Edit tour

Windows Analysis Report
kqeGVKtpy2.exe

Overview

General Information

Sample name:	kqeGVKtpy2.exe renamed because original name is a hash value
Original sample name:	0fa0a6df35785b0dd29b7191158f0730984ee72cde5562ee48cb8cc9d637a1dd.exe
Analysis ID:	1578204
MD5:	b76667c1f978c6c98bbba2dfd7e315d2
SHA1:	570de2264b32de819e7f02d6d5c8d4ce15277107
SHA256:	0fa0a6df35785b0dd29b7191158f0730984ee72cde5562ee48cb8cc9d637a1dd
Tags:	51-15-17-193exeuser-JAMESWT_MHT
Infos:

Detection

Quasar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Quasar RAT

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Modifies the context of a thread in another process (thread injection)

Sets debug register (to hijack the execution of another thread)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

kqeGVKtpy2.exe (PID: 7340 cmdline: "C:\Users\user\Desktop\kqeGVKtpy2.exe" MD5: B76667C1F978C6C98BBBA2DFD7E315D2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Quasar RAT, QuasarRAT	Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.	APT33 Dropping Elephant Stone Panda The Gorgon Group	http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848 https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf https://asec.ahnlab.com/en/31089/	https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware Configuration

Threatname: Quasar

{"Version": "1.4.1", "Host:Port": "51.15.17.193:4782;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "ff4f56ac-24e1-40ed-bb5c-e0b45b489ee4", "StartupKey": "Quasar Client Startup", "Tag": "Staking", "LogDirectoryName": "Logs", "ServerSignature": "VcdWXYvy8iyLGpEpemlpsJsFzopYmofL4QNr2feHUJsPL+ngY0C7JQYOq6aYbsAjgmj6IbwZJc1XmizrExnUy+PRbyzdhXn/sVtf0c5aKxd3dt4CKIH8RwhZ+1d8A1yWVaLG3EX77fUG0rpKK62u23rxy2xVXAHtbGpSKxFeRpC7f7sJTZn4Z0Y35tuiIHc4Rm0XPJsGN2gsJlMXuO03yXOGigqpHZKEtj94duYKUJkBGDRcs409u8AbVq5yFO/Z3naE7DUixrawBYsuYNTfV/JKK+8Z6Doi2G4pd/3xdzRGgvcHbvQUlJMvzwA3mfl5ftjQQEBZoznaWANAU/Ma/rkNbcz/Py1HRGprVPjyItNiGGVo8QW6x7kuMhGzKdB2rCq52h/1qHhjHwU1KvTzJy+dDY+t6YAg20GxbhxcZhrwrUECPcommE0TilwcEFKll2uVp5tNn4e75makywwAQv1QKo21YjGls2gLrh6M1FKr7l479IoJkbcZjeRZ8uh3yjyMEf5NJq0oSEuRI3ZPWuczPdKhg3+6KKWtTF5mkUd/2nycS0oUTFjgU+5XNTjvuz4MzJUikklL47VJzJ1Q9JWiNE/2Ple/eqh6VyQfE96cH433HJ2CJH+gAlQwaGWiJ7e0/NQuP5Cn3ocYaux65TLOpt3EyVjnOHH0ZKET/5w=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAMaTO8NkDssYwyYqpLth2zANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MTExMTAzMTk0NVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAjmhEECGx9fJQPcO/tgA+f+kThLAwzf77GITj6MUf+ipJ2FxfDkt1dClWH7x3waX33aitCeYrNHoVpriW1JVNqnzcZZOEu8fmtpxlXlSdBCdVxLNRp6CiJfafCuIfizorZpkBdERawzGdVD5Fmx6p7DSeAm6WV/V6vZROp0FCVmJ5IbSNIu0PHTjRVh0rcT3pt0+tlT/KceZhk5XM2ds5MqCKGpBYXTvWrWzkk8Alby/3M0QFvctC7YytuDOywU+Qj5bAFB7IAlIeJAGlWGoWb3pLL05N2SbfRYdJcucFpq72+MgmneoTxwovJwiUxvRQGUNBjpxZcUA4d+pHtGRvNAU95RxfirGTaWujfHX9um4mNBhYbMb/NRGC737GQV48ksMSEtcR4C9U1GGh/3Czr7S/GIew19pHtdHsnN5P+rn2wbVPlUgzwgcAeHFbVlD+Lguszs0AdHGwv9ZdkHPwBzmOx9YvDEYfEZM9AJk/hWuk85FXZTKMcDSG1ytHbAyGgjLOr8B1z36u3B1kRt+92uHqd06QjFu/ipVIitmGogem5nwTVthP7zLvbjFiv6omskGBu/55ByQicH5MCkDisJKU2ahOFOypbR5hxdodGS13+pQGFqg8cTe0gsnzfrwXKiQu1aYC394MW+z29OO5KK9NSN4bJ3zn4W7Sh5TbbHsCAwEAAaMyMDAwHQYDVR0OBBYEFB73KQ9dKRRykGrTP/ro/ucILFuYMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBACp7CqafH2O5tj6gVDE7FAhoQrPyBNMiQXpXZihG9DIoTHJgiDPuRhdSrVyPKldZ7EsSa52sse6QzmYrRnMOQmUZWP7Cu6QLtYc4IUcGRZWDaY2uVDsnXwyXIkxUHDGeeQG+f5/iBiKTMqy+6O0cIRqebMtTqvmob5yQggXp5CVXTbq+pb0DmcLsMbZbrWNviVC7QBXpwHyH24H7iv2aEEAAQorIg35v75Oen7nvFPGcKiaEjvTKvoce2j2OceW20QAaQlSBeSaOIsAyw1q1e6uIoC6PjDb0URbXV6LAJz5RjfinSiQuo0nLzRLRiecEOiBBhtXsMXBIs/jxGqMKT14QbXMVLX9STaDho5i0LAkypnYNjFznc40Ot/Xqx5pS9B/jBppVVNKjv//AdTbKa9WNUPTQZg91IAnXAE6FTSGwUSzGhmrf4WJfHLt0uITn/fOrZfL/enju+jnX3TKRU8N4BNakHcAv2XJh0qmDnmKBAHrq5rCNsSO6Bsl411FYxb3enXQAd6SNy+G/kx1Up4+jAg67bTZDlq38opVU0k0ZAxmLWHUHI1QbcnAhah0g40fW5UY9kijuWbxVea8K+arIRk4hBLqFLNkwoa5eEKg7+ErtUJeqR1Q8YJhCzqz8zQ5Rf0EdE40W9H4zsxgQUFmqAE/klrdI06pJLB3bjvwa"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.3439789147.0000013F353C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.3439789147.0000013F35592000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.3446683343.0000013F4DBDF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.3450940407.0000013F4E100000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.3450940407.0000013F4E100000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.3450940407.0000013F4E100000.00000004.08000000.00040000.00000000.sdmp	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ef12:$x1: Quasar.Common.Messages 0x29f23b:$x1: Quasar.Common.Messages 0x2ab806:$x4: Uninstalling... good bye :-( 0x2acffb:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
00000000.00000002.3450940407.0000013F4E100000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadb8:$f1: FileZilla\recentservers.xml 0x2aadf8:$f2: FileZilla\sitemanager.xml 0x2aae3a:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab086:$b1: Chrome\User Data\ 0x2ab0dc:$b1: Chrome\User Data\ 0x2ab3b4:$b2: Mozilla\Firefox\Profiles 0x2ab4b0:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd434:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab608:$b4: Opera Software\Opera Stable\Login Data 0x2ab6c2:$b5: YandexBrowser\User Data\ 0x2ab730:$b5: YandexBrowser\User Data\ 0x2ab404:$s4: logins.json 0x2ab13a:$a1: username_value 0x2ab158:$a2: password_value 0x2ab444:$a3: encryptedUsername 0x2fd378:$a3: encryptedUsername 0x2ab468:$a4: encryptedPassword 0x2fd396:$a4: encryptedPassword 0x2fd314:$a5: httpRealm
00000000.00000002.3450940407.0000013F4E100000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab8f0:$s3: Process already elevated. 0x28ec11:$s4: get_PotentiallyVulnerablePasswords 0x278c92:$s5: GetKeyloggerLogsDirectory 0x29e99a:$s5: GetKeyloggerLogsDirectory 0x28ec34:$s6: set_PotentiallyVulnerablePasswords 0x2fea62:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
00000000.00000002.3443888411.0000013F453C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: kqeGVKtpy2.exe PID: 7340	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.kqeGVKtpy2.exe.13f4e100000.1.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.kqeGVKtpy2.exe.13f4e100000.1.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28d112:$x1: Quasar.Common.Messages 0x29d43b:$x1: Quasar.Common.Messages 0x2a9a06:$x4: Uninstalling... good bye :-( 0x2ab1fb:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.kqeGVKtpy2.exe.13f4e100000.1.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a8fb8:$f1: FileZilla\recentservers.xml 0x2a8ff8:$f2: FileZilla\sitemanager.xml 0x2a903a:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a9286:$b1: Chrome\User Data\ 0x2a92dc:$b1: Chrome\User Data\ 0x2a95b4:$b2: Mozilla\Firefox\Profiles 0x2a96b0:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fb634:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a9808:$b4: Opera Software\Opera Stable\Login Data 0x2a98c2:$b5: YandexBrowser\User Data\ 0x2a9930:$b5: YandexBrowser\User Data\ 0x2a9604:$s4: logins.json 0x2a933a:$a1: username_value 0x2a9358:$a2: password_value 0x2a9644:$a3: encryptedUsername 0x2fb578:$a3: encryptedUsername 0x2a9668:$a4: encryptedPassword 0x2fb596:$a4: encryptedPassword 0x2fb514:$a5: httpRealm
0.2.kqeGVKtpy2.exe.13f4e100000.1.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a9af0:$s3: Process already elevated. 0x28ce11:$s4: get_PotentiallyVulnerablePasswords 0x276e92:$s5: GetKeyloggerLogsDirectory 0x29cb9a:$s5: GetKeyloggerLogsDirectory 0x28ce34:$s6: set_PotentiallyVulnerablePasswords 0x2fcc62:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
0.2.kqeGVKtpy2.exe.13f453c9ac0.0.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.kqeGVKtpy2.exe.13f453c9ac0.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.kqeGVKtpy2.exe.13f453c9ac0.0.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ef12:$x1: Quasar.Common.Messages 0x29f23b:$x1: Quasar.Common.Messages 0x2ab806:$x4: Uninstalling... good bye :-( 0x2acffb:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.kqeGVKtpy2.exe.13f453c9ac0.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadb8:$f1: FileZilla\recentservers.xml 0x2aadf8:$f2: FileZilla\sitemanager.xml 0x2aae3a:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab086:$b1: Chrome\User Data\ 0x2ab0dc:$b1: Chrome\User Data\ 0x2ab3b4:$b2: Mozilla\Firefox\Profiles 0x2ab4b0:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd434:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab608:$b4: Opera Software\Opera Stable\Login Data 0x2ab6c2:$b5: YandexBrowser\User Data\ 0x2ab730:$b5: YandexBrowser\User Data\ 0x2ab404:$s4: logins.json 0x2ab13a:$a1: username_value 0x2ab158:$a2: password_value 0x2ab444:$a3: encryptedUsername 0x2fd378:$a3: encryptedUsername 0x2ab468:$a4: encryptedPassword 0x2fd396:$a4: encryptedPassword 0x2fd314:$a5: httpRealm
0.2.kqeGVKtpy2.exe.13f453c9ac0.0.raw.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab8f0:$s3: Process already elevated. 0x28ec11:$s4: get_PotentiallyVulnerablePasswords 0x278c92:$s5: GetKeyloggerLogsDirectory 0x29e99a:$s5: GetKeyloggerLogsDirectory 0x28ec34:$s6: set_PotentiallyVulnerablePasswords 0x2fea62:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
0.2.kqeGVKtpy2.exe.13f4e100000.1.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.kqeGVKtpy2.exe.13f4e100000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.kqeGVKtpy2.exe.13f4e100000.1.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ef12:$x1: Quasar.Common.Messages 0x29f23b:$x1: Quasar.Common.Messages 0x2ab806:$x4: Uninstalling... good bye :-( 0x2acffb:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.kqeGVKtpy2.exe.13f4e100000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadb8:$f1: FileZilla\recentservers.xml 0x2aadf8:$f2: FileZilla\sitemanager.xml 0x2aae3a:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab086:$b1: Chrome\User Data\ 0x2ab0dc:$b1: Chrome\User Data\ 0x2ab3b4:$b2: Mozilla\Firefox\Profiles 0x2ab4b0:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd434:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab608:$b4: Opera Software\Opera Stable\Login Data 0x2ab6c2:$b5: YandexBrowser\User Data\ 0x2ab730:$b5: YandexBrowser\User Data\ 0x2ab404:$s4: logins.json 0x2ab13a:$a1: username_value 0x2ab158:$a2: password_value 0x2ab444:$a3: encryptedUsername 0x2fd378:$a3: encryptedUsername 0x2ab468:$a4: encryptedPassword 0x2fd396:$a4: encryptedPassword 0x2fd314:$a5: httpRealm
0.2.kqeGVKtpy2.exe.13f4e100000.1.raw.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab8f0:$s3: Process already elevated. 0x28ec11:$s4: get_PotentiallyVulnerablePasswords 0x278c92:$s5: GetKeyloggerLogsDirectory 0x29e99a:$s5: GetKeyloggerLogsDirectory 0x28ec34:$s6: set_PotentiallyVulnerablePasswords 0x2fea62:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
0.2.kqeGVKtpy2.exe.13f453c9ac0.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.kqeGVKtpy2.exe.13f453c9ac0.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28d112:$x1: Quasar.Common.Messages 0x29d43b:$x1: Quasar.Common.Messages 0x2a9a06:$x4: Uninstalling... good bye :-( 0x2ab1fb:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.kqeGVKtpy2.exe.13f453c9ac0.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a8fb8:$f1: FileZilla\recentservers.xml 0x2a8ff8:$f2: FileZilla\sitemanager.xml 0x2a903a:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a9286:$b1: Chrome\User Data\ 0x2a92dc:$b1: Chrome\User Data\ 0x2a95b4:$b2: Mozilla\Firefox\Profiles 0x2a96b0:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fb634:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a9808:$b4: Opera Software\Opera Stable\Login Data 0x2a98c2:$b5: YandexBrowser\User Data\ 0x2a9930:$b5: YandexBrowser\User Data\ 0x2a9604:$s4: logins.json 0x2a933a:$a1: username_value 0x2a9358:$a2: password_value 0x2a9644:$a3: encryptedUsername 0x2fb578:$a3: encryptedUsername 0x2a9668:$a4: encryptedPassword 0x2fb596:$a4: encryptedPassword 0x2fb514:$a5: httpRealm
0.2.kqeGVKtpy2.exe.13f453c9ac0.0.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a9af0:$s3: Process already elevated. 0x28ce11:$s4: get_PotentiallyVulnerablePasswords 0x276e92:$s5: GetKeyloggerLogsDirectory 0x29cb9a:$s5: GetKeyloggerLogsDirectory 0x28ce34:$s6: set_PotentiallyVulnerablePasswords 0x2fcc62:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
Click to see the 13 entries

Suricata Signatures

ET MALWARE Generic AsyncRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-19T12:31:18.412122+0100	2035595	1	Domain Observed Used for C2 Detected	51.15.17.193	4782	192.168.2.6	49718	TCP

ET MALWARE Observed Malicious SSL Cert (Quasar CnC)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-19T12:31:18.412122+0100	2027619	1	Domain Observed Used for C2 Detected	51.15.17.193	4782	192.168.2.6	49718	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.kqeGVKtpy2.exe.13f4e100000.1.raw.unpack

Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "51.15.17.193:4782;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "ff4f56ac-24e1-40ed-bb5c-e0b45b489ee4", "StartupKey": "Quasar Client Startup", "Tag": "Staking", "LogDirectoryName": "Logs", "ServerSignature": "VcdWXYvy8iyLGpEpemlpsJsFzopYmofL4QNr2feHUJsPL+ngY0C7JQYOq6aYbsAjgmj6IbwZJc1XmizrExnUy+PRbyzdhXn/sVtf0c5aKxd3dt4CKIH8RwhZ+1d8A1yWVaLG3EX77fUG0rpKK62u23rxy2xVXAHtbGpSKxFeRpC7f7sJTZn4Z0Y35tuiIHc4Rm0XPJsGN2gsJlMXuO03yXOGigqpHZKEtj94duYKUJkBGDRcs409u8AbVq5yFO/Z3naE7DUixrawBYsuYNTfV/JKK+8Z6Doi2G4pd/3xdzRGgvcHbvQUlJMvzwA3mfl5ftjQQEBZoznaWANAU/Ma/rkNbcz/Py1HRGprVPjyItNiGGVo8QW6x7kuMhGzKdB2rCq52h/1qHhjHwU1KvTzJy+dDY+t6YAg20GxbhxcZhrwrUECPcommE0TilwcEFKll2uVp5tNn4e75makywwAQv1QKo21YjGls2gLrh6M1FKr7l479IoJkbcZjeRZ8uh3yjyMEf5NJq0oSEuRI3ZPWuczPdKhg3+6KKWtTF5mkUd/2nycS0oUTFjgU+5XNTjvuz4MzJUikklL47VJzJ1Q9JWiNE/2Ple/eqh6VyQfE96cH433HJ2CJH+gAlQwaGWiJ7e0/NQuP5Cn3ocYaux65TLOpt3EyVjnOHH0ZKET/5w=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAMaTO8NkDssYwyYqpLth2zANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MTExMTAzMTk0NVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAjmhEECGx9fJQPcO/tgA+f+kThLAwzf77GITj6MUf+ipJ2FxfDkt1dClWH7x3waX33aitCeYrNHoVpriW1JVNqnzcZZOEu8fmtpxlXlSdBCdVxLNRp6CiJfafCuIfizorZpkBdERawzGdVD5Fmx6p7DSeAm6WV/V6vZROp0FCVmJ5IbSNIu0PHTjRVh0rcT3pt0+tlT/KceZhk5XM2ds5MqCKGpBYXTvWrWzkk8Alby/3M0QFvctC7YytuDOywU+Qj5bAFB7IAlIeJAGlWGoWb3pLL05N2SbfRYdJcucFpq72+MgmneoTxwovJwiUxvRQGUNBjpxZcUA4d+pHtGRvNAU95RxfirGTaWujfHX9um4mNBhYbMb/NRGC737GQV48ksMSEtcR4C9U1GGh/3Czr7S/GIew19pHtdHsnN5P+rn2wbVPlUgzwgcAeHFbVlD+Lguszs0AdHGwv9ZdkHPwBzmOx9YvDEYfEZM9AJk/hWuk85FXZTKMcDSG1ytHbAyGgjLOr8B1z36u3B1kRt+92uHqd06QjFu/ipVIitmGogem5nwTVthP7zLvbjFiv6omskGBu/55ByQicH5MCkDisJKU2ahOFOypbR5hxdodGS13+pQGFqg8cTe0gsnzfrwXKiQu1aYC394MW+z29OO5KK9NSN4bJ3zn4W7Sh5TbbHsCAwEAAaMyMDAwHQYDVR0OBBYEFB73KQ9dKRRykGrTP/ro/ucILFuYMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBACp7CqafH2O5tj6gVDE7FAhoQrPyBNMiQXpXZihG9DIoTHJgiDPuRhdSrVyPKldZ7EsSa52sse6QzmYrRnMOQmUZWP7Cu6QLtYc4IUcGRZWDaY2uVDsnXwyXIkxUHDGeeQG+f5/iBiKTMqy+6O0cIRqebMtTqvmob5yQggXp5CVXTbq+pb0DmcLsMbZbrWNviVC7QBXpwHyH24H7iv2aEEAAQorIg35v75Oen7nvFPGcKiaEjvTKvoce2j2OceW20QAaQlSBeSaOIsAyw1q1e6uIoC6PjDb0URbXV6LAJz5RjfinSiQuo0nLzRLRiecEOiBBhtXsMXBIs/jxGqMKT14QbXMVLX9STaDho5i0LAkypnYNjFznc40Ot/Xqx5pS9B/jBppVVNKjv//AdTbKa9WNUPTQZg91IAnXAE6FTSGwUSzGhmrf4WJfHLt0uITn/fOrZfL/enju+jnX3TKRU8N4BNakHcAv2XJh0qmDnmKBAHrq5rCNsSO6Bsl411FYxb3enXQAd6SNy+G/kx1Up4+jAg67bTZDlq38opVU0k0ZAxmLWHUHI1QbcnAhah0g40fW5UY9kijuWbxVea8K+arIRk4hBLqFLNkwoa5eEKg7+ErtUJeqR1Q8YJhCzqz8zQ5Rf0EdE40W9H4zsxgQUFmqAE/klrdI06pJLB3bjvwa"}

Multi AV Scanner detection for submitted file

Source: kqeGVKtpy2.exe	Virustotal: Detection: 35%			Perma Link
Source: kqeGVKtpy2.exe	ReversingLabs: Detection: 50%

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.kqeGVKtpy2.exe.13f4e100000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kqeGVKtpy2.exe.13f453c9ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kqeGVKtpy2.exe.13f4e100000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kqeGVKtpy2.exe.13f453c9ac0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3439789147.0000013F353C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3439789147.0000013F35592000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3446683343.0000013F4DBDF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3450940407.0000013F4E100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3443888411.0000013F453C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: kqeGVKtpy2.exe PID: 7340, type: MEMORYSTR

Source: unknown

HTTPS traffic detected: 108.181.61.49:443 -> 192.168.2.6:49719 version: TLS 1.2

Source: kqeGVKtpy2.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2027619 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (Quasar CnC) : 51.15.17.193:4782 -> 192.168.2.6:49718
Source: Network traffic	Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 51.15.17.193:4782 -> 192.168.2.6:49718

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 51.15.17.193

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.kqeGVKtpy2.exe.13f453c9ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kqeGVKtpy2.exe.13f4e100000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3450940407.0000013F4E100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.6:49718 -> 51.15.17.193:4782

Source: Joe Sandbox View

IP Address: 108.181.61.49 108.181.61.49

Source: Joe Sandbox View

ASN Name: OnlineSASFR OnlineSASFR

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ipwho.is

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ipwho.is

Source: kqeGVKtpy2.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: kqeGVKtpy2.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: kqeGVKtpy2.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: kqeGVKtpy2.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA.crt0
Source: kqeGVKtpy2.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: kqeGVKtpy2.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: kqeGVKtpy2.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: kqeGVKtpy2.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: kqeGVKtpy2.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: kqeGVKtpy2.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: kqeGVKtpy2.exe	String found in binary or memory: http://crl3.digicert.com/EVCodeSigning-g1.crl03
Source: kqeGVKtpy2.exe	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: kqeGVKtpy2.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: kqeGVKtpy2.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: kqeGVKtpy2.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: kqeGVKtpy2.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: kqeGVKtpy2.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: kqeGVKtpy2.exe	String found in binary or memory: http://crl4.digicert.com/EVCodeSigning-g1.crl0K
Source: kqeGVKtpy2.exe	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: kqeGVKtpy2.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: kqeGVKtpy2.exe, 00000000.00000002.3445850892.0000013F4DB33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: kqeGVKtpy2.exe, 00000000.00000002.3438449785.0000013F33999000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: kqeGVKtpy2.exe, 00000000.00000002.3439789147.0000013F35544000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ipwho.is
Source: kqeGVKtpy2.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: kqeGVKtpy2.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: kqeGVKtpy2.exe	String found in binary or memory: http://ocsp.digicert.com0H
Source: kqeGVKtpy2.exe	String found in binary or memory: http://ocsp.digicert.com0I
Source: kqeGVKtpy2.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: kqeGVKtpy2.exe, 00000000.00000002.3439789147.0000013F35592000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: kqeGVKtpy2.exe, 00000000.00000002.3439789147.0000013F353C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: kqeGVKtpy2.exe	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: kqeGVKtpy2.exe, 00000000.00000002.3446683343.0000013F4DBDF000.00000004.00000020.00020000.00000000.sdmp, kqeGVKtpy2.exe, 00000000.00000002.3450940407.0000013F4E100000.00000004.08000000.00040000.00000000.sdmp, kqeGVKtpy2.exe, 00000000.00000002.3443888411.0000013F453C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: kqeGVKtpy2.exe, 00000000.00000002.3439789147.0000013F3552A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipwho.is
Source: kqeGVKtpy2.exe, 00000000.00000002.3446683343.0000013F4DBDF000.00000004.00000020.00020000.00000000.sdmp, kqeGVKtpy2.exe, 00000000.00000002.3439789147.0000013F3552A000.00000004.00000800.00020000.00000000.sdmp, kqeGVKtpy2.exe, 00000000.00000002.3450940407.0000013F4E100000.00000004.08000000.00040000.00000000.sdmp, kqeGVKtpy2.exe, 00000000.00000002.3443888411.0000013F453C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipwho.is/
Source: kqeGVKtpy2.exe, 00000000.00000002.3446683343.0000013F4DBDF000.00000004.00000020.00020000.00000000.sdmp, kqeGVKtpy2.exe, 00000000.00000002.3450940407.0000013F4E100000.00000004.08000000.00040000.00000000.sdmp, kqeGVKtpy2.exe, 00000000.00000002.3443888411.0000013F453C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: kqeGVKtpy2.exe, 00000000.00000002.3446683343.0000013F4DBDF000.00000004.00000020.00020000.00000000.sdmp, kqeGVKtpy2.exe, 00000000.00000002.3439789147.0000013F35401000.00000004.00000800.00020000.00000000.sdmp, kqeGVKtpy2.exe, 00000000.00000002.3450940407.0000013F4E100000.00000004.08000000.00040000.00000000.sdmp, kqeGVKtpy2.exe, 00000000.00000002.3443888411.0000013F453C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: kqeGVKtpy2.exe, 00000000.00000002.3446683343.0000013F4DBDF000.00000004.00000020.00020000.00000000.sdmp, kqeGVKtpy2.exe, 00000000.00000002.3450940407.0000013F4E100000.00000004.08000000.00040000.00000000.sdmp, kqeGVKtpy2.exe, 00000000.00000002.3443888411.0000013F453C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot
Source: kqeGVKtpy2.exe	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719

Source: unknown

HTTPS traffic detected: 108.181.61.49:443 -> 192.168.2.6:49719 version: TLS 1.2

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.kqeGVKtpy2.exe.13f4e100000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kqeGVKtpy2.exe.13f453c9ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kqeGVKtpy2.exe.13f4e100000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kqeGVKtpy2.exe.13f453c9ac0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3439789147.0000013F353C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3439789147.0000013F35592000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3446683343.0000013F4DBDF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3450940407.0000013F4E100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3443888411.0000013F453C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: kqeGVKtpy2.exe PID: 7340, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.kqeGVKtpy2.exe.13f4e100000.1.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.kqeGVKtpy2.exe.13f4e100000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.kqeGVKtpy2.exe.13f4e100000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.2.kqeGVKtpy2.exe.13f453c9ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.kqeGVKtpy2.exe.13f453c9ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.kqeGVKtpy2.exe.13f453c9ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.2.kqeGVKtpy2.exe.13f4e100000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.kqeGVKtpy2.exe.13f4e100000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.kqeGVKtpy2.exe.13f4e100000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.2.kqeGVKtpy2.exe.13f453c9ac0.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.kqeGVKtpy2.exe.13f453c9ac0.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.kqeGVKtpy2.exe.13f453c9ac0.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 00000000.00000002.3450940407.0000013F4E100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 00000000.00000002.3450940407.0000013F4E100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000000.00000002.3450940407.0000013F4E100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Quasar infostealer Author: ditekshen

Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Code function: 0_2_00007FFD3437295E	0_2_00007FFD3437295E
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Code function: 0_2_00007FFD34373CAD	0_2_00007FFD34373CAD
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Code function: 0_2_00007FFD343795FD	0_2_00007FFD343795FD
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Code function: 0_2_00007FFD34374EFA	0_2_00007FFD34374EFA
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Code function: 0_2_00007FFD343753D0	0_2_00007FFD343753D0
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Code function: 0_2_00007FFD3437BFF3	0_2_00007FFD3437BFF3
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Code function: 0_2_00007FFD345F4D78	0_2_00007FFD345F4D78
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Code function: 0_2_00007FFD345F9621	0_2_00007FFD345F9621
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Code function: 0_2_00007FFD3460EF79	0_2_00007FFD3460EF79
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Code function: 0_2_00007FFD3460B009	0_2_00007FFD3460B009
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Code function: 0_2_00007FFD346080E2	0_2_00007FFD346080E2
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Code function: 0_2_00007FFD345FAA4D	0_2_00007FFD345FAA4D
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Code function: 0_2_00007FFD3460C295	0_2_00007FFD3460C295
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Code function: 0_2_00007FFD34607336	0_2_00007FFD34607336
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Code function: 0_2_00007FFD3460E399	0_2_00007FFD3460E399
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Code function: 0_2_00007FFD345F1CCF	0_2_00007FFD345F1CCF
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Code function: 0_2_00007FFD345F5D35	0_2_00007FFD345F5D35
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Code function: 0_2_00007FFD345F1CE0	0_2_00007FFD345F1CE0
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Code function: 0_2_00007FFD34600E50	0_2_00007FFD34600E50
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Code function: 0_2_00007FFD34600E0F	0_2_00007FFD34600E0F
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Code function: 0_2_00007FFD34600EB8	0_2_00007FFD34600EB8
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Code function: 0_2_00007FFD34600EFA	0_2_00007FFD34600EFA
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Code function: 0_2_00007FFD345F07F2	0_2_00007FFD345F07F2
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Code function: 0_2_00007FFD345F10D1	0_2_00007FFD345F10D1
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Code function: 0_2_00007FFD345F11F2	0_2_00007FFD345F11F2
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Code function: 0_2_00007FFD3460E401	0_2_00007FFD3460E401
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Code function: 0_2_00007FFD346B23F1	0_2_00007FFD346B23F1
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Code function: 0_2_00007FFD346B0848	0_2_00007FFD346B0848

Source: kqeGVKtpy2.exe

Static PE information: invalid certificate

Source: kqeGVKtpy2.exe, 00000000.00000002.3446683343.0000013F4DBDF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs kqeGVKtpy2.exe
Source: kqeGVKtpy2.exe, 00000000.00000000.2159484517.00007FF61A604000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameRegAsm.exeT4 vs kqeGVKtpy2.exe
Source: kqeGVKtpy2.exe, 00000000.00000002.3450940407.0000013F4E100000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs kqeGVKtpy2.exe
Source: kqeGVKtpy2.exe, 00000000.00000002.3443888411.0000013F453C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs kqeGVKtpy2.exe
Source: kqeGVKtpy2.exe	Binary or memory string: OriginalFilenameRegAsm.exeT4 vs kqeGVKtpy2.exe

Source: 0.2.kqeGVKtpy2.exe.13f4e100000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.kqeGVKtpy2.exe.13f4e100000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.kqeGVKtpy2.exe.13f4e100000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.kqeGVKtpy2.exe.13f453c9ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.kqeGVKtpy2.exe.13f453c9ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.kqeGVKtpy2.exe.13f453c9ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.kqeGVKtpy2.exe.13f4e100000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.kqeGVKtpy2.exe.13f4e100000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.kqeGVKtpy2.exe.13f4e100000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.kqeGVKtpy2.exe.13f453c9ac0.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.kqeGVKtpy2.exe.13f453c9ac0.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.kqeGVKtpy2.exe.13f453c9ac0.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 00000000.00000002.3450940407.0000013F4E100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 00000000.00000002.3450940407.0000013F4E100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000000.00000002.3450940407.0000013F4E100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@1/2

Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ff4f56ac-24e1-40ed-bb5c-e0b45b489ee4
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Mutant created: \Sessions\1\BaseNamedObjects\Info_BVBcln
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Mutant created: \Sessions\1\BaseNamedObjects\Ficha_uzDiJFOR
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Mutant created: \Sessions\1\BaseNamedObjects\Var_UxBfKZ

Source: kqeGVKtpy2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\kqeGVKtpy2.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\kqeGVKtpy2.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: kqeGVKtpy2.exe	Virustotal: Detection: 35%
Source: kqeGVKtpy2.exe	ReversingLabs: Detection: 50%

Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Section loaded: wbemcomn.dll	Jump to behavior

Source: C:\Users\user\Desktop\kqeGVKtpy2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: kqeGVKtpy2.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: kqeGVKtpy2.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: kqeGVKtpy2.exe

Static file information: File size 6150496 > 1048576

Source: kqeGVKtpy2.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x286600
Source: kqeGVKtpy2.exe	Static PE information: Raw size of .data is bigger than: 0x100000 < 0x31e000

Source: kqeGVKtpy2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: kqeGVKtpy2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: kqeGVKtpy2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: kqeGVKtpy2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: kqeGVKtpy2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: kqeGVKtpy2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: kqeGVKtpy2.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: kqeGVKtpy2.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: kqeGVKtpy2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: kqeGVKtpy2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: kqeGVKtpy2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: kqeGVKtpy2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: kqeGVKtpy2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: kqeGVKtpy2.exe

Static PE information: real checksum: 0x5e17f4 should be: 0x5de9f8

Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Code function: 0_2_00007FFD3425D2A5 pushad ; iretd	0_2_00007FFD3425D2A6
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Code function: 0_2_00007FFD34612DFA push esp; iretd	0_2_00007FFD34612DFB
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Code function: 0_2_00007FFD345F2BA0 push eax; ret	0_2_00007FFD345F2C0C

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\kqeGVKtpy2.exe

File opened: C:\Users\user\Desktop\kqeGVKtpy2.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Memory allocated: 13F351D0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Memory allocated: 13F4D3C0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Window / User API: threadDelayed 925	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Window / User API: threadDelayed 495	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Window / User API: threadDelayed 799	Jump to behavior

Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\kqeGVKtpy2.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\kqeGVKtpy2.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\kqeGVKtpy2.exe

File Volume queried: C:\Users\user\Desktop FullSizeInformation

Jump to behavior

Source: kqeGVKtpy2.exe, 00000000.00000002.3445850892.0000013F4DB65000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\kqeGVKtpy2.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\kqeGVKtpy2.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\kqeGVKtpy2.exe

Thread register set: target process: unknown

Jump to behavior

Sets debug register (to hijack the execution of another thread)

Source: C:\Users\user\Desktop\kqeGVKtpy2.exe

Thread register set: unknown 1

Jump to behavior

Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kqeGVKtpy2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\kqeGVKtpy2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.kqeGVKtpy2.exe.13f4e100000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kqeGVKtpy2.exe.13f453c9ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kqeGVKtpy2.exe.13f4e100000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kqeGVKtpy2.exe.13f453c9ac0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3439789147.0000013F353C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3439789147.0000013F35592000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3446683343.0000013F4DBDF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3450940407.0000013F4E100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3443888411.0000013F453C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: kqeGVKtpy2.exe PID: 7340, type: MEMORYSTR

Remote Access Functionality

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.kqeGVKtpy2.exe.13f4e100000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kqeGVKtpy2.exe.13f453c9ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kqeGVKtpy2.exe.13f4e100000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kqeGVKtpy2.exe.13f453c9ac0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3439789147.0000013F353C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3439789147.0000013F35592000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3446683343.0000013F4DBDF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3450940407.0000013F4E100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3443888411.0000013F453C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: kqeGVKtpy2.exe PID: 7340, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Windows Management Instrumentation	1 DLL Side-Loading	2 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Hidden Files and Directories	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	24 System Information Discovery	SSH	Keylogging	113 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
kqeGVKtpy2.exe	35%	Virustotal		Browse
kqeGVKtpy2.exe	50%	ReversingLabs	Win64.Trojan.CrypterX

Source	Detection	Scanner	Label	Link
51.15.17.193	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipwho.is	108.181.61.49	true	false		high
ax-0001.ax-msedge.net	150.171.28.10	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ipwho.is/	false		high
51.15.17.193	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://api.ipify.org/	kqeGVKtpy2.exe, 00000000.00000002.3446683343.0000013F4DBDF000.00000004.00000020.00020000.00000000.sdmp, kqeGVKtpy2.exe, 00000000.00000002.3450940407.0000013F4E100000.00000004.08000000.00040000.00000000.sdmp, kqeGVKtpy2.exe, 00000000.00000002.3443888411.0000013F453C1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/14436606/23354	kqeGVKtpy2.exe, 00000000.00000002.3446683343.0000013F4DBDF000.00000004.00000020.00020000.00000000.sdmp, kqeGVKtpy2.exe, 00000000.00000002.3439789147.0000013F35401000.00000004.00000800.00020000.00000000.sdmp, kqeGVKtpy2.exe, 00000000.00000002.3450940407.0000013F4E100000.00000004.08000000.00040000.00000000.sdmp, kqeGVKtpy2.exe, 00000000.00000002.3443888411.0000013F453C1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/2152978/23354sCannot	kqeGVKtpy2.exe, 00000000.00000002.3446683343.0000013F4DBDF000.00000004.00000020.00020000.00000000.sdmp, kqeGVKtpy2.exe, 00000000.00000002.3450940407.0000013F4E100000.00000004.08000000.00040000.00000000.sdmp, kqeGVKtpy2.exe, 00000000.00000002.3443888411.0000013F453C1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.datacontract.org/2004/07/	kqeGVKtpy2.exe, 00000000.00000002.3439789147.0000013F35592000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	kqeGVKtpy2.exe, 00000000.00000002.3439789147.0000013F353C1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ipwho.is	kqeGVKtpy2.exe, 00000000.00000002.3439789147.0000013F35544000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	kqeGVKtpy2.exe, 00000000.00000002.3446683343.0000013F4DBDF000.00000004.00000020.00020000.00000000.sdmp, kqeGVKtpy2.exe, 00000000.00000002.3450940407.0000013F4E100000.00000004.08000000.00040000.00000000.sdmp, kqeGVKtpy2.exe, 00000000.00000002.3443888411.0000013F453C1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ipwho.is	kqeGVKtpy2.exe, 00000000.00000002.3439789147.0000013F3552A000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
108.181.61.49	ipwho.is	Canada		852	ASN852CA	false
51.15.17.193	unknown	France		12876	OnlineSASFR	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578204
Start date and time:	2024-12-19 12:30:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	kqeGVKtpy2.exe renamed because original name is a hash value
Original Sample Name:	0fa0a6df35785b0dd29b7191158f0730984ee72cde5562ee48cb8cc9d637a1dd.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 85% Number of executed functions: 169 Number of non-executed functions: 21
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.218.208.109, 104.85.16.144, 40.126.53.18, 20.223.36.55, 13.107.246.63, 4.245.163.56, 20.223.35.26, 2.16.158.192, 150.171.28.10, 2.16.158.33, 20.105.99.58
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, e15275.d.akamaiedge.net, tile-service.weather.microsoft.com, tse1.mm.bing.net, g.bing.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, wildcard.weather.microsoft.com.edgekey.net, login.live.com, e16604.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
108.181.61.49	888.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	888.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	Cracker.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
51.15.17.193	RegAsm.exe	Get hash	malicious	Quasar	Browse
51.15.17.193	truepepe-qt.exe	Get hash	malicious	Quasar	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipwho.is	RegAsm.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	truepepe-qt.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	alyemenione.lnk	Get hash	malicious	Havoc, Quasar	Browse	108.181.61.49
	jignesh.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	skibidi.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	vanilla.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	888.exe	Get hash	malicious	Luca Stealer	Browse	108.181.61.49
	888.exe	Get hash	malicious	Luca Stealer	Browse	108.181.61.49
	https://aggttt.z4.web.core.windows.net/?bcda=00-1-234-294-2156	Get hash	malicious	TechSupportScam	Browse	108.181.61.49
	Loader.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
ax-0001.ax-msedge.net	22054200882739718047.js	Get hash	malicious	Strela Downloader	Browse	150.171.27.10
	bPkG0wTVon.exe	Get hash	malicious	Unknown	Browse	150.171.27.10
	https://pdf.ac/4lLzbt	Get hash	malicious	Unknown	Browse	150.171.28.10
	https://www.bing.com/ck/a?!&&p=24da94b1cbc4e30be5abd9acb5737b3bdb775a56c39aac0141dd9c17c937dea1JmltdHM9MTczMzI3MDQwMA&ptn=3&ver=2&hsh=4&fclid=1bf8b81c-3b95-652f-24ec-ad573a81643b&u=a1aHR0cHM6Ly93d3cueXV4aW5na2V0YW5nLmNvbS9jb2xsZWN0aW9ucy90aHJvdy1ibGFua2V0cw#aHR0cHM6Ly9Uby5lZW1qaGl1bHoucnUvek83UkZORy8=	Get hash	malicious	Unknown	Browse	150.171.28.10
	vOizfcQSGf.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	150.171.27.10
	tasktow.exe	Get hash	malicious	Unknown	Browse	150.171.27.10
	R4qP4YM0QX.lnk	Get hash	malicious	Unknown	Browse	150.171.27.10
	bGcxY1mXHe.exe	Get hash	malicious	Unknown	Browse	150.171.28.10
	download.ps1	Get hash	malicious	Unknown	Browse	150.171.27.10
	PyIsvSahWy.exe	Get hash	malicious	Unknown	Browse	150.171.27.10

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASN852CA	RegAsm.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	truepepe-qt.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	TT copy.js	Get hash	malicious	FormBook	Browse	108.181.20.35
	alyemenione.lnk	Get hash	malicious	Havoc, Quasar	Browse	108.181.61.49
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	204.191.146.80
	la.bot.mips.elf	Get hash	malicious	Mirai	Browse	161.184.58.16
	la.bot.sh4.elf	Get hash	malicious	Mirai	Browse	199.175.174.49
	powerpc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	207.6.190.148
	la.bot.mipsel.elf	Get hash	malicious	Mirai	Browse	173.182.147.38
	arm5.nn-20241218-1651.elf	Get hash	malicious	Mirai, Okiru	Browse	172.218.204.155
OnlineSASFR	RegAsm.exe	Get hash	malicious	Quasar	Browse	51.15.17.193
	truepepe-qt.exe	Get hash	malicious	Quasar	Browse	51.15.17.193
	http://bluepeak-group.com/fc	Get hash	malicious	Unknown	Browse	163.172.143.199
	gaozw40v.exe	Get hash	malicious	Xmrig	Browse	163.172.154.142
	twjMb9cX64.exe	Get hash	malicious	Sliver	Browse	51.158.71.131
	WOlxr4yjgF.exe	Get hash	malicious	Sliver	Browse	51.158.71.131
	bot.mips.elf	Get hash	malicious	Mirai	Browse	51.158.232.138
	https://antiphishing.vadesecure.com/v4?f=M2FwZHlGNnU1aUlkc09ZNMiasRwGBdZehRVCQSRcBe4&i=WjB4M1dJWGJJMnNGTHV5MsMuKUIodncDHGeRU4kVkuY&k=CXOq&r=Skk2OVhvdXl2cm1uOWJtRKZOD61t44mSShExmLHL82awntC61WSfAdSPd_A2w4Sr0ol-2lJuHE1y6ZnIh9tzeQ&s=c0986918e90c31f67e295092df95ad67b5167b30a053715360f0707a34067922&u=https%3A%2F%2Fgeomesure-my.sharepoint.com%2F%3Ao%3A%2Fg%2Fpersonal%2Fjeason_geomesure_fr%2FEjezfvLh_FRNp0BDRFgaob0B5QrN_MFtVHWEoF2b4R1bRw%3Fe%3DomoERY	Get hash	malicious	Unknown	Browse	163.172.240.109
	801.ps1	Get hash	malicious	AsyncRAT	Browse	163.172.125.253
	BA9qyj2c9G.exe	Get hash	malicious	WhiteSnake Stealer	Browse	51.159.4.50

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	RegAsm.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	truepepe-qt.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	FjfZ7uM8zh.lnk	Get hash	malicious	Unknown	Browse	108.181.61.49
	yswmdaREME.lnk	Get hash	malicious	Unknown	Browse	108.181.61.49
	0bNBLjPn56.lnk	Get hash	malicious	Unknown	Browse	108.181.61.49
	t5lpvahkgypd7wy.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	108.181.61.49
	RFQ Letter and Instructions.pdf	Get hash	malicious	Unknown	Browse	108.181.61.49
	File di reclamo per violazione del copyright File di reclamo per violazione del copyright.lnk.d.lnk	Get hash	malicious	Unknown	Browse	108.181.61.49
	File di reclamo per violazione del copyright File di reclamo per violazione del copyright.lnk.d.lnk	Get hash	malicious	Unknown	Browse	108.181.61.49
	DHL_231437894819.bat.exe	Get hash	malicious	AgentTesla	Browse	108.181.61.49

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.250192152721609
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	kqeGVKtpy2.exe
File size:	6'150'496 bytes
MD5:	b76667c1f978c6c98bbba2dfd7e315d2
SHA1:	570de2264b32de819e7f02d6d5c8d4ce15277107
SHA256:	0fa0a6df35785b0dd29b7191158f0730984ee72cde5562ee48cb8cc9d637a1dd
SHA512:	6748b3cbd7ba55896d9ca767e83503cbfabbcfa0e47f83a4034a2a7ef255ec9adcdca38f5d5a0ee86cfcfd2cebd75990d740ec87a1554f4d4c96995748b8a77e
SSDEEP:	98304:6+MUi7WbyjWfmd5hjVAlVZCBLJ/KwiNElydmw+q2Sg4:TMVzjWyj51TiNEmmwOSg4
TLSH:	7756AD25531881A0CEE57534A0471762DB30BF0C913CA7E58FF44BA659FFB61A9AE23C
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L..o"..o"..o"...!..o"...'.Co"...&..o"...!..o"...&..o"..=...o"...#..o"..o#.Ko"...'..o"...+..o"... ..o".Rich.o"................

File Icon


Icon Hash:	55497933cc61714d

Static PE Info

General

Entrypoint:	0x140275fb0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x673964F0 [Sun Nov 17 03:37:20 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	b366497cd3cff2367e10ca55cfd84f3a

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert EV Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	12/06/2016 20:00:00 24/01/2019 07:00:00
Subject Chain	CN=Realtek Semiconductor Corp., O=Realtek Semiconductor Corp., L=Hsinchu, S=Taiwan, C=TW, PostalCode=300, STREET="No. 2, Innovation Road II, Hsinchu Science Park", SERIALNUMBER=22671299, OID.1.3.6.1.4.1.311.60.2.1.3=TW, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	7B0CA4029E3A73373CE0BD3DF12A08C1
Thumbprint SHA-1:	37A0BACB152A547382195095AB33601929877364
Thumbprint SHA-256:	B08CF4E204D1BA2BA8642D7709499D61CFF8CF7AA75CCD832A6BA1D7F1B82DF7
Serial:	0320BE3EB866526927F999B97B04346E

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F8638EB4324h
dec eax
add esp, 28h
jmp 00007F8638EB3E37h
int3
int3
dec eax
mov eax, esp
dec eax
mov dword ptr [eax+08h], ebx
dec eax
mov dword ptr [eax+10h], ebp
dec eax
mov dword ptr [eax+18h], esi
dec eax
mov dword ptr [eax+20h], edi
inc ecx
push esi
dec eax
sub esp, 20h
dec ebp
mov edx, dword ptr [ecx+38h]
dec eax
mov esi, edx
dec ebp
mov esi, eax
dec eax
mov ebp, ecx
dec ecx
mov edx, ecx
dec eax
mov ecx, esi
dec ecx
mov edi, ecx
inc ecx
mov ebx, dword ptr [edx]
dec eax
shl ebx, 04h
dec ecx
add ebx, edx
dec esp
lea eax, dword ptr [ebx+04h]
call 00007F8638EB46AFh
mov eax, dword ptr [ebp+04h]
and al, 66h
neg al
mov eax, 00000001h
sbb edx, edx
neg edx
add edx, eax
test dword ptr [ebx+04h], edx
je 00007F8638EB3FD3h
dec esp
mov ecx, edi
dec ebp
mov eax, esi
dec eax
mov edx, esi
dec eax
mov ecx, ebp
call 00007F8638EB5947h
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov ebp, dword ptr [esp+38h]
dec eax
mov esi, dword ptr [esp+40h]
dec eax
mov edi, dword ptr [esp+48h]
dec eax
add esp, 20h
inc ecx
pop esi
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
sub esp, 10h
dec esp
mov dword ptr [esp], edx
dec esp
mov dword ptr [esp+08h], ebx
dec ebp
xor ebx, ebx
dec esp
lea edx, dword ptr [esp+18h]
dec esp
sub edx, eax

Rich Headers

Programming Language:

[IMP] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2b28dc	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5d7000	0x6f58	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x5d4000	0x198c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x5d9200	0x4760	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5d6000	0x68c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2b02a0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2b0160	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x288000	0x370	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2864b0	0x286600	af50c5029c29ced34b3fe390c86f9c8d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x288000	0x2b43e	0x2b600	037fdf7480f8d9eab392f3d973af9bb9	False	0.5410043677953891	OpenPGP Secret Key	6.881698776055387	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2b4000	0x31f1e0	0x31e000	b86fa857f30457f9aa75cc3211bb9a7a	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x5d4000	0x198c	0x1a00	fd19fc647b36b2a5a58a66f285a14382	False	0.4827223557692308	data	5.469415454435121	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5d6000	0x68c	0x800	cdcbae01c279ba8e1a6f10c6d0cccca4	False	0.50439453125	data	4.933775156933927	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x5d7000	0x6f58	0x7000	ac5cf922255e83445a9096310e06d172	False	0.38570731026785715	data	6.017665190816656	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x5d7328	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 0			0.21341463414634146
RT_ICON	0x5d7990	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0			0.34139784946236557
RT_ICON	0x5d7c78	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0			0.5202702702702703
RT_ICON	0x5d7da0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.47334754797441364
RT_ICON	0x5d8c48	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.6101083032490975
RT_ICON	0x5d94f0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.596820809248555
RT_ICON	0x5d9a58	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.2932572614107884
RT_ICON	0x5dc000	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0			0.4343339587242026
RT_ICON	0x5dd0a8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0			0.7198581560283688
RT_ICON	0x5dd510	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640			0.42473118279569894
RT_ICON	0x5dd7f8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640			0.35618279569892475
RT_GROUP_ICON	0x5ddae0	0x84	data			0.6363636363636364
RT_GROUP_ICON	0x5ddb64	0x14	data			1.25
RT_GROUP_ICON	0x5ddb78	0x14	data			1.25
RT_VERSION	0x5ddb8c	0x3cc	data	English	United States	0.4506172839506173

Imports

DLL	Import
USER32.dll	wsprintfW, TranslateMessage, SetTimer, GetMessageW, DispatchMessageW, KillTimer
mscoree.dll	CLRCreateInstance
OLEAUT32.dll	SafeArrayCreateVector, SafeArrayUnlock, SafeArrayLock, SafeArrayCreate
KERNEL32.dll	IsDebuggerPresent, WriteConsoleW, CreateFileW, SetFilePointerEx, GetConsoleMode, GetConsoleOutputCP, FlushFileBuffers, HeapReAlloc, HeapSize, GetProcessHeap, LCMapStringW, CompareStringW, FlsFree, FlsSetValue, FlsGetValue, CreateTimerQueueTimer, GetCurrentProcess, lstrlenW, CreateJobObjectW, DeleteTimerQueueEx, CreateMutexW, GetLocaleInfoW, WaitForSingleObject, GetModuleHandleA, GetACP, CreateEventW, MultiByteToWideChar, GetLastError, LoadLibraryA, QueryPerformanceFrequency, CloseHandle, AddVectoredExceptionHandler, GetThreadContext, GetProcAddress, GlobalMemoryStatusEx, GetModuleHandleW, FreeLibrary, lstrcpyW, GetDiskFreeSpaceExA, GetSystemTime, SetThreadContext, QueryPerformanceCounter, CreateMailslotW, GetTickCount, CreateTimerQueue, LocalFree, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, GetStartupInfoW, FlsAlloc, RtlUnwindEx, RtlPcToFileHeader, RaiseException, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetOEMCP, GetCPInfo, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetFileType, GetStringTypeW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-19T12:31:18.412122+0100	2027619	ET MALWARE Observed Malicious SSL Cert (Quasar CnC)	1	51.15.17.193	4782	192.168.2.6	49718	TCP
2024-12-19T12:31:18.412122+0100	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	1	51.15.17.193	4782	192.168.2.6	49718	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 12:31:16.919409990 CET	49718	4782	192.168.2.6	51.15.17.193
Dec 19, 2024 12:31:17.039406061 CET	4782	49718	51.15.17.193	192.168.2.6
Dec 19, 2024 12:31:17.039519072 CET	49718	4782	192.168.2.6	51.15.17.193
Dec 19, 2024 12:31:17.146312952 CET	49718	4782	192.168.2.6	51.15.17.193
Dec 19, 2024 12:31:17.266067982 CET	4782	49718	51.15.17.193	192.168.2.6
Dec 19, 2024 12:31:18.288505077 CET	4782	49718	51.15.17.193	192.168.2.6
Dec 19, 2024 12:31:18.288583994 CET	4782	49718	51.15.17.193	192.168.2.6
Dec 19, 2024 12:31:18.288639069 CET	49718	4782	192.168.2.6	51.15.17.193
Dec 19, 2024 12:31:18.292453051 CET	49718	4782	192.168.2.6	51.15.17.193
Dec 19, 2024 12:31:18.412122011 CET	4782	49718	51.15.17.193	192.168.2.6
Dec 19, 2024 12:31:18.684809923 CET	4782	49718	51.15.17.193	192.168.2.6
Dec 19, 2024 12:31:18.733988047 CET	49718	4782	192.168.2.6	51.15.17.193
Dec 19, 2024 12:31:19.281821966 CET	49719	443	192.168.2.6	108.181.61.49
Dec 19, 2024 12:31:19.281935930 CET	443	49719	108.181.61.49	192.168.2.6
Dec 19, 2024 12:31:19.282016993 CET	49719	443	192.168.2.6	108.181.61.49
Dec 19, 2024 12:31:19.287353039 CET	49719	443	192.168.2.6	108.181.61.49
Dec 19, 2024 12:31:19.287393093 CET	443	49719	108.181.61.49	192.168.2.6
Dec 19, 2024 12:31:21.873970985 CET	443	49719	108.181.61.49	192.168.2.6
Dec 19, 2024 12:31:21.874053001 CET	49719	443	192.168.2.6	108.181.61.49
Dec 19, 2024 12:31:21.877019882 CET	49719	443	192.168.2.6	108.181.61.49
Dec 19, 2024 12:31:21.877047062 CET	443	49719	108.181.61.49	192.168.2.6
Dec 19, 2024 12:31:21.877325058 CET	443	49719	108.181.61.49	192.168.2.6
Dec 19, 2024 12:31:21.881320953 CET	49719	443	192.168.2.6	108.181.61.49
Dec 19, 2024 12:31:21.923336029 CET	443	49719	108.181.61.49	192.168.2.6
Dec 19, 2024 12:31:22.515964985 CET	443	49719	108.181.61.49	192.168.2.6
Dec 19, 2024 12:31:22.516150951 CET	443	49719	108.181.61.49	192.168.2.6
Dec 19, 2024 12:31:22.516969919 CET	49719	443	192.168.2.6	108.181.61.49
Dec 19, 2024 12:31:23.859273911 CET	49719	443	192.168.2.6	108.181.61.49
Dec 19, 2024 12:31:24.949373007 CET	49718	4782	192.168.2.6	51.15.17.193
Dec 19, 2024 12:31:25.069194078 CET	4782	49718	51.15.17.193	192.168.2.6
Dec 19, 2024 12:31:25.072334051 CET	49718	4782	192.168.2.6	51.15.17.193
Dec 19, 2024 12:31:25.192034006 CET	4782	49718	51.15.17.193	192.168.2.6
Dec 19, 2024 12:31:25.463016987 CET	4782	49718	51.15.17.193	192.168.2.6
Dec 19, 2024 12:31:25.515238047 CET	49718	4782	192.168.2.6	51.15.17.193
Dec 19, 2024 12:31:25.655287027 CET	4782	49718	51.15.17.193	192.168.2.6
Dec 19, 2024 12:31:25.702756882 CET	49718	4782	192.168.2.6	51.15.17.193
Dec 19, 2024 12:31:50.655936003 CET	49718	4782	192.168.2.6	51.15.17.193
Dec 19, 2024 12:31:50.780613899 CET	4782	49718	51.15.17.193	192.168.2.6
Dec 19, 2024 12:32:15.796601057 CET	49718	4782	192.168.2.6	51.15.17.193
Dec 19, 2024 12:32:15.916285038 CET	4782	49718	51.15.17.193	192.168.2.6
Dec 19, 2024 12:32:40.921644926 CET	49718	4782	192.168.2.6	51.15.17.193
Dec 19, 2024 12:32:41.154449940 CET	4782	49718	51.15.17.193	192.168.2.6
Dec 19, 2024 12:33:06.156088114 CET	49718	4782	192.168.2.6	51.15.17.193
Dec 19, 2024 12:33:06.275644064 CET	4782	49718	51.15.17.193	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 12:31:19.018521070 CET	60352	53	192.168.2.6	1.1.1.1
Dec 19, 2024 12:31:19.267225027 CET	53	60352	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 19, 2024 12:31:19.018521070 CET	192.168.2.6	1.1.1.1	0x246f	Standard query (0)	ipwho.is	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 19, 2024 12:31:19.267225027 CET	1.1.1.1	192.168.2.6	0x246f	No error (0)	ipwho.is		108.181.61.49	A (IP address)	IN (0x0001)	false
Dec 19, 2024 12:32:09.511066914 CET	1.1.1.1	192.168.2.6	0x3dd4	No error (0)	g-bing-com.ax-0001.ax-msedge.net	ax-0001.ax-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 19, 2024 12:32:09.511066914 CET	1.1.1.1	192.168.2.6	0x3dd4	No error (0)	ax-0001.ax-msedge.net		150.171.28.10	A (IP address)	IN (0x0001)	false
Dec 19, 2024 12:32:09.511066914 CET	1.1.1.1	192.168.2.6	0x3dd4	No error (0)	ax-0001.ax-msedge.net		150.171.27.10	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ipwho.is

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49719	108.181.61.49	443	7340	C:\Users\user\Desktop\kqeGVKtpy2.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 11:31:21 UTC	150	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0 Host: ipwho.is Connection: Keep-Alive
2024-12-19 11:31:22 UTC	223	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 11:31:22 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close Server: ipwhois Access-Control-Allow-Headers: * X-Robots-Tag: noindex
2024-12-19 11:31:22 UTC	1021	IN	Data Raw: 33 66 31 0d 0a 7b 0a 20 20 20 20 22 41 62 6f 75 74 20 55 73 22 3a 20 22 68 74 74 70 73 3a 5c 2f 5c 2f 69 70 77 68 6f 69 73 2e 69 6f 22 2c 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 74 79 70 65 22 3a 20 22 49 50 76 34 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 20 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 20 22 4e 41 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f Data Ascii: 3f1{ "About Us": "https:\/\/ipwhois.io", "ip": "8.46.123.189", "success": true, "type": "IPv4", "continent": "North America", "continent_code": "NA", "country": "United States", "country_code": "US", "region": "New Yo

Target ID:	0
Start time:	06:31:10
Start date:	19/12/2024
Path:	C:\Users\user\Desktop\kqeGVKtpy2.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\kqeGVKtpy2.exe"
Imagebase:	0x7ff61a030000
File size:	6'150'496 bytes
MD5 hash:	B76667C1F978C6C98BBBA2DFD7E315D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.3439789147.0000013F353C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.3439789147.0000013F35592000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.3446683343.0000013F4DBDF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.3450940407.0000013F4E100000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.3450940407.0000013F4E100000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: 00000000.00000002.3450940407.0000013F4E100000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000000.00000002.3450940407.0000013F4E100000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: 00000000.00000002.3450940407.0000013F4E100000.00000004.08000000.00040000.00000000.sdmp, Author: ditekshen Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.3443888411.0000013F453C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	5.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD346B23F1 Relevance: 71.2, Strings: 52, Instructions: 6199COMMON

Download Yara Rule

Strings

-N4, xrefs: 00007FFD346B4904
-N4, xrefs: 00007FFD346B48A5
p3N4, xrefs: 00007FFD346B4E3F
8 N4, xrefs: 00007FFD346B400B
P'N4, xrefs: 00007FFD346B43E9
h4N4, xrefs: 00007FFD346B4EF5
AN4, xrefs: 00007FFD346B55A4
8,N4, xrefs: 00007FFD346B47AB
CN4, xrefs: 00007FFD346B56D9
p3N4, xrefs: 00007FFD346B4E8A
80N4, xrefs: 00007FFD346B4B03
CN4, xrefs: 00007FFD346B56ED
@$N4, xrefs: 00007FFD346B42B4
8 N4, xrefs: 00007FFD346B4056
`9N4, xrefs: 00007FFD346B5153
0!N4, xrefs: 00007FFD346B4120
8 N4, xrefs: 00007FFD346B4091
h4N4, xrefs: 00007FFD346B4F54
P'N4, xrefs: 00007FFD346B4483
0!N4, xrefs: 00007FFD346B415B
8 N4, xrefs: 00007FFD346B3FF7
CN4, xrefs: 00007FFD346B5738
0!N4, xrefs: 00007FFD346B40D5
-N4, xrefs: 00007FFD346B493F
@$N4, xrefs: 00007FFD346B4269
80N4, xrefs: 00007FFD346B4B62
,N4, xrefs: 00007FFD346B483A
,N4, xrefs: 00007FFD346B4875
h4N4, xrefs: 00007FFD346B4F09
0!N4, xrefs: 00007FFD346B40C1
AN4, xrefs: 00007FFD346B5545
8,N4, xrefs: 00007FFD346B4770
@$N4, xrefs: 00007FFD346B4255
CN4, xrefs: 00007FFD346B5773
P'N4, xrefs: 00007FFD346B43FD
`9N4, xrefs: 00007FFD346B51B2
AN4, xrefs: 00007FFD346B5559
`9N4, xrefs: 00007FFD346B51ED
,N4, xrefs: 00007FFD346B47DB
8,N4, xrefs: 00007FFD346B4711
-N4, xrefs: 00007FFD346B48B9
@$N4, xrefs: 00007FFD346B42EF
P'N4, xrefs: 00007FFD346B4448
80N4, xrefs: 00007FFD346B4B17
h4N4, xrefs: 00007FFD346B4F8F
8,N4, xrefs: 00007FFD346B4725
80N4, xrefs: 00007FFD346B4B9D
H, xrefs: 00007FFD346B3759
p3N4, xrefs: 00007FFD346B4E2B
AN4, xrefs: 00007FFD346B55DF
p3N4, xrefs: 00007FFD346B4EC5
,N4, xrefs: 00007FFD346B47EF

Memory Dump Source

Source File: 00000000.00000002.3462254996.00007FFD346B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd346b0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: 0!N4$0!N4$0!N4$0!N4$8 N4$8 N4$8 N4$8 N4$8,N4$8,N4$8,N4$8,N4$80N4$80N4$80N4$80N4$@$N4$@$N4$@$N4$@$N4$H$P'N4$P'N4$P'N4$P'N4$`9N4$`9N4$`9N4$h4N4$h4N4$h4N4$h4N4$p3N4$p3N4$p3N4$p3N4$,N4$,N4$,N4$,N4$-N4$-N4$-N4$-N4$AN4$AN4$AN4$AN4$CN4$CN4$CN4$CN4
API String ID: 0-1113793192
Opcode ID: 0019fc1201d055036cc98a69f770af01c9e7b574ee891d6a0a4f98afbe1072ca
Instruction ID: 82bd215a656c227651f40b97d7f6296ea5172b35d1267f02a6d58ae83ad8b778
Opcode Fuzzy Hash: 0019fc1201d055036cc98a69f770af01c9e7b574ee891d6a0a4f98afbe1072ca
Instruction Fuzzy Hash: 7C832512F19E5B0BFBE5AA2D04F42B956C2EFDA604B58017BD14ED32D6ED6CEC426340

Function 00007FFD345F4D78 Relevance: 32.4, Strings: 24, Instructions: 2358COMMON

Download Yara Rule

Strings

x7<E, xrefs: 00007FFD345F50B7
xML4, xrefs: 00007FFD345F4E0D
7<E, xrefs: 00007FFD345F572B
hqnE, xrefs: 00007FFD345F53AF
H8<E, xrefs: 00007FFD345F60C3
P8<E, xrefs: 00007FFD345F60EF
HA&4, xrefs: 00007FFD345F6417
p7<E, xrefs: 00007FFD345F504C
`8<E, xrefs: 00007FFD345F6147
08<E, xrefs: 00007FFD345F603F
@8<E, xrefs: 00007FFD345F6097
(8<E, xrefs: 00007FFD345F6010
(~K4, xrefs: 00007FFD345F6565
X8<E, xrefs: 00007FFD345F611B
(g4, xrefs: 00007FFD345F61FD
88<E, xrefs: 00007FFD345F606B
:j4, xrefs: 00007FFD345F61BC
hqnE, xrefs: 00007FFD345F530D
`9L4, xrefs: 00007FFD345F64C0
`9L4, xrefs: 00007FFD345F4DA0
h7<E, xrefs: 00007FFD345F502A
HA&4, xrefs: 00007FFD345F6372
hqnE, xrefs: 00007FFD345F5BB2
7<E, xrefs: 00007FFD345F57B5

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: (8<E$(~K4$(g4$08<E$88<E$:j4$@8<E$H8<E$HA&4$HA&4$P8<E$X8<E$`8<E$`9L4$`9L4$h7<E$hqnE$hqnE$hqnE$p7<E$x7<E$xML4$7<E$7<E
API String ID: 0-3924021778
Opcode ID: 28d936628e8020ad59adbd1b1550f8c7ba75b31a73c5060303e7f4d152cbb1ef
Instruction ID: d960930c729fc999412ace16fcf848f0a2bc46ae4eeba86b40605e50aa86cf0c
Opcode Fuzzy Hash: 28d936628e8020ad59adbd1b1550f8c7ba75b31a73c5060303e7f4d152cbb1ef
Instruction Fuzzy Hash: 7803F571E08A4A8FDB95DF28C4A4BA97BE1FF5A300F1441B9D04DD7692DA39EC42CB41

Function 00007FFD345F9621 Relevance: 13.7, Strings: 10, Instructions: 1223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HA&4, xrefs: 00007FFD345FA3B1
P9<E, xrefs: 00007FFD345F9CC5
HA&4, xrefs: 00007FFD345FA1FD
@9<E, xrefs: 00007FFD345F9BE4
HA&4, xrefs: 00007FFD345FA237
HA&4, xrefs: 00007FFD345FA270
hqnE, xrefs: 00007FFD345F9AD8
H9<E, xrefs: 00007FFD345F9C0C
89<E, xrefs: 00007FFD345F9B41
HA&4, xrefs: 00007FFD345F99B0

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: 89<E$@9<E$H9<E$HA&4$HA&4$HA&4$HA&4$HA&4$P9<E$hqnE
API String ID: 0-1969397718
Opcode ID: ea0913c6ac3861bd8498c9c1dc731494257a969a5e2d1fa5bafb0ceb9fa7fb27
Instruction ID: f59832b3239010581c9979e6e489e0b6536507b0a560338e08ddba23640b848e
Opcode Fuzzy Hash: ea0913c6ac3861bd8498c9c1dc731494257a969a5e2d1fa5bafb0ceb9fa7fb27
Instruction Fuzzy Hash: 85720A31B1CE498FEB99EB1C94A56B577D1FF9A310F0440BAD44EC7693DE29AC028742

Function 00007FFD3460E399 Relevance: 11.1, Strings: 8, Instructions: 1119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HA&4, xrefs: 00007FFD3460E907
HA&4, xrefs: 00007FFD3460E999
8#_L, xrefs: 00007FFD3460EC72
HA&4, xrefs: 00007FFD3460E960
0K4, xrefs: 00007FFD3460E5C8
>._L, xrefs: 00007FFD3460E5D2
=#_L, xrefs: 00007FFD3460E770
HA&4, xrefs: 00007FFD3460E8CE

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: 0K4$8#_L$=#_L$>._L$HA&4$HA&4$HA&4$HA&4
API String ID: 0-2766439932
Opcode ID: b96cb40d0b3a57613dc920d1ba1e51578fd189ec7a3d3ef60e56b16b8d299e8a
Instruction ID: 4c3a8be883e1a7a5910ca225c7a9b49a8f0333ea4330568b78cf5f27de17aa83
Opcode Fuzzy Hash: b96cb40d0b3a57613dc920d1ba1e51578fd189ec7a3d3ef60e56b16b8d299e8a
Instruction Fuzzy Hash: CF727D71B1CA5A8FEB98DF18C4A56A977E1FF9A300F140179E45AC7292CE39EC42C741

Function 00007FFD3437295E Relevance: 10.3, Strings: 8, Instructions: 262
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(pnE, xrefs: 00007FFD34372B44
pnE, xrefs: 00007FFD34372B1D
onE, xrefs: 00007FFD34372A45
8pnE, xrefs: 00007FFD34372B90
onE, xrefs: 00007FFD34372A5A
0pnE, xrefs: 00007FFD34372B68
(pnE, xrefs: 00007FFD34372B2F
pnE, xrefs: 00007FFD34372B08

Memory Dump Source

Source File: 00000000.00000002.3458183389.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: pnE$ pnE$(pnE$(pnE$0pnE$8pnE$onE$onE
API String ID: 0-347256618
Opcode ID: b6534b212bd7e311879d4e1e78893951516750f4fbf4a93fb0214dcfc269004a
Instruction ID: 7fc92e0ed2f22a43980d9303d3a3ced9605f48096d3a9c6026a8aae56c284f90
Opcode Fuzzy Hash: b6534b212bd7e311879d4e1e78893951516750f4fbf4a93fb0214dcfc269004a
Instruction Fuzzy Hash: 42818C6064FAC36FE393A6B858A65A97FE0DF4712178989EAC0C5CB1A3D92D0806D711

Function 00007FFD3460C295 Relevance: 10.1, Strings: 7, Instructions: 1320COMMON

Download Yara Rule

Strings

'<E, xrefs: 00007FFD3460CB2C
HA&4, xrefs: 00007FFD3460C485
HA&4, xrefs: 00007FFD3460C76D
^._L, xrefs: 00007FFD3460C5D0
hqnE, xrefs: 00007FFD3460C547
(`E4, xrefs: 00007FFD3460C65E
xhL4, xrefs: 00007FFD3460C2FD

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: '<E$(`E4$HA&4$HA&4$^._L$hqnE$xhL4
API String ID: 0-3521182041
Opcode ID: 8f4f2c6c4294f40a816a0c75641db610f4bf243462d0b3bf9eb6631888f34c2e
Instruction ID: 28b8ea5d3e8c1f6268b1cecdbebeaf013f45fc2d38a5ab1e6781637eb5dd4da1
Opcode Fuzzy Hash: 8f4f2c6c4294f40a816a0c75641db610f4bf243462d0b3bf9eb6631888f34c2e
Instruction Fuzzy Hash: 5592F771A0DA964FE76D9F2888A65E43BE0EF57310B0405FED58DCB1E3EA1C6C0A9741

Function 00007FFD3460B009 Relevance: 9.6, Strings: 7, Instructions: 888
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HA&4, xrefs: 00007FFD3460B6D5
hqnE, xrefs: 00007FFD3460B59D
^L4, xrefs: 00007FFD3460B12B
pL4, xrefs: 00007FFD3460B2AE
HA&4, xrefs: 00007FFD3460B70E
^L4, xrefs: 00007FFD3460B486
pqnE, xrefs: 00007FFD3460B3B1

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: ^L4$ ^L4$HA&4$HA&4$hqnE$pL4$pqnE
API String ID: 0-1503313731
Opcode ID: 34847ae942aa64d49bd61fc7541f54dc0c9edbe576f7d74cbfb2a0f9858b731f
Instruction ID: 2217ceaa1ebb1afd12355f47628dbb757a605c46ec4b0b2a18a89f04d0213b1d
Opcode Fuzzy Hash: 34847ae942aa64d49bd61fc7541f54dc0c9edbe576f7d74cbfb2a0f9858b731f
Instruction Fuzzy Hash: F552E231B1CA1A4FEB98DF5884A56B5B3E1FF9A704F04457DD54AC3692CE28FC428781

Function 00007FFD345FAA4D Relevance: 8.5, Strings: 6, Instructions: 978
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

p9<E, xrefs: 00007FFD345FADD7
`9<E, xrefs: 00007FFD345FACED
h9<E, xrefs: 00007FFD345FAD1D
x9<E, xrefs: 00007FFD345FAF0C
89<E, xrefs: 00007FFD345FB083
X9<E, xrefs: 00007FFD345FACA5

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: 89<E$X9<E$`9<E$h9<E$p9<E$x9<E
API String ID: 0-1724146032
Opcode ID: e854466de411c08bea9ff217eb9868e0dd81193f51d9cca588d10fb1309917cd
Instruction ID: 6d2adf36f3cac4120976656828d7cde87c71e40374db12b8ffd6b768d352b04b
Opcode Fuzzy Hash: e854466de411c08bea9ff217eb9868e0dd81193f51d9cca588d10fb1309917cd
Instruction Fuzzy Hash: FE627230B08A498FEB95EB28C4A97A577E1FF9A300F1545B9D44DC72A6DE39EC41C702

Function 00007FFD3460EF79 Relevance: 5.3, Strings: 4, Instructions: 311COMMON

Download Yara Rule

Strings

HA&4, xrefs: 00007FFD3460F135
HA&4, xrefs: 00007FFD3460F1A2
HA&4, xrefs: 00007FFD3460F0FB
HA&4, xrefs: 00007FFD3460F18B

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: HA&4$HA&4$HA&4$HA&4
API String ID: 0-346238700
Opcode ID: d972bc7cacfe4ca7c0b30f0640ce1988127b13277bc40c9580cd1184ebb53420
Instruction ID: 6d385ab07be735dfe6a1c43537d254f24ae2885a135b4d9b67153aee45446134
Opcode Fuzzy Hash: d972bc7cacfe4ca7c0b30f0640ce1988127b13277bc40c9580cd1184ebb53420
Instruction Fuzzy Hash: FC81F721B0D9554FEBA9DB2C94B52B83BD6EF9B740B0400FAD18EC7293DD5DAC429341

Function 00007FFD3460E401 Relevance: 4.2, Strings: 3, Instructions: 461COMMON

Download Yara Rule

Strings

0K4, xrefs: 00007FFD3460E5C8
>._L, xrefs: 00007FFD3460E5D2
=#_L, xrefs: 00007FFD3460E770

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: 0K4$=#_L$>._L
API String ID: 0-365393850
Opcode ID: b6545e447924388484bfd8b315f2af4becfeb7f53c0b0e0bb9f2b5e383ba4226
Instruction ID: 3a0757eb50a4a74a220354439dbc32829a25e3c5d7a87fc2983e66d8484a0a79
Opcode Fuzzy Hash: b6545e447924388484bfd8b315f2af4becfeb7f53c0b0e0bb9f2b5e383ba4226
Instruction Fuzzy Hash: 27E17E31B1CA5A8FEB98DF18D8A56A977E1FF99300F14417DE44AC7292DE28EC42C741

Function 00007FFD345F5D35 Relevance: 4.1, Strings: 3, Instructions: 349COMMON

Download Yara Rule

Strings

(g4, xrefs: 00007FFD345F61FD
:j4, xrefs: 00007FFD345F61BC
8<E, xrefs: 00007FFD345F5D58

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: 8<E$(g4$:j4
API String ID: 0-3239388416
Opcode ID: 233318c1d2eef0ac38fc2b36aea243f2e39d9a2f2ce91ee8c259136e5a4d4dc2
Instruction ID: e1d3cf3924b60b0f8f5156ccad4ae79e00c5e091b7e88a73acca8a4bbd1132e5
Opcode Fuzzy Hash: 233318c1d2eef0ac38fc2b36aea243f2e39d9a2f2ce91ee8c259136e5a4d4dc2
Instruction Fuzzy Hash: B1C16031E18A198FEBA4DF58C4917A9B3E2FF99300F10457DD14ED3696CA38BC828B41

Function 00007FFD34607336 Relevance: 3.0, Strings: 2, Instructions: 471COMMON

Download Yara Rule

Strings

f, xrefs: 00007FFD346073AD
f, xrefs: 00007FFD346077D0

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: f$f
API String ID: 0-3861007179
Opcode ID: c6014a1610d6b668a7bad594f3c0055da7522abb5392b170e2fdc191f283b0d6
Instruction ID: b13ac5db2fd74c58cfcd3dcd7b585f1b24df3d8cca381141fb0a73e2444ffcbb
Opcode Fuzzy Hash: c6014a1610d6b668a7bad594f3c0055da7522abb5392b170e2fdc191f283b0d6
Instruction Fuzzy Hash: 67F1A530A1CA8D8FEBA8DF28C8557E937D1FF56311F14426AD84DC7291DF78A9418B82

Function 00007FFD346080E2 Relevance: 3.0, Strings: 2, Instructions: 457COMMON

Download Yara Rule

Strings

f, xrefs: 00007FFD3460815D
f, xrefs: 00007FFD3460854C

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: f$f
API String ID: 0-3861007179
Opcode ID: 96a0432ee26d5d1d52d7bb9fe7f9f9ed0a8b210abffc8b88a07f1785a9558626
Instruction ID: e4c9ce42f4578182ac379f624a7201cfdefeb2a54653732a33080da5f1a3bcdb
Opcode Fuzzy Hash: 96a0432ee26d5d1d52d7bb9fe7f9f9ed0a8b210abffc8b88a07f1785a9558626
Instruction Fuzzy Hash: 07E19430A0CA4E8FEBA8DF28C8657E977D1FF56310F14426ED84DC7291DA78A9458B81

Function 00007FFD3460F6FD Relevance: 12.3, Strings: 9, Instructions: 1015
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00007FFD3460FAD0
, xrefs: 00007FFD3460FDDB
HA&4, xrefs: 00007FFD3460FEF4
HA&4, xrefs: 00007FFD3460FE83
H2L4, xrefs: 00007FFD3460FA86
8<E, xrefs: 00007FFD3460F8F3
HA&4, xrefs: 00007FFD3460FE9A
HA&4, xrefs: 00007FFD3460FE00
@#_H, xrefs: 00007FFD3460FC60

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: $ $ 8<E$@#_H$H2L4$HA&4$HA&4$HA&4$HA&4
API String ID: 0-2425554197
Opcode ID: 583d3c06742e23589b3d43a1be65458c72a6a7eeffa4d298a217d444562823ad
Instruction ID: 139dbdafc91f204f2477c9c39879db336b6b32933164f535cc26b6ff0379f377
Opcode Fuzzy Hash: 583d3c06742e23589b3d43a1be65458c72a6a7eeffa4d298a217d444562823ad
Instruction Fuzzy Hash: BB62B57171C9198FEBA8EF2CC4A5AB837D1FF5A300B1500B9E54EC72A2DE69EC419741

Function 00007FFD3460BA79 Relevance: 11.9, Strings: 9, Instructions: 699
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HA&4, xrefs: 00007FFD3460BF38
HA&4, xrefs: 00007FFD3460BF74
HA&4, xrefs: 00007FFD3460BFDF
HA&4, xrefs: 00007FFD3460BF21
@qnE, xrefs: 00007FFD3460BD06
HA&4, xrefs: 00007FFD3460BFAD
HA&4, xrefs: 00007FFD3460BECA
HA&4, xrefs: 00007FFD3460BE40
HA&4, xrefs: 00007FFD3460BE29

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: @qnE$HA&4$HA&4$HA&4$HA&4$HA&4$HA&4$HA&4$HA&4
API String ID: 0-1545013629
Opcode ID: 9162fd85652363edc41deda4ea435977b836d348bea4efbf8c68f4be1e9ff159
Instruction ID: 15750413b93a46eccae9d5dde293c7dfffbf3ca5b1d38bbe4bdf67c08034af88
Opcode Fuzzy Hash: 9162fd85652363edc41deda4ea435977b836d348bea4efbf8c68f4be1e9ff159
Instruction Fuzzy Hash: D5222530B1CA5A4FE359EF6884A56B977D1FF9A704F4441BDD58EC3286DE2CB8028781

Function 00007FFD34601B28 Relevance: 11.7, Strings: 9, Instructions: 469
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

xCm4, xrefs: 00007FFD34601F1A
xCm4, xrefs: 00007FFD3460201D
hWqE, xrefs: 00007FFD34601CB4
x6<E, xrefs: 00007FFD34601EF4
xWqE, xrefs: 00007FFD34601D79
pWqE, xrefs: 00007FFD34601CC5
pWqE, xrefs: 00007FFD34601DB2
hWqE, xrefs: 00007FFD34601C98
x6<E, xrefs: 00007FFD34601FF7

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: hWqE$hWqE$pWqE$pWqE$x6<E$x6<E$xCm4$xCm4$xWqE
API String ID: 0-696561175
Opcode ID: ca2d8a11959d4ae1e56c008265fb1249b155670d0323d3167d08852ef73a7f0d
Instruction ID: ff1eebe16ad7dd634eb46f03eb8bd84e188be8e2f4b39944fbbeac3f22d044ca
Opcode Fuzzy Hash: ca2d8a11959d4ae1e56c008265fb1249b155670d0323d3167d08852ef73a7f0d
Instruction Fuzzy Hash: B7E13C62A0E7964FD3669B7898F60E57BE0EF47320B4841BFC18DCB1E3D91D68468341

Function 00007FFD345FFFA7 Relevance: 8.0, Strings: 6, Instructions: 517
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PonE, xrefs: 00007FFD345FFFB7
p!K4, xrefs: 00007FFD34600375
@8m4, xrefs: 00007FFD34600363
=$_H, xrefs: 00007FFD34600170
HonE, xrefs: 00007FFD345FFFDD
XonE, xrefs: 00007FFD345FFFF3

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: =$_H$@8m4$HonE$PonE$XonE$p!K4
API String ID: 0-3355037008
Opcode ID: 55dc5bd3e2822ded8e9a51e069afd33eb083ea4645657cfa0f145baed4db0419
Instruction ID: f1b8b1bd6a83d850edb873a3382c6a21f76e8b976cf34aed8d0d1564ec44a73d
Opcode Fuzzy Hash: 55dc5bd3e2822ded8e9a51e069afd33eb083ea4645657cfa0f145baed4db0419
Instruction Fuzzy Hash: 67F10530A0DE5B8FE7A5EF6890A56E5B7E1FF56310B1485BAC04DC7596CA3CEC418780

Function 00007FFD345F6D81 Relevance: 7.8, Strings: 6, Instructions: 330
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HA&4, xrefs: 00007FFD345F6FAD
hqnE, xrefs: 00007FFD345F6E91
HA&4, xrefs: 00007FFD345F6F2B
HA&4, xrefs: 00007FFD345F6F64
HA&4, xrefs: 00007FFD345F6EF1
HA&4, xrefs: 00007FFD345F6FE3

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: HA&4$HA&4$HA&4$HA&4$HA&4$hqnE
API String ID: 0-2756815528
Opcode ID: beaf983a5ad28f994df867ff467aa86bc9860a2c7c1fe3cb451007d0f3dc7dd3
Instruction ID: cf37ebf4a7b77b5f60149c29cd264a4533c2038a792f6afaa3fb3745b57e22f3
Opcode Fuzzy Hash: beaf983a5ad28f994df867ff467aa86bc9860a2c7c1fe3cb451007d0f3dc7dd3
Instruction Fuzzy Hash: 8F910A22B1D9498FE7A6EB2C84A567537D1FF9A340B4400BAD14EC76A7DD2DEC038741

Function 00007FFD34609F8D Relevance: 6.7, Strings: 5, Instructions: 408
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(~K4, xrefs: 00007FFD3460A092
HA&4, xrefs: 00007FFD3460A0A9
HA&4, xrefs: 00007FFD3460A0E2
HA&4, xrefs: 00007FFD3460A1DB
(~K4, xrefs: 00007FFD3460A0CB

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: (~K4$(~K4$HA&4$HA&4$HA&4
API String ID: 0-4116923365
Opcode ID: 3a26fba642aab51656bed275f49ce959a5879b2dbc7371f9420b6389647ef7ad
Instruction ID: 837b10a93c46854245bbe4020a2ea2bf75a53f75864cdcc3f88f4576639741d0
Opcode Fuzzy Hash: 3a26fba642aab51656bed275f49ce959a5879b2dbc7371f9420b6389647ef7ad
Instruction Fuzzy Hash: FDC1D431B08A5D8FDF95EF58D8A56ED77E1FFAA310F0401BAD409D7282DE38A8058781

Function 00007FFD34609AE9 Relevance: 6.5, Strings: 5, Instructions: 214
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

xpnE, xrefs: 00007FFD34609CAF
0uK4, xrefs: 00007FFD34609B35
HA&4, xrefs: 00007FFD34609BFC
HA&4, xrefs: 00007FFD34609C36
HA&4, xrefs: 00007FFD34609C4D

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: 0uK4$HA&4$HA&4$HA&4$xpnE
API String ID: 0-1798612924
Opcode ID: 35e4401f0bafe61cc784b7bf7eb0786654d62c186263b28c51a297476a379339
Instruction ID: 076cb9e9a692193752d285c1c4cc2c172902e00a32026a06d87167271c23014d
Opcode Fuzzy Hash: 35e4401f0bafe61cc784b7bf7eb0786654d62c186263b28c51a297476a379339
Instruction Fuzzy Hash: E96136A1B0DA8A0FE7669B3844B42E67BD1EF57220B0401FBD58EC71D3DE1CA80A8741

Function 00007FFD3460A059 Relevance: 6.4, Strings: 5, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(~K4, xrefs: 00007FFD3460A092
HA&4, xrefs: 00007FFD3460A0A9
HA&4, xrefs: 00007FFD3460A0E2
HA&4, xrefs: 00007FFD3460A06F
(~K4, xrefs: 00007FFD3460A0CB

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: (~K4$(~K4$HA&4$HA&4$HA&4
API String ID: 0-4116923365
Opcode ID: aaa4851b497373cd1f8213d0f33c55d36abb314ad9c97cb5f587348c7d7d3cbe
Instruction ID: 7d5a0fbc52b1f7693fb5fdb8ce621a6f2db2254da528419500e9d8b4d8e42df4
Opcode Fuzzy Hash: aaa4851b497373cd1f8213d0f33c55d36abb314ad9c97cb5f587348c7d7d3cbe
Instruction Fuzzy Hash: DC312922B0CD9E0FEB929B2C58B92ED7BD1EF9A25070401F7D589D7283DE1C5C068381

Function 00007FFD346B01BA Relevance: 6.4, Strings: 5, Instructions: 132COMMON

Download Yara Rule

Strings

0'K4, xrefs: 00007FFD346B01C8
0%K4, xrefs: 00007FFD346B024B
0'K4, xrefs: 00007FFD346B021F
x6<E, xrefs: 00007FFD346B01EC
"$_L, xrefs: 00007FFD346B01D2

Memory Dump Source

Source File: 00000000.00000002.3462254996.00007FFD346B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd346b0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: "$_L$0%K4$0'K4$0'K4$x6<E
API String ID: 0-3695735371
Opcode ID: cb799001b4c3afde956e696fbbf3de8ac072da0d331b089b7fec2d509bc23257
Instruction ID: baf9143b1327090c21961767e2d501817f9035abeff05a446287529fccb83e6b
Opcode Fuzzy Hash: cb799001b4c3afde956e696fbbf3de8ac072da0d331b089b7fec2d509bc23257
Instruction Fuzzy Hash: BB31F572B1DE850FE7699B6C587A2B47BC1EB5A220B4401BED48AC3292EC5D6C468342

Function 00007FFD34613429 Relevance: 5.4, Strings: 4, Instructions: 358COMMON

Download Yara Rule

Strings

H2L4, xrefs: 00007FFD34613534
xBK4, xrefs: 00007FFD34613497
HA&4, xrefs: 00007FFD34613759
`'<E, xrefs: 00007FFD346136B6

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: H2L4$HA&4$`'<E$xBK4
API String ID: 0-2026318048
Opcode ID: 94ac2444da59a0b10287225694df229a0e0b21d072c3dd19329bf6e2bd74c98f
Instruction ID: 08927eec319c09cc904a2ca43418313ce4a55e02e1b87df894a8edd11194ee73
Opcode Fuzzy Hash: 94ac2444da59a0b10287225694df229a0e0b21d072c3dd19329bf6e2bd74c98f
Instruction Fuzzy Hash: B8B10631B1CA564FFB95EB3884A56B577E1FF8A310B5404B9D14EC72A2CE2DAC82D740

Function 00007FFD345F4788 Relevance: 5.2, Strings: 4, Instructions: 163COMMON

Download Yara Rule

Strings

H7<E, xrefs: 00007FFD345F47E5
`7<E, xrefs: 00007FFD345F4875
X7<E, xrefs: 00007FFD345F485C
P7<E, xrefs: 00007FFD345F4843

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: H7<E$P7<E$X7<E$`7<E
API String ID: 0-1984398560
Opcode ID: bcc2e216351da377681dac17db8c416ed66969fc94e52987628c756079ae9342
Instruction ID: 4853a22944f4ccd81127a291e29fd46c18549882a1fae998b5a0c8942f3e637f
Opcode Fuzzy Hash: bcc2e216351da377681dac17db8c416ed66969fc94e52987628c756079ae9342
Instruction Fuzzy Hash: 1F41D532B0CD4A9FEAA1EB6CA4A5AB577D0EF5B321B4400FAD549C7252D91AEC428341

Function 00007FFD34610C69 Relevance: 4.3, Strings: 3, Instructions: 546COMMON

Download Yara Rule

Strings

HA&4, xrefs: 00007FFD34610F3A
HA&4, xrefs: 00007FFD34610DFB
HA&4, xrefs: 00007FFD34610F18

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: HA&4$HA&4$HA&4
API String ID: 0-2690743811
Opcode ID: 251a440e9831a4b5a570ad4426be2ea8236e10f1ea83a626f460591c54cd9cb5
Instruction ID: 95d8edbf6e3ac533d80f27cd208a01eceb91248e51585e20597d960d7ea8e627
Opcode Fuzzy Hash: 251a440e9831a4b5a570ad4426be2ea8236e10f1ea83a626f460591c54cd9cb5
Instruction Fuzzy Hash: 1BF12771B0DE954FEBA5DB2884A66A87BD1EF9B310B0400FAD58DC7693DD2CAC42C741

Function 00007FFD346017E5 Relevance: 4.0, Strings: 3, Instructions: 211COMMON

Download Yara Rule

Strings

pWqE, xrefs: 00007FFD34601820
0Um4, xrefs: 00007FFD3460180C
+$_^, xrefs: 00007FFD34601901

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: +$_^$0Um4$pWqE
API String ID: 0-1121137231
Opcode ID: 22f2068e73e309a8f0d46f09a45960005ab1cda47748bcc49132d0e85bbd6b03
Instruction ID: 0041eb303a51f28f293eac54f80df09c3a03a57f148660b626215215bf941de1
Opcode Fuzzy Hash: 22f2068e73e309a8f0d46f09a45960005ab1cda47748bcc49132d0e85bbd6b03
Instruction Fuzzy Hash: 4261C517A0E2A24AD32277BCB4BA1E63FA4DF07234B0D45B7D1CC9E493DD0D258A8795

Function 00007FFD345FE3A9 Relevance: 3.9, Strings: 3, Instructions: 164COMMON

Download Yara Rule

Strings

h^I4, xrefs: 00007FFD345FE43D
X7m4, xrefs: 00007FFD345FE504
(pnE, xrefs: 00007FFD345FE4E0

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: (pnE$X7m4$h^I4
API String ID: 0-709774915
Opcode ID: fabf815ea1b3bc744f13bee813940b0b9c8fae44bee3ed49e2ce7b0ce041d430
Instruction ID: f310f6e4e39314fbf4a2cbc7093d444f19c99aa20ae4cf26f7ff4cef45564cb7
Opcode Fuzzy Hash: fabf815ea1b3bc744f13bee813940b0b9c8fae44bee3ed49e2ce7b0ce041d430
Instruction Fuzzy Hash: DD412762B1EACB4FDB95EB7484A91E97BE0EF1A31470441BBE44AC7187DD2DE8038341

Function 00007FFD346B5160 Relevance: 3.9, Strings: 3, Instructions: 105COMMON

Download Yara Rule

Strings

`9N4, xrefs: 00007FFD346B51B2
`9N4, xrefs: 00007FFD346B51ED
`9N4, xrefs: 00007FFD346B5167

Memory Dump Source

Source File: 00000000.00000002.3462254996.00007FFD346B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd346b0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: `9N4$`9N4$`9N4
API String ID: 0-4235221624
Opcode ID: 62767f050258986b46708cbd6ae9e70fab8fea40f85ec6ca358c247e3cef02ce
Instruction ID: 35e641d91c60ecb7c6b517148eb02197cbdd474158cdfbd282c7867da7781338
Opcode Fuzzy Hash: 62767f050258986b46708cbd6ae9e70fab8fea40f85ec6ca358c247e3cef02ce
Instruction Fuzzy Hash: 69210512B0EE4B0BFBE6A62D04F42B556C2DFDA25875801BAD24DD7396ED6CEC025340

Function 00007FFD345FCA76 Relevance: 3.9, Strings: 3, Instructions: 104COMMON

Download Yara Rule

Strings

Y$_H, xrefs: 00007FFD345FCB6E
hrnE, xrefs: 00007FFD345FCB51
prnE, xrefs: 00007FFD345FCB80

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: Y$_H$hrnE$prnE
API String ID: 0-937594210
Opcode ID: 0cc715af5c132c97cf519c6609f983e72b249ef17150edae4e13b16fd1d9b032
Instruction ID: 8615637d917d40841e3cb045033f26b26916bb59ec0252e44c23feffe4b858d4
Opcode Fuzzy Hash: 0cc715af5c132c97cf519c6609f983e72b249ef17150edae4e13b16fd1d9b032
Instruction Fuzzy Hash: AE315B72F19A8E8FE796EB7444AA1F977E1FF99300B4444BAD45DC3192DE2C6802C302

Function 00007FFD345FE521 Relevance: 3.8, Strings: 3, Instructions: 69COMMON

Download Yara Rule

Strings

X#K4, xrefs: 00007FFD345FE551
HonE, xrefs: 00007FFD345FE5B4
PonE, xrefs: 00007FFD345FE56D

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: HonE$PonE$X#K4
API String ID: 0-1734171959
Opcode ID: 88b8dc363ea098a54f8e02314aa8f9c20eb9842d31b763392da4468ebfd527ba
Instruction ID: a1e19965fa9fcf844361a54dc98853551d16068420d8f7e044124dc0e7189586
Opcode Fuzzy Hash: 88b8dc363ea098a54f8e02314aa8f9c20eb9842d31b763392da4468ebfd527ba
Instruction Fuzzy Hash: 8721F37190D7C98FD7469F3898652AABFF0FF4A300F0445AFE089C7293DA685845C702

Function 00007FFD343736A9 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 137fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32 ref: 00007FFD34373787

Strings

H%74, xrefs: 00007FFD343736DA

Memory Dump Source

Source File: 00000000.00000002.3458183389.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_kqeGVKtpy2.jbxd

Similarity

API ID: DeleteFile
String ID: H%74
API String ID: 4033686569-4040261444
Opcode ID: 5f4d41b3320c861883d0e63d93fee3839a8c1662c6a2ffd36d473a053e015f11
Instruction ID: 5151e77c1aead27c4d5fdf1a984ddf6efd68681fcdf714d7cb644c4946d7f225
Opcode Fuzzy Hash: 5f4d41b3320c861883d0e63d93fee3839a8c1662c6a2ffd36d473a053e015f11
Instruction Fuzzy Hash: 0A414A7190DA4C8FDB55DF6888996E97FF0EF16320F04816FC049D7692CB38A806CB81

Function 00007FFD346137A1 Relevance: 2.9, Strings: 2, Instructions: 412COMMON

Download Yara Rule

Strings

$<E, xrefs: 00007FFD346137F8
HA&4, xrefs: 00007FFD3461385C

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: $<E$HA&4
API String ID: 0-3493971752
Opcode ID: 62142a66638a525ac5393acc89b7ec0e28ec853ddffb49ed565b8c815d08adcc
Instruction ID: a9c831b23a24d0ddfaf490258258356391a2b9152cfa2f7d777d461e10fc32dd
Opcode Fuzzy Hash: 62142a66638a525ac5393acc89b7ec0e28ec853ddffb49ed565b8c815d08adcc
Instruction Fuzzy Hash: 8BC1A831B1CA594FEB94EF2C84A56B877E1FF9A300B0401BAD14EC7696DE28AC41D781

Function 00007FFD345FA659 Relevance: 2.9, Strings: 2, Instructions: 397COMMON

Download Yara Rule

Strings

HA&4, xrefs: 00007FFD345FA98E
HA&4, xrefs: 00007FFD345FA69A

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: HA&4$HA&4
API String ID: 0-2887866287
Opcode ID: 1beb2e7bafd15097ad51fce5dcc6fcfc30bf2845960fc8e30138a299cfea8586
Instruction ID: dc88ce0270d15e00cfbece35b1a62b953b4141ae914180b63e59ceb6d8a0feef
Opcode Fuzzy Hash: 1beb2e7bafd15097ad51fce5dcc6fcfc30bf2845960fc8e30138a299cfea8586
Instruction Fuzzy Hash: 40D1B431F08A098FDBA5EB68C4A57B977E1FF99700F144179D44ED3692DE38AC428B42

Function 00007FFD345FC425 Relevance: 2.9, Strings: 2, Instructions: 372COMMON

Download Yara Rule

Strings

`$_H, xrefs: 00007FFD345FC46D
X!m4, xrefs: 00007FFD345FC71B

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: X!m4$`$_H
API String ID: 0-450028884
Opcode ID: 8becc3df8b35097ad525c63f09b6ad8c342f3e413e589c4ec40de6dce9aee796
Instruction ID: 68d7f96a1b41fdfc9b1a1c6489f46b312a88f8af4bc18e1b3336998cea70b59d
Opcode Fuzzy Hash: 8becc3df8b35097ad525c63f09b6ad8c342f3e413e589c4ec40de6dce9aee796
Instruction Fuzzy Hash: 9FB1D572F09E494FEBD6EA3C40A46B573D2FF9A254B1005BFD48EC3696DD28E8428741

Function 00007FFD3460DDED Relevance: 2.8, Strings: 2, Instructions: 342COMMON

Download Yara Rule

Strings

(!<E, xrefs: 00007FFD3460E0DB
0'<E, xrefs: 00007FFD3460E09D

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: (!<E$0'<E
API String ID: 0-1451749316
Opcode ID: 8f4f62b13a9319251b9a6d63023cbc8567e2a8e2606578e42eaaa9c7f897a311
Instruction ID: ac82b1a4ba3c27cfd07ce75a749ecb234d3b40be668f57ae64021c93692b6df3
Opcode Fuzzy Hash: 8f4f62b13a9319251b9a6d63023cbc8567e2a8e2606578e42eaaa9c7f897a311
Instruction Fuzzy Hash: A1B1F771A0D7A64FE366DB24C8A65E83BE0EF57320B0501FEC58DCB5A3EA1C5C0A9751

Function 00007FFD34607CF6 Relevance: 2.8, Strings: 2, Instructions: 330COMMON

Download Yara Rule

Strings

f, xrefs: 00007FFD34608011
f, xrefs: 00007FFD34607D6D

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: f$f
API String ID: 0-3861007179
Opcode ID: 5949520d8b8965feca298cc965ddd3e542e7e4de43a8e620b4c95f94c2fd628c
Instruction ID: c43c2a1012b6a4cb3a4bc803fb88b8e352e6825a3418486085ba42846bc7ba09
Opcode Fuzzy Hash: 5949520d8b8965feca298cc965ddd3e542e7e4de43a8e620b4c95f94c2fd628c
Instruction Fuzzy Hash: A3B1C73060CA8D4FEB68DF28D8557E93BD1FF56311F14426EE84DC7292DA78A845CB82

Function 00007FFD345F3FA6 Relevance: 2.8, Strings: 2, Instructions: 284COMMON

Download Yara Rule

Strings

@, xrefs: 00007FFD345F44B7
(7<E, xrefs: 00007FFD345F459B

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: (7<E$@
API String ID: 0-44362346
Opcode ID: dda4713fd5b5a126d464f0b889293bdf661753ebf412a372229c9badf40f1984
Instruction ID: 0b83ed1a4903445ff6de8c1ff84a9596258ff3923bf27e9e44d2980bce7da898
Opcode Fuzzy Hash: dda4713fd5b5a126d464f0b889293bdf661753ebf412a372229c9badf40f1984
Instruction Fuzzy Hash: 1781E932F0D60A8BE795DA1894A537977C1EF57315F14027ED98EC76C2DE2CA8429383

Function 00007FFD346120A8 Relevance: 2.7, Strings: 2, Instructions: 234COMMON

Download Yara Rule

Strings

@lL4, xrefs: 00007FFD34612337
@lL4, xrefs: 00007FFD34612310

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: @lL4$@lL4
API String ID: 0-813690858
Opcode ID: 13107e98efc678ac15414b2f1ce8f2cc4abb78a19a60611609befcde4d3748f4
Instruction ID: 831d3abe8e430b5abe6f24fd2bac6973e413ef3200b597f9e9ec436fc3070f47
Opcode Fuzzy Hash: 13107e98efc678ac15414b2f1ce8f2cc4abb78a19a60611609befcde4d3748f4
Instruction Fuzzy Hash: 08718431B0D9294FDB94EF2888A1BE877A1EF5A310F4441F9D14DE3292CE38AD85DB41

Function 00007FFD345FCDE9 Relevance: 2.7, Strings: 2, Instructions: 152COMMON

Download Yara Rule

Strings

CN4, xrefs: 00007FFD345FCEBC
CN4, xrefs: 00007FFD345FCEF7

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: CN4$CN4
API String ID: 0-3932141731
Opcode ID: 016e2ebc269ad59a73549e4ab2abbb197750fce84401494203322dd7b854a46f
Instruction ID: aa61af8728f01d0e403bc5a9c386545e1a424fe3a5ed9f0582e7b0247aa90245
Opcode Fuzzy Hash: 016e2ebc269ad59a73549e4ab2abbb197750fce84401494203322dd7b854a46f
Instruction Fuzzy Hash: 3641F573E0DA854FD7A7CB2894A51A57BE0FF96210B0441BFD189C7593DE1CA849C782

Function 00007FFD34609FCF Relevance: 2.6, Strings: 2, Instructions: 124COMMON

Download Yara Rule

Strings

HA&4, xrefs: 00007FFD3460A0E2
(~K4, xrefs: 00007FFD3460A0CB

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: (~K4$HA&4
API String ID: 0-1187953407
Opcode ID: 37dd0fd4c42f30d73acd0935bc18615444e1d202c92a0eedb4ce3555d6cbde94
Instruction ID: 649c376c5fa48d5037aceb0f7369186df78fcea6ecb144260b5d94a968d24419
Opcode Fuzzy Hash: 37dd0fd4c42f30d73acd0935bc18615444e1d202c92a0eedb4ce3555d6cbde94
Instruction Fuzzy Hash: 79313D22B0DA5E0FE7929B6C6CA51F97BD1EF9B22070401F7D549C7292DD2C9C468381

Function 00007FFD345FD9F4 Relevance: 2.6, Strings: 2, Instructions: 108COMMON

Download Yara Rule

Strings

PTN4, xrefs: 00007FFD345FDA4B
PTN4, xrefs: 00007FFD345FDA1A

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: PTN4$PTN4
API String ID: 0-358577487
Opcode ID: e2cc35219832bc7e6d723a117dd8599431c15a87f11c23ba15cdee4d5b49f66f
Instruction ID: fe3853d121e18bb3937e12f7f71bda013dbdd1e4ea81d7410e2592285089b5e9
Opcode Fuzzy Hash: e2cc35219832bc7e6d723a117dd8599431c15a87f11c23ba15cdee4d5b49f66f
Instruction Fuzzy Hash: 71212772B0DB480BE7599A2C546A1B5BBC2EFDA325715427FD48EC7293DC2DAC438381

Function 00007FFD346B5566 Relevance: 2.6, Strings: 2, Instructions: 95COMMON

Download Yara Rule

Strings

AN4, xrefs: 00007FFD346B55DF
AN4, xrefs: 00007FFD346B55A4

Memory Dump Source

Source File: 00000000.00000002.3462254996.00007FFD346B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd346b0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: AN4$AN4
API String ID: 0-3979263216
Opcode ID: 09a0f51a955cab02fdbed63a47525e956933d1fade90f446b3ff45a98c9baf8b
Instruction ID: c3d88b6f593fe68bcfc0b5bff23842cea68c3b0c329417ce1b734b72b03e376a
Opcode Fuzzy Hash: 09a0f51a955cab02fdbed63a47525e956933d1fade90f446b3ff45a98c9baf8b
Instruction Fuzzy Hash: AA210412B19E5A0FEBE5A62D18B82B956C2DFDE215B5841BAD10ED3396EC6DEC025300

Function 00007FFD346B48CD Relevance: 2.6, Strings: 2, Instructions: 92COMMON

Download Yara Rule

Strings

-N4, xrefs: 00007FFD346B4904
-N4, xrefs: 00007FFD346B493F

Memory Dump Source

Source File: 00000000.00000002.3462254996.00007FFD346B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd346b0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: -N4$-N4
API String ID: 0-1731750474
Opcode ID: 3a7f6db5283a41925180788ea0970acea7cda11c1b0d86dd2c7582a056417526
Instruction ID: cb4a739d83c9423061457ee16845b76f1dc59a886885ea3b1c81b4f4cdbd01ec
Opcode Fuzzy Hash: 3a7f6db5283a41925180788ea0970acea7cda11c1b0d86dd2c7582a056417526
Instruction Fuzzy Hash: 28210412B19E5A0BEBE5E62D08B42B566C2EF8A21076800BAD24DD32D7EC6DEC425340

Function 00007FFD3460D381 Relevance: 2.0, Strings: 1, Instructions: 783COMMON

Download Yara Rule

Strings

H2L4, xrefs: 00007FFD3460D98D

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: H2L4
API String ID: 0-628320908
Opcode ID: f92b9b93698504716dc4cf95dc17cb58adf38721ea1c929a59ec015eadb1478a
Instruction ID: 41f0fec7f19164eb3db4d47eda9cc8f14decb54c4e54994676a5589d73ee71d0
Opcode Fuzzy Hash: f92b9b93698504716dc4cf95dc17cb58adf38721ea1c929a59ec015eadb1478a
Instruction Fuzzy Hash: AA425230A1C9598FDB94EF18C8A5AE977E1FF5A304F1401B9E54DC7296DA39EC42CB80

Function 00007FFD34612356 Relevance: 1.9, Strings: 1, Instructions: 669COMMON

Download Yara Rule

Strings

HA&4, xrefs: 00007FFD34612960

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: HA&4
API String ID: 0-3973463976
Opcode ID: 7e5aa8c52ea7b3f5f6aa223bacf349aff585a7b98f4b2216cf304232f04b882e
Instruction ID: b575d1ebcf526b47f33a88bf09fbfb9758ae83590e1700e025f2016edddcbcbf
Opcode Fuzzy Hash: 7e5aa8c52ea7b3f5f6aa223bacf349aff585a7b98f4b2216cf304232f04b882e
Instruction Fuzzy Hash: F9228670B1CA594FDB98EF2888A56A977E1FF5A300F1441BED14ED3296DE38AC41CB41

Function 00007FFD345F2440 Relevance: 1.8, Strings: 1, Instructions: 527COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD3460AC99

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: ab5865694460797d71b8e1c4bab4ae713b6de5977cc2e5b4dd6afd1c941c8dee
Instruction ID: 18f6b3f5f4296c5b6d82eb1140f635e8028df59205453183d2203fe1e83fb6cc
Opcode Fuzzy Hash: ab5865694460797d71b8e1c4bab4ae713b6de5977cc2e5b4dd6afd1c941c8dee
Instruction Fuzzy Hash: 33F1EF30B1CA0A8FD758DF1888A55B573E1FFAA340B2445BED54AC7296DE39EC42C781

Function 00007FFD345F8C79 Relevance: 1.8, Strings: 1, Instructions: 503COMMON

Download Yara Rule

Strings

^L4, xrefs: 00007FFD345F909A

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: ^L4
API String ID: 0-2586609444
Opcode ID: 7422fb3cd8dce5829adb6fbede0b7d044f4974a105b021712f519c3961957fc3
Instruction ID: 6a5156af547a4b2974f897134b7b058d7b73dcd5f309db9208d9df987bb3b800
Opcode Fuzzy Hash: 7422fb3cd8dce5829adb6fbede0b7d044f4974a105b021712f519c3961957fc3
Instruction Fuzzy Hash: 6CF1F631B08A498FEB59EA2884957B977E1FF5A310F1441BDD58EC36D2CF38AC429B41

Function 00007FFD343736ED Relevance: 1.6, APIs: 1, Instructions: 109fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32 ref: 00007FFD34373787

Memory Dump Source

Source File: 00000000.00000002.3458183389.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_kqeGVKtpy2.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 9337eb0350f3ffaa23f0e66f71e141fa0a296de81051cc83e0fd05b01c870c86
Instruction ID: 0c058e539dd58626242de3708fdbe127332ca56e0a4e92895e29bb7d72294e89
Opcode Fuzzy Hash: 9337eb0350f3ffaa23f0e66f71e141fa0a296de81051cc83e0fd05b01c870c86
Instruction Fuzzy Hash: 4731E47190CA5C8FDB59DB5888996E9BBE0FF66320F04822FD049D3652DB74A805CB81

Function 00007FFD3460A9C1 Relevance: 1.6, Strings: 1, Instructions: 322COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD3460AC99

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 16d470f2541c21a8edabc7abaa9f1b63bcc20c87260a5f4e5d06a12af4b9f962
Instruction ID: 8e368480de93e4e70089cd8b76ab437a03e14361d28c51b98cbf0b0089ec79e6
Opcode Fuzzy Hash: 16d470f2541c21a8edabc7abaa9f1b63bcc20c87260a5f4e5d06a12af4b9f962
Instruction Fuzzy Hash: 05A1BF30A1CA098FD758DF08C8955B573E1FBAA344B2445BED94AC7286DA39E843CB81

Function 00007FFD34614771 Relevance: 1.6, Strings: 1, Instructions: 305COMMON

Download Yara Rule

Strings

pnE?, xrefs: 00007FFD34614792

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: pnE?
API String ID: 0-861540311
Opcode ID: d514cd3d4e893f616ce57858e163e9b2cb4f8e02d6b35bf4808d4f6e27e02698
Instruction ID: 22c49779b7088266737f2ffe46a52670d833ff12566bc783a928f5e446c92740
Opcode Fuzzy Hash: d514cd3d4e893f616ce57858e163e9b2cb4f8e02d6b35bf4808d4f6e27e02698
Instruction Fuzzy Hash: 9691D261B0DA954FE79ADB3858B96A43BE0EF57310B0900FEE189CB1E3D91DAC42C341

Function 00007FFD345F9000 Relevance: 1.5, Strings: 1, Instructions: 293COMMON

Download Yara Rule

Strings

^L4, xrefs: 00007FFD345F909A

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: ^L4
API String ID: 0-2586609444
Opcode ID: 73a134e2a1e12bf7569868a82200606ec17501fdde256cb6113c0c276b7bb658
Instruction ID: 75d09b4e2a973d3887b90cabc4cf667707a20131d51a2edef6cf98bf874a262d
Opcode Fuzzy Hash: 73a134e2a1e12bf7569868a82200606ec17501fdde256cb6113c0c276b7bb658
Instruction Fuzzy Hash: E2A1D430B08A498FEB55EA2C84957A977E1FF59300F1441BDD58EC76D2CE3CAC859B42

Function 00007FFD3460D8DF Relevance: 1.5, Strings: 1, Instructions: 280COMMON

Download Yara Rule

Strings

H2L4, xrefs: 00007FFD3460D98D

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: H2L4
API String ID: 0-628320908
Opcode ID: 099b8aedf3687c023d7ef04ce824614af8595964faa08d35a4ec087a3e6c377d
Instruction ID: d46b5c8286c10de83091c8918583f526bf2e5d3354b566d507bea8ae8ce90931
Opcode Fuzzy Hash: 099b8aedf3687c023d7ef04ce824614af8595964faa08d35a4ec087a3e6c377d
Instruction Fuzzy Hash: 9F91643170C9498FDB95EF2CC8A5AA977E1FF9A304B1541A9E14DC7296CE39EC42CB40

Function 00007FFD3460CD7E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

x8<E, xrefs: 00007FFD3460CF08

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: x8<E
API String ID: 0-3505532839
Opcode ID: 035ebaa69970ee020054ba930063dd0a541026464cbaa8d5de8370bb343d9866
Instruction ID: 9c35b9b1b64c31926bab6cea502a7d3140f9b2a5d0359d9d7a2bc393a08e4bcf
Opcode Fuzzy Hash: 035ebaa69970ee020054ba930063dd0a541026464cbaa8d5de8370bb343d9866
Instruction Fuzzy Hash: 0061C331B1CE5C4FDB54EB5C98A56A9BBE1FF9A310B0401AAE14DD7292CE28AC018781

Function 00007FFD3460FF7B Relevance: 1.5, Strings: 1, Instructions: 246COMMON

Download Yara Rule

Strings

`"<E, xrefs: 00007FFD3461004E

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: `"<E
API String ID: 0-1424914033
Opcode ID: bd308f84590fe7cc6c7f25783d07b575cdfd2949380d68b72af54e9756b0a244
Instruction ID: 9df7c817b90f5bff3e467fe4ca9e7f0e5a2f28b12c2b79f9a905a068b29903b1
Opcode Fuzzy Hash: bd308f84590fe7cc6c7f25783d07b575cdfd2949380d68b72af54e9756b0a244
Instruction Fuzzy Hash: E4712971A0DF854FDB69EF2884665E57BE0FF57301B0405BEC18DC7562DA2CA80AD741

Function 00007FFD34602139 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

"$_^, xrefs: 00007FFD34602201

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: "$_^
API String ID: 0-2781572093
Opcode ID: 33bce5c3f45b64e56f0acc0e3950e7d740e108176cf02617e33e9823663b9ae2
Instruction ID: d8e634971b7d7faf5f822f33afaca745bd76bd2714bd25dc6b160ed9beda13a8
Opcode Fuzzy Hash: 33bce5c3f45b64e56f0acc0e3950e7d740e108176cf02617e33e9823663b9ae2
Instruction Fuzzy Hash: D761F472A0D7694FD711FF68F8E61E677A0EF0A324B0545B6D18CCF0A3CA29A841C781

Function 00007FFD34602150 Relevance: 1.5, Strings: 1, Instructions: 203COMMON

Download Yara Rule

Strings

"$_^, xrefs: 00007FFD34602201

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: "$_^
API String ID: 0-2781572093
Opcode ID: a687e03d0634c06547897c9dfd1ca8887da5d9c589f6c26c93dad2173719bee3
Instruction ID: 1f3cbbf3a51c40288700f57f9cf71ca123888d69f431a99805a5d74b1c83188a
Opcode Fuzzy Hash: a687e03d0634c06547897c9dfd1ca8887da5d9c589f6c26c93dad2173719bee3
Instruction Fuzzy Hash: C951F572A1966A4FD711FFACF8E61E673A0EF0A324B054576D14CCF4A3CE29A8418781

Function 00007FFD34608C5D Relevance: 1.4, Strings: 1, Instructions: 187COMMON

Download Yara Rule

Strings

x6<E, xrefs: 00007FFD34608C8C

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: x6<E
API String ID: 0-3664511661
Opcode ID: e1489c4ccea10a805bffe5cba79494cfdf0c458cbe039e77c66004ff43c0c7ad
Instruction ID: f5deae4b8d23641e523074fec8684b1daea90b32a9a71d24b2fb322e9acc9702
Opcode Fuzzy Hash: e1489c4ccea10a805bffe5cba79494cfdf0c458cbe039e77c66004ff43c0c7ad
Instruction Fuzzy Hash: E651EB70A0DA5A9FE791EB7888A96ED7BE0EF17311B4401BAD14DDB2E2DE2C5C41C700

Function 00007FFD345F76BA Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

HA&4, xrefs: 00007FFD345F76F0

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: HA&4
API String ID: 0-3973463976
Opcode ID: 4ef54ed966bc0739ae6c546fde4d355e9943ec982699dc9cf3c473f77b8e49d7
Instruction ID: e9e51d2b2d354867e31f22490b7aacc102440752e9a23f15b417c2d4df36baea
Opcode Fuzzy Hash: 4ef54ed966bc0739ae6c546fde4d355e9943ec982699dc9cf3c473f77b8e49d7
Instruction Fuzzy Hash: 66416723F1EE4A4FE795A66C98A96B537C1EF8A26071401BAD54DC3283EC18AC038341

Function 00007FFD346089BD Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

x6<E, xrefs: 00007FFD346089EA

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: x6<E
API String ID: 0-3664511661
Opcode ID: a00dc9ba61eb38166498589cf4d3cfeb8247ec0241746c25ae955df29a78763a
Instruction ID: bff50a3427ccbc1c7a87562ba777d14b8fbf4a0d0da61eaf8c0f34ed9e216be8
Opcode Fuzzy Hash: a00dc9ba61eb38166498589cf4d3cfeb8247ec0241746c25ae955df29a78763a
Instruction Fuzzy Hash: 0C519270A0DA5A8FDB95EB78886A2E9B7E0FF06301B4444BAD10DD72A2DE3D9C41C701

Function 00007FFD346010F2 Relevance: 1.4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

Strings

K3, xrefs: 00007FFD3460116E

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: K3
API String ID: 0-411264050
Opcode ID: 5170184890bc610ab1b41d716a0cf1bd365a83f86aaaeeea4a83ae60d3a31a05
Instruction ID: 5fb21f9b3a1f47af6aabafd45c35e271579d82df15d42568ad614aea427b9287
Opcode Fuzzy Hash: 5170184890bc610ab1b41d716a0cf1bd365a83f86aaaeeea4a83ae60d3a31a05
Instruction Fuzzy Hash: F7412C23A0D6A90FD711BBA8B8A51E63B60EF0A330B0515B7D48CDF153CD687855C3C1

Function 00007FFD346B0718 Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

x6<E, xrefs: 00007FFD346B074D

Memory Dump Source

Source File: 00000000.00000002.3462254996.00007FFD346B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd346b0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: x6<E
API String ID: 0-3664511661
Opcode ID: b7c5d8ce8cfa5c9bdade8a8e3511a182e17614f7588b5d7b86ee10fa639790da
Instruction ID: 861f25f0ef5ad67e05a3a20176dc59802e44591d2aee4c1b583e2b3cf4dc6e39
Opcode Fuzzy Hash: b7c5d8ce8cfa5c9bdade8a8e3511a182e17614f7588b5d7b86ee10fa639790da
Instruction Fuzzy Hash: 38312A62B1DE450FE7689E6C586A2F4BBC1EB16320F5402BED48AC3193DD5D6C028782

Function 00007FFD3425EA00 Relevance: 1.4, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

f, xrefs: 00007FFD3425EA9B

Memory Dump Source

Source File: 00000000.00000002.3457802703.00007FFD3425D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3425D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd3425d000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: f
API String ID: 0-1993550816
Opcode ID: 595c0a524929ae0fb1b23a874b56089c33912c5e287e9bdda063e41b118930ef
Instruction ID: 0a661b9f6adbc6dc8f27d62e6935783fc5de0cbd4e792f1537dfff95ceb43e99
Opcode Fuzzy Hash: 595c0a524929ae0fb1b23a874b56089c33912c5e287e9bdda063e41b118930ef
Instruction Fuzzy Hash: B741F27190DBC44FD756CB3898959523FF0EF57324B1906DFD088CB1A3D629A84ACBA2

Function 00007FFD34608F1D Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

x6<E, xrefs: 00007FFD34608F4A

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: x6<E
API String ID: 0-3664511661
Opcode ID: 831dcefb59e39db7fbea50723bf741050bc19e2f82dc7283e983fd2352b19719
Instruction ID: 6bd93bbd6a5d4841aa695610ed704ade6d35db22f227b8d4bca22affdb2a41b5
Opcode Fuzzy Hash: 831dcefb59e39db7fbea50723bf741050bc19e2f82dc7283e983fd2352b19719
Instruction Fuzzy Hash: E1418370A1DA5A8FDB91EF7884A92E977E1FF1A301F4404BAD10AD72A2DB3D9C45C740

Function 00007FFD34601148 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

K3, xrefs: 00007FFD3460116E

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: K3
API String ID: 0-411264050
Opcode ID: e7e6adce224ba371d73cc8df52d13cca7a178662c99edc402f50be8891bb0c68
Instruction ID: a2708b8a25309fd6fca167b40b7d5c2e998bc47a15ba3663da90fd1602b11468
Opcode Fuzzy Hash: e7e6adce224ba371d73cc8df52d13cca7a178662c99edc402f50be8891bb0c68
Instruction Fuzzy Hash: D0313733A0DAA94FCB15AF58B8A51DA37A0FF4A330B0515B3D54CCF153CA68685687C1

Function 00007FFD345FD470 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

0nE4, xrefs: 00007FFD345FD4D3

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: 0nE4
API String ID: 0-1067224674
Opcode ID: 753cfa303c4c6ae485dc1176e193f2126308b44997bb871137691ddf3d760776
Instruction ID: d58d96fdd7161b21a644ccba0b54b98ee70b1a8f6b7d59b8f3c0464769f4d3e4
Opcode Fuzzy Hash: 753cfa303c4c6ae485dc1176e193f2126308b44997bb871137691ddf3d760776
Instruction Fuzzy Hash: 90312F22E0C9478AFB6A822894B9274B7C0EF87360F140179C54FC6992DD5CFC859253

Function 00007FFD345FC776 Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

`"m4, xrefs: 00007FFD345FC79E

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: `"m4
API String ID: 0-3494665166
Opcode ID: 42afb464c10e3fba58e224a3d5405a2bf8d87a346c3eeba08cea2fe13133dbde
Instruction ID: 70a7e9ea43520cd77d8f314e07f954c0c9d0f9965e5d0e6d5ffd8f5def7b75e4
Opcode Fuzzy Hash: 42afb464c10e3fba58e224a3d5405a2bf8d87a346c3eeba08cea2fe13133dbde
Instruction Fuzzy Hash: 0C210353B2EE890BE79AE73844A92B667C1FF9A210B4440BFD14EC7993DC1CB8068341

Function 00007FFD345F2952 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

hqnE, xrefs: 00007FFD345F297D

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: hqnE
API String ID: 0-1999499681
Opcode ID: 38bf27d91ada62bd37c7f3001e5d6764bac0fdf39b0d1f11ef4318b2bf7c4298
Instruction ID: 09410a923a3e85cf4876887c3d1c6873b436e87f1b93b80868f9bc018a75eaec
Opcode Fuzzy Hash: 38bf27d91ada62bd37c7f3001e5d6764bac0fdf39b0d1f11ef4318b2bf7c4298
Instruction Fuzzy Hash: 80212951B29A8A4FE799B76844B52FA7BD1EF5A300F44C477D18EC7AC3CC6CA8068341

Function 00007FFD345F223A Relevance: 1.3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

Strings

`9L4, xrefs: 00007FFD345F2271

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: `9L4
API String ID: 0-1285554876
Opcode ID: 45235cb5a384fa445acf4c4dd62d9c2dcc7e59097b63966909c2dac6b6f68120
Instruction ID: 7c3d7fd6a39d9f85f75c6aa5e06de524b7debf4e4f3f4668450804b29c5b0b92
Opcode Fuzzy Hash: 45235cb5a384fa445acf4c4dd62d9c2dcc7e59097b63966909c2dac6b6f68120
Instruction Fuzzy Hash: 6CF04C6190DBCA6FD753977458695E67FF0EF57200F4944EBE458CB093D81D5504D302

Function 00007FFD345F22AD Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

hqnE, xrefs: 00007FFD345F22F2

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: hqnE
API String ID: 0-1999499681
Opcode ID: 9f50daa356b5fcca59578ce17923eb3c66fcdf2052b70a776817dbe6e06a3541
Instruction ID: 0cc4f723a20fd652a545ccde1ac88d84f3ced5b8ec6858972e8935f1bc46f1a5
Opcode Fuzzy Hash: 9f50daa356b5fcca59578ce17923eb3c66fcdf2052b70a776817dbe6e06a3541
Instruction Fuzzy Hash: 0AF04671D5A6C95FE716DBB4086A0EA3FF0EF46210F4A45EAE559C7043ED6D54058301

Function 00007FFD34608912 Relevance: 1.3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

Strings

honE, xrefs: 00007FFD34608947

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: honE
API String ID: 0-1637187547
Opcode ID: 5b1f070802448d59a46a719efa47ea1d24da034c74aacf5a1f82869bbb6971ad
Instruction ID: b504b78eb3c419f9f1a96de8339d7e1481736e3e2a815dd8509f6b98fd578d39
Opcode Fuzzy Hash: 5b1f070802448d59a46a719efa47ea1d24da034c74aacf5a1f82869bbb6971ad
Instruction Fuzzy Hash: 5CF0EC10B5DA1B0FD6E5B3BC586A1AC79D1DF4A170B4445F6E58EC31E7DD2C8C419381

Function 00007FFD34612399 Relevance: .4, Instructions: 387COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7690f43847289dd532440b5c6489a269750c2d5a2f17884938e5f10d3b0f42f8
Instruction ID: 9290aff543f98857373743d46d965a0dfa2739bd543248cd4461593a62196e46
Opcode Fuzzy Hash: 7690f43847289dd532440b5c6489a269750c2d5a2f17884938e5f10d3b0f42f8
Instruction Fuzzy Hash: 8CC18630B1CA594FDB98EF28C8A57A977E1FF5A300F0441AAD54DD7296DE38AC41CB81

Function 00007FFD345F2D79 Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b01e7d0069fb5e10253ae9a37d125c255a0c3835cbaad98360644ece9a6ca8de
Instruction ID: c528d7a6742c79cb4856be55177f8e9eb44cd1254b0f083d5977826e26b8eb22
Opcode Fuzzy Hash: b01e7d0069fb5e10253ae9a37d125c255a0c3835cbaad98360644ece9a6ca8de
Instruction Fuzzy Hash: 34B16CB2F0DA8A8FE756EB2884A51B57BE0EF56310B0441FAE58DCB593DD2D9C06C701

Function 00007FFD345F8DFC Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94fd23baeba2cd182b4ccb877172f7bae340852a2cb6d48e0c8b4b194a9d878d
Instruction ID: cff203ed90d7c398696affa068f73b998f792ffb1ff2bb296df9d9f55073271d
Opcode Fuzzy Hash: 94fd23baeba2cd182b4ccb877172f7bae340852a2cb6d48e0c8b4b194a9d878d
Instruction Fuzzy Hash: 9DB1E621F08A4A8FF796AB2884A57A877D1EF5A310F1441BDC68EC75D3DE3CA8469701

Function 00007FFD345F3180 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eb4f35af977bf9b769394f2bce94171bdd7041b51b9710ef99a7df08f991a49
Instruction ID: b357919fd81867693fe0f2eef66a0fd016592ac3f404925fdca8548fb337a15f
Opcode Fuzzy Hash: 9eb4f35af977bf9b769394f2bce94171bdd7041b51b9710ef99a7df08f991a49
Instruction Fuzzy Hash: 21A1A231F0CA498FEB99EB6894A52FD77E1EF9A311F044179D54ED3282DE38A8029741

Function 00007FFD345F34A1 Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ff81ebaf3b36beec92f5967ed77dd67b9e9f4c7d7ba8146334cebad083507f6
Instruction ID: 109a7fd4ea62777d10da6cacb99423808c4b5789141551a5a7f448b8f15e124a
Opcode Fuzzy Hash: 9ff81ebaf3b36beec92f5967ed77dd67b9e9f4c7d7ba8146334cebad083507f6
Instruction Fuzzy Hash: 58912732F0DB498FE7A6EB6884A55B57BE0EF66310B0441BAC14EC7693DE2DA845C341

Function 00007FFD34612FAC Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de89cf5326a1caa1822571ca6eb1532fd02b6f331f4a5d5a2de6c7c4908cdfdc
Instruction ID: a4319d612bacbacf825c3c6eab561dd195b3e6e63445c14c3adcf1135c4b6122
Opcode Fuzzy Hash: de89cf5326a1caa1822571ca6eb1532fd02b6f331f4a5d5a2de6c7c4908cdfdc
Instruction Fuzzy Hash: 10A1FD31B1891D8FDF84EF58C8A1EE977A1FFAA344B540165E50DD7296CE38E881DB80

Function 00007FFD345F8E4D Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc4c0ce68d03a14f3582fda61163b8054e02bd1d6a72d09c999fbf2cd9211d26
Instruction ID: 3afc8100176a4ac60f78994af06577db1bda3665b6456321f18c8ef483be3224
Opcode Fuzzy Hash: dc4c0ce68d03a14f3582fda61163b8054e02bd1d6a72d09c999fbf2cd9211d26
Instruction Fuzzy Hash: 42910421B08A4A8FF795EA2C84A57A977D1EF5A310F1441BCD68EC75D3CE3CAC469701

Function 00007FFD346138B4 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e87d072f8472a92c0a3df321650738d0d71026b3e64d9d192c205393ebd0826
Instruction ID: 14e8caf70796f3eb498764533bb12194f08c73489696f8ebaa85cedab158107d
Opcode Fuzzy Hash: 7e87d072f8472a92c0a3df321650738d0d71026b3e64d9d192c205393ebd0826
Instruction Fuzzy Hash: DF71543071CA194FEB98EF5C94A5AB977E1FF9A300B04017AD14ED7696CE28AC41D781

Function 00007FFD346B2172 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3462254996.00007FFD346B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd346b0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f67c95f05dfa90c293cd4a0b09d5b24d6a477fc3cc957719fcac644bbf4fe8e5
Instruction ID: 55d48fef6a532c26d8069c5440b3d7b50d92e17f275583db89a920bb33807542
Opcode Fuzzy Hash: f67c95f05dfa90c293cd4a0b09d5b24d6a477fc3cc957719fcac644bbf4fe8e5
Instruction Fuzzy Hash: 9D719311B28E660BE685AB5D88F67B966D2FF9A300F444079D30EC36D7DD6CEC019392

Function 00007FFD345F8F42 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 849985727afccc75c9de53ddb762e7338cd974650dfd6f8b25f170a70a48328f
Instruction ID: a37761bccfa8c4a086111479567bebabee58ffc6a4186fbb90b0333fa7e2e5ef
Opcode Fuzzy Hash: 849985727afccc75c9de53ddb762e7338cd974650dfd6f8b25f170a70a48328f
Instruction Fuzzy Hash: 9081A420B08A498FE795EA2884A57A977E1EF49300F5481BDD58EC76D3CE3CAC859701

Function 00007FFD345F8F7D Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1599c09438a5fb1161518231acaef20a471e23512ab3cef1cbff5bc74ab4d6e9
Instruction ID: ac5c9bb51489e65d17f9afcb6280410374e0207173fc9fc41b47f8d546ea371d
Opcode Fuzzy Hash: 1599c09438a5fb1161518231acaef20a471e23512ab3cef1cbff5bc74ab4d6e9
Instruction Fuzzy Hash: 3181A220B08A4A8FE795EA2D84A57B977D1EF49300F5481BDD98EC76D3CE3CAC859701

Function 00007FFD345F8DDD Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 336e4ce754d92250a3d9a7844c00ca937f4b73931c33cd0b6f83a6aa80afbbc4
Instruction ID: 3fe3cdb4cb5e5236c7cd0d7a19da8613fae7eac8d3e55ecdf96e5f2e482689a4
Opcode Fuzzy Hash: 336e4ce754d92250a3d9a7844c00ca937f4b73931c33cd0b6f83a6aa80afbbc4
Instruction Fuzzy Hash: 45718220B08A4A8FF795EA2D84A57A977D1EF49300F5481BCD98EC76D3CE3CAC859701

Function 00007FFD345F8ECD Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b641feeec513b3dd40c31bd4c90252a717a93189f40b1edf638b9d33965273d4
Instruction ID: 44f89c499fd85f35abc3d54d8bc5f6bf73d031d0cdf883651271b827070411d8
Opcode Fuzzy Hash: b641feeec513b3dd40c31bd4c90252a717a93189f40b1edf638b9d33965273d4
Instruction Fuzzy Hash: CA718120B08A4A8FF795EA2984A57A977D1EF49300F5481BDD98EC76D3CE3CAC859701

Function 00007FFD345F8F26 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31c838fa1300acb6ad14c14cf729cee4e1a9106d1f995e2eae8b2ff2ec8f5fdf
Instruction ID: af6b5fe59a5a082c2796c455a4d6c9d20b33d96250e6e4af7dd1d3f84806f57e
Opcode Fuzzy Hash: 31c838fa1300acb6ad14c14cf729cee4e1a9106d1f995e2eae8b2ff2ec8f5fdf
Instruction Fuzzy Hash: 4B718220B08A4A8FF795EA2D84A57A977D1EF49300F5481BDD98EC76D3CE3CAC859701

Function 00007FFD345F8EEB Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f8a09a6068f70972fb3ae22c709e0c58470f4e72abac99d12c73c3f6ad686c1
Instruction ID: 9fc91a4c9aa78bf84c510d4ca6b03465fe66da448749bbdd8f89d4e396fdc6e7
Opcode Fuzzy Hash: 1f8a09a6068f70972fb3ae22c709e0c58470f4e72abac99d12c73c3f6ad686c1
Instruction Fuzzy Hash: 5E718320B08A498FE795EA2D84A57A977D1EF49300F5481BDD98EC76D3CE3CAC859701

Function 00007FFD345F8FC0 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2569ee80c1c1f3e7719cb87c194904255a5883bb687ca7a207614ee99455c19
Instruction ID: 9df9866ed6f169af365fc1dd20dfc0415c3faaef7fae489f0e15a9b8780cd4e6
Opcode Fuzzy Hash: e2569ee80c1c1f3e7719cb87c194904255a5883bb687ca7a207614ee99455c19
Instruction Fuzzy Hash: 17819520B08A498FEB95EA2D84A47A977D1FF59300F5481BDD58EC76D3CE3CAC859B01

Function 00007FFD345F8F08 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4fb657d2b5d21138f83cf007bd25511409044df7bd2c12869267a895060d50a
Instruction ID: a9358a47b81f2cc6a9d949eba7f04a56d37f4671001fa098cf12b9629a4f776b
Opcode Fuzzy Hash: f4fb657d2b5d21138f83cf007bd25511409044df7bd2c12869267a895060d50a
Instruction Fuzzy Hash: F281A220B08A498FE795EA2D84A47B977D1EF49300F5481BDD98EC76D3CE3CAC859B01

Function 00007FFD34604BE0 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5804411d4645c9f57152f21a5e96441c39d894ce95952d1b2dfbd76c74cc3247
Instruction ID: c92324ed3a4239b56488e6833d2d2f1703eb6ef3287975dfef591b8a1cdc299f
Opcode Fuzzy Hash: 5804411d4645c9f57152f21a5e96441c39d894ce95952d1b2dfbd76c74cc3247
Instruction Fuzzy Hash: BC51707190CA5C4FDB64DF58D855BE9BBF1EF59310F0082ABD44DE3252DE34A9848B81

Function 00007FFD34600007 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9da5e20045f7705792b3bc1bcc76e77a2c562182feccee8967efa213ed9fa5c
Instruction ID: f1c8675fccd5300015feeff016654aae08b3cabfe353699d4728d444a44b1e8b
Opcode Fuzzy Hash: f9da5e20045f7705792b3bc1bcc76e77a2c562182feccee8967efa213ed9fa5c
Instruction Fuzzy Hash: 4B718324B1CE178BE7A8DF5990A06B5A3E2FF97304F1481B6C50EC2596DE3CE8819780

Function 00007FFD345FD5B4 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a34584c15a9578654864bc10ca3ad22f083b2c89395d26a50ee93f213a856592
Instruction ID: f7051524490fb3008da91178ad561056dbecb6e278cffc88ff377c565a81759b
Opcode Fuzzy Hash: a34584c15a9578654864bc10ca3ad22f083b2c89395d26a50ee93f213a856592
Instruction Fuzzy Hash: C951A372B199498FDF98EF6CD4A4AA977E1EF59310B14017AE04EC7296CE28EC41C741

Function 00007FFD345F3751 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0c47b6ee37cc8dde9a1207a7fb58afa68ffc0e01bb52db37feb43db127c4014
Instruction ID: 8b0e50c5d6f161487261bab09471dd5ca78ec0cde81aa5e77265086de775b6e2
Opcode Fuzzy Hash: f0c47b6ee37cc8dde9a1207a7fb58afa68ffc0e01bb52db37feb43db127c4014
Instruction Fuzzy Hash: AC518932A0DA8A8FF766A77848A51B27FD0EF57324F1405BED5C9C3593DE1DA8028342

Function 00007FFD345F91FD Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26373c0cb7fd972f530ca4b0a6f2837ec6e2d16b197b6c917f83457797af5515
Instruction ID: c44e7dcccb9872cb64fcdfc07300b555b0da087a2a3e226ef24690f1b43e058c
Opcode Fuzzy Hash: 26373c0cb7fd972f530ca4b0a6f2837ec6e2d16b197b6c917f83457797af5515
Instruction Fuzzy Hash: EA512720B08A4A4FF759A62980A53B977C2FF99300F10817DD5CFC76D3CE2CAC469641

Function 00007FFD34610061 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14a1cb521ec391f83c5dc511f659be046004aa8cc87d09418ba5748360a9a548
Instruction ID: 1bba513af637d008663c7958d233f7676ce921f2b83aab8728e1373a149fc0b9
Opcode Fuzzy Hash: 14a1cb521ec391f83c5dc511f659be046004aa8cc87d09418ba5748360a9a548
Instruction Fuzzy Hash: 85512B3060DF854FDB69DF2888675E53BE0EF57300F1405BEC589C75A2DA1CA80AD382

Function 00007FFD345F7A72 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f95e6d4ce13ec2d1d165212167f59aef24cae35e6c0d02ddc9172ffed582c9ac
Instruction ID: 27a53f95a64760a15f67948f08e8ae6d012436ea80903f28bc001c750e4e1389
Opcode Fuzzy Hash: f95e6d4ce13ec2d1d165212167f59aef24cae35e6c0d02ddc9172ffed582c9ac
Instruction Fuzzy Hash: 1841F631A0C7888FDB599F1C88556B67BE0EF57310F15006EE5CAC3692CA39E842C742

Function 00007FFD345F76AE Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbae5a7c80735d4af0adfedbd61f76688e31baf335ad170bcfe50ec8e60fcde5
Instruction ID: 78cbbf87fc46dabee147a1f5d16b597e8d8525a4d58b0bd2620233b8e64e9bf4
Opcode Fuzzy Hash: dbae5a7c80735d4af0adfedbd61f76688e31baf335ad170bcfe50ec8e60fcde5
Instruction Fuzzy Hash: 88314823B1EE494FE795A76C98A95B53BD1EF8A35031501FAD04DC7293DD18BC038341

Function 00007FFD345F20B0 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a99f61de588b4dd10c9f9bbb2c5eb1307aa75eecf03d9619ae715bda74c5a110
Instruction ID: 799566e6fb1b4424ab796ab6250df922a69a150c57269b8b31f03fa33aa2dd22
Opcode Fuzzy Hash: a99f61de588b4dd10c9f9bbb2c5eb1307aa75eecf03d9619ae715bda74c5a110
Instruction Fuzzy Hash: 52415D73D0E5460AD3127BF8B8AA0E537109F1A728B0E85B2D1ECCB8D3DD1D654082D5

Function 00007FFD3460EFA0 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b026157d1135bef65468e075030ec7660f768a2aac9b275ff6e160752de2077
Instruction ID: 34b544f1ca41d5c0de884dbde0386785d01b499363a9baf4f8b53edc9676d262
Opcode Fuzzy Hash: 6b026157d1135bef65468e075030ec7660f768a2aac9b275ff6e160752de2077
Instruction Fuzzy Hash: 4231B321B0C9254BEB9CDF6D58B46B827C6EF9B744B0500B9E68DD7293DD6CAC029241

Function 00007FFD345FD099 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1685a895b2292796ba3884492237b5ea2458e3a931897cd3cb7cf5fcc2b44973
Instruction ID: 6ea7dba212a51ba6a2bada84bee1b30dd7c7f3785590381bdba119d66f507c1e
Opcode Fuzzy Hash: 1685a895b2292796ba3884492237b5ea2458e3a931897cd3cb7cf5fcc2b44973
Instruction Fuzzy Hash: 6D414F31A1964A8FDB96EF18C4A1BA937E1FF46300F4400B9E54ECB592CB39E855D701

Function 00007FFD34612185 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17a5bb35440fcf4b755a9fe192788c32cf6b44d8ede639068255f7a2181e4907
Instruction ID: e9563f6ef2fb086452fa45a4bb494efaafc10afcbe623f09894daee333535e1a
Opcode Fuzzy Hash: 17a5bb35440fcf4b755a9fe192788c32cf6b44d8ede639068255f7a2181e4907
Instruction Fuzzy Hash: 6641B030B0992D8FDF94EF18C8A1BA877A1EF5A300F5441A8D14DE7292CE39AD45DB41

Function 00007FFD345F2EEE Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abf2f41f69bd4ed62f467349f6c4957835230acd38e4f65151096a8a8578d7c0
Instruction ID: d9e204292da15c3b77ec06cdca4a427c5de21ab408153d41de4dc530f02e2249
Opcode Fuzzy Hash: abf2f41f69bd4ed62f467349f6c4957835230acd38e4f65151096a8a8578d7c0
Instruction Fuzzy Hash: 68312772A1EB864FD39B9B7848A65A07BE0DF5B22070441FFD449CB193DC2E5C46C301

Function 00007FFD345F3780 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f9f11fa744eff10873b260f520d16b26ddb4f2035da6fc6f613626975a21a7
Instruction ID: 5fa6786ddd84ffff1f5b57ab43cfeff1773d77516e8a6119e5bb05aa1bb85b27
Opcode Fuzzy Hash: f5f9f11fa744eff10873b260f520d16b26ddb4f2035da6fc6f613626975a21a7
Instruction Fuzzy Hash: 13312631A0DA0A5FF796E77844595B63BD1EF9A225F0105BDDA8DC3292ED2DAC024381

Function 00007FFD34609A09 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d27c1595f4ad6f0f6f4f66fa6bc51cc020353a32b0de162d5ac131b9c571ee8a
Instruction ID: 8a4da2b622d55ac2900e2eacb15634d91c99cb500824ff6a97bf02a01d1c9de3
Opcode Fuzzy Hash: d27c1595f4ad6f0f6f4f66fa6bc51cc020353a32b0de162d5ac131b9c571ee8a
Instruction Fuzzy Hash: 8E312631B4EA990FDB65AB3C5CA20E87BE1EF97230B0841BBD549C7193CD2D9C069781

Function 00007FFD3461332D Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 768e425ab4bb2a00f310e6a5b34ed1f7d6b5919449dbb83accf7f530aa52f7a1
Instruction ID: 1dbeb03dea76230fc2cb127b967bc99551477cbde006c4f339614f8bcbd6b0cc
Opcode Fuzzy Hash: 768e425ab4bb2a00f310e6a5b34ed1f7d6b5919449dbb83accf7f530aa52f7a1
Instruction Fuzzy Hash: 1931EB3170CA595FE785EF2C94A4AA57BD1FFDA310B0401BAE04EC7292CE29EC82C741

Function 00007FFD34601535 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 933a3bcebfe6e73d3eefb82165e6253c02ecd4eba906e4987618a9fa17e7426f
Instruction ID: 62bf77d35601ba5cd4ad28838da8779ea0bedd6009b5e4dc32a5493ff9ea80cb
Opcode Fuzzy Hash: 933a3bcebfe6e73d3eefb82165e6253c02ecd4eba906e4987618a9fa17e7426f
Instruction Fuzzy Hash: 5E314821A0DAD94FE795EB3894B46E47BE0EF5B20070805FEC48ACB293DD1EEC458740

Function 00007FFD3460F6F0 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 850ed2b615fdf0d029d876a01aaf10b9d3e5227cf0d73360826f8fd7097658fa
Instruction ID: b6ac8f7e8080e3fe4ea1eef19b8526d21c96603d2067cc14b8789e16b7c52f4d
Opcode Fuzzy Hash: 850ed2b615fdf0d029d876a01aaf10b9d3e5227cf0d73360826f8fd7097658fa
Instruction Fuzzy Hash: 7E31D63170C9194FE7BCDF1C9496AE537D4FF5A311F100679D18DC32A1DA68AC069781

Function 00007FFD345F2DBA Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6e900961b96a110555f8a244ca6040d736d8627a96840c15177f4deb21a2a5f
Instruction ID: ece3224720c7c6350a85cfb83f873f52065e9ff845271967d4aa0165d733140f
Opcode Fuzzy Hash: a6e900961b96a110555f8a244ca6040d736d8627a96840c15177f4deb21a2a5f
Instruction Fuzzy Hash: DB3108B3F0994ACFD7A2EA1894995B9B7E0FF9531075401B4F288CB961D92EAC06D701

Function 00007FFD34600C78 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80208afe38fc92f64ef3754d87fbd8d495fa16a5f904f215b02eb5162dd6db8d
Instruction ID: 3594543e696877eb9338632eb325b79ad5a640c0f95b96017b3a3a742ecb9abf
Opcode Fuzzy Hash: 80208afe38fc92f64ef3754d87fbd8d495fa16a5f904f215b02eb5162dd6db8d
Instruction Fuzzy Hash: E731DF32B0CA154BDB58EF9CB0652EA73D1EF58325F04053FE14ED7292DE29A8418784

Function 00007FFD346B57AE Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3462254996.00007FFD346B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd346b0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a05ec293ee5a4097987e28dab23bb5a7fa3060068c0e7e969c053684e4cdeeed
Instruction ID: 9e3143067a76b7497e20ee3b01635161962e4d4229f2c81f90324f609f94383e
Opcode Fuzzy Hash: a05ec293ee5a4097987e28dab23bb5a7fa3060068c0e7e969c053684e4cdeeed
Instruction Fuzzy Hash: AE210502B19E5A0BFBE5AA2D18F42F916C2DFCA21475901BAD54EC32D7EC6DEC431340

Function 00007FFD346B5098 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3462254996.00007FFD346B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd346b0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5d730f30ba15a7d47284e923b428c7610c56ed7548602d61be8b7e11e79d022
Instruction ID: 66f6c28ef2b0dbe67243398f03ad37e2a977c6a963e3642bbed06329f4b592a6
Opcode Fuzzy Hash: e5d730f30ba15a7d47284e923b428c7610c56ed7548602d61be8b7e11e79d022
Instruction Fuzzy Hash: 74312512B0DE570BFBE5AA2D04F42F96AC2EF9A614B5800BED54DC32D6ED6DEC425340

Function 00007FFD345F7390 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 161056eb1221ebe6cf816681940f8953fd67aa43114b22525c387325633be157
Instruction ID: 45359d0cee19fb30aa76c9e33f7a2fb9325b42c1ee8d228c09393914e7b7ae60
Opcode Fuzzy Hash: 161056eb1221ebe6cf816681940f8953fd67aa43114b22525c387325633be157
Instruction Fuzzy Hash: C831F822B1CA494FE786EB2C54A41757BD1FF9A214F04067AD98CC32E2DE2D9C419302

Function 00007FFD3460AE7D Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29ac95efede525c896bd3287890e093d7956848a95d8e988c5b2a5bab56f1f09
Instruction ID: 9e2759ec619821af971e9f1112fa59c0202263cb124292b5e80492e11b7033ea
Opcode Fuzzy Hash: 29ac95efede525c896bd3287890e093d7956848a95d8e988c5b2a5bab56f1f09
Instruction Fuzzy Hash: E3316230618A4D8FDB84EF24C8A47EA77E1FF5A304F1045A9E51AC7282DB39E855C740

Function 00007FFD346B522F Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3462254996.00007FFD346B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd346b0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5e0b762b431a693e9c58348ff637ebd2c8d557ab8a2abdfac5a81f5b7c81815
Instruction ID: 588dc70d4fb861b3b64508199090042aa3d958df13ac755ce8a856dbb13b687c
Opcode Fuzzy Hash: a5e0b762b431a693e9c58348ff637ebd2c8d557ab8a2abdfac5a81f5b7c81815
Instruction Fuzzy Hash: 17212902B0EE5A0FF7E5AA2D04B52F466C2DFDA214B5801BAD14ED33D6EC6DEC425300

Function 00007FFD34600CD3 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b8209fc673bccc1d8f1bbf93c5f1d1374eaccfb85f00403c9054cc0bb32689
Instruction ID: 68617a7e17c55cde1620d87333e57cafca7e53d7c5b6665198b8a26c7a976f09
Opcode Fuzzy Hash: 63b8209fc673bccc1d8f1bbf93c5f1d1374eaccfb85f00403c9054cc0bb32689
Instruction Fuzzy Hash: B831D532A0DB984FD799DF2864652FA7BE0EF5A320F04417FE08DC72D2CE2958418745

Function 00007FFD345F3169 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2ff7ba2a2ee2b1beef702152e6cccdbede4e1b3626c6155c56d96a8edfd4cab
Instruction ID: e3bd5538c42984a044a631cded343c164137f1c4abcd6a213412b1e4baed95d7
Opcode Fuzzy Hash: c2ff7ba2a2ee2b1beef702152e6cccdbede4e1b3626c6155c56d96a8edfd4cab
Instruction Fuzzy Hash: DA31F332E0D7889FD759EF68C8652A93BE1FF9A314F0540BED449D7282CA39A802C701

Function 00007FFD345F3FB4 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bc509a9d6028fe729797e5ff6858165a98d7f6ac904c12cd00169b34618ea4b
Instruction ID: 1a93dad046458caf22b1c993ec0217be1e62e264e47c64207ac7e2ec2a6acd85
Opcode Fuzzy Hash: 6bc509a9d6028fe729797e5ff6858165a98d7f6ac904c12cd00169b34618ea4b
Instruction Fuzzy Hash: AA210822B0C6454FF399A61C589A6B537D5DF97260F0801BED58DC7193DD1DAC438383

Function 00007FFD345F2468 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93b6421b7a5468d697a4d5fac1b9d5e528581932c995860bca6593bf489bc277
Instruction ID: 23f13d9fb00ea0700d76427dd70258886f2c08bc6645e7bf846e78d997f54ac7
Opcode Fuzzy Hash: 93b6421b7a5468d697a4d5fac1b9d5e528581932c995860bca6593bf489bc277
Instruction Fuzzy Hash: 55219C31A0DA664BE7659F346CA41E177E0EF53354B0802BDD548C75C3DA1DAC8A9380

Function 00007FFD346B39C8 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3462254996.00007FFD346B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd346b0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0e4ed02518c7dcd368a4a33e49071d2b942e696884d250b39d225e074d47c6f
Instruction ID: 5a96bd257fcbfe25e266d6cd2f7edf93418582b76db87bc8b0cf263644b37c68
Opcode Fuzzy Hash: d0e4ed02518c7dcd368a4a33e49071d2b942e696884d250b39d225e074d47c6f
Instruction Fuzzy Hash: 24210712B1DE0A0FF7E5A62D08F52B856C2DFDA61076801BAD54EC32D7ECADEC825340

Function 00007FFD346B5958 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3462254996.00007FFD346B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd346b0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30993a27e4dbb3f3e4b5d53707147fd86e054b58ee3f709c576b3ac579de7cef
Instruction ID: 369aaa587c013b09d12b1bb52efd6cfae46b06b0ce427ac8007c9e3c5a5e1c28
Opcode Fuzzy Hash: 30993a27e4dbb3f3e4b5d53707147fd86e054b58ee3f709c576b3ac579de7cef
Instruction Fuzzy Hash: B0212502B0DE4A0FE7E5B62C04B42B856C2DF8A624B59017AD50EC3297EC6CEC021340

Function 00007FFD346B286A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3462254996.00007FFD346B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd346b0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3e4dc36639878111bfcfcb31f60b4439d753c46cd47aa06932d17f0259da992
Instruction ID: ce95a87e62a5910a923f4d6703a4c05e8f2c2c92a06d1b5a88f8360ab8f1d435
Opcode Fuzzy Hash: f3e4dc36639878111bfcfcb31f60b4439d753c46cd47aa06932d17f0259da992
Instruction Fuzzy Hash: 0D212812B19E0A0FEBA5AA2D04F82B566C2EFDA610B58007ED14ED32D6ED6DEC025340

Function 00007FFD346B39B2 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3462254996.00007FFD346B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd346b0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd434da744b6a234278b593f8b4fad88e8451f345141e554bd49b565c4140586
Instruction ID: 1213e518356a95813360942aa3724a15fcbaa5db66ffdb07a378c8ede7f9470c
Opcode Fuzzy Hash: fd434da744b6a234278b593f8b4fad88e8451f345141e554bd49b565c4140586
Instruction Fuzzy Hash: C4212812B1DD5B0BF7E5A62D04F52B457C1DFCA610768017AD54EC32D2ECADE8825300

Function 00007FFD346B369E Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3462254996.00007FFD346B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd346b0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12c3aaf29f7cb0837f103f8c1e7810f652ba65883f89db6d801ed6545f562043
Instruction ID: fb8dee3bb72b9d8996be675d378861a7162d063926d5ce6175cefe48259dfd30
Opcode Fuzzy Hash: 12c3aaf29f7cb0837f103f8c1e7810f652ba65883f89db6d801ed6545f562043
Instruction Fuzzy Hash: C3213A12B1DE4B0BE7E5A62D08B52B566C2DFDA600798407ED14EC3397EDADEC425340

Function 00007FFD346B4668 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3462254996.00007FFD346B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd346b0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ced351efcc553596a132ecbf58d0e4b5aed4d185108bf9f87cfaea41b826fa12
Instruction ID: e9d8d968295b4d630d4ceb7d65b72478b9ba09824e912a1878b74938747ca4ad
Opcode Fuzzy Hash: ced351efcc553596a132ecbf58d0e4b5aed4d185108bf9f87cfaea41b826fa12
Instruction Fuzzy Hash: C0210711B09E4A0FF7E5AA2D04B82B855C2EFDE21075801BAD54ED33D7EC6CEC025300

Function 00007FFD34610F98 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bf9009372c5b644ca558e931acaf931a7d0ccd09340ae65e434f605a4f05836
Instruction ID: c09247f0a50478aeeb2b6aa29454e7b8acc4b0e396dac38ec7cd853c9b211048
Opcode Fuzzy Hash: 4bf9009372c5b644ca558e931acaf931a7d0ccd09340ae65e434f605a4f05836
Instruction Fuzzy Hash: 72213E70B1CA588FD784EF1C9494A6977D1FF9E311F5405BEE54DC32A6CE28E8418B41

Function 00007FFD3460EEA9 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da293f5b50deaa17419b0e68f2f157a7e4e56c2defa7c1ed8398c2311e025c86
Instruction ID: 76a23a8c52e6a28d678469911a7839b43b8028c121019001961cac411a623fa0
Opcode Fuzzy Hash: da293f5b50deaa17419b0e68f2f157a7e4e56c2defa7c1ed8398c2311e025c86
Instruction Fuzzy Hash: D2214721A1DBC60FD716A72888656E67FE0EF6B224B0842BFD48AC31D3CE5DA406C341

Function 00007FFD345F7750 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03b108975db2b8561587b25eb070ef588c5bd523c670f7538cd78e8b3b7cba12
Instruction ID: 1ab8d4a8d1256b72d56b94403f08428e7540180bf2a84dd06c69edfcd24ef5d9
Opcode Fuzzy Hash: 03b108975db2b8561587b25eb070ef588c5bd523c670f7538cd78e8b3b7cba12
Instruction Fuzzy Hash: 00117F23F2ED0D4FE6A8A65C58965B233C2EF893603550179D44DC3687DC1CBC024381

Function 00007FFD346B3A97 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3462254996.00007FFD346B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd346b0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae6eaa07753b0274d167b5b1a8a476d795c31f9c047dc26d3dd9cda01b54e1ca
Instruction ID: 9989747d7b0071fa2947e11fa3657abe6cf83d2c61500dff264d64dca44daca1
Opcode Fuzzy Hash: ae6eaa07753b0274d167b5b1a8a476d795c31f9c047dc26d3dd9cda01b54e1ca
Instruction Fuzzy Hash: 0F212C12B19E1A0FFBE9AA2D04F52B966C2EFDA210764017ED14EC32D6ED6DEC425300

Function 00007FFD346B26EA Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3462254996.00007FFD346B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd346b0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c4f618cc4c5770d4bfab571a72cfc7a47442210d2f5dd8218d457f4211943e5
Instruction ID: 95100cb89e6158f860bfb6483acce2759a430013b0093369ee3c1ebd55968da4
Opcode Fuzzy Hash: 7c4f618cc4c5770d4bfab571a72cfc7a47442210d2f5dd8218d457f4211943e5
Instruction Fuzzy Hash: A421F312B19E1B0BE7E9AA2D04F92B565C2DFCA610B68017AD60EC32E7DD6CEC421344

Function 00007FFD34610501 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b577c21ded3cce3e928edc6fc7f58bb825647abd913f331330c9beab38763fe4
Instruction ID: ba9b81ac3f15bbca6f43eec1b6e7cd7078325783ebc7991a6959901afacea0b5
Opcode Fuzzy Hash: b577c21ded3cce3e928edc6fc7f58bb825647abd913f331330c9beab38763fe4
Instruction Fuzzy Hash: 2C21D33170DD595FEB99EB3C88A56A97BE0EF5A31030541BAD04AC72A2C92CEC42C741

Function 00007FFD346B32B5 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3462254996.00007FFD346B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd346b0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 583409ef0719323ba5c76c3f22abb2f2d6cfdfeff10aec69d3101b08f6aa8823
Instruction ID: 3de7eb0cabd64e333531de5744c8fcd3e671ad8475cfbde49c5f31649b2fcdc6
Opcode Fuzzy Hash: 583409ef0719323ba5c76c3f22abb2f2d6cfdfeff10aec69d3101b08f6aa8823
Instruction Fuzzy Hash: 15210A21B0DE5A0FF7E5A62D04F52B565C2EFCA6107580079D14DD3396DDBDEC425340

Function 00007FFD346B2566 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3462254996.00007FFD346B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd346b0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5980b87003a9b934557edbf9b84bd2c346b687a8d4a68c888cb148354663f17
Instruction ID: 8d08386b93f6ebd92814590716fd84483922d56686a0c439ea1aef5f98e8cd19
Opcode Fuzzy Hash: d5980b87003a9b934557edbf9b84bd2c346b687a8d4a68c888cb148354663f17
Instruction Fuzzy Hash: 0521F912B19E1A0BE7E5AB2D04B92B525C3DFDE210B58417AD54EC33D7DC6CDC025340

Function 00007FFD346B3CF7 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3462254996.00007FFD346B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd346b0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6952aab8730d57116f4ab82814a9f48daa9aa383152b3162c37a398f963baf8d
Instruction ID: 1dad688f6f3e8c1f4d6d5d1096230315aadcac81d607320826cb5e2dc3c91db3
Opcode Fuzzy Hash: 6952aab8730d57116f4ab82814a9f48daa9aa383152b3162c37a398f963baf8d
Instruction Fuzzy Hash: A9212912B0DE1A0FF7E5AA3D04B42B566C2EFCA61076801BAD10DC32D6EDADEC421340

Function 00007FFD345FA6D0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74817f636da7639398b3893f35da4666ebf5d0331c290c45d87620bfc1e8dbb1
Instruction ID: 4f0898ac465327bac87521f3ae1544ecdd5342e828b057eb595860485bfcf8b4
Opcode Fuzzy Hash: 74817f636da7639398b3893f35da4666ebf5d0331c290c45d87620bfc1e8dbb1
Instruction Fuzzy Hash: 0121687190CA1C5FDB58EA58DC4A5F9B7F4EB95321F00413FD44ED3211DA31B9458B82

Function 00007FFD3460A710 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95744a14ae19fdf057c9973bcaf518a502538e013c5c3d01aaa9a8136dd52ab9
Instruction ID: a0d3a6152a62722dae5bf3d84fabedbcaac3eee8c50d0d0fcd6ad2413c8c34e9
Opcode Fuzzy Hash: 95744a14ae19fdf057c9973bcaf518a502538e013c5c3d01aaa9a8136dd52ab9
Instruction Fuzzy Hash: 0421F632F1CA195BE75CDA1C58A56B677D1EF9A350F00427EE58EC3282DD68AC0642C5

Function 00007FFD345F3FD0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 075c3296baa8eed5d4e6843ab9bfb6fc3af63b23ea0f73a89a095922cc1e8c03
Instruction ID: e8a99ceb33dd4973c984170443c16fdc88c44d641de5d4153d26f363258a1b3f
Opcode Fuzzy Hash: 075c3296baa8eed5d4e6843ab9bfb6fc3af63b23ea0f73a89a095922cc1e8c03
Instruction Fuzzy Hash: B511E022B0C6054FE799A51C585A7B533C5DF9B261F04017EE98DC3253DD19BC424283

Function 00007FFD3460AEA0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 505d9f1e11d039dc4273098cdb80bc3f8bf233fa78f0da3cdb6649bba18dc71f
Instruction ID: b0c19e8bf229b981992f0ce3afbf4e17a5d9c0a9f9dbfe084c32557e0aaa79f3
Opcode Fuzzy Hash: 505d9f1e11d039dc4273098cdb80bc3f8bf233fa78f0da3cdb6649bba18dc71f
Instruction Fuzzy Hash: 04214F34A18A4E8FDB88EF28C8947AA77A1FF59304F504569E51EC7286CF39E851CB40

Function 00007FFD345F7065 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 330af2df4c99b406f4a67bce81512434298b1d7c64cdda629c8e8b4831c89979
Instruction ID: 2221df666333433f55fd2cebb319fd9a0478afd0acc8af20621326e283c0b2be
Opcode Fuzzy Hash: 330af2df4c99b406f4a67bce81512434298b1d7c64cdda629c8e8b4831c89979
Instruction Fuzzy Hash: F8212C21A1CA554FE752971C9498A717FD1DFA6310F0C09BAD9C8C72B3D85DD9C5C702

Function 00007FFD34603805 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f79ef8e28789aca8a6d672094e657e19b7aad9e5e13b41e04fb16829b24990c
Instruction ID: e6238203c3625261553206e91d682639ad4a71038c1f0a1ce6a52bd68ed9b1a6
Opcode Fuzzy Hash: 5f79ef8e28789aca8a6d672094e657e19b7aad9e5e13b41e04fb16829b24990c
Instruction Fuzzy Hash: 12316F30A1D66ADFE7A5EF6484A17E8B7A1FF46301F5000BDD14ED7192DA3D9882DB00

Function 00007FFD3461351E Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13a5d78b1d2db532e80507f1af281edd0944159358623a403153fd1a0b0abdb1
Instruction ID: 202e1580a97b40da3d43ce21dbf1c98902ee5c6dc8a5d5caa9625fceb14b5726
Opcode Fuzzy Hash: 13a5d78b1d2db532e80507f1af281edd0944159358623a403153fd1a0b0abdb1
Instruction Fuzzy Hash: 9B217130718A5A8FE795EB2884E56B477E1FF86314B54447DD14FC7292CE2DAC82D700

Function 00007FFD346096D5 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f74e65a97f845d74f9e182a75291f2491f31b8d67cc8c599726745993c629ae
Instruction ID: 8a401634869c1b6260fa3544d8e72a7d145450253c9b692d6f509a00bbef57fe
Opcode Fuzzy Hash: 2f74e65a97f845d74f9e182a75291f2491f31b8d67cc8c599726745993c629ae
Instruction Fuzzy Hash: 72219332B4DA8D4FDB85EF1894A16E977A1EF9B310B0501BAD50DC7292CE2D9C458781

Function 00007FFD346099AA Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be3d4809100c5d9b43e3ad67a4f4cfc2af1196344bfa62f8ab5a73c652b50b66
Instruction ID: 99297b3b7d63d20d77529b4c8b2b25625014028a7c621a62efec9841989ae6fe
Opcode Fuzzy Hash: be3d4809100c5d9b43e3ad67a4f4cfc2af1196344bfa62f8ab5a73c652b50b66
Instruction Fuzzy Hash: FF21F320A4E7D50FDB56AB789CA24E87FE1EF47230B4881FED189C7193C92D5806D751

Function 00007FFD345FCFC5 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d7c521825710cfd1bdcd74ee2c69ffb72dab25170553d076f04341a7b453725
Instruction ID: 484855f787a5175b3cd0796fcaff6609c72a595af907cc63f243d2943443c81a
Opcode Fuzzy Hash: 0d7c521825710cfd1bdcd74ee2c69ffb72dab25170553d076f04341a7b453725
Instruction Fuzzy Hash: 0911910158EAC61FE34757B44C795E63FE5DF8B12030D42EBE486CB8A3D85C598B8362

Function 00007FFD346B4A88 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3462254996.00007FFD346B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd346b0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 590cd4e4d1fe18d5b7b0ab62afb6fd8dbac9c9f9b2c25fb8f1ace08864345c40
Instruction ID: 6f1263e1c6517c0e06d8519ab844b77fd5caa93485991877b3d38a880e4d1616
Opcode Fuzzy Hash: 590cd4e4d1fe18d5b7b0ab62afb6fd8dbac9c9f9b2c25fb8f1ace08864345c40
Instruction Fuzzy Hash: BE11E712B1DE4B0BF7E5AA2D04B42B996C2EF8A21076901BAD55DD32D6ED6DEC425300

Function 00007FFD346B2C8C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3462254996.00007FFD346B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd346b0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea4cff87a093a944d9d8b15129349d4223a7a49beeb6439433ac69532763df7
Instruction ID: d10831ffb497d196e353ff7c34c38e5e1af85cd35c210326dcaa871e922dcd48
Opcode Fuzzy Hash: bea4cff87a093a944d9d8b15129349d4223a7a49beeb6439433ac69532763df7
Instruction Fuzzy Hash: C7110A52B0DE4A0FF7E6A72D04B827966C2DFCE210B5901BAD54ED32DAED6DEC025340

Function 00007FFD346B2964 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3462254996.00007FFD346B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd346b0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b50cd9548484139be7848f0a12b60aea5c1942efe1e4f5134989a8d9315c176
Instruction ID: c8e46fbd81af70f4d0bb73f65253afa6c2aed4293d6f2f8a88b36548e7408411
Opcode Fuzzy Hash: 0b50cd9548484139be7848f0a12b60aea5c1942efe1e4f5134989a8d9315c176
Instruction Fuzzy Hash: 42110A12B1DE5A0FF7E5A62E14B82B496C2DFDA210B5901BAD14ED32D7ED6DEC025340

Function 00007FFD346B5A50 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3462254996.00007FFD346B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd346b0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92fe9461573c4b468a89f3d04a545dd2139165063821ee9cbc03cccf673b5d02
Instruction ID: 69067f3db3b46aa3f7d7dce54927a7f766012274e1d24a8718f7d22b84bfab51
Opcode Fuzzy Hash: 92fe9461573c4b468a89f3d04a545dd2139165063821ee9cbc03cccf673b5d02
Instruction Fuzzy Hash: 4B11E712B0DE4A0BF7E5A62D04F42B896C2DFCA214B5901BED55DE32D7ED6DEC425340

Function 00007FFD3460159D Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05f9d211e0a73899b7ed9a56c4d593f4ff2fe5c6ba72c3cd1beed170610241d6
Instruction ID: 258db2a522de0f2ca948904ba83df4b2aeafc9051728499ec40259ea9a10bb11
Opcode Fuzzy Hash: 05f9d211e0a73899b7ed9a56c4d593f4ff2fe5c6ba72c3cd1beed170610241d6
Instruction Fuzzy Hash: 3C11B161B1DE894FE7A9EB3884F5AA577D0FF6A300B4804ADD44ACB293DE19EC05C740

Function 00007FFD345F65F1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f90c20ca4ebb3f878e55df3e8653a2a096140de84573f44fdb87e76a2034d64
Instruction ID: 73fdff8e96a74bd0d3fce1d6f38ae9077f0203dc55804538ac67cde5782a39b9
Opcode Fuzzy Hash: 3f90c20ca4ebb3f878e55df3e8653a2a096140de84573f44fdb87e76a2034d64
Instruction Fuzzy Hash: 5F11C43190D68A8FCB42DBA4C8556E9BBF0EF46200F0405AAD158C74A2DB7C5945C791

Function 00007FFD345FD295 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e869f58abb6ebdb0da4ba5eda51205409b943a7dbf580a178c2a0c6f490f11e5
Instruction ID: 824c673989ce33ff25babf121c8eb357acfdb956673edeebafc5d72d58a10ad0
Opcode Fuzzy Hash: e869f58abb6ebdb0da4ba5eda51205409b943a7dbf580a178c2a0c6f490f11e5
Instruction Fuzzy Hash: E1119E2158E7C60FC34797B48C24AD57FE5DF8B11030942E7D089CB5A3C91D9847C761

Function 00007FFD3460A425 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38fd28082c9a1142b6888bd390cc70b16a9149e7ca6b68cb8b32752142e883d7
Instruction ID: 4d49e89b68a73369f973b6388e14c50da3529602903bc06c2466bd9be4325cb1
Opcode Fuzzy Hash: 38fd28082c9a1142b6888bd390cc70b16a9149e7ca6b68cb8b32752142e883d7
Instruction Fuzzy Hash: 4B11293695D6D20FE31657305CA64E17BA4DF53390B0A02F6D188CB893D81D798B8392

Function 00007FFD346015B0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5150b634a5c3c6bfb01f5e369b540c72894effbec829066ededb7b247a68501a
Instruction ID: 6fb5c1a6ce74c90682c808cbfa19d9a081dd6f3494dd07743d1fd36df5fa5d9d
Opcode Fuzzy Hash: 5150b634a5c3c6bfb01f5e369b540c72894effbec829066ededb7b247a68501a
Instruction Fuzzy Hash: 2811C631719E594FD7A8EF3884E8AA577D0FF5A300B4804ADD44EC7292DD19E805C740

Function 00007FFD34610D65 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73ea9199850692f3514242e3cd73a7aaec4a8cd305aedf8a377ab7f13b979960
Instruction ID: 50224dbde902f721ab0d2bbf49ba6fa26d36e2f205c9f7be42b36cc4d6d69fd7
Opcode Fuzzy Hash: 73ea9199850692f3514242e3cd73a7aaec4a8cd305aedf8a377ab7f13b979960
Instruction Fuzzy Hash: 92012625B0EEA60FDB8A963914B82F8BAD0DF47210B1441FFC149C71E2DD1C5C42D341

Function 00007FFD34610D42 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2af9ebf19693629b7a4b392f6bad93cda15f87f209872cc8a932fd2a7697c576
Instruction ID: adc56681aed1bd04753ad8e56df014b1dd4bc56575103f31fa70fc3d843445d3
Opcode Fuzzy Hash: 2af9ebf19693629b7a4b392f6bad93cda15f87f209872cc8a932fd2a7697c576
Instruction Fuzzy Hash: B001D411F0DDAA0EEB59AA3924B92F86AC1DF87210F1840FBC50DCB5D3DD2CA841A341

Function 00007FFD3460C229 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2102fc22822c9ce3579d2c4c6d149a04ac5931bfde7d5965371ef7d6537a2c5b
Instruction ID: 20e94a29d40b5336e6c3d97a84a39e84acdb46fe09f496f023ef2e596796bf0e
Opcode Fuzzy Hash: 2102fc22822c9ce3579d2c4c6d149a04ac5931bfde7d5965371ef7d6537a2c5b
Instruction Fuzzy Hash: 12012611B1CF8A0FE7A6F3B864A54F67BE1DF9D21030442BBD04EC359BDC2898058380

Function 00007FFD345FD315 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28364638c6eaa6ba2b7e0e79c591147349eb655e4d73554378621375b918f4fb
Instruction ID: 75518ae35d51c8ccf98348ffe601fed51f9e4e821622b9a4f888d99013e4185f
Opcode Fuzzy Hash: 28364638c6eaa6ba2b7e0e79c591147349eb655e4d73554378621375b918f4fb
Instruction Fuzzy Hash: A5118272A0D3844FD706DF24946149A7FE0BF8A214F0946BFE58DD7292CA2CA905C742

Function 00007FFD3460990B Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4961324a0d4a90f3c99fc48767cba0ec739ea20fc116a80ab3650a915a995957
Instruction ID: 398137af2eaabbd8cdbddd2786367b85a75338cf9832dbc8b2d464877da4e64c
Opcode Fuzzy Hash: 4961324a0d4a90f3c99fc48767cba0ec739ea20fc116a80ab3650a915a995957
Instruction Fuzzy Hash: 0E01F630B1890D8FDB84EF6CD895AA9B3E1FF9931570544B9D54AD72A2CE24EC42CB80

Function 00007FFD345FD551 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7861c6abe21b1fe87b0d527715e58f915d97ee2c4f57ae66a41712a300930c55
Instruction ID: 9c573575a6f3bd36ae060b7c1daf0497423f04a170b8dd001843507e7e63c5e6
Opcode Fuzzy Hash: 7861c6abe21b1fe87b0d527715e58f915d97ee2c4f57ae66a41712a300930c55
Instruction Fuzzy Hash: 5EF0287284D68C5FD756DF184C59AE73FE4EF57240B09416AF149C3692CA2C6804C351

Function 00007FFD34611616 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92d113a40863a0df93cf8f19112b7816723fabba2b9bedc5b767dbb3f1859e10
Instruction ID: a6281259bd36cb0ecc01ba9e4f98e28ed312007e3d6dd368d0317c4890bbb464
Opcode Fuzzy Hash: 92d113a40863a0df93cf8f19112b7816723fabba2b9bedc5b767dbb3f1859e10
Instruction Fuzzy Hash: 12F02422B5CA590BD6B0DA1C7CE01F433C2EF8A310F08027AC20CC3296DD2EBD429381

Function 00007FFD345F6620 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d6c8a4a3d34663f5000a2a4067575b9797e47f192a0464e2906dbb378c94263
Instruction ID: 8f4cd5f354a0c1076e964bad5b3fbd0354cce826bfbc9296f280f05701f96490
Opcode Fuzzy Hash: 5d6c8a4a3d34663f5000a2a4067575b9797e47f192a0464e2906dbb378c94263
Instruction Fuzzy Hash: FFF04F71E08A1E8EDB95EBA8D8556EEB7F0FF09300F40097AD11DE3591DB796940CB81

Function 00007FFD3460DC9C Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04f423ace51a403b51514d996e2da80e40c60d5514ba715f3004b3c8d5d9ba74
Instruction ID: 0da4b6c46b681975787fefec433a6f8112c12dac6f2d79e107004f6942087cd7
Opcode Fuzzy Hash: 04f423ace51a403b51514d996e2da80e40c60d5514ba715f3004b3c8d5d9ba74
Instruction Fuzzy Hash: 27F0A711B2CD4B0BF699F7AC54F56F99292FFA82007508277D00EC36CADD6CE8564380

Function 00007FFD345F4D08 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10e1e51564d5b28c2229876d1e7e64c8c0cfcb934e345ccdc5040838e8b2cf82
Instruction ID: 53b55e1d2921aa492b3579679fefe9d0b026c40652184e9b06cec53a84b3edc8
Opcode Fuzzy Hash: 10e1e51564d5b28c2229876d1e7e64c8c0cfcb934e345ccdc5040838e8b2cf82
Instruction Fuzzy Hash: CDF04C31A0CA185AE78AF71844D42B97FC1DFDA250F084A3DD08DC71B1CF7C99808346

Function 00007FFD345F345C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 616d6431ddb6218e7c04f87f23ef0078ad985a1db7db0bbaffc0483f62c14c1d
Instruction ID: c84581313a262509e48223f8661426f4d7543da484b36629191269cfe995bfdb
Opcode Fuzzy Hash: 616d6431ddb6218e7c04f87f23ef0078ad985a1db7db0bbaffc0483f62c14c1d
Instruction Fuzzy Hash: A8F0A77194D60D5FD718EE45EC8A5EA77A4FF86224F00013AF54DC2152D6356863C751

Function 00007FFD345F3050 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f547c55da0f7c8ca62e1efe3ec6876344636431cad9e4e15420f6525c73103a
Instruction ID: 94b6206d3dce26caee8937cff16e67f87e4a5c46164e49f5c293ed760adccca7
Opcode Fuzzy Hash: 2f547c55da0f7c8ca62e1efe3ec6876344636431cad9e4e15420f6525c73103a
Instruction Fuzzy Hash: 86F05935F18A458BE749EA3C445427133D1EF46304F0044BED88ED7292DF28EC029241

Function 00007FFD3460978A Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b487b8e305f9a310f586aab2b4ec54bc46e7eb95fbf31e429642e8c7a30cc4b9
Instruction ID: aaf8c229e96035ea71e5e9f18972bbba4d972c480bd747fd1527715222c13ea6
Opcode Fuzzy Hash: b487b8e305f9a310f586aab2b4ec54bc46e7eb95fbf31e429642e8c7a30cc4b9
Instruction Fuzzy Hash: 6CE07D3250C94C4BDB40AE18A8008D57FD0FFC631CF00009BE55CC7141C222D519C741

Function 00007FFD345FC749 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0e6c1d42450e2e3f1efd46d14f333e2ca420ab5e665f8126adf5f1836c08d36
Instruction ID: d98601227f05343b6416c470a221309bcda0175b01b9bde8f2639761beca3319
Opcode Fuzzy Hash: a0e6c1d42450e2e3f1efd46d14f333e2ca420ab5e665f8126adf5f1836c08d36
Instruction Fuzzy Hash: 5CD0A703FADD8E46FA817E0878D11F5B384FF93168B904237D98AD3C86DD6D95078182

Function 00007FFD345F2D3B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 299cb0e2a709e06fd7cfc16925b06015b36c8d8d7c6314552c3e506a389454e8
Instruction ID: c6d7405cf4a5c749d9583c5678147624a9ddb450deb74803f8c81bb0e872ff00
Opcode Fuzzy Hash: 299cb0e2a709e06fd7cfc16925b06015b36c8d8d7c6314552c3e506a389454e8
Instruction Fuzzy Hash: 04E08C20B1D9920BE3A1E7B804233BA66D29F88310F8580F8D40DC32C7C92E2C024252

Function 00007FFD346B0FB1 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3462254996.00007FFD346B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd346b0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7436ca66e0e884e30720814de0ea0ebbd4f6fc324da8fe61c3b6b271746bb163
Instruction ID: 8a4f1b3bc0a5db435a23ab0d41c884f4a1c15046849ea30d1e360186495e4ae0
Opcode Fuzzy Hash: 7436ca66e0e884e30720814de0ea0ebbd4f6fc324da8fe61c3b6b271746bb163
Instruction Fuzzy Hash: FBD0C9117A942207F258318D6CA63F97285DB89724F608436E64DC33D6CCDE6C8112D2

Function 00007FFD34611481 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b63cb663c3b60ac184c198afd918142f2aa5e64963ed9b47e7e75e24da6115d
Instruction ID: 3c5a1da7a5ca317beb226db6e823fadd99d12ff2386db48913c41d4dad864d04
Opcode Fuzzy Hash: 3b63cb663c3b60ac184c198afd918142f2aa5e64963ed9b47e7e75e24da6115d
Instruction Fuzzy Hash: 3DD0A73178D55D4DD2219A387C501E9B381DBC6121F5007BAC24DC2145CC2A40825241

Function 00007FFD346093C6 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70cb845d684681ea0255217becf105ecd754e2d8bc0bde32d3d67327d869f4e8
Instruction ID: e27e2eac6d7a2473bfd7ec7efa63d5a37817ba529acf37d5d8317ae75770c586
Opcode Fuzzy Hash: 70cb845d684681ea0255217becf105ecd754e2d8bc0bde32d3d67327d869f4e8
Instruction Fuzzy Hash: E3C08022B8D82D099B94775530631FCF211DFC7210FC11431D21DC20C3CD4E2C141AC1

Function 00007FFD346028A3 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 071698123b5b2659ea59642cb8cb1d0272abbb1dfe4a355042d41a86ae84202c
Instruction ID: 92778a3f465a97165720b31000c02a8472c62a1c468267dd52300c86590d85c7
Opcode Fuzzy Hash: 071698123b5b2659ea59642cb8cb1d0272abbb1dfe4a355042d41a86ae84202c
Instruction Fuzzy Hash: F3A00202BCE42E019544269D79920D8B284C787171BC93A72EA08C414AAE8F1DD61281

Non-executed Functions

Function 00007FFD343795FD Relevance: 11.7, Strings: 9, Instructions: 458COMMON

Download Yara Rule

Strings

pwL4, xrefs: 00007FFD34379851
PwL4, xrefs: 00007FFD34379831
4, xrefs: 00007FFD34379600
@wL4, xrefs: 00007FFD34379821
`vL4, xrefs: 00007FFD34379741
0wL4, xrefs: 00007FFD34379811
wL4, xrefs: 00007FFD34379801
pvL4, xrefs: 00007FFD34379751
puL4, xrefs: 00007FFD34379701

Memory Dump Source

Source File: 00000000.00000002.3458183389.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: wL4$0wL4$4$@wL4$PwL4$`vL4$puL4$pvL4$pwL4
API String ID: 0-1815899802
Opcode ID: cab2b573569feb55540820d2d48e659d272a7b869be340cae2165268420b282e
Instruction ID: 88e9ef8175b022170b0565ff8cca06ebbd4fc046b583cad0b4a7b5e9ee1194fc
Opcode Fuzzy Hash: cab2b573569feb55540820d2d48e659d272a7b869be340cae2165268420b282e
Instruction Fuzzy Hash: C6E1DF47B4F6C11BF721676C6CA61A97F91DF4326470C42F7C2D88B0D7981E690A9B83

Function 00007FFD3437BFF3 Relevance: 6.7, Strings: 5, Instructions: 443COMMON

Download Yara Rule

Strings

ppN4, xrefs: 00007FFD3437C121
0oN4, xrefs: 00007FFD3437C081
pN4, xrefs: 00007FFD3437C0D1
0pN4, xrefs: 00007FFD3437C0E1
`pN4, xrefs: 00007FFD3437C111

Memory Dump Source

Source File: 00000000.00000002.3458183389.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: pN4$0oN4$0pN4$`pN4$ppN4
API String ID: 0-4138390926
Opcode ID: db661bbc0f900da69548921786058cbba2c17097ddacbb40b805985632fa6ac5
Instruction ID: c44876a8b46e0a04fbde24bf256c44f432365e09033dd7d44c70559be4a61eab
Opcode Fuzzy Hash: db661bbc0f900da69548921786058cbba2c17097ddacbb40b805985632fa6ac5
Instruction Fuzzy Hash: 67F1DE12A4D7D21BE713A76C7CA61E57F90EF03364B0841B6C2C8DB0B7D92D665AD382

Function 00007FFD34374EFA Relevance: 6.6, Strings: 5, Instructions: 326COMMON

Download Yara Rule

Strings

8I4, xrefs: 00007FFD34374F99
8I4, xrefs: 00007FFD34375019
I4, xrefs: 00007FFD34374FF9
0I4, xrefs: 00007FFD34374FB9
I4, xrefs: 00007FFD34374FA9

Memory Dump Source

Source File: 00000000.00000002.3458183389.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: 0I4$8I4$8I4$I4$I4
API String ID: 0-3098781491
Opcode ID: 2f97b2b7c93dd0cb3274ef26a87fe78da04759d16f26c1142fbcf59b89dd9e5d
Instruction ID: ae44446de1ab9684ee893d84c015484adbe059f7a87e2391acdd17fc2f5d0f02
Opcode Fuzzy Hash: 2f97b2b7c93dd0cb3274ef26a87fe78da04759d16f26c1142fbcf59b89dd9e5d
Instruction Fuzzy Hash: 41A11B43B0FAC20BE66666AC2CB61F92FC0EF5327570841F7D6C8874D79C1DA90692C6

Function 00007FFD346B0848 Relevance: 4.2, Strings: 3, Instructions: 470COMMON

Download Yara Rule

Strings

x6<E, xrefs: 00007FFD346B0B4D
x6<E, xrefs: 00007FFD346B0A26
0'K4, xrefs: 00007FFD346B08FF

Memory Dump Source

Source File: 00000000.00000002.3462254996.00007FFD346B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd346b0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: 0'K4$x6<E$x6<E
API String ID: 0-3698508719
Opcode ID: 18c4d3cc1f5c284ba365ecdf8a83eed17ad2ade4802133312d74815a868f7c7a
Instruction ID: f11fa3de0b4f83cb9e99fb43ba2cfebb37738b041ba8b0a93340d554648af23c
Opcode Fuzzy Hash: 18c4d3cc1f5c284ba365ecdf8a83eed17ad2ade4802133312d74815a868f7c7a
Instruction Fuzzy Hash: D8E12521B0CE8A4FE765AB2888A56B57BD1EF56310F1442BED18EC71D3DD5CAC428781

Function 00007FFD345F1CE0 Relevance: 4.1, Strings: 3, Instructions: 331COMMON

Download Yara Rule

Strings

'%_I, xrefs: 00007FFD345F2004
&%_^, xrefs: 00007FFD345F1E01
%%_^, xrefs: 00007FFD345F1F01

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: %%_^$&%_^$'%_I
API String ID: 0-3000582724
Opcode ID: c2f29a2fde53522e69f5b18efc002ab0966e00a1c65bce0f59273fd837f27ed6
Instruction ID: 9cf74577fc5af3c0369498e5eac53ea080a72404466cc4c18de52ebfa71f799e
Opcode Fuzzy Hash: c2f29a2fde53522e69f5b18efc002ab0966e00a1c65bce0f59273fd837f27ed6
Instruction Fuzzy Hash: D9B17CA3E0E1924AE211B7E8B8BB1E63B949F0633870D4177D5ACDF8C3ED0D65419686

Function 00007FFD345F1CCF Relevance: 4.1, Strings: 3, Instructions: 330COMMON

Download Yara Rule

Strings

'%_I, xrefs: 00007FFD345F2004
&%_^, xrefs: 00007FFD345F1E01
%%_^, xrefs: 00007FFD345F1F01

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: %%_^$&%_^$'%_I
API String ID: 0-3000582724
Opcode ID: 1a8d20890431447bbdb6aaa3a78651a0b238c2b3756ce62459f211205b3225d7
Instruction ID: 10429be0bdbd5251b416e3f71a13227451796898ebc5d70aef37aff12ba0fb57
Opcode Fuzzy Hash: 1a8d20890431447bbdb6aaa3a78651a0b238c2b3756ce62459f211205b3225d7
Instruction Fuzzy Hash: 34B16AA3E0D5924AE211B7E8B8BB1E63B94DF0632870C4177D5BCCF8C3ED0D65419286

Function 00007FFD345F11F2 Relevance: 1.6, Strings: 1, Instructions: 363COMMON

Download Yara Rule

Strings

2%_^, xrefs: 00007FFD345F1201

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: 2%_^
API String ID: 0-4094711381
Opcode ID: ddaac76cf3f7f726fe5592195cc67e4c91756d9b17ce7b38ebbcd939eb513a16
Instruction ID: a35c30d8dab0eae48915f496cde23f363840ebc35ffec45ae59007feaea4aaa1
Opcode Fuzzy Hash: ddaac76cf3f7f726fe5592195cc67e4c91756d9b17ce7b38ebbcd939eb513a16
Instruction Fuzzy Hash: 04C1C757D0E5D24AE62277F8B8BB0E73B549F0722C70E4672D1DC9E893DD0E26439285

Function 00007FFD345F07F2 Relevance: 1.6, Strings: 1, Instructions: 361COMMON

Download Yara Rule

Strings

:%_^, xrefs: 00007FFD345F0A01

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: :%_^
API String ID: 0-832863930
Opcode ID: 4f8d487df96f6c497f7f334d26c1fd848235866be6a0b03f6fc162e1a55a92b7
Instruction ID: 5718002ddf64334f56c537908097d86dcb2e247ac749e3dc1d43b0e840cf9b4d
Opcode Fuzzy Hash: 4f8d487df96f6c497f7f334d26c1fd848235866be6a0b03f6fc162e1a55a92b7
Instruction Fuzzy Hash: 89B1A917E0E5A24AE62173FC78BA1EB3B58CF0633DB0D4172D1DC5E8839D0D26835199

Function 00007FFD34600EFA Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

5$_^, xrefs: 00007FFD34600F01

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: 5$_^
API String ID: 0-1745159387
Opcode ID: 439b973a450447965e65c2669c11c77399165091b33b66de0fd0bd69970fefd9
Instruction ID: ec8268b0719aeeafaca006f466ca61a2da0d939027eb17083d980c1634fbdea5
Opcode Fuzzy Hash: 439b973a450447965e65c2669c11c77399165091b33b66de0fd0bd69970fefd9
Instruction Fuzzy Hash: 69513B67E0E1614BE620BBACB4AB0E637D4DF0A338B095173D1CCAF453DC09248A9289

Function 00007FFD34373CAD Relevance: .5, Instructions: 541COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3458183389.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d86b5804fe195123228e275cdfcfa3cff621aa3a7cce130e9babeb1f4c516735
Instruction ID: 33440043a4655f1080012e751596761b2621ab20b73e3c1e96e173c676c1c46e
Opcode Fuzzy Hash: d86b5804fe195123228e275cdfcfa3cff621aa3a7cce130e9babeb1f4c516735
Instruction Fuzzy Hash: CEE13C53B0EAC60BE725662C6CA51B57FD1EF93364B0842FBD1C8C71D7DD2DA8069242

Function 00007FFD345F10D1 Relevance: .4, Instructions: 443COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b60fa5d2dcb7242b62e90b746882b042129cf8d26f4a51f65a47b714f330041b
Instruction ID: 9b8da90bb2802e90617a38b937111e5c52171c7842ac165b4f8701967d8d1a18
Opcode Fuzzy Hash: b60fa5d2dcb7242b62e90b746882b042129cf8d26f4a51f65a47b714f330041b
Instruction Fuzzy Hash: 3AE1E857E0E1A24AE62177F8B8BB0EB3B54DF0722CB0E4672D1DC9F893AD0D26435185

Function 00007FFD343753D0 Relevance: .4, Instructions: 387COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3458183389.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac586e73f44573c69a57e75a3a0547f65214f583edd6cf5197a237e805633f91
Instruction ID: 5ebd8f25290d384246fdd05d096f7e7a674b6bbe7deec7de6d29a20b77c4b82b
Opcode Fuzzy Hash: ac586e73f44573c69a57e75a3a0547f65214f583edd6cf5197a237e805633f91
Instruction Fuzzy Hash: 15B1B517B0E6A20BE221B7FCB8FA1FA3B94DF4327A70941B3C1C8CA453ED1A554642D5

Function 00007FFD34600E0F Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30f7a0e282e0a4a76a47f818ca53bc054e1168fd65e7fb5805341dda86698cae
Instruction ID: 254e3305370f623889434b17c24a120dd7d20d726f46cd921418cb0d199cba96
Opcode Fuzzy Hash: 30f7a0e282e0a4a76a47f818ca53bc054e1168fd65e7fb5805341dda86698cae
Instruction Fuzzy Hash: DB912A57E0E1614AE6217BFCB4AA0E63B94CF0A33870E5177D1CCAF493DC0D358A9289

Function 00007FFD34600E50 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1d9fffd0aa707cabdc7297b05bd7dce9d45d866be50e55d66b8d25117dda1e5
Instruction ID: 6209cea80ad2fde5c61ad78c7f45884af85d26c27498f5b9f75b7acdcb925559
Opcode Fuzzy Hash: e1d9fffd0aa707cabdc7297b05bd7dce9d45d866be50e55d66b8d25117dda1e5
Instruction Fuzzy Hash: 5C71E957E0E1654AE621B7FC78AA0EA3B94CF0A33C70A5577D1CC6F463DC0D258A9289

Function 00007FFD34600EB8 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24c334c39f84beef21b24401b3e06002ec627898a3dc1734f8d79f7d5ff153ab
Instruction ID: e6eaf756260b41e46f192d66fb0f4bd488076e74a2374e78b4d19b3134c924f5
Opcode Fuzzy Hash: 24c334c39f84beef21b24401b3e06002ec627898a3dc1734f8d79f7d5ff153ab
Instruction Fuzzy Hash: 53510B67E0E1614AE6217BFC74AB0EA3794DF0A338B095173D1CCAF453DC0D248A9289

Function 00007FFD345FB3C1 Relevance: 6.5, Strings: 5, Instructions: 284COMMON

Download Yara Rule

Strings

HA&4, xrefs: 00007FFD345FB510
HA&4, xrefs: 00007FFD345FB436
HA&4, xrefs: 00007FFD345FB470
HA&4, xrefs: 00007FFD345FB5E9
HA&4, xrefs: 00007FFD345FB5C1

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: HA&4$HA&4$HA&4$HA&4$HA&4
API String ID: 0-1739086034
Opcode ID: c55b368f21184dbfbadab58dcdf3b81c2d6e6231ba9c8cfa8bd673784dbb68f0
Instruction ID: 3f4f0dc50b1721b8db69212f57a7ebb5e132525426bb58fad55db552779f77ca
Opcode Fuzzy Hash: c55b368f21184dbfbadab58dcdf3b81c2d6e6231ba9c8cfa8bd673784dbb68f0
Instruction Fuzzy Hash: BB818873F0DA868FE792973884A91B07BE1FF9A210B0841BAC14DC7593ED1DAC438781

Function 00007FFD345F9A18 Relevance: 6.3, Strings: 5, Instructions: 3COMMON

Download Yara Rule

Strings

P9<E, xrefs: 00007FFD345F9CC5
@9<E, xrefs: 00007FFD345F9BE4
hqnE, xrefs: 00007FFD345F9AD8
H9<E, xrefs: 00007FFD345F9C0C
89<E, xrefs: 00007FFD345F9B41

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: 89<E$@9<E$H9<E$P9<E$hqnE
API String ID: 0-96957171
Opcode ID: d13d284b9d5e983f3904a8a7781c6bc5f2640d9b04697e6c082b0ed21cecb1c7
Instruction ID: 3c5b01e577d906071b4f8df06674fc0a36471053c2363c063e8cdbedbf53264c
Opcode Fuzzy Hash: d13d284b9d5e983f3904a8a7781c6bc5f2640d9b04697e6c082b0ed21cecb1c7
Instruction Fuzzy Hash:

Function 00007FFD3460C419 Relevance: 5.3, Strings: 4, Instructions: 338COMMON

Download Yara Rule

Strings

HA&4, xrefs: 00007FFD3460C485
^._L, xrefs: 00007FFD3460C5D0
hqnE, xrefs: 00007FFD3460C547
(`E4, xrefs: 00007FFD3460C65E

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: (`E4$HA&4$^._L$hqnE
API String ID: 0-1043327802
Opcode ID: d17c2d81499b858e237bade081202439b632a7768eae6e0bcb5801bbe1908b04
Instruction ID: 73375e5929691e23e9c2418624b07cb593012800b4343e75491e6c8bd580014b
Opcode Fuzzy Hash: d17c2d81499b858e237bade081202439b632a7768eae6e0bcb5801bbe1908b04
Instruction Fuzzy Hash: FDA10B21B1DF894FE769EB6C98A96B577E1EF9B310B0401BAD44DC3293DD2DAC068341

Function 00007FFD345F39D0 Relevance: 5.3, Strings: 4, Instructions: 281COMMON

Download Yara Rule

Strings

HA&4, xrefs: 00007FFD345F3F82
$_L, xrefs: 00007FFD345F3A6E
hqnE, xrefs: 00007FFD345F3A76
7<E, xrefs: 00007FFD345F3AAB

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: 7<E$HA&4$hqnE$$_L
API String ID: 0-109013367
Opcode ID: 159ddc7ca9a774caad91789c2fecf34f41431249e41699c9599e8e9340bdcdfc
Instruction ID: 229fed06e17b941638971bc0a0e92637c439d875a6d0ac3c33cb2ffeeb1c043c
Opcode Fuzzy Hash: 159ddc7ca9a774caad91789c2fecf34f41431249e41699c9599e8e9340bdcdfc
Instruction Fuzzy Hash: 6081E432B189058FEB99EB18D4A567533E1FFAA300B14807DE44EC76A2DE39EC42C741

Function 00007FFD345FB543 Relevance: 5.1, Strings: 4, Instructions: 141COMMON

Download Yara Rule

Strings

HA&4, xrefs: 00007FFD345FB576
HA&4, xrefs: 00007FFD345FB54E
HA&4, xrefs: 00007FFD345FB5E9
HA&4, xrefs: 00007FFD345FB5C1

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: HA&4$HA&4$HA&4$HA&4
API String ID: 0-346238700
Opcode ID: fd056044c4b53a85ccf21a60d98c1c79a5015a8fb3059b1f350a2c76d9c50583
Instruction ID: cec130f84dc5ecba85b89e8e51c3986da59fde3630f2df442ba6fb924e62f142
Opcode Fuzzy Hash: fd056044c4b53a85ccf21a60d98c1c79a5015a8fb3059b1f350a2c76d9c50583
Instruction Fuzzy Hash: 53412A62B1999A4FEB82E77880A56757BD1FF9A310B0540B5D18EC7293DE2CFC438741

Function 00007FFD346013A5 Relevance: 5.1, Strings: 4, Instructions: 132COMMON

Download Yara Rule

Strings

hem4, xrefs: 00007FFD346013D6
x6<E, xrefs: 00007FFD346013EC
xfm4, xrefs: 00007FFD3460143D
x6<E, xrefs: 00007FFD34601453

Memory Dump Source

Source File: 00000000.00000002.3461402047.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd345f0000_kqeGVKtpy2.jbxd

Similarity

API ID:
String ID: hem4$x6<E$x6<E$xfm4
API String ID: 0-1812433747
Opcode ID: e9a69e23be3d16741e5b3f76e1ea025e8555992260101bc922b5732efd30373a
Instruction ID: 9ae6469caf29d7a70e1b530ee79630cebc6329508f176518a425594252ec8a71
Opcode Fuzzy Hash: e9a69e23be3d16741e5b3f76e1ea025e8555992260101bc922b5732efd30373a
Instruction Fuzzy Hash: BD312562B1EF8A1FD7A5EF3844A91F577E1FF5A31074445BAC08AC71A7ED28AC168340

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report kqeGVKtpy2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Quasar

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
kqeGVKtpy2.exe

Function 00007FFD345F9621 Relevance: 13.7, Strings: 10, Instructions: 1223
COMMON

Function 00007FFD3460E399 Relevance: 11.1, Strings: 8, Instructions: 1119
COMMON

Function 00007FFD3437295E Relevance: 10.3, Strings: 8, Instructions: 262
COMMON

Function 00007FFD3460B009 Relevance: 9.6, Strings: 7, Instructions: 888
COMMON

Function 00007FFD345FAA4D Relevance: 8.5, Strings: 6, Instructions: 978
COMMON

Function 00007FFD3460F6FD Relevance: 12.3, Strings: 9, Instructions: 1015
COMMON

Function 00007FFD3460BA79 Relevance: 11.9, Strings: 9, Instructions: 699
COMMON

Function 00007FFD34601B28 Relevance: 11.7, Strings: 9, Instructions: 469
COMMON

Function 00007FFD345FFFA7 Relevance: 8.0, Strings: 6, Instructions: 517
COMMON

Function 00007FFD345F6D81 Relevance: 7.8, Strings: 6, Instructions: 330
COMMON

Function 00007FFD34609F8D Relevance: 6.7, Strings: 5, Instructions: 408
COMMON

Function 00007FFD34609AE9 Relevance: 6.5, Strings: 5, Instructions: 214
COMMON

Function 00007FFD3460A059 Relevance: 6.4, Strings: 5, Instructions: 138
COMMON