2acd7f370ff81
Instruction ID: 69fa65619952c986359457418a74f04b5d573c8f1154c1b7cd5a0354402c4f90
Opcode Fuzzy Hash: 598099f48573c36bdd049fdc20fea2b6e32465586d39fc05fea2acd7f370ff81
Instruction Fuzzy Hash: 6631697150DA4A2FF758FA38880967A37D6EF96360F0405BDD88DC31A2EE2DAC034381

Function 00007FF8491C9A09 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36784bd34ce6cb0650abad6a5184ede69dbef036e629bb25966894aebb645bf6
Instruction ID: 4fc0f7bb4e69e876764c84f0915d286170fb134ed984a0ca43d9a4c8e99b567c
Opcode Fuzzy Hash: 36784bd34ce6cb0650abad6a5184ede69dbef036e629bb25966894aebb645bf6
Instruction Fuzzy Hash: 43310932E0D6C94FD765BF3D58554A87BA0EF96260B0401FFD049C7293DD1D68068789

Function 00007FF8491CF6F0 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de812b9b7ea207458565fbc333666d7f3522d7f2a540828adb8d37b774f9a756
Instruction ID: 3db41aa7e9153e6bad64bcf0bae650119f5157217e6e960753df9a9a5ee444de
Opcode Fuzzy Hash: de812b9b7ea207458565fbc333666d7f3522d7f2a540828adb8d37b774f9a756
Instruction Fuzzy Hash: D731C73150CA494FE7B8EF1CD446AA977D1FF58351F140679D48EC73A1DA28AC068B85

Function 00007FF8491BD295 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73837e6c1999d72c72fec869a2c63dd92c4153f5ee8399e214c77c56f04bbfbc
Instruction ID: 4c556d0c8f59ac173667e7c1a4f97bb59f2bebbee8095b4c32978d9d89cee96f
Opcode Fuzzy Hash: 73837e6c1999d72c72fec869a2c63dd92c4153f5ee8399e214c77c56f04bbfbc
Instruction Fuzzy Hash: D331C27154E7C55FC306DB7488245AA7FF0EF9A254B0902EBE089CB2A3CA2D9946C751

Function 00007FF8491B2DBA Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18750d4df743ce67a360e73f3c6008d0734fef31ec8bcb0d9fa35be65855e397
Instruction ID: ee504c81b829da76f978465cb3757337642491a41a53c3488e0e9c811d824e54
Opcode Fuzzy Hash: 18750d4df743ce67a360e73f3c6008d0734fef31ec8bcb0d9fa35be65855e397
Instruction Fuzzy Hash: B131C371B0D9CA4FD7A1EE1E99495A9B7E5FFB835070405B4E048CBAA1D92C9C0BCB40

Function 00007FF8491C0C78 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afbacf696cf95161789e64f1d578a93525359ad0082731560a20eeb1ab7663fd
Instruction ID: 4960c7c2ab91521a197872a3dd331a57dfe4ba2bd8959eb0d6296bf9e3594536
Opcode Fuzzy Hash: afbacf696cf95161789e64f1d578a93525359ad0082731560a20eeb1ab7663fd
Instruction Fuzzy Hash: 5B31CF32A1D6558FDB9CEE1CA0552FA73E1FF483A5F14463FD04EC6282DE28A8418788

Function 00007FF8492757AE Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3384230445.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849270000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b61792a195bb30feaa918247bf79ca35587612328bac580b8c0e4866472b3925
Instruction ID: 7330a8d66b51829760c9a9db40d462eff1e0efef5a1ec1d3cf49a73ca4b03648
Opcode Fuzzy Hash: b61792a195bb30feaa918247bf79ca35587612328bac580b8c0e4866472b3925
Instruction Fuzzy Hash: C5218221B1DD9B4FF7A9BA2C1455639A6C3EF98690B5902BAC41DC72DAED18DC420384

Function 00007FF849275098 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3384230445.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849270000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d2f7446d015899718ef4225e876913927c9c65a913b9c30dfc15316c51003c9
Instruction ID: dd6942b95426065c6e0ecb8d01583605d089220a92f518faaa9a9bc1d39e6256
Opcode Fuzzy Hash: 2d2f7446d015899718ef4225e876913927c9c65a913b9c30dfc15316c51003c9
Instruction Fuzzy Hash: 8E31C521F0ED9B1FF7B5B63C1455679AAC3EFA9690B5800BAC41DC32CAEE19EC454384

Function 00007FF8491B7390 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91dd6cf8f3a18e49d70517826fdcf8cacf09581cfb831b00c9e3d127909d55e6
Instruction ID: 5844526fe49b16963a2752ed6e22a4eff9b78e1eff6527209d56efb73aa2c2a3
Opcode Fuzzy Hash: 91dd6cf8f3a18e49d70517826fdcf8cacf09581cfb831b00c9e3d127909d55e6
Instruction Fuzzy Hash: E231E221B1CA890FE792FB2CA45417977D2FFA8255F4406BBD84CC36E2DE2CAD858741

Function 00007FF84927522F Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3384230445.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849270000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17a76ef8b79dd627b00764d41203e27ff2123ba4ced35759dd8370f5dc4ca844
Instruction ID: 9c35e05cf3c94a5ee968672a89a393f373fedf23c4c1d70b382994fd68afd829
Opcode Fuzzy Hash: 17a76ef8b79dd627b00764d41203e27ff2123ba4ced35759dd8370f5dc4ca844
Instruction Fuzzy Hash: 41218D21F0DD9B0FF6A9BA2C1455639A6D2EFA8690F5805BAC01ED3296EE19EC424344

Function 00007FF8491CAE7D Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cbccacb092b8919a6bd8413a7f486b78f606e5ae985a057796080040891730b
Instruction ID: 8dc262e8921a5b97bda953287c06e85f778fe75b7d525e082f91bfc15e560998
Opcode Fuzzy Hash: 4cbccacb092b8919a6bd8413a7f486b78f606e5ae985a057796080040891730b
Instruction Fuzzy Hash: 52316E3051CA8E8FDB94FF28C4547AA77A1FF58304F5045AAE41AC7286DB39E851CB40

Function 00007FF8491B3169 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56b01ecdd48c829d53ccd68aba834de441985a51abb20447331a9bcc157fb887
Instruction ID: db4a6d33fa8746edc7b304650789fe970c6a8fb062c47f8ed33cd705bf439151
Opcode Fuzzy Hash: 56b01ecdd48c829d53ccd68aba834de441985a51abb20447331a9bcc157fb887
Instruction Fuzzy Hash: 4F31D13190DB889FD759EF68C8151A97BF2FF9A351F0400BED449C7282DB39A812CB40

Function 00007FF8491C0CD3 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a174587647923ff8ad8aed91be571068030a89faaab31e3ed9056c345463cd7e
Instruction ID: 23f22eb008cd79d0532855a3df129e2d93fff386e2ac3ebb63ae4dc6efc17992
Opcode Fuzzy Hash: a174587647923ff8ad8aed91be571068030a89faaab31e3ed9056c345463cd7e
Instruction Fuzzy Hash: AC31F532A0D7884FD79DEF2894592B9BBE0FF55360F1441BFD08DC7292CA2958458749

Function 00007FF8491B3FB4 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9afc98261fb46145a0aa12ef0690aee4ca9bc9794ffcc5b555ec609a62725b39
Instruction ID: b4b105269b95a5a8003bee223d85b7dec25bccdb699b1c5bddf18443b9d3a798
Opcode Fuzzy Hash: 9afc98261fb46145a0aa12ef0690aee4ca9bc9794ffcc5b555ec609a62725b39
Instruction Fuzzy Hash: BC21FB31B0CB850FF2A8A61C684A6B537D6DBA6260F0841BFE58DC31D3DD196C478782

Function 00007FF849275958 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3384230445.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849270000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7adc08c99bc0194ba13bf04293e993ac8bcd5d5ec818b3cedae94db429f91fc
Instruction ID: 7f9c63b2862616363362b9903d5cda72e8cd85b484897637a30fd186f2d20687
Opcode Fuzzy Hash: e7adc08c99bc0194ba13bf04293e993ac8bcd5d5ec818b3cedae94db429f91fc
Instruction Fuzzy Hash: 7F21B621F0DD9B4FF7A5B62C1455239A6C3EF98691B5501BAC01EC32DADE1CDC420384

Function 00007FF8492739C8 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3384230445.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849270000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bca9bc263b00016aa373e92ba224c95825b83773344d05a00bddcdc08cde53ae
Instruction ID: 217ff5156863ece23327ef4a18244a5cf9d2f21c527d5539d182219f61209b46
Opcode Fuzzy Hash: bca9bc263b00016aa373e92ba224c95825b83773344d05a00bddcdc08cde53ae
Instruction Fuzzy Hash: FA21B321F1DD9B0FF7A5B62C245567A56D3EFA8690B5801BAC01EC33DAED2DDC420340

Function 00007FF8491CEEA9 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71a69403fe8f1a5d5c65ddb7db81e6ee818b1fe67555511a4343232e9b1058d9
Instruction ID: fb53204b0ec379a8877dfb065a2a42919561868516f753e02fae71630470fa04
Opcode Fuzzy Hash: 71a69403fe8f1a5d5c65ddb7db81e6ee818b1fe67555511a4343232e9b1058d9
Instruction Fuzzy Hash: 6B21573191EAC60FD716A7288845AA67FE0EF66250F0802BEE089C31D3CE1DA406C355

Function 00007FF84927286A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3384230445.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849270000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb116bde2d5b6a4ba6fa41ef557674944b80d66f5f4f12ff7c700d0c951870c4
Instruction ID: 8b21b79feebafda5c396f24279897021c00eb2ad52d6e4940fa9eda30cf1037d
Opcode Fuzzy Hash: fb116bde2d5b6a4ba6fa41ef557674944b80d66f5f4f12ff7c700d0c951870c4
Instruction Fuzzy Hash: D621B021B0DD8A0FF7A5BA3C145427566D3EFA8680B5801BAC00DC32D6DE2DEC424380

Function 00007FF8491D0D65 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcbc1043a147391813e9f8db6c77c07bba5e97535606f5cfc20099ad92a93924
Instruction ID: 7ffd93079fafc4f0656618c7247a640dcb25db8e1c145ece430fb380ae326227
Opcode Fuzzy Hash: fcbc1043a147391813e9f8db6c77c07bba5e97535606f5cfc20099ad92a93924
Instruction Fuzzy Hash: 3B21353191DEC64FDBB5EA28641A2A8BBD0EF85251F1406FFC08DC7192DA2C7D468781

Function 00007FF849274668 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3384230445.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849270000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cff35ff6e41faabbdc26e561dd80d7093bc6a51332f3b5b4145f891a52eb6d2f
Instruction ID: bab7b7617a5bb8a8c0066c3b970ecb36380bfda06df2567aeb1676fca3983881
Opcode Fuzzy Hash: cff35ff6e41faabbdc26e561dd80d7093bc6a51332f3b5b4145f891a52eb6d2f
Instruction Fuzzy Hash: 5D21B021F1DD8B0FF7A9BA2C146523966D3EFA8790B5805BAC41EC72DAED2CDC424344

Function 00007FF8492739B2 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3384230445.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849270000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97344d7f720b946b75853d2f219b1b847a6b1e1dc35f1f36cd56c7dfb7015306
Instruction ID: 92370e2c68904077ba2c49462defff029f59a7e5fa46fdcdef5edd72574553ea
Opcode Fuzzy Hash: 97344d7f720b946b75853d2f219b1b847a6b1e1dc35f1f36cd56c7dfb7015306
Instruction Fuzzy Hash: CA21A122F1D99B4EF3B5BA2C245567A56D2EFA8690B5801FAC01ED72C6ED2DEC420340

Function 00007FF84927369E Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3384230445.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849270000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c11f178cedb807fc40bbb54f5bcc38f5a5e9b4431e96a4c4b4cafdfc3ace727
Instruction ID: 17a0ebebd0bdf4cfa6723671b0ec09904960c17e15e75578db3531990f5201a0
Opcode Fuzzy Hash: 0c11f178cedb807fc40bbb54f5bcc38f5a5e9b4431e96a4c4b4cafdfc3ace727
Instruction Fuzzy Hash: 18218321F1DD8B1FF7A9B62C145527666D3EFA8690B9801BAC11EC33DAEE1DEC414344

Function 00007FF8491D0F98 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fad34a7ee89a8b075795248acfcca2e9a730ba843c9b3c9db1bd671d503515c9
Instruction ID: 3ee986ae287fe765949cc6754d97bd8a49eb5333d4a8bd8ae39ae2c5308ee687
Opcode Fuzzy Hash: fad34a7ee89a8b075795248acfcca2e9a730ba843c9b3c9db1bd671d503515c9
Instruction Fuzzy Hash: 46213E7061CE898FD794FB2CD484A6977D1FF98351F5405BEE44EC32A6CE28E8418B46

Function 00007FF849273A97 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3384230445.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849270000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3041bba50f99e53f5b2666db60962b5b5827a5d4f4e210c0cbcced067461d0f6
Instruction ID: 37ef60856cb3f5a50d6269272ed91eec8664c806f433bfea37c87d24d09c5a97
Opcode Fuzzy Hash: 3041bba50f99e53f5b2666db60962b5b5827a5d4f4e210c0cbcced067461d0f6
Instruction Fuzzy Hash: 6721A121B0D99A4FF7A5BA2C145523666D3EF98690B5901BAD01DC32CADE29DC424344

Function 00007FF8492726EA Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3384230445.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849270000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2003a2230b7924a8eeffe7bd2738b7d8625bc5cb9377cf7c5be93f2ad53554a9
Instruction ID: 151dc332203430e1bdcd443052f5a5267ac7e2a6f1739e06928ec1a450e65dc1
Opcode Fuzzy Hash: 2003a2230b7924a8eeffe7bd2738b7d8625bc5cb9377cf7c5be93f2ad53554a9
Instruction Fuzzy Hash: 46219F21F1DE9B5FF3B9BA2C145523665D3EF98691B5801BAC11EC32DADD2CDC420244

Function 00007FF849272566 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3384230445.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849270000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a29e95bf53ca15e4983b39155ad0334606c8a159d4ca1f9a8fe787d8cdab8ce2
Instruction ID: 6519dfe6f888cdb7e7946732e041288e3c330c5763c7cfab2b8eb8102e2d7062
Opcode Fuzzy Hash: a29e95bf53ca15e4983b39155ad0334606c8a159d4ca1f9a8fe787d8cdab8ce2
Instruction Fuzzy Hash: F6219F21F1DD9B1FF2A9BA2C146523565D3EFD8690B5801BAC51EC32DADD2CDC460384

Function 00007FF8492732B5 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3384230445.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849270000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efffcb1b0498383be8dbc0d7ec3211d888b842443985a047fd29abdd99680344
Instruction ID: 67797ceb42dff0c8c24c5e38d97c288316c187168499c6674464d4cfb3aac7c1
Opcode Fuzzy Hash: efffcb1b0498383be8dbc0d7ec3211d888b842443985a047fd29abdd99680344
Instruction Fuzzy Hash: CC21B021F1DD9B0FF6B5BA2C145523AA6D3EF98690F5900BAC01ED32CADE2CEC020344

Function 00007FF849273CF7 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3384230445.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849270000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccc421e6109ead30802359e7436c5c8b2fb03273c454e2d24f05def975b36819
Instruction ID: dd5faf8a3ecfc30320800f23134d94a0531fd72870e1cb55365e12dd90e4a707
Opcode Fuzzy Hash: ccc421e6109ead30802359e7436c5c8b2fb03273c454e2d24f05def975b36819
Instruction Fuzzy Hash: 5F217131B1DE9B4FF7A5BA3C145523666D3EF98690B5901BAD01DC32DAEE28EC424344

Function 00007FF8491B2952 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 465bf89971125c3c7fd89f5a33e7973da26df44edda374e320a942041d38d14d
Instruction ID: 636b6b2a5bf545068abb4dd4ea24808fe6c9b56d3d32b1bbb5636d802252f057
Opcode Fuzzy Hash: 465bf89971125c3c7fd89f5a33e7973da26df44edda374e320a942041d38d14d
Instruction Fuzzy Hash: 2B212960B3DA9A5FE799B72884112FA77E1EF69390F848476C04EC76C7CD5C98078391

Function 00007FF8491BA6D0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08c7f5c547a9d53a3e831805ce6b077ba7abd4708d45406eae9109d6977fdc3a
Instruction ID: 43ce4751dc918caa4f6abb959986b52eef29c324cf6f4ae516a420b259494a60
Opcode Fuzzy Hash: 08c7f5c547a9d53a3e831805ce6b077ba7abd4708d45406eae9109d6977fdc3a
Instruction Fuzzy Hash: F121837190CA1C4FDB68EE18DC4A5FAB7E8EBA5321F10413FD44ED3211DA31A5458B82

Function 00007FF8491B3FD0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36b9947458239f660cf3db0a2742813622b397275442597c475511b9dd063bde
Instruction ID: 7a63cba47b52bf2fc8863ab5022ee27a9179d9bfbf7577e3b5b651e31f8ba8a4
Opcode Fuzzy Hash: 36b9947458239f660cf3db0a2742813622b397275442597c475511b9dd063bde
Instruction Fuzzy Hash: B911CF3171CA491FF6A8B61C684A7F533DADB99260F04417EE54DC32D2DD19AC428686

Function 00007FF8491CAEA0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 505d9f1e11d039dc4273098cdb80bc3f8bf233fa78f0da3cdb6649bba18dc71f
Instruction ID: 4132da68d2f20cc03a8e4927ec7f6b9a69303f826cc24956165ab665e5b41b5e
Opcode Fuzzy Hash: 505d9f1e11d039dc4273098cdb80bc3f8bf233fa78f0da3cdb6649bba18dc71f
Instruction Fuzzy Hash: E421FD34618A8E8FDB98FF28C4547AA77A1FF58304F50456AE41EC7285DF39E951CB40

Function 00007FF8491B7065 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbc38fd0108e58e00c4d26b80ebb77b31a94f4962b6faa213d1c49df28333cf8
Instruction ID: a9fd9674005dd5b2f7df981d864c82aa069ad2171da830daf999d1cf8d179fc7
Opcode Fuzzy Hash: dbc38fd0108e58e00c4d26b80ebb77b31a94f4962b6faa213d1c49df28333cf8
Instruction Fuzzy Hash: B7212920A1CA950FE755AB2CA4586B17FD2DBF5250F0809BAD4C9C71F2D92DE9C58701

Function 00007FF8491C95DD Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 388ed9128ecff653423ca025f60aba984e1d46abb9b79fa8fdf5591a908d98b9
Instruction ID: 553f005ffd3d104e6c14211cbad1787869a3135d658214929fef667917978cf5
Opcode Fuzzy Hash: 388ed9128ecff653423ca025f60aba984e1d46abb9b79fa8fdf5591a908d98b9
Instruction Fuzzy Hash: EE31497090CA8E8FEB94EF6484457AD77A1FF48380F80047AE40DC62C2DF39A9808B45

Function 00007FF8491D351E Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c267980571028ed17d4f1f1cf7d7d4e85860ee5837fdb88a4ee19d940fbef67f
Instruction ID: 96ead1d3761159c65b3ef01b4be1b03e5b587bef9ff35d1e9648838988283957
Opcode Fuzzy Hash: c267980571028ed17d4f1f1cf7d7d4e85860ee5837fdb88a4ee19d940fbef67f
Instruction Fuzzy Hash: 2F21323061DA8A4FE799FB28849567973D1FF44354F9845BDD04AC7692CE2DB842CB00

Function 00007FF8491C96D5 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15926fb84e5e0d6ff819e8c41a6ffb19c0e73c4fa5d0864a854f1a486b88cff1
Instruction ID: 3cbc3124362c0494946490831d7975a07bab5f746a535ca8f3eadcf3d3e8f4d2
Opcode Fuzzy Hash: 15926fb84e5e0d6ff819e8c41a6ffb19c0e73c4fa5d0864a854f1a486b88cff1
Instruction Fuzzy Hash: 3621C031A0DA8D8FDB95FF2C94112AD77A1FF99310F4502BAD00DC7286CE28AC418B85

Function 00007FF8491BE521 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08d5a0e17bd2a3afb106e10098fb5df93cb3e7ecd42c0cca82de842981ee1944
Instruction ID: 6c36cd2b3b23ae165fad6f603cc047af8bce3f403c824e5daef9efa545b49dd7
Opcode Fuzzy Hash: 08d5a0e17bd2a3afb106e10098fb5df93cb3e7ecd42c0cca82de842981ee1944
Instruction Fuzzy Hash: D021D17080D7CA5FE356AF7898582AABFE0EF59300F1805BFE089CB193DA6C14448B42

Function 00007FF8491BCFC5 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d02e7a3ac05fb53916f3c290784f03cf5876eaa8a3c4b38eb962d11fa06a2b37
Instruction ID: 72e293f835fdabeab5065236f5d58c4869221030b091adf1c10cb3f39fff57a3
Opcode Fuzzy Hash: d02e7a3ac05fb53916f3c290784f03cf5876eaa8a3c4b38eb962d11fa06a2b37
Instruction Fuzzy Hash: 7111CE1148FACA1FE3066BB44C295E63FE5DF9B16071D42EBE085CB4A3C84C498B8362

Function 00007FF849272964 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3384230445.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849270000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f03d9bc6946eb61cff5c464d7290d6d6e49d7254c447991f167e0a8a332302fe
Instruction ID: 351c8966e7aa69210c52858bd5fb58c36b30e790843d876cf7aa9ba0dfb0035e
Opcode Fuzzy Hash: f03d9bc6946eb61cff5c464d7290d6d6e49d7254c447991f167e0a8a332302fe
Instruction Fuzzy Hash: DB119D21B0D98B4EF7AAF62C0454239A6D2EF98290F6901BAC01ED32C6EE2CD8414340

Function 00007FF849275A50 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3384230445.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849270000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bdbc98dcfe7e716134f72c047a3b5f712fe9e52e56a3994fc09feee65167c48
Instruction ID: 5c3312dfb01edb93b007d8053108e38e4d8bf6f94b82ac7f7059b1030940edb1
Opcode Fuzzy Hash: 0bdbc98dcfe7e716134f72c047a3b5f712fe9e52e56a3994fc09feee65167c48
Instruction Fuzzy Hash: 1811B221F0DD8B0FF7B5B62C0454639A6D3EF98290B5901BAC01DC32C6DD1CDC014344

Function 00007FF849272C8C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3384230445.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849270000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1f1450bd195070c1a137655b98f9511ddfaed0d64f4ecd619b980ef5253e505
Instruction ID: 957b4881a4c13551f35b82bfbd8956fa3e3eaa06835a943bf66c92f1df7f0844
Opcode Fuzzy Hash: d1f1450bd195070c1a137655b98f9511ddfaed0d64f4ecd619b980ef5253e505
Instruction Fuzzy Hash: 23119022B0D98B0EF7B9B62C1454239A6D3EFA8690F5901FAC41DC728AEE1CDC414344

Function 00007FF849274A88 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3384230445.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849270000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b3317f64bae06a788ad6a146d3a21f98ab6d05a78dd2405709409392d9a4bac
Instruction ID: 1cedcb35799e7123ab8da0f4162f9565ac48fef5fd1e5712a2aef84621bd3a80
Opcode Fuzzy Hash: 1b3317f64bae06a788ad6a146d3a21f98ab6d05a78dd2405709409392d9a4bac
Instruction Fuzzy Hash: A7118221B0DD8B0FF7B6BA2C1465279A6D3EF98690B5901BAC41DD32DADE1CDC414344

Function 00007FF8491B65F1 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d3d608e21d2368dc1b7d3e1f6b8019a1b48b06424059ac82d2cf5759a5019d6
Instruction ID: ff479f4ec4f94c777cd82ac53a5391f7cae5fce6412b5109a881104a707ff68a
Opcode Fuzzy Hash: 0d3d608e21d2368dc1b7d3e1f6b8019a1b48b06424059ac82d2cf5759a5019d6
Instruction Fuzzy Hash: BC119D3180D68A8FC751EFA4C815AEABBF0EF5A350B0405AAD058C70A2DB6C9944CB91

Function 00007FF8491C159D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c3b11c3af35da594fb974a64261ca3940e8549628d44628b962771a52ab3bb0
Instruction ID: 4989de3e16581fc51e168d6bf8c76587fe698221ba0d6364d257a808069f9b11
Opcode Fuzzy Hash: 8c3b11c3af35da594fb974a64261ca3940e8549628d44628b962771a52ab3bb0
Instruction Fuzzy Hash: 3911E63191DAC94FD7A8EF3884A5A657BE0FF69340B4804EDD44ACB2D3DE18E844CB55

Function 00007FF8491C15B0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 486b0f1b14d9be0fd77f166815a6467674f1a6827548f2060490dadd57da86ba
Instruction ID: 3df516ec0a0bec347cb87fecfc08820c2b91a4bfc4e9f95d5eb374b865e0c289
Opcode Fuzzy Hash: 486b0f1b14d9be0fd77f166815a6467674f1a6827548f2060490dadd57da86ba
Instruction Fuzzy Hash: 5F11C230A29A894FDBA8EB388498E6577E0FF69740B4804ACD44ECB292DD18A845CB50

Function 00007FF8491C99AA Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d176768177701785a2d45194e20de4fe117b6d9d8be194b48da64cae2bd49644
Instruction ID: 3a284ba7fe302afbd2ad0c673abbce5106fb7beed38331c193cf86fe68dbb643
Opcode Fuzzy Hash: d176768177701785a2d45194e20de4fe117b6d9d8be194b48da64cae2bd49644
Instruction Fuzzy Hash: B0118E2288E3C60FE763AFB458654947FA09E53270B0A41EFC5898A1A3D45E484AC716

Function 00007FF8491D4A60 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77b26b8e576d48a4e727ac4c04bcfc7c2370eab3be7d20ac167c1f2407e81e0c
Instruction ID: bc6fec7308bc233679d1ab4fec9b6fcc948b085588f751b7e205a11d972f599f
Opcode Fuzzy Hash: 77b26b8e576d48a4e727ac4c04bcfc7c2370eab3be7d20ac167c1f2407e81e0c
Instruction Fuzzy Hash: BDF0F67260C61C2EA72CA92DAC4B5F673D9EB96671B00023FE48AC3593ED21B81346D5

Function 00007FF8491D0D42 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d27c88d8a04e5f91780e7dee4fcb8d94be86d6a71da8a36355d7ca588c9217d7
Instruction ID: 966e71387d1724c8870538687b4768636204639c1afc49f13fde281466e3214b
Opcode Fuzzy Hash: d27c88d8a04e5f91780e7dee4fcb8d94be86d6a71da8a36355d7ca588c9217d7
Instruction Fuzzy Hash: DA01D421A0CDDA0FE76ABB3864692B87BC1DF85254B5401FAC04DC71D6DE2DBC418740

Function 00007FF8491B4CF1 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfb981a9f92d65b558277cd14f58cb7852655271bfacccaded2133d938252281
Instruction ID: 17656c4e40e94fd4c6878b17ad9fe1c0301347567de339ccddb8b104c774bfa0
Opcode Fuzzy Hash: dfb981a9f92d65b558277cd14f58cb7852655271bfacccaded2133d938252281
Instruction Fuzzy Hash: 4201683180CA954FE766F73884452F97FD1DFA8290F094A7ED08CC64E2DE5C4AC6838A

Function 00007FF8491B223A Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a57d6498f401037fdb6f4097a540d85c8ca8b624c36b64b285166eed7e5c140
Instruction ID: 5a3457f5d5ca1df7781ae0128ed70ea105b6c6a3c5b82adb8d77fbc98fa5ccf6
Opcode Fuzzy Hash: 0a57d6498f401037fdb6f4097a540d85c8ca8b624c36b64b285166eed7e5c140
Instruction Fuzzy Hash: 01F0283185DBC92FD716A73458162E67FF4EF66200F4904E7D468CB593DE5C5908C312

Function 00007FF8491C990B Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 978d8b75a426f5b23e174b3e1e08e0538d75fa69a8cff076ea55102679f53a3c
Instruction ID: a8bfcc886070565a6ce756b2856904041b5e2b4e52ffea033bbce03ad402f7be
Opcode Fuzzy Hash: 978d8b75a426f5b23e174b3e1e08e0538d75fa69a8cff076ea55102679f53a3c
Instruction Fuzzy Hash: 0E01F630B189098FDB84FF6CD895AA9B3E1FF9835170045B9D44AD72A6CE24EC82CB40

Function 00007FF8491D1616 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d56ae42b125181c1305944e4fd57bc1ee3fccd6cf98299e1ee9e742f7d4329e
Instruction ID: f34cff9c8ac3566faee491f29ec8617ba18072ea13564ea984013dda5863d5ed
Opcode Fuzzy Hash: 0d56ae42b125181c1305944e4fd57bc1ee3fccd6cf98299e1ee9e742f7d4329e
Instruction Fuzzy Hash: 6AF02B22F0CE490FD5B8A92C68445B573C2EF84650F48027AC10CC3286CE28B8464782

Function 00007FF8491B6620 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffc2ce0b5a3b2f8534339443bb838cb9cbfc435d4c24545384ac506ac8f0e4c2
Instruction ID: bb0140cc7249914124356de9d570be1a6eec2539eb399c0b97d28137369c0bd6
Opcode Fuzzy Hash: ffc2ce0b5a3b2f8534339443bb838cb9cbfc435d4c24545384ac506ac8f0e4c2
Instruction Fuzzy Hash: 00F03C30D09A1E8EDB91FF68D8056EEB7F1EF18344F40097AD41DD2191DB7969408B80

Function 00007FF8491B22AD Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ca9f96ba2132fa1620a1b072c0d4a052d01d9352fce3ff67c15c52d49fb7553
Instruction ID: bfb7f1d6fc2876b89306d554841dc2134d55abeb378ae23c159bd85fd5361a64
Opcode Fuzzy Hash: 5ca9f96ba2132fa1620a1b072c0d4a052d01d9352fce3ff67c15c52d49fb7553
Instruction Fuzzy Hash: C0F02271A5D2C91FE359EB74081A4EA3FE0EF64210F4904EAD418C7083EE6C54058300

Function 00007FF8491B345C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a617dffe55f7a3ef53caf3553b42194313d82e2f9b0e202c93752f99058ddafc
Instruction ID: 42ccb56a38fe8e08daf249a20ce73667e1ff37fa02f87b46ba5c2a1367af0e85
Opcode Fuzzy Hash: a617dffe55f7a3ef53caf3553b42194313d82e2f9b0e202c93752f99058ddafc
Instruction Fuzzy Hash: 43F0A77150D64D5FDB18FF45EC465EA77A8FF85224F00013AF44D82192D6396863C750

Function 00007FF8491B3050 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6a981be8f506658d99fdcde240a3f0a8266c9b685338de4eb2ebf1569626557
Instruction ID: 15e18f4543baf481f04b705e284f7b2ae22c72ae27d2c81d7a9ebcaddee9b490
Opcode Fuzzy Hash: d6a981be8f506658d99fdcde240a3f0a8266c9b685338de4eb2ebf1569626557
Instruction Fuzzy Hash: B3F0B431A1CA854FE799FF3C540427533D5FF55205F5005BED84AC7692DF28DC128640

Function 00007FF8491C8912 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c30bedde1a6e4de0f9222c35a666309cd3fb7d7d562e10deee6ea80abd10ffd8
Instruction ID: 6610d8c1ef0dd733b0fa004b340caa95d918f28d4773a317554df1755882c8b1
Opcode Fuzzy Hash: c30bedde1a6e4de0f9222c35a666309cd3fb7d7d562e10deee6ea80abd10ffd8
Instruction Fuzzy Hash: 8CF0A020B5DA1B1FE695B37C581A1AC6AC1EF892A0F4406FAE44AC32E7DD1C9C425384

Function 00007FF8491C978A Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8457d353a7497c073002be87a07f43eb98e9fb9a58b7d6c9f98fcda4213699c
Instruction ID: bede6ec83ac740cbcaee70732e258323154f27b771ddb73d99325611b3f17d50
Opcode Fuzzy Hash: a8457d353a7497c073002be87a07f43eb98e9fb9a58b7d6c9f98fcda4213699c
Instruction Fuzzy Hash: 5AE0C23290CE9D8FDB95FE6CB8018E6BBA0FB89308F00019AE95CC7145D62A9951CB85

Function 00007FF8491C97F7 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a29a18b4368dd41f6e063a0b3d951d4de7d8950856c45f67753a1139f48aff0c
Instruction ID: e6cd3943f05d9922cd50913fb8e205bb3c83163859b335b4133e693410068c90
Opcode Fuzzy Hash: a29a18b4368dd41f6e063a0b3d951d4de7d8950856c45f67753a1139f48aff0c
Instruction Fuzzy Hash: 0FE0C234148A4C8FCB54FF28E80099673A5FB85308B0009BEE81DC7141C736D962CB80

Function 00007FF8491B2D3B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2e0b988d57d606d0ccdbfad37fdb3cd9d326658bf9e934c6da5baa99cb29058
Instruction ID: a35d0761635f1c3e367292d02103614384049f1bd7a64794a0fb638aa3d56fee
Opcode Fuzzy Hash: d2e0b988d57d606d0ccdbfad37fdb3cd9d326658bf9e934c6da5baa99cb29058
Instruction Fuzzy Hash: FDE08C2079E9861BE285A22C48123BE66D3DFC9710F9840B8D109C76CBCD1C5C0242A2

Function 00007FF8491BC749 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 272eea4483ef77a89877e2820f5455a5c6286289554607702ac3fba2fe3857d0
Instruction ID: b3005a70939daac52e1841d5de2f55426ece5556730342722f583d3139b530af
Opcode Fuzzy Hash: 272eea4483ef77a89877e2820f5455a5c6286289554607702ac3fba2fe3857d0
Instruction Fuzzy Hash: 91D05E23A2D4C94FE640BA2C78A01FAB396FBE52547608A76C099E7186CE29950A4280

Function 00007FF849270FB1 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3384230445.00007FF849270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849270000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7436ca66e0e884e30720814de0ea0ebbd4f6fc324da8fe61c3b6b271746bb163
Instruction ID: 0198f9dbfde541ac9088efef9bdf3ffd249db5141e4198759475764be5065ec7
Opcode Fuzzy Hash: 7436ca66e0e884e30720814de0ea0ebbd4f6fc324da8fe61c3b6b271746bb163
Instruction Fuzzy Hash: 2FD0C92172D4220BF654328D78423B9B286DB88754F601437E50DC22C7CCCE6C8112D6

Function 00007FF8491D1481 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdbed73e7a052cc813fa43bf80d36e0e61864c362e32c81fcedc532627e37afc
Instruction ID: ba818ab518343e39bb5e3f235b868d010b830cc46863bdfe37823f0c296cba64
Opcode Fuzzy Hash: fdbed73e7a052cc813fa43bf80d36e0e61864c362e32c81fcedc532627e37afc
Instruction Fuzzy Hash: 6FD0A73275D54D4DC635AA3878001AAB381DBC1121F50077BC10DC1585CD2A50924641

Function 00007FF8491C93C6 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dbe140ab3a71e78b8260993e78f76f97e404c8ee53aa87f3675d30da8c3b2b3
Instruction ID: 2a8fdc18ac0fc64dbb8f54023b07377d0b92ed76f7d2f548f87a6084d758bea9
Opcode Fuzzy Hash: 5dbe140ab3a71e78b8260993e78f76f97e404c8ee53aa87f3675d30da8c3b2b3
Instruction Fuzzy Hash: CBC04C12B4E85E5DDAA5BA6874132FDB261DF85290FC12535E11DC21C7CE5E3C144AC5

Non-executed Functions

Function 00007FF8491B11F2 Relevance: 1.6, Strings: 1, Instructions: 372COMMON

Download Yara Rule

Strings

2%_^, xrefs: 00007FF8491B1201

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: 2%_^
API String ID: 0-4094711381
Opcode ID: 2bf0583a0bf784ce5925b830cd9cd287a44b9df90a23e55a6c22a1885249322f
Instruction ID: e887fa26906c2478bdafac46d17e63e549e5d03876188a9996a6101055cb341b
Opcode Fuzzy Hash: 2bf0583a0bf784ce5925b830cd9cd287a44b9df90a23e55a6c22a1885249322f
Instruction Fuzzy Hash: 68C1BB63C2F5E29AE25577B8B8924E63B70EF122ACF0D47B6D0DD4D093DE0C644285AD

Function 00007FF8491C0EFA Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

5$_^, xrefs: 00007FF8491C0F01

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: 5$_^
API String ID: 0-1745159387
Opcode ID: f00019eef78408df7af03c6468be9fe1f066794a285df0d679a53b09e82d1e68
Instruction ID: 976e32f2d7c71276d6daa92f79ee04dde1d064e5015a7fe6279b67461ce6d9b9
Opcode Fuzzy Hash: f00019eef78408df7af03c6468be9fe1f066794a285df0d679a53b09e82d1e68
Instruction Fuzzy Hash: 485106A7D1F1A19BE650BB7CB4560E63BA0EF0537CF085277D0CC4E053EA4C648A869C

Function 00007FF8491BBDA5 Relevance: .6, Instructions: 558COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea057c093e8088d78cf02e2cc330362bd97e57cc92d791967f24566dd74322be
Instruction ID: 7632deb22e345ba48602fc176547c56dc53d868fdeab2cc1476ad8864ab37c6b
Opcode Fuzzy Hash: ea057c093e8088d78cf02e2cc330362bd97e57cc92d791967f24566dd74322be
Instruction Fuzzy Hash: A1F1D531A0DA894FEBA5EF2C9858B7577E2EF59340F0500BAD44DCB1A2DE2DDC458B41

Function 00007FF8491B10D1 Relevance: .5, Instructions: 451COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b263d204e358d108e680dcd4a8c48465b02b9ede12ce7358e2aed6f05bead0f
Instruction ID: 112a65e52d4edde55afafffda9cdfa6e3aa8570462b952417cfca33936ac1b62
Opcode Fuzzy Hash: 3b263d204e358d108e680dcd4a8c48465b02b9ede12ce7358e2aed6f05bead0f
Instruction Fuzzy Hash: BCE19963C2F4E29AE65177B8B8924E73B70EF122ACF0D47B6D0DD4D0939E0C244285AD

Function 00007FF8491C0E0F Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ed2022c333e624bd38ffdbc27fc8aa4e449971fce8eabc7d77583983cb63483
Instruction ID: 4e6964b09d563209d49095b6550989793ddeeef04cc30954543542a237ae05e5
Opcode Fuzzy Hash: 1ed2022c333e624bd38ffdbc27fc8aa4e449971fce8eabc7d77583983cb63483
Instruction Fuzzy Hash: 7191E867D1F1659AE651BB7CB4960E63BA0EF0137CF085677D0CC4E093DE1C648A86AC

Function 00007FF8491BB3C1 Relevance: 6.5, Strings: 5, Instructions: 285COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF8491BB5C1
HAH, xrefs: 00007FF8491BB510
HAH, xrefs: 00007FF8491BB5E9
HAH, xrefs: 00007FF8491BB470
HAH, xrefs: 00007FF8491BB436

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: HAH$HAH$HAH$HAH$HAH
API String ID: 0-3303410093
Opcode ID: 7f23a118f1a0e17b9ef9c566afe59d880c0b8cb0dbd19acb003c16e5796f3d75
Instruction ID: 38cdfd201540213d6281fda70af9877fc422fdf99a8113358bed59bb5bdd4363
Opcode Fuzzy Hash: 7f23a118f1a0e17b9ef9c566afe59d880c0b8cb0dbd19acb003c16e5796f3d75
Instruction Fuzzy Hash: 83817A22E4DACB4FE766AB3894159B07BE1FF65390B0941BAC04EC7583DE1C9D478B41

Function 00007FF8491B39D0 Relevance: 5.3, Strings: 4, Instructions: 278COMMON

Download Yara Rule

Strings

_, xrefs: 00007FF8491B3F8C
HAH, xrefs: 00007FF8491B3F82
7{w, xrefs: 00007FF8491B3AAB
$_L, xrefs: 00007FF8491B3A6E

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: 7{w$HAH$_$$_L
API String ID: 0-421166064
Opcode ID: aabaaa8e569d107a9ee74e02ad3eb5ddfc1f69754eeabe776d03b8be86a1a5df
Instruction ID: 5d5f79ee0eeef291db071cb11318da4dbc2acb70d1b1c748171ed724b8a8fff7
Opcode Fuzzy Hash: aabaaa8e569d107a9ee74e02ad3eb5ddfc1f69754eeabe776d03b8be86a1a5df
Instruction Fuzzy Hash: C281D331A1DA458FE768EF28D84567573E2FFA9340B1480BDE44DC7296DE28AC53CB41

Function 00007FF8491D4DFC Relevance: 5.2, Strings: 4, Instructions: 246COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF8491D4FA6
HAH, xrefs: 00007FF8491D4E9A
HAH, xrefs: 00007FF8491D4EB1
HAH, xrefs: 00007FF8491D4F70

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: HAH$HAH$HAH$HAH
API String ID: 0-4204409433
Opcode ID: b06111bdd0c63cba092aaf0f22e7214d51fb41aadccea3ff29f0ee93157c9188
Instruction ID: 211e5a21c616ca3738a73d11fdda23db14ce08a14a39026a916695177257b173
Opcode Fuzzy Hash: b06111bdd0c63cba092aaf0f22e7214d51fb41aadccea3ff29f0ee93157c9188
Instruction Fuzzy Hash: 82612521E0DAC75FE765AA3CA8952B077D0FF45794B5842BAC048C71C7DE2DAC838781

Function 00007FF8491C130A Relevance: 5.2, Strings: 4, Instructions: 201COMMON

Download Yara Rule

Strings

x6{w, xrefs: 00007FF8491C1453
he)I, xrefs: 00007FF8491C13D6
xf)I, xrefs: 00007FF8491C143D
x6{w, xrefs: 00007FF8491C13EC

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: he)I$x6{w$x6{w$xf)I
API String ID: 0-3525836379
Opcode ID: a5ceaa3d04900abf8b177cc46e4385e78d380e450636cad4290cf6d9419a6316
Instruction ID: e4173b9efb97160ba52339303da6eeac6d6f6190bc5e12f5e5dc47dbb8da020b
Opcode Fuzzy Hash: a5ceaa3d04900abf8b177cc46e4385e78d380e450636cad4290cf6d9419a6316
Instruction Fuzzy Hash: 4A514561A5FBCA2FD3A3AB3844155A67FF1EF5632070941FAC089CB5A7DE1C980AC351

Function 00007FF8491BB543 Relevance: 5.1, Strings: 4, Instructions: 140COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF8491BB5C1
HAH, xrefs: 00007FF8491BB576
HAH, xrefs: 00007FF8491BB54E
HAH, xrefs: 00007FF8491BB5E9

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: HAH$HAH$HAH$HAH
API String ID: 0-4204409433
Opcode ID: 46770dbbb0be5a896c69324c510524f5251e421ada02f5a912c5428d86f8f4ae
Instruction ID: eccb299ab9a382db22ef847b8405c4e9ace02ea1ad0853dfb8a2243b92fc1d21
Opcode Fuzzy Hash: 46770dbbb0be5a896c69324c510524f5251e421ada02f5a912c5428d86f8f4ae
Instruction Fuzzy Hash: 7C412B71A1D9CA5FE795E7388055A757BD2FF69340B0540B9C04DC7293DE2CEC428741

Function 00007FF8491B9A18 Relevance: 5.0, Strings: 4, Instructions: 3COMMON

Download Yara Rule

Strings

89{w, xrefs: 00007FF8491B9B41
P9{w, xrefs: 00007FF8491B9CC5
@9{w, xrefs: 00007FF8491B9BE4
H9{w, xrefs: 00007FF8491B9C0C

Memory Dump Source

Source File: 00000000.00000002.3383872143.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491b0000_O9MV0lNEO5.jbxd

Similarity

API ID:
String ID: 89{w$@9{w$H9{w$P9{w
API String ID: 0-1215247077
Opcode ID: 7297d27324b1929f9d630e1399258b27f82f9643896342c2ac66ace0809060a4
Instruction ID: 5165bee2a83fda4ec34d37da912eee662bcbdfd2fe181292a5a95a454a766316
Opcode Fuzzy Hash: 7297d27324b1929f9d630e1399258b27f82f9643896342c2ac66ace0809060a4
Instruction Fuzzy Hash:

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report O9MV0lNEO5.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Quasar

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
O9MV0lNEO5.exe

Function 00007FF8491B9621 Relevance: 12.5, Strings: 9, Instructions: 1222
COMMON

Function 00007FF8491CE399 Relevance: 9.9, Strings: 7, Instructions: 1116
COMMON

Function 00007FF8491BAA4D Relevance: 8.5, Strings: 6, Instructions: 979
COMMON

Function 00007FF8491CEF79 Relevance: 5.5, Strings: 4, Instructions: 455
COMMON

Function 00007FF8491B5D35 Relevance: 4.1, Strings: 3, Instructions: 349
COMMON

Function 00007FF8491CF6FD Relevance: 11.0, Strings: 8, Instructions: 1013
COMMON

Function 00007FF8491B6D81 Relevance: 6.6, Strings: 5, Instructions: 332
COMMON

Function 00007FF8491D332D Relevance: 5.6, Strings: 4, Instructions: 615
COMMON

Function 00007FF8491C1B28 Relevance: 5.5, Strings: 4, Instructions: 468
COMMON

Function 00007FF8491B4775 Relevance: 5.2, Strings: 4, Instructions: 173
COMMON

Function 00007FF8491D01FC Relevance: 4.2, Strings: 3, Instructions: 429
COMMON

Function 00007FF8491C9F8D Relevance: 4.2, Strings: 3, Instructions: 408
COMMON

Function 00007FF8491B3F7E Relevance: 4.1, Strings: 3, Instructions: 331
COMMON