Edit tour

Windows Analysis Report
hKvlV6A1Rl.exe

Overview

General Information

Sample name:	hKvlV6A1Rl.exe renamed because original name is a hash value
Original sample name:	edb3d030a4a033bae41057c19437dff31c171573b65afab0acd433cbd0572a17.exe
Analysis ID:	1578205
MD5:	ab0d88d920d75c9de43ccbdd901c8a53
SHA1:	638197f5a23428f1c15a0a5473b6558d263b0a0c
SHA256:	edb3d030a4a033bae41057c19437dff31c171573b65afab0acd433cbd0572a17
Tags:	51-15-17-193exeuser-JAMESWT_MHT
Infos:

Detection

Quasar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Quasar RAT

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Modifies the context of a thread in another process (thread injection)

Sets debug register (to hijack the execution of another thread)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

hKvlV6A1Rl.exe (PID: 7828 cmdline: "C:\Users\user\Desktop\hKvlV6A1Rl.exe" MD5: AB0D88D920D75C9DE43CCBDD901C8A53)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Quasar RAT, QuasarRAT	Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.	APT33 Dropping Elephant Stone Panda The Gorgon Group	http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848 https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf https://asec.ahnlab.com/en/31089/	https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware Configuration

Threatname: Quasar

{"Version": "1.4.1", "Host:Port": "51.15.17.193:4782;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "e318fab0-811e-40a6-b0aa-1e21015956c8", "StartupKey": "Quasar Client Startup", "Tag": "Slimo", "LogDirectoryName": "Logs", "ServerSignature": "VcdWXYvy8iyLGpEpemlpsJsFzopYmofL4QNr2feHUJsPL+ngY0C7JQYOq6aYbsAjgmj6IbwZJc1XmizrExnUy+PRbyzdhXn/sVtf0c5aKxd3dt4CKIH8RwhZ+1d8A1yWVaLG3EX77fUG0rpKK62u23rxy2xVXAHtbGpSKxFeRpC7f7sJTZn4Z0Y35tuiIHc4Rm0XPJsGN2gsJlMXuO03yXOGigqpHZKEtj94duYKUJkBGDRcs409u8AbVq5yFO/Z3naE7DUixrawBYsuYNTfV/JKK+8Z6Doi2G4pd/3xdzRGgvcHbvQUlJMvzwA3mfl5ftjQQEBZoznaWANAU/Ma/rkNbcz/Py1HRGprVPjyItNiGGVo8QW6x7kuMhGzKdB2rCq52h/1qHhjHwU1KvTzJy+dDY+t6YAg20GxbhxcZhrwrUECPcommE0TilwcEFKll2uVp5tNn4e75makywwAQv1QKo21YjGls2gLrh6M1FKr7l479IoJkbcZjeRZ8uh3yjyMEf5NJq0oSEuRI3ZPWuczPdKhg3+6KKWtTF5mkUd/2nycS0oUTFjgU+5XNTjvuz4MzJUikklL47VJzJ1Q9JWiNE/2Ple/eqh6VyQfE96cH433HJ2CJH+gAlQwaGWiJ7e0/NQuP5Cn3ocYaux65TLOpt3EyVjnOHH0ZKET/5w=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAMaTO8NkDssYwyYqpLth2zANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MTExMTAzMTk0NVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAjmhEECGx9fJQPcO/tgA+f+kThLAwzf77GITj6MUf+ipJ2FxfDkt1dClWH7x3waX33aitCeYrNHoVpriW1JVNqnzcZZOEu8fmtpxlXlSdBCdVxLNRp6CiJfafCuIfizorZpkBdERawzGdVD5Fmx6p7DSeAm6WV/V6vZROp0FCVmJ5IbSNIu0PHTjRVh0rcT3pt0+tlT/KceZhk5XM2ds5MqCKGpBYXTvWrWzkk8Alby/3M0QFvctC7YytuDOywU+Qj5bAFB7IAlIeJAGlWGoWb3pLL05N2SbfRYdJcucFpq72+MgmneoTxwovJwiUxvRQGUNBjpxZcUA4d+pHtGRvNAU95RxfirGTaWujfHX9um4mNBhYbMb/NRGC737GQV48ksMSEtcR4C9U1GGh/3Czr7S/GIew19pHtdHsnN5P+rn2wbVPlUgzwgcAeHFbVlD+Lguszs0AdHGwv9ZdkHPwBzmOx9YvDEYfEZM9AJk/hWuk85FXZTKMcDSG1ytHbAyGgjLOr8B1z36u3B1kRt+92uHqd06QjFu/ipVIitmGogem5nwTVthP7zLvbjFiv6omskGBu/55ByQicH5MCkDisJKU2ahOFOypbR5hxdodGS13+pQGFqg8cTe0gsnzfrwXKiQu1aYC394MW+z29OO5KK9NSN4bJ3zn4W7Sh5TbbHsCAwEAAaMyMDAwHQYDVR0OBBYEFB73KQ9dKRRykGrTP/ro/ucILFuYMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBACp7CqafH2O5tj6gVDE7FAhoQrPyBNMiQXpXZihG9DIoTHJgiDPuRhdSrVyPKldZ7EsSa52sse6QzmYrRnMOQmUZWP7Cu6QLtYc4IUcGRZWDaY2uVDsnXwyXIkxUHDGeeQG+f5/iBiKTMqy+6O0cIRqebMtTqvmob5yQggXp5CVXTbq+pb0DmcLsMbZbrWNviVC7QBXpwHyH24H7iv2aEEAAQorIg35v75Oen7nvFPGcKiaEjvTKvoce2j2OceW20QAaQlSBeSaOIsAyw1q1e6uIoC6PjDb0URbXV6LAJz5RjfinSiQuo0nLzRLRiecEOiBBhtXsMXBIs/jxGqMKT14QbXMVLX9STaDho5i0LAkypnYNjFznc40Ot/Xqx5pS9B/jBppVVNKjv//AdTbKa9WNUPTQZg91IAnXAE6FTSGwUSzGhmrf4WJfHLt0uITn/fOrZfL/enju+jnX3TKRU8N4BNakHcAv2XJh0qmDnmKBAHrq5rCNsSO6Bsl411FYxb3enXQAd6SNy+G/kx1Up4+jAg67bTZDlq38opVU0k0ZAxmLWHUHI1QbcnAhah0g40fW5UY9kijuWbxVea8K+arIRk4hBLqFLNkwoa5eEKg7+ErtUJeqR1Q8YJhCzqz8zQ5Rf0EdE40W9H4zsxgQUFmqAE/klrdI06pJLB3bjvwa"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.2578044246.0000017E38F22000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000001.00000002.2578044246.0000017E38D51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000001.00000002.2582807874.0000017E516BC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000001.00000002.2580358962.0000017E48D51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000001.00000002.2586091584.0000017E51BE0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000001.00000002.2586091584.0000017E51BE0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000001.00000002.2586091584.0000017E51BE0000.00000004.08000000.00040000.00000000.sdmp	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28eed8:$x1: Quasar.Common.Messages 0x29f201:$x1: Quasar.Common.Messages 0x2ab83a:$x4: Uninstalling... good bye :-( 0x2ad02f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
00000001.00000002.2586091584.0000017E51BE0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadec:$f1: FileZilla\recentservers.xml 0x2aae2c:$f2: FileZilla\sitemanager.xml 0x2aae6e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0ba:$b1: Chrome\User Data\ 0x2ab110:$b1: Chrome\User Data\ 0x2ab3e8:$b2: Mozilla\Firefox\Profiles 0x2ab4e4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd468:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab63c:$b4: Opera Software\Opera Stable\Login Data 0x2ab6f6:$b5: YandexBrowser\User Data\ 0x2ab764:$b5: YandexBrowser\User Data\ 0x2ab438:$s4: logins.json 0x2ab16e:$a1: username_value 0x2ab18c:$a2: password_value 0x2ab478:$a3: encryptedUsername 0x2fd3ac:$a3: encryptedUsername 0x2ab49c:$a4: encryptedPassword 0x2fd3ca:$a4: encryptedPassword 0x2fd348:$a5: httpRealm
00000001.00000002.2586091584.0000017E51BE0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab924:$s3: Process already elevated. 0x28ebd7:$s4: get_PotentiallyVulnerablePasswords 0x278c93:$s5: GetKeyloggerLogsDirectory 0x29e960:$s5: GetKeyloggerLogsDirectory 0x28ebfa:$s6: set_PotentiallyVulnerablePasswords 0x2fea96:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
Process Memory Space: hKvlV6A1Rl.exe PID: 7828	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.hKvlV6A1Rl.exe.17e51be0000.1.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
1.2.hKvlV6A1Rl.exe.17e51be0000.1.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28d0d8:$x1: Quasar.Common.Messages 0x29d401:$x1: Quasar.Common.Messages 0x2a9a3a:$x4: Uninstalling... good bye :-( 0x2ab22f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
1.2.hKvlV6A1Rl.exe.17e51be0000.1.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a8fec:$f1: FileZilla\recentservers.xml 0x2a902c:$f2: FileZilla\sitemanager.xml 0x2a906e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a92ba:$b1: Chrome\User Data\ 0x2a9310:$b1: Chrome\User Data\ 0x2a95e8:$b2: Mozilla\Firefox\Profiles 0x2a96e4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fb668:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a983c:$b4: Opera Software\Opera Stable\Login Data 0x2a98f6:$b5: YandexBrowser\User Data\ 0x2a9964:$b5: YandexBrowser\User Data\ 0x2a9638:$s4: logins.json 0x2a936e:$a1: username_value 0x2a938c:$a2: password_value 0x2a9678:$a3: encryptedUsername 0x2fb5ac:$a3: encryptedUsername 0x2a969c:$a4: encryptedPassword 0x2fb5ca:$a4: encryptedPassword 0x2fb548:$a5: httpRealm
1.2.hKvlV6A1Rl.exe.17e51be0000.1.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a9b24:$s3: Process already elevated. 0x28cdd7:$s4: get_PotentiallyVulnerablePasswords 0x276e93:$s5: GetKeyloggerLogsDirectory 0x29cb60:$s5: GetKeyloggerLogsDirectory 0x28cdfa:$s6: set_PotentiallyVulnerablePasswords 0x2fcc96:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
1.2.hKvlV6A1Rl.exe.17e51be0000.1.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
1.2.hKvlV6A1Rl.exe.17e51be0000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.hKvlV6A1Rl.exe.17e51be0000.1.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28eed8:$x1: Quasar.Common.Messages 0x29f201:$x1: Quasar.Common.Messages 0x2ab83a:$x4: Uninstalling... good bye :-( 0x2ad02f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
1.2.hKvlV6A1Rl.exe.17e51be0000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadec:$f1: FileZilla\recentservers.xml 0x2aae2c:$f2: FileZilla\sitemanager.xml 0x2aae6e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0ba:$b1: Chrome\User Data\ 0x2ab110:$b1: Chrome\User Data\ 0x2ab3e8:$b2: Mozilla\Firefox\Profiles 0x2ab4e4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd468:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab63c:$b4: Opera Software\Opera Stable\Login Data 0x2ab6f6:$b5: YandexBrowser\User Data\ 0x2ab764:$b5: YandexBrowser\User Data\ 0x2ab438:$s4: logins.json 0x2ab16e:$a1: username_value 0x2ab18c:$a2: password_value 0x2ab478:$a3: encryptedUsername 0x2fd3ac:$a3: encryptedUsername 0x2ab49c:$a4: encryptedPassword 0x2fd3ca:$a4: encryptedPassword 0x2fd348:$a5: httpRealm
1.2.hKvlV6A1Rl.exe.17e51be0000.1.raw.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab924:$s3: Process already elevated. 0x28ebd7:$s4: get_PotentiallyVulnerablePasswords 0x278c93:$s5: GetKeyloggerLogsDirectory 0x29e960:$s5: GetKeyloggerLogsDirectory 0x28ebfa:$s6: set_PotentiallyVulnerablePasswords 0x2fea96:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
1.2.hKvlV6A1Rl.exe.17e48d59ac0.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
1.2.hKvlV6A1Rl.exe.17e48d59ac0.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28d0d8:$x1: Quasar.Common.Messages 0x29d401:$x1: Quasar.Common.Messages 0x2a9a3a:$x4: Uninstalling... good bye :-( 0x2ab22f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
1.2.hKvlV6A1Rl.exe.17e48d59ac0.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a8fec:$f1: FileZilla\recentservers.xml 0x2a902c:$f2: FileZilla\sitemanager.xml 0x2a906e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a92ba:$b1: Chrome\User Data\ 0x2a9310:$b1: Chrome\User Data\ 0x2a95e8:$b2: Mozilla\Firefox\Profiles 0x2a96e4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fb668:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a983c:$b4: Opera Software\Opera Stable\Login Data 0x2a98f6:$b5: YandexBrowser\User Data\ 0x2a9964:$b5: YandexBrowser\User Data\ 0x2a9638:$s4: logins.json 0x2a936e:$a1: username_value 0x2a938c:$a2: password_value 0x2a9678:$a3: encryptedUsername 0x2fb5ac:$a3: encryptedUsername 0x2a969c:$a4: encryptedPassword 0x2fb5ca:$a4: encryptedPassword 0x2fb548:$a5: httpRealm
1.2.hKvlV6A1Rl.exe.17e48d59ac0.0.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a9b24:$s3: Process already elevated. 0x28cdd7:$s4: get_PotentiallyVulnerablePasswords 0x276e93:$s5: GetKeyloggerLogsDirectory 0x29cb60:$s5: GetKeyloggerLogsDirectory 0x28cdfa:$s6: set_PotentiallyVulnerablePasswords 0x2fcc96:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
1.2.hKvlV6A1Rl.exe.17e48d59ac0.0.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
1.2.hKvlV6A1Rl.exe.17e48d59ac0.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.hKvlV6A1Rl.exe.17e48d59ac0.0.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28eed8:$x1: Quasar.Common.Messages 0x29f201:$x1: Quasar.Common.Messages 0x2ab83a:$x4: Uninstalling... good bye :-( 0x2ad02f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
1.2.hKvlV6A1Rl.exe.17e48d59ac0.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadec:$f1: FileZilla\recentservers.xml 0x2aae2c:$f2: FileZilla\sitemanager.xml 0x2aae6e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0ba:$b1: Chrome\User Data\ 0x2ab110:$b1: Chrome\User Data\ 0x2ab3e8:$b2: Mozilla\Firefox\Profiles 0x2ab4e4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd468:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab63c:$b4: Opera Software\Opera Stable\Login Data 0x2ab6f6:$b5: YandexBrowser\User Data\ 0x2ab764:$b5: YandexBrowser\User Data\ 0x2ab438:$s4: logins.json 0x2ab16e:$a1: username_value 0x2ab18c:$a2: password_value 0x2ab478:$a3: encryptedUsername 0x2fd3ac:$a3: encryptedUsername 0x2ab49c:$a4: encryptedPassword 0x2fd3ca:$a4: encryptedPassword 0x2fd348:$a5: httpRealm
1.2.hKvlV6A1Rl.exe.17e48d59ac0.0.raw.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab924:$s3: Process already elevated. 0x28ebd7:$s4: get_PotentiallyVulnerablePasswords 0x278c93:$s5: GetKeyloggerLogsDirectory 0x29e960:$s5: GetKeyloggerLogsDirectory 0x28ebfa:$s6: set_PotentiallyVulnerablePasswords 0x2fea96:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
Click to see the 13 entries

Suricata Signatures

ET MALWARE Generic AsyncRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-19T12:32:21.934236+0100	2035595	1	Domain Observed Used for C2 Detected	51.15.17.193	4782	192.168.2.7	49704	TCP

ET MALWARE Observed Malicious SSL Cert (Quasar CnC)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-19T12:32:21.934236+0100	2027619	1	Domain Observed Used for C2 Detected	51.15.17.193	4782	192.168.2.7	49704	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 1.2.hKvlV6A1Rl.exe.17e51be0000.1.raw.unpack

Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "51.15.17.193:4782;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "e318fab0-811e-40a6-b0aa-1e21015956c8", "StartupKey": "Quasar Client Startup", "Tag": "Slimo", "LogDirectoryName": "Logs", "ServerSignature": "VcdWXYvy8iyLGpEpemlpsJsFzopYmofL4QNr2feHUJsPL+ngY0C7JQYOq6aYbsAjgmj6IbwZJc1XmizrExnUy+PRbyzdhXn/sVtf0c5aKxd3dt4CKIH8RwhZ+1d8A1yWVaLG3EX77fUG0rpKK62u23rxy2xVXAHtbGpSKxFeRpC7f7sJTZn4Z0Y35tuiIHc4Rm0XPJsGN2gsJlMXuO03yXOGigqpHZKEtj94duYKUJkBGDRcs409u8AbVq5yFO/Z3naE7DUixrawBYsuYNTfV/JKK+8Z6Doi2G4pd/3xdzRGgvcHbvQUlJMvzwA3mfl5ftjQQEBZoznaWANAU/Ma/rkNbcz/Py1HRGprVPjyItNiGGVo8QW6x7kuMhGzKdB2rCq52h/1qHhjHwU1KvTzJy+dDY+t6YAg20GxbhxcZhrwrUECPcommE0TilwcEFKll2uVp5tNn4e75makywwAQv1QKo21YjGls2gLrh6M1FKr7l479IoJkbcZjeRZ8uh3yjyMEf5NJq0oSEuRI3ZPWuczPdKhg3+6KKWtTF5mkUd/2nycS0oUTFjgU+5XNTjvuz4MzJUikklL47VJzJ1Q9JWiNE/2Ple/eqh6VyQfE96cH433HJ2CJH+gAlQwaGWiJ7e0/NQuP5Cn3ocYaux65TLOpt3EyVjnOHH0ZKET/5w=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAMaTO8NkDssYwyYqpLth2zANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MTExMTAzMTk0NVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAjmhEECGx9fJQPcO/tgA+f+kThLAwzf77GITj6MUf+ipJ2FxfDkt1dClWH7x3waX33aitCeYrNHoVpriW1JVNqnzcZZOEu8fmtpxlXlSdBCdVxLNRp6CiJfafCuIfizorZpkBdERawzGdVD5Fmx6p7DSeAm6WV/V6vZROp0FCVmJ5IbSNIu0PHTjRVh0rcT3pt0+tlT/KceZhk5XM2ds5MqCKGpBYXTvWrWzkk8Alby/3M0QFvctC7YytuDOywU+Qj5bAFB7IAlIeJAGlWGoWb3pLL05N2SbfRYdJcucFpq72+MgmneoTxwovJwiUxvRQGUNBjpxZcUA4d+pHtGRvNAU95RxfirGTaWujfHX9um4mNBhYbMb/NRGC737GQV48ksMSEtcR4C9U1GGh/3Czr7S/GIew19pHtdHsnN5P+rn2wbVPlUgzwgcAeHFbVlD+Lguszs0AdHGwv9ZdkHPwBzmOx9YvDEYfEZM9AJk/hWuk85FXZTKMcDSG1ytHbAyGgjLOr8B1z36u3B1kRt+92uHqd06QjFu/ipVIitmGogem5nwTVthP7zLvbjFiv6omskGBu/55ByQicH5MCkDisJKU2ahOFOypbR5hxdodGS13+pQGFqg8cTe0gsnzfrwXKiQu1aYC394MW+z29OO5KK9NSN4bJ3zn4W7Sh5TbbHsCAwEAAaMyMDAwHQYDVR0OBBYEFB73KQ9dKRRykGrTP/ro/ucILFuYMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBACp7CqafH2O5tj6gVDE7FAhoQrPyBNMiQXpXZihG9DIoTHJgiDPuRhdSrVyPKldZ7EsSa52sse6QzmYrRnMOQmUZWP7Cu6QLtYc4IUcGRZWDaY2uVDsnXwyXIkxUHDGeeQG+f5/iBiKTMqy+6O0cIRqebMtTqvmob5yQggXp5CVXTbq+pb0DmcLsMbZbrWNviVC7QBXpwHyH24H7iv2aEEAAQorIg35v75Oen7nvFPGcKiaEjvTKvoce2j2OceW20QAaQlSBeSaOIsAyw1q1e6uIoC6PjDb0URbXV6LAJz5RjfinSiQuo0nLzRLRiecEOiBBhtXsMXBIs/jxGqMKT14QbXMVLX9STaDho5i0LAkypnYNjFznc40Ot/Xqx5pS9B/jBppVVNKjv//AdTbKa9WNUPTQZg91IAnXAE6FTSGwUSzGhmrf4WJfHLt0uITn/fOrZfL/enju+jnX3TKRU8N4BNakHcAv2XJh0qmDnmKBAHrq5rCNsSO6Bsl411FYxb3enXQAd6SNy+G/kx1Up4+jAg67bTZDlq38opVU0k0ZAxmLWHUHI1QbcnAhah0g40fW5UY9kijuWbxVea8K+arIRk4hBLqFLNkwoa5eEKg7+ErtUJeqR1Q8YJhCzqz8zQ5Rf0EdE40W9H4zsxgQUFmqAE/klrdI06pJLB3bjvwa"}

Multi AV Scanner detection for submitted file

Source: hKvlV6A1Rl.exe	ReversingLabs: Detection: 55%
Source: hKvlV6A1Rl.exe	Virustotal: Detection: 54%			Perma Link

Yara detected Quasar RAT

Source: Yara match	File source: 1.2.hKvlV6A1Rl.exe.17e51be0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.hKvlV6A1Rl.exe.17e51be0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.hKvlV6A1Rl.exe.17e48d59ac0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.hKvlV6A1Rl.exe.17e48d59ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2578044246.0000017E38F22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2578044246.0000017E38D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2582807874.0000017E516BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2580358962.0000017E48D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2586091584.0000017E51BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hKvlV6A1Rl.exe PID: 7828, type: MEMORYSTR

Source: unknown

HTTPS traffic detected: 108.181.61.49:443 -> 192.168.2.7:49715 version: TLS 1.2

Source: hKvlV6A1Rl.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2027619 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (Quasar CnC) : 51.15.17.193:4782 -> 192.168.2.7:49704
Source: Network traffic	Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 51.15.17.193:4782 -> 192.168.2.7:49704

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 51.15.17.193

Yara detected Generic Downloader

Source: Yara match	File source: 1.2.hKvlV6A1Rl.exe.17e51be0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.hKvlV6A1Rl.exe.17e48d59ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2586091584.0000017E51BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.7:49704 -> 51.15.17.193:4782

Source: Joe Sandbox View	IP Address: 108.181.61.49 108.181.61.49
Source: Joe Sandbox View	IP Address: 51.15.17.193 51.15.17.193

Source: Joe Sandbox View

ASN Name: OnlineSASFR OnlineSASFR

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ipwho.is

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ipwho.is

Source: hKvlV6A1Rl.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: hKvlV6A1Rl.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: hKvlV6A1Rl.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: hKvlV6A1Rl.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA.crt0
Source: hKvlV6A1Rl.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: hKvlV6A1Rl.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: hKvlV6A1Rl.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: hKvlV6A1Rl.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: hKvlV6A1Rl.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: hKvlV6A1Rl.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: hKvlV6A1Rl.exe	String found in binary or memory: http://crl3.digicert.com/EVCodeSigning-g1.crl03
Source: hKvlV6A1Rl.exe	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: hKvlV6A1Rl.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: hKvlV6A1Rl.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: hKvlV6A1Rl.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: hKvlV6A1Rl.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: hKvlV6A1Rl.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: hKvlV6A1Rl.exe	String found in binary or memory: http://crl4.digicert.com/EVCodeSigning-g1.crl0K
Source: hKvlV6A1Rl.exe	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: hKvlV6A1Rl.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: hKvlV6A1Rl.exe, 00000001.00000002.2577358218.0000017E371B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: hKvlV6A1Rl.exe, 00000001.00000002.2582136305.0000017E515D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en89)
Source: hKvlV6A1Rl.exe, 00000001.00000002.2578044246.0000017E38ED4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ipwho.is
Source: hKvlV6A1Rl.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: hKvlV6A1Rl.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: hKvlV6A1Rl.exe	String found in binary or memory: http://ocsp.digicert.com0H
Source: hKvlV6A1Rl.exe	String found in binary or memory: http://ocsp.digicert.com0I
Source: hKvlV6A1Rl.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: hKvlV6A1Rl.exe, 00000001.00000002.2578044246.0000017E38F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: hKvlV6A1Rl.exe, 00000001.00000002.2578044246.0000017E38D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: hKvlV6A1Rl.exe	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: hKvlV6A1Rl.exe, 00000001.00000002.2580358962.0000017E48D51000.00000004.00000800.00020000.00000000.sdmp, hKvlV6A1Rl.exe, 00000001.00000002.2582807874.0000017E516BC000.00000004.00000020.00020000.00000000.sdmp, hKvlV6A1Rl.exe, 00000001.00000002.2586091584.0000017E51BE0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: hKvlV6A1Rl.exe, 00000001.00000002.2578044246.0000017E38EBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipwho.is
Source: hKvlV6A1Rl.exe, 00000001.00000002.2578044246.0000017E38EBA000.00000004.00000800.00020000.00000000.sdmp, hKvlV6A1Rl.exe, 00000001.00000002.2580358962.0000017E48D51000.00000004.00000800.00020000.00000000.sdmp, hKvlV6A1Rl.exe, 00000001.00000002.2582807874.0000017E516BC000.00000004.00000020.00020000.00000000.sdmp, hKvlV6A1Rl.exe, 00000001.00000002.2586091584.0000017E51BE0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://ipwho.is/
Source: hKvlV6A1Rl.exe, 00000001.00000002.2580358962.0000017E48D51000.00000004.00000800.00020000.00000000.sdmp, hKvlV6A1Rl.exe, 00000001.00000002.2582807874.0000017E516BC000.00000004.00000020.00020000.00000000.sdmp, hKvlV6A1Rl.exe, 00000001.00000002.2586091584.0000017E51BE0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: hKvlV6A1Rl.exe, 00000001.00000002.2580358962.0000017E48D51000.00000004.00000800.00020000.00000000.sdmp, hKvlV6A1Rl.exe, 00000001.00000002.2582807874.0000017E516BC000.00000004.00000020.00020000.00000000.sdmp, hKvlV6A1Rl.exe, 00000001.00000002.2586091584.0000017E51BE0000.00000004.08000000.00040000.00000000.sdmp, hKvlV6A1Rl.exe, 00000001.00000002.2578044246.0000017E38D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: hKvlV6A1Rl.exe, 00000001.00000002.2580358962.0000017E48D51000.00000004.00000800.00020000.00000000.sdmp, hKvlV6A1Rl.exe, 00000001.00000002.2582807874.0000017E516BC000.00000004.00000020.00020000.00000000.sdmp, hKvlV6A1Rl.exe, 00000001.00000002.2586091584.0000017E51BE0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot
Source: hKvlV6A1Rl.exe	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715

Source: unknown

HTTPS traffic detected: 108.181.61.49:443 -> 192.168.2.7:49715 version: TLS 1.2

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match	File source: 1.2.hKvlV6A1Rl.exe.17e51be0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.hKvlV6A1Rl.exe.17e51be0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.hKvlV6A1Rl.exe.17e48d59ac0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.hKvlV6A1Rl.exe.17e48d59ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2578044246.0000017E38F22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2578044246.0000017E38D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2582807874.0000017E516BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2580358962.0000017E48D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2586091584.0000017E51BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hKvlV6A1Rl.exe PID: 7828, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.hKvlV6A1Rl.exe.17e51be0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 1.2.hKvlV6A1Rl.exe.17e51be0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 1.2.hKvlV6A1Rl.exe.17e51be0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 1.2.hKvlV6A1Rl.exe.17e51be0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 1.2.hKvlV6A1Rl.exe.17e51be0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 1.2.hKvlV6A1Rl.exe.17e51be0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 1.2.hKvlV6A1Rl.exe.17e48d59ac0.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 1.2.hKvlV6A1Rl.exe.17e48d59ac0.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 1.2.hKvlV6A1Rl.exe.17e48d59ac0.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 1.2.hKvlV6A1Rl.exe.17e48d59ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 1.2.hKvlV6A1Rl.exe.17e48d59ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 1.2.hKvlV6A1Rl.exe.17e48d59ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 00000001.00000002.2586091584.0000017E51BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 00000001.00000002.2586091584.0000017E51BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000001.00000002.2586091584.0000017E51BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Quasar infostealer Author: ditekshen

Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Code function: 1_2_00007FFAAC30295E	1_2_00007FFAAC30295E
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Code function: 1_2_00007FFAAC589621	1_2_00007FFAAC589621
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Code function: 1_2_00007FFAAC584E56	1_2_00007FFAAC584E56
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Code function: 1_2_00007FFAAC59F6F0	1_2_00007FFAAC59F6F0
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Code function: 1_2_00007FFAAC59B009	1_2_00007FFAAC59B009
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Code function: 1_2_00007FFAAC5980E2	1_2_00007FFAAC5980E2
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Code function: 1_2_00007FFAAC59B9F7	1_2_00007FFAAC59B9F7
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Code function: 1_2_00007FFAAC59C295	1_2_00007FFAAC59C295
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Code function: 1_2_00007FFAAC58AA4D	1_2_00007FFAAC58AA4D
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Code function: 1_2_00007FFAAC597336	1_2_00007FFAAC597336
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Code function: 1_2_00007FFAAC59E399	1_2_00007FFAAC59E399
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Code function: 1_2_00007FFAAC588C79	1_2_00007FFAAC588C79
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Code function: 1_2_00007FFAAC590E0F	1_2_00007FFAAC590E0F
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Code function: 1_2_00007FFAAC590EFA	1_2_00007FFAAC590EFA
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Code function: 1_2_00007FFAAC5810D1	1_2_00007FFAAC5810D1
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Code function: 1_2_00007FFAAC585B24	1_2_00007FFAAC585B24
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Code function: 1_2_00007FFAAC64214D	1_2_00007FFAAC64214D

Source: hKvlV6A1Rl.exe

Static PE information: invalid certificate

Source: hKvlV6A1Rl.exe, 00000001.00000002.2580358962.0000017E48D51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs hKvlV6A1Rl.exe
Source: hKvlV6A1Rl.exe, 00000001.00000002.2582807874.0000017E516BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs hKvlV6A1Rl.exe
Source: hKvlV6A1Rl.exe, 00000001.00000002.2586091584.0000017E51BE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs hKvlV6A1Rl.exe
Source: hKvlV6A1Rl.exe, 00000001.00000000.1318561254.00007FF6DAD27000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameRegAsm.exeT4 vs hKvlV6A1Rl.exe
Source: hKvlV6A1Rl.exe	Binary or memory string: OriginalFilenameRegAsm.exeT4 vs hKvlV6A1Rl.exe

Source: 1.2.hKvlV6A1Rl.exe.17e51be0000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 1.2.hKvlV6A1Rl.exe.17e51be0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 1.2.hKvlV6A1Rl.exe.17e51be0000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 1.2.hKvlV6A1Rl.exe.17e51be0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 1.2.hKvlV6A1Rl.exe.17e51be0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 1.2.hKvlV6A1Rl.exe.17e51be0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 1.2.hKvlV6A1Rl.exe.17e48d59ac0.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 1.2.hKvlV6A1Rl.exe.17e48d59ac0.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 1.2.hKvlV6A1Rl.exe.17e48d59ac0.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 1.2.hKvlV6A1Rl.exe.17e48d59ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 1.2.hKvlV6A1Rl.exe.17e48d59ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 1.2.hKvlV6A1Rl.exe.17e48d59ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 00000001.00000002.2586091584.0000017E51BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 00000001.00000002.2586091584.0000017E51BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000001.00000002.2586091584.0000017E51BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@1/2

Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Mutant created: \Sessions\1\BaseNamedObjects\CTX_bhIJfsdqLbmaqp
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\e318fab0-811e-40a6-b0aa-1e21015956c8

Source: hKvlV6A1Rl.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: hKvlV6A1Rl.exe	ReversingLabs: Detection: 55%
Source: hKvlV6A1Rl.exe	Virustotal: Detection: 54%

Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Section loaded: wbemcomn.dll	Jump to behavior

Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: hKvlV6A1Rl.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: hKvlV6A1Rl.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: hKvlV6A1Rl.exe

Static file information: File size 8588640 > 1048576

Source: hKvlV6A1Rl.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x4b1a00
Source: hKvlV6A1Rl.exe	Static PE information: Raw size of .data is bigger than: 0x100000 < 0x31e200

Source: hKvlV6A1Rl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: hKvlV6A1Rl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: hKvlV6A1Rl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: hKvlV6A1Rl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: hKvlV6A1Rl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: hKvlV6A1Rl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: hKvlV6A1Rl.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: hKvlV6A1Rl.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: hKvlV6A1Rl.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: hKvlV6A1Rl.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: hKvlV6A1Rl.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: hKvlV6A1Rl.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: hKvlV6A1Rl.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: hKvlV6A1Rl.exe

Static PE information: real checksum: 0x8386fe should be: 0x838d27

Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Code function: 1_2_00007FFAAC1ED2A5 pushad ; iretd		1_2_00007FFAAC1ED2A6
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Code function: 1_2_00007FFAAC5A2DFA push esp; iretd		1_2_00007FFAAC5A2DFB

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe

File opened: C:\Users\user\Desktop\hKvlV6A1Rl.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Memory allocated: 17E38B50000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Memory allocated: 17E50D50000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Window / User API: threadDelayed 946	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Window / User API: threadDelayed 476	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Window / User API: threadDelayed 617	Jump to behavior

Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe

File Volume queried: C:\Users\user\Desktop FullSizeInformation

Jump to behavior

Source: hKvlV6A1Rl.exe, 00000001.00000002.2582136305.0000017E51605000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe

Thread register set: target process: unknown

Jump to behavior

Sets debug register (to hijack the execution of another thread)

Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe

Thread register set: unknown 1

Jump to behavior

Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\hKvlV6A1Rl.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Quasar RAT

Source: Yara match	File source: 1.2.hKvlV6A1Rl.exe.17e51be0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.hKvlV6A1Rl.exe.17e51be0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.hKvlV6A1Rl.exe.17e48d59ac0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.hKvlV6A1Rl.exe.17e48d59ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2578044246.0000017E38F22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2578044246.0000017E38D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2582807874.0000017E516BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2580358962.0000017E48D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2586091584.0000017E51BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hKvlV6A1Rl.exe PID: 7828, type: MEMORYSTR

Remote Access Functionality

Yara detected Quasar RAT

Source: Yara match	File source: 1.2.hKvlV6A1Rl.exe.17e51be0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.hKvlV6A1Rl.exe.17e51be0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.hKvlV6A1Rl.exe.17e48d59ac0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.hKvlV6A1Rl.exe.17e48d59ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2578044246.0000017E38F22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2578044246.0000017E38D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2582807874.0000017E516BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2580358962.0000017E48D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2586091584.0000017E51BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hKvlV6A1Rl.exe PID: 7828, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Windows Management Instrumentation	1 DLL Side-Loading	2 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Hidden Files and Directories	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	24 System Information Discovery	SSH	Keylogging	113 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
hKvlV6A1Rl.exe	55%	ReversingLabs	Win64.Trojan.CrypterX
hKvlV6A1Rl.exe	54%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
51.15.17.193	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipwho.is	108.181.61.49	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ipwho.is/	false		high
51.15.17.193	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://api.ipify.org/	hKvlV6A1Rl.exe, 00000001.00000002.2580358962.0000017E48D51000.00000004.00000800.00020000.00000000.sdmp, hKvlV6A1Rl.exe, 00000001.00000002.2582807874.0000017E516BC000.00000004.00000020.00020000.00000000.sdmp, hKvlV6A1Rl.exe, 00000001.00000002.2586091584.0000017E51BE0000.00000004.08000000.00040000.00000000.sdmp	false	high
https://stackoverflow.com/q/14436606/23354	hKvlV6A1Rl.exe, 00000001.00000002.2580358962.0000017E48D51000.00000004.00000800.00020000.00000000.sdmp, hKvlV6A1Rl.exe, 00000001.00000002.2582807874.0000017E516BC000.00000004.00000020.00020000.00000000.sdmp, hKvlV6A1Rl.exe, 00000001.00000002.2586091584.0000017E51BE0000.00000004.08000000.00040000.00000000.sdmp, hKvlV6A1Rl.exe, 00000001.00000002.2578044246.0000017E38D91000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/2152978/23354sCannot	hKvlV6A1Rl.exe, 00000001.00000002.2580358962.0000017E48D51000.00000004.00000800.00020000.00000000.sdmp, hKvlV6A1Rl.exe, 00000001.00000002.2582807874.0000017E516BC000.00000004.00000020.00020000.00000000.sdmp, hKvlV6A1Rl.exe, 00000001.00000002.2586091584.0000017E51BE0000.00000004.08000000.00040000.00000000.sdmp	false	high
http://schemas.datacontract.org/2004/07/	hKvlV6A1Rl.exe, 00000001.00000002.2578044246.0000017E38F22000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	hKvlV6A1Rl.exe, 00000001.00000002.2578044246.0000017E38D51000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ipwho.is	hKvlV6A1Rl.exe, 00000001.00000002.2578044246.0000017E38ED4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	hKvlV6A1Rl.exe, 00000001.00000002.2580358962.0000017E48D51000.00000004.00000800.00020000.00000000.sdmp, hKvlV6A1Rl.exe, 00000001.00000002.2582807874.0000017E516BC000.00000004.00000020.00020000.00000000.sdmp, hKvlV6A1Rl.exe, 00000001.00000002.2586091584.0000017E51BE0000.00000004.08000000.00040000.00000000.sdmp	false	high
https://ipwho.is	hKvlV6A1Rl.exe, 00000001.00000002.2578044246.0000017E38EBA000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
108.181.61.49	ipwho.is	Canada		852	ASN852CA	false
51.15.17.193	unknown	France		12876	OnlineSASFR	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578205
Start date and time:	2024-12-19 12:31:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	hKvlV6A1Rl.exe renamed because original name is a hash value
Original Sample Name:	edb3d030a4a033bae41057c19437dff31c171573b65afab0acd433cbd0572a17.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 87% Number of executed functions: 174 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 52.149.20.212
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
108.181.61.49	888.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	888.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	Cracker.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
51.15.17.193	kqeGVKtpy2.exe	Get hash	malicious	Quasar	Browse
	LFLtlBAuf7.exe	Get hash	malicious	Quasar	Browse
	O9MV0lNEO5.exe	Get hash	malicious	Quasar	Browse
	RegAsm.exe	Get hash	malicious	Quasar	Browse
	truepepe-qt.exe	Get hash	malicious	Quasar	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipwho.is	kqeGVKtpy2.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	LFLtlBAuf7.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	O9MV0lNEO5.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	RegAsm.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	truepepe-qt.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	alyemenione.lnk	Get hash	malicious	Havoc, Quasar	Browse	108.181.61.49
	jignesh.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	skibidi.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	vanilla.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	888.exe	Get hash	malicious	Luca Stealer	Browse	108.181.61.49

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASN852CA	kqeGVKtpy2.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	LFLtlBAuf7.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	O9MV0lNEO5.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	RegAsm.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	truepepe-qt.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	TT copy.js	Get hash	malicious	FormBook	Browse	108.181.20.35
	alyemenione.lnk	Get hash	malicious	Havoc, Quasar	Browse	108.181.61.49
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	204.191.146.80
	la.bot.mips.elf	Get hash	malicious	Mirai	Browse	161.184.58.16
	la.bot.sh4.elf	Get hash	malicious	Mirai	Browse	199.175.174.49
OnlineSASFR	kqeGVKtpy2.exe	Get hash	malicious	Quasar	Browse	51.15.17.193
	LFLtlBAuf7.exe	Get hash	malicious	Quasar	Browse	51.15.17.193
	O9MV0lNEO5.exe	Get hash	malicious	Quasar	Browse	51.15.17.193
	RegAsm.exe	Get hash	malicious	Quasar	Browse	51.15.17.193
	truepepe-qt.exe	Get hash	malicious	Quasar	Browse	51.15.17.193
	http://bluepeak-group.com/fc	Get hash	malicious	Unknown	Browse	163.172.143.199
	gaozw40v.exe	Get hash	malicious	Xmrig	Browse	163.172.154.142
	twjMb9cX64.exe	Get hash	malicious	Sliver	Browse	51.158.71.131
	WOlxr4yjgF.exe	Get hash	malicious	Sliver	Browse	51.158.71.131
	bot.mips.elf	Get hash	malicious	Mirai	Browse	51.158.232.138

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	kqeGVKtpy2.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	LFLtlBAuf7.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	O9MV0lNEO5.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	RegAsm.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	truepepe-qt.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	FjfZ7uM8zh.lnk	Get hash	malicious	Unknown	Browse	108.181.61.49
	yswmdaREME.lnk	Get hash	malicious	Unknown	Browse	108.181.61.49
	0bNBLjPn56.lnk	Get hash	malicious	Unknown	Browse	108.181.61.49
	t5lpvahkgypd7wy.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	108.181.61.49
	RFQ Letter and Instructions.pdf	Get hash	malicious	Unknown	Browse	108.181.61.49

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.874967026449675
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	hKvlV6A1Rl.exe
File size:	8'588'640 bytes
MD5:	ab0d88d920d75c9de43ccbdd901c8a53
SHA1:	638197f5a23428f1c15a0a5473b6558d263b0a0c
SHA256:	edb3d030a4a033bae41057c19437dff31c171573b65afab0acd433cbd0572a17
SHA512:	25e1f1f5afe0cb1920be2d6a1db59f11b9f34b0bd154d3d553eb0dc44ecbc810463a7e1dcca5a176d7a08f0a34ed3e669a56cd35f9cc5ed796bfa5385f0e15f7
SSDEEP:	98304:L6KJqPxBPsa29RMwzAAFySYrz0Cvt30F0BS9YR4:LHWPsa+RMwzVu0kJ0mBH4
TLSH:	40869C21131D91A0CDEA7531945B1762DA30FF0C913C67A58FF40AA57EFFA6069AE23C
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$...J...J...J...I...J...O.V.J...N...J...I...J...N...J.......J...K...J...K.^.J...O...J...C...J...H...J.Rich..J.........PE..d..

File Icon


Icon Hash:	55497933cc61714d

Static PE Info

General

Entrypoint:	0x1404a1240
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x67563719 [Mon Dec 9 00:17:29 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	b366497cd3cff2367e10ca55cfd84f3a

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert EV Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	12/06/2016 20:00:00 24/01/2019 07:00:00
Subject Chain	CN=Realtek Semiconductor Corp., O=Realtek Semiconductor Corp., L=Hsinchu, S=Taiwan, C=TW, PostalCode=300, STREET="No. 2, Innovation Road II, Hsinchu Science Park", SERIALNUMBER=22671299, OID.1.3.6.1.4.1.311.60.2.1.3=TW, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	7B0CA4029E3A73373CE0BD3DF12A08C1
Thumbprint SHA-1:	37A0BACB152A547382195095AB33601929877364
Thumbprint SHA-256:	B08CF4E204D1BA2BA8642D7709499D61CFF8CF7AA75CCD832A6BA1D7F1B82DF7
Serial:	0320BE3EB866526927F999B97B04346E

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F5FA14371B4h
dec eax
add esp, 28h
jmp 00007F5FA1436977h
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007F5FA1436B12h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007F5FA1436B15h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007F5FA1436B0Dh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007F5FA14364E6h
int3
dec eax
mov dword ptr [esp+10h], ebx
dec eax
mov dword ptr [esp+18h], esi
push ebp
push edi
inc ecx
push esi
dec eax
mov ebp, esp
dec eax
sub esp, 10h
xor eax, eax
xor ecx, ecx
cpuid
inc esp
mov eax, ecx
inc esp
mov edx, edx
inc ecx
xor edx, 49656E69h
inc ecx
xor eax, 6C65746Eh
inc esp
mov ecx, ebx
inc esp
mov esi, eax
xor ecx, ecx

Rich Headers

Programming Language:

[IMP] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5055dc	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x82a000	0x6f58	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x827000	0x1b6c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x82c600	0x4760	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x829000	0x68c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x502d80	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x502c40	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4b3000	0x370	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4b18a0	0x4b1a00	7e13a63bd3a9ea7ad10b369fb01dca02	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x4b3000	0x5313e	0x53200	379751b8665598bb041e23efb360aeec	False	0.527329064849624	OpenPGP Secret Key	7.109781406196381	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x507000	0x31f3b0	0x31e200	ec2c27891a60a9b585e537197ea26680	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x827000	0x1b6c	0x1c00	907f1c68836feb61060889792d126b59	False	0.48758370535714285	data	5.530487452134769	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x829000	0x68c	0x800	e7d6bb9ad0a93103290bf9d11f284c60	False	0.50439453125	data	4.937320036060456	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x82a000	0x6f58	0x7000	60ea4ae7eeec875a73d3695c9e7db208	False	0.3858119419642857	data	6.018534395926453	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x82a328	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 0			0.21341463414634146
RT_ICON	0x82a990	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0			0.34139784946236557
RT_ICON	0x82ac78	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0			0.5202702702702703
RT_ICON	0x82ada0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.47334754797441364
RT_ICON	0x82bc48	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.6101083032490975
RT_ICON	0x82c4f0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.596820809248555
RT_ICON	0x82ca58	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.2932572614107884
RT_ICON	0x82f000	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0			0.4343339587242026
RT_ICON	0x8300a8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0			0.7198581560283688
RT_ICON	0x830510	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640			0.42473118279569894
RT_ICON	0x8307f8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640			0.35618279569892475
RT_GROUP_ICON	0x830ae0	0x84	data			0.6363636363636364
RT_GROUP_ICON	0x830b64	0x14	data			1.25
RT_GROUP_ICON	0x830b78	0x14	data			1.25
RT_VERSION	0x830b8c	0x3cc	data	English	United States	0.4506172839506173

Imports

DLL	Import
USER32.dll	wsprintfW, TranslateMessage, SetTimer, GetMessageW, DispatchMessageW, KillTimer
mscoree.dll	CLRCreateInstance
OLEAUT32.dll	SafeArrayCreateVector, SafeArrayUnlock, SafeArrayLock, SafeArrayCreate
KERNEL32.dll	IsDebuggerPresent, WriteConsoleW, CreateFileW, SetFilePointerEx, GetConsoleMode, GetConsoleOutputCP, FlushFileBuffers, HeapReAlloc, HeapSize, GetProcessHeap, LCMapStringW, CompareStringW, FlsFree, FlsSetValue, FlsGetValue, CreateTimerQueueTimer, GetCurrentProcess, lstrlenW, CreateJobObjectW, DeleteTimerQueueEx, CreateMutexW, GetLocaleInfoW, WaitForSingleObject, GetModuleHandleA, GetACP, CreateEventW, MultiByteToWideChar, GetLastError, LoadLibraryA, QueryPerformanceFrequency, CloseHandle, AddVectoredExceptionHandler, GetThreadContext, GetProcAddress, GlobalMemoryStatusEx, GetModuleHandleW, FreeLibrary, lstrcpyW, GetDiskFreeSpaceExA, GetSystemTime, SetThreadContext, QueryPerformanceCounter, CreateMailslotW, GetTickCount, CreateTimerQueue, LocalFree, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, GetStartupInfoW, FlsAlloc, RtlUnwindEx, RtlPcToFileHeader, RaiseException, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetOEMCP, GetCPInfo, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetFileType, GetStringTypeW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-19T12:32:21.934236+0100	2027619	ET MALWARE Observed Malicious SSL Cert (Quasar CnC)	1	51.15.17.193	4782	192.168.2.7	49704	TCP
2024-12-19T12:32:21.934236+0100	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	1	51.15.17.193	4782	192.168.2.7	49704	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 12:32:20.303896904 CET	49704	4782	192.168.2.7	51.15.17.193
Dec 19, 2024 12:32:20.423623085 CET	4782	49704	51.15.17.193	192.168.2.7
Dec 19, 2024 12:32:20.423702002 CET	49704	4782	192.168.2.7	51.15.17.193
Dec 19, 2024 12:32:20.432924986 CET	49704	4782	192.168.2.7	51.15.17.193
Dec 19, 2024 12:32:20.552355051 CET	4782	49704	51.15.17.193	192.168.2.7
Dec 19, 2024 12:32:21.842036009 CET	4782	49704	51.15.17.193	192.168.2.7
Dec 19, 2024 12:32:21.842051983 CET	4782	49704	51.15.17.193	192.168.2.7
Dec 19, 2024 12:32:21.842139006 CET	49704	4782	192.168.2.7	51.15.17.193
Dec 19, 2024 12:32:21.847883940 CET	49704	4782	192.168.2.7	51.15.17.193
Dec 19, 2024 12:32:21.934236050 CET	4782	49704	51.15.17.193	192.168.2.7
Dec 19, 2024 12:32:21.934340000 CET	49704	4782	192.168.2.7	51.15.17.193
Dec 19, 2024 12:32:21.967355013 CET	4782	49704	51.15.17.193	192.168.2.7
Dec 19, 2024 12:32:22.243216991 CET	4782	49704	51.15.17.193	192.168.2.7
Dec 19, 2024 12:32:22.296504974 CET	49704	4782	192.168.2.7	51.15.17.193
Dec 19, 2024 12:32:22.987901926 CET	49715	443	192.168.2.7	108.181.61.49
Dec 19, 2024 12:32:22.987965107 CET	443	49715	108.181.61.49	192.168.2.7
Dec 19, 2024 12:32:22.988034964 CET	49715	443	192.168.2.7	108.181.61.49
Dec 19, 2024 12:32:22.989556074 CET	49715	443	192.168.2.7	108.181.61.49
Dec 19, 2024 12:32:22.989573956 CET	443	49715	108.181.61.49	192.168.2.7
Dec 19, 2024 12:32:25.392731905 CET	443	49715	108.181.61.49	192.168.2.7
Dec 19, 2024 12:32:25.392805099 CET	49715	443	192.168.2.7	108.181.61.49
Dec 19, 2024 12:32:25.394756079 CET	49715	443	192.168.2.7	108.181.61.49
Dec 19, 2024 12:32:25.394773006 CET	443	49715	108.181.61.49	192.168.2.7
Dec 19, 2024 12:32:25.395020962 CET	443	49715	108.181.61.49	192.168.2.7
Dec 19, 2024 12:32:25.399277925 CET	49715	443	192.168.2.7	108.181.61.49
Dec 19, 2024 12:32:25.439333916 CET	443	49715	108.181.61.49	192.168.2.7
Dec 19, 2024 12:32:26.005304098 CET	443	49715	108.181.61.49	192.168.2.7
Dec 19, 2024 12:32:26.005368948 CET	443	49715	108.181.61.49	192.168.2.7
Dec 19, 2024 12:32:26.005491018 CET	49715	443	192.168.2.7	108.181.61.49
Dec 19, 2024 12:32:26.125240088 CET	49715	443	192.168.2.7	108.181.61.49
Dec 19, 2024 12:32:26.364789963 CET	49704	4782	192.168.2.7	51.15.17.193
Dec 19, 2024 12:32:26.484363079 CET	4782	49704	51.15.17.193	192.168.2.7
Dec 19, 2024 12:32:26.484426975 CET	49704	4782	192.168.2.7	51.15.17.193
Dec 19, 2024 12:32:26.603943110 CET	4782	49704	51.15.17.193	192.168.2.7
Dec 19, 2024 12:32:26.874655962 CET	4782	49704	51.15.17.193	192.168.2.7
Dec 19, 2024 12:32:26.921565056 CET	49704	4782	192.168.2.7	51.15.17.193
Dec 19, 2024 12:32:27.066492081 CET	4782	49704	51.15.17.193	192.168.2.7
Dec 19, 2024 12:32:27.109029055 CET	49704	4782	192.168.2.7	51.15.17.193
Dec 19, 2024 12:32:52.077899933 CET	49704	4782	192.168.2.7	51.15.17.193
Dec 19, 2024 12:32:52.197501898 CET	4782	49704	51.15.17.193	192.168.2.7
Dec 19, 2024 12:33:17.203028917 CET	49704	4782	192.168.2.7	51.15.17.193
Dec 19, 2024 12:33:17.322834969 CET	4782	49704	51.15.17.193	192.168.2.7
Dec 19, 2024 12:33:42.328205109 CET	49704	4782	192.168.2.7	51.15.17.193
Dec 19, 2024 12:33:42.447757959 CET	4782	49704	51.15.17.193	192.168.2.7
Dec 19, 2024 12:34:07.453269005 CET	49704	4782	192.168.2.7	51.15.17.193
Dec 19, 2024 12:34:07.573012114 CET	4782	49704	51.15.17.193	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 12:32:22.840961933 CET	51112	53	192.168.2.7	1.1.1.1
Dec 19, 2024 12:32:22.981759071 CET	53	51112	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 19, 2024 12:32:22.840961933 CET	192.168.2.7	1.1.1.1	0x6d99	Standard query (0)	ipwho.is	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 19, 2024 12:32:22.981759071 CET	1.1.1.1	192.168.2.7	0x6d99	No error (0)	ipwho.is		108.181.61.49	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ipwho.is

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49715	108.181.61.49	443	7828	C:\Users\user\Desktop\hKvlV6A1Rl.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 11:32:25 UTC	150	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0 Host: ipwho.is Connection: Keep-Alive
2024-12-19 11:32:26 UTC	223	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 11:32:25 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close Server: ipwhois Access-Control-Allow-Headers: * X-Robots-Tag: noindex
2024-12-19 11:32:26 UTC	1021	IN	Data Raw: 33 66 31 0d 0a 7b 0a 20 20 20 20 22 41 62 6f 75 74 20 55 73 22 3a 20 22 68 74 74 70 73 3a 5c 2f 5c 2f 69 70 77 68 6f 69 73 2e 69 6f 22 2c 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 74 79 70 65 22 3a 20 22 49 50 76 34 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 20 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 20 22 4e 41 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f Data Ascii: 3f1{ "About Us": "https:\/\/ipwhois.io", "ip": "8.46.123.189", "success": true, "type": "IPv4", "continent": "North America", "continent_code": "NA", "country": "United States", "country_code": "US", "region": "New Yo

Target ID:	1
Start time:	06:32:14
Start date:	19/12/2024
Path:	C:\Users\user\Desktop\hKvlV6A1Rl.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\hKvlV6A1Rl.exe"
Imagebase:	0x7ff6da500000
File size:	8'588'640 bytes
MD5 hash:	AB0D88D920D75C9DE43CCBDD901C8A53
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000001.00000002.2578044246.0000017E38F22000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000001.00000002.2578044246.0000017E38D51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000001.00000002.2582807874.0000017E516BC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000001.00000002.2580358962.0000017E48D51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000001.00000002.2586091584.0000017E51BE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000001.00000002.2586091584.0000017E51BE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: 00000001.00000002.2586091584.0000017E51BE0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000001.00000002.2586091584.0000017E51BE0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: 00000001.00000002.2586091584.0000017E51BE0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekshen
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	6.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFAAC64214D Relevance: 7.7, Strings: 1, Instructions: 6452COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFAAC643759

Memory Dump Source

Source File: 00000001.00000002.2594667646.00007FFAAC640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac640000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 65d1fe40980326add9b178beaf66fc85df12d03d6016169272c80568c2e870ca
Instruction ID: fdc88eeb6c5fa91f5426868866a3a7648d371a2f56aeee7f029eb2c7c6032938
Opcode Fuzzy Hash: 65d1fe40980326add9b178beaf66fc85df12d03d6016169272c80568c2e870ca
Instruction Fuzzy Hash: D2831951B1AE4B8FFBE6D32C465567567D2EF9A600B58A07AD00EC36DAFD18EC0903C1

Function 00007FFAAC59E399 Relevance: 6.1, Strings: 4, Instructions: 1091
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

6, xrefs: 00007FFAAC59E65E
>0_L, xrefs: 00007FFAAC59E5D2
8%_L, xrefs: 00007FFAAC59EC72
=%_L, xrefs: 00007FFAAC59E770

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID: 6$8%_L$=%_L$>0_L
API String ID: 0-1249359813
Opcode ID: fed804126df3c4f9feeaaf7abaf7995bbbc409f07ca11153452633a967c06b33
Instruction ID: 8553e12c7547d437eeb976289168138edeeb1b19ee4640628c34c10257282016
Opcode Fuzzy Hash: fed804126df3c4f9feeaaf7abaf7995bbbc409f07ca11153452633a967c06b33
Instruction Fuzzy Hash: A272C271A18A4A8FEB98DF18C495A7977E1FF99300F1440BDE45EC7292CE39EC468781

Function 00007FFAAC59F6F0 Relevance: 5.1, Strings: 3, Instructions: 1337COMMON

Download Yara Rule

Strings

, xrefs: 00007FFAAC59FDDB
, xrefs: 00007FFAAC59FAD0
@%_H, xrefs: 00007FFAAC59FC60

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID: $ $@%_H
API String ID: 0-1962768461
Opcode ID: ed36d71335d7860c133cc4e14a1f6ec1ddaeb2dc1192c883e6b0bd3551787d0e
Instruction ID: c557ee989fa35b5af06b0c2a9a93b77560b547d908b9d59bdf0d09ac160487d7
Opcode Fuzzy Hash: ed36d71335d7860c133cc4e14a1f6ec1ddaeb2dc1192c883e6b0bd3551787d0e
Instruction Fuzzy Hash: 5992F671A1DA4A8FEBA4DB6CC855A7437D5FF5A300B1441F9E04EC72A2DE1DEC098781

Function 00007FFAAC59B009 Relevance: 4.6, Strings: 3, Instructions: 899
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

b4, xrefs: 00007FFAAC59B175
b4, xrefs: 00007FFAAC59B31A
6, xrefs: 00007FFAAC59B80A

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID: 6$b4$b4
API String ID: 0-1526618767
Opcode ID: e8cf1af21ea61827a858e828105006c5aaf10636e95fa56da7d428ebf0604a85
Instruction ID: 993fdd8c637a7f8847ba8e870781324c428afbce70b0db973c337e6bedccc577
Opcode Fuzzy Hash: e8cf1af21ea61827a858e828105006c5aaf10636e95fa56da7d428ebf0604a85
Instruction Fuzzy Hash: 8852C471A19E4A8FFBA8DB288455A75B7D1FF99300F0446BDE44EC3292DE29F80587C1

Function 00007FFAAC59C295 Relevance: 2.5, Strings: 1, Instructions: 1270COMMON

Download Yara Rule

Strings

^0_L, xrefs: 00007FFAAC59C5D0

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID: ^0_L
API String ID: 0-1823739453
Opcode ID: a0cd4f9d99279928d12808170a5aac69fa3e94c0b93ec9269f0cdf395d92c347
Instruction ID: 1c1b317691bd61c3206af3969dc4ad8b6cba417e8eabfe6abf638955f788363a
Opcode Fuzzy Hash: a0cd4f9d99279928d12808170a5aac69fa3e94c0b93ec9269f0cdf395d92c347
Instruction Fuzzy Hash: 49820661A5EA8A8FF7A5D72884156B47BD1EF57310B0441FAE04EC72A3DE1DBC0A87C1

Function 00007FFAAC589621 Relevance: 2.5, Strings: 1, Instructions: 1247
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

}, xrefs: 00007FFAAC5896C6

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID: }
API String ID: 0-3750035705
Opcode ID: 734fcd4f9f702929ade60c51b22f18b4a2ebe22b9b497463811623a61996af1d
Instruction ID: 60f491e121b9a3d89c9851ece19b2f7bbd2e30eeacd813fb932ca05e716c965f
Opcode Fuzzy Hash: 734fcd4f9f702929ade60c51b22f18b4a2ebe22b9b497463811623a61996af1d
Instruction Fuzzy Hash: DA82FA7161DA4A8FEB98EB2CD455A7577D1FF9A310F0480B9E44EC72A3DE24EC068781

Function 00007FFAAC584E56 Relevance: 2.5, Instructions: 2494COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3df4e47689fa14021262b7da271e0d70a2fffa1069d274f6daee399c243b3e89
Instruction ID: 7951c6ecc9735b73cd81dac9d8078a0d73bbaea346a97363eed1703ea1ab946b
Opcode Fuzzy Hash: 3df4e47689fa14021262b7da271e0d70a2fffa1069d274f6daee399c243b3e89
Instruction Fuzzy Hash: 7113A270A09A4A8FEB99DF18C451BB97BE1FF5A300F5481A9D04ED7292CE34ED45CB81

Function 00007FFAAC58AA4D Relevance: 1.1, Instructions: 1058COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aae4621992ae3bbc6c9fabf4a6b06fd4eb82aff6eb4b7f50361dd12d676a1c3
Instruction ID: 2964afee4684e9b4f677818171dfea5959bd20e80ca39bd5d6aa6795d89269c4
Opcode Fuzzy Hash: 9aae4621992ae3bbc6c9fabf4a6b06fd4eb82aff6eb4b7f50361dd12d676a1c3
Instruction Fuzzy Hash: EC728370A09A4A8FEB98EB2CC455B7577E5FF9A300F1485B9E04DCB2A6CE34EC458741

Function 00007FFAAC59B9F7 Relevance: .9, Instructions: 854COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a785186b280cfa32a2ccc0ee9a59397cf173eacc0bd25976cdbb873dafaeed9b
Instruction ID: 411c8a7848c39bda901263e540b9baeef74850c1304a44cb488abe7bbee939bc
Opcode Fuzzy Hash: a785186b280cfa32a2ccc0ee9a59397cf173eacc0bd25976cdbb873dafaeed9b
Instruction Fuzzy Hash: C5421671A1DA4B8FF365DB288445A7977D1EF96300F0485F9E48EC3196DE29F80687C1

Function 00007FFAAC588C79 Relevance: .8, Instructions: 787COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d7a0604522461a6ea51497cf718cc2f7b342c24606c34a0583a29531e56a005
Instruction ID: 599612f9cb5e60bcde06402075955ec13607a68832feec2097496d6f5e225847
Opcode Fuzzy Hash: 0d7a0604522461a6ea51497cf718cc2f7b342c24606c34a0583a29531e56a005
Instruction Fuzzy Hash: AE42C430A0DA4A8FEB98DB2884557B977E1FF5A310F1441BDE44EC72D2CE25ED458781

Function 00007FFAAC585B24 Relevance: .5, Instructions: 547COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cea8a0f2f56b79d390e2f9c49489594f1cae5fee4e1f0a6e4f8d550113c81e4f
Instruction ID: 4ec747fae6321bd046f0ac2eb832b1c2a840519ed12cfa66aa69122d1f11c8bd
Opcode Fuzzy Hash: cea8a0f2f56b79d390e2f9c49489594f1cae5fee4e1f0a6e4f8d550113c81e4f
Instruction Fuzzy Hash: D0024C34A19A1A8FEB98DF18C4457B9B3E1FF59301F5481B9E44ED3292DE34ED858B80

Function 00007FFAAC597336 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dc601cf2ab3096641f58328be1ad3a5ac27d1bdac5af1fd9104b9c6b6eb0b98
Instruction ID: eccaf0c83bc579436ecce8e82877eda4cb3e2a4ad5ec64c7e972d8f2f9ac348f
Opcode Fuzzy Hash: 2dc601cf2ab3096641f58328be1ad3a5ac27d1bdac5af1fd9104b9c6b6eb0b98
Instruction Fuzzy Hash: 88F1A630909A8E8FEBA8DF28C8557E937D1FF55350F0482AEE84DC7291DB39D9458B81

Function 00007FFAAC5980E2 Relevance: .5, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7afba504eb6ffe75abaef91911bacdbe0141d9657a207aaaaa9bee11199c75e
Instruction ID: c8497a0371a713ed95daa38173d334180ea77e1e092e23cb59689a9856b63b5f
Opcode Fuzzy Hash: a7afba504eb6ffe75abaef91911bacdbe0141d9657a207aaaaa9bee11199c75e
Instruction Fuzzy Hash: CFE1C430908A8E8FEBA8DF28C8557E977D1EF55310F04826EE84DC7291CB79D9458BC1

Function 00007FFAAC30295E Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2591696809.00007FFAAC300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac300000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21cb47ede43164d52a66deae3bfec21b09750dcb528827589bbc7c5efa106aa4
Instruction ID: 706124ca28fa6eaf2a707d066f13a72ca5d191e32ce7653ed3b88d76bc7682e7
Opcode Fuzzy Hash: 21cb47ede43164d52a66deae3bfec21b09750dcb528827589bbc7c5efa106aa4
Instruction Fuzzy Hash: 0FB1D441A0FAC76FE3C6A37C0426976AFE18F9725070984FAC18DCB5E7DC58D84983A1

Function 00007FFAAC591B28 Relevance: 6.8, Strings: 5, Instructions: 537
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

hYI, xrefs: 00007FFAAC591C98
pYI, xrefs: 00007FFAAC591DB2
xYI, xrefs: 00007FFAAC591D79
pYI, xrefs: 00007FFAAC591CC5
hYI, xrefs: 00007FFAAC591CB4

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID: hYI$hYI$pYI$pYI$xYI
API String ID: 0-700338209
Opcode ID: 7e5a900251d5abf64c2edbe6883f2ff231d2669e08d76a0185a8b8e6a086c124
Instruction ID: e3b0dd92f16db932948b42f1d5cb9966068044fe66c0a6bbe1697f7665959446
Opcode Fuzzy Hash: 7e5a900251d5abf64c2edbe6883f2ff231d2669e08d76a0185a8b8e6a086c124
Instruction Fuzzy Hash: 20024662D4E7978FE355977898524A93BE4DF57310B0841FAE08DCB2E3D91DA80E83D1

Function 00007FFAAC59E401 Relevance: 4.2, Strings: 3, Instructions: 455
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

6, xrefs: 00007FFAAC59E65E
>0_L, xrefs: 00007FFAAC59E5D2
=%_L, xrefs: 00007FFAAC59E770

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID: 6$=%_L$>0_L
API String ID: 0-2043559767
Opcode ID: d1df6547069584b4589ddb85ea935ba7f542112efef71165d7eefcb0cc1db3fb
Instruction ID: b1e2ddb15ca71a7f5a3736b8e344dac40843010e878c157ac2569d8ff6cb1c90
Opcode Fuzzy Hash: d1df6547069584b4589ddb85ea935ba7f542112efef71165d7eefcb0cc1db3fb
Instruction Fuzzy Hash: 57E1B370618A4A8FEB58DB18D855A7977E2FF99300F1481BDE45EC7292CE38EC46C781

Function 00007FFAAC6401BA Relevance: 3.9, Strings: 3, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6, xrefs: 00007FFAAC6407E9
"&_L, xrefs: 00007FFAAC6401D2
r6, xrefs: 00007FFAAC640804

Memory Dump Source

Source File: 00000001.00000002.2594667646.00007FFAAC640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac640000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID: "&_L$r6$r6
API String ID: 0-3696463462
Opcode ID: d8a06d40f6d790e9099ff1d1422f9f4c28697eeb414c4416045cc40e599c54e2
Instruction ID: bb7d45dbf7ccd80448856b87b657581766ef765589d918dddf7dd02d7d49c650
Opcode Fuzzy Hash: d8a06d40f6d790e9099ff1d1422f9f4c28697eeb414c4416045cc40e599c54e2
Instruction Fuzzy Hash: F1413871A1EB858FF359D76C99266757BC1EB56210F0421BED08FC32E3EC189C058386

Function 00007FFAAC582440 Relevance: 3.0, Strings: 2, Instructions: 525
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 00007FFAAC59AC99
b4, xrefs: 00007FFAAC59AD6A

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID: b4$d
API String ID: 0-2243634771
Opcode ID: 77006ceec1b330bd70f9ff8c7c6de7fa9cd5f4d1c9deb79e17c68bfbf87b7035
Instruction ID: 036e65d2d2e34f7a1ad72cf54e004ad78907ed850d7014345860bc468cb83592
Opcode Fuzzy Hash: 77006ceec1b330bd70f9ff8c7c6de7fa9cd5f4d1c9deb79e17c68bfbf87b7035
Instruction Fuzzy Hash: 22F1EE70A58B0A8FE758DF18C485575B3E1EF9A310B2485BDE44EC72A6DE39EC4287C1

Function 00007FFAAC583FA6 Relevance: 3.0, Strings: 2, Instructions: 506
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 00007FFAAC5844B7
r6, xrefs: 00007FFAAC584732

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID: @$r6
API String ID: 0-2003788277
Opcode ID: aed0b147b90a42243f513c67aa0589c6607a4d148113270f67a8c65abaa10df2
Instruction ID: d71c82a0999301e4b151e3af3a8d42bf5fdf537c58b7ec2e1fb90548b69dec55
Opcode Fuzzy Hash: aed0b147b90a42243f513c67aa0589c6607a4d148113270f67a8c65abaa10df2
Instruction Fuzzy Hash: EAE12421A4E6478FF795973894622793BD5EF47310F0441BAE88ECB2D2DE18ED4A93C1

Function 00007FFAAC5917E5 Relevance: 2.7, Strings: 2, Instructions: 225
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

pYI, xrefs: 00007FFAAC591820
+&_^, xrefs: 00007FFAAC591901

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID: +&_^$pYI
API String ID: 0-4082220545
Opcode ID: ddd39a9341d2b659a5d138dc4459cbb4768f25e0fa41542be56c811fea7a0675
Instruction ID: b62fed2c67470418caaa43326ce8cc0b8da9c3fb46c013d3add81797862a4a98
Opcode Fuzzy Hash: ddd39a9341d2b659a5d138dc4459cbb4768f25e0fa41542be56c811fea7a0675
Instruction Fuzzy Hash: C0617257D0D2A34BE721777CB4665EA3F908F4233570885F7E2CDCA1A3D90C648A8695

Function 00007FFAAC640718 Relevance: 2.6, Strings: 2, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6, xrefs: 00007FFAAC6407E9
r6, xrefs: 00007FFAAC640804

Memory Dump Source

Source File: 00000001.00000002.2594667646.00007FFAAC640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac640000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID: r6$r6
API String ID: 0-2018302956
Opcode ID: 0424c09b20f8e7570f93041208af19ee4de31a3a84b80c74173c192cf457d030
Instruction ID: 400ba1467ffc38f3751afaa510387490117a3a6e5edf23d0b5a1bcba65f18b20
Opcode Fuzzy Hash: 0424c09b20f8e7570f93041208af19ee4de31a3a84b80c74173c192cf457d030
Instruction Fuzzy Hash: EF41E362A1EA858FF399D76C9916674BBC1EB56310F1411BED08EC32E3E818AC0586C7

Function 00007FFAAC59D320 Relevance: 2.1, Strings: 1, Instructions: 872
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H, xrefs: 00007FFAAC59D3FA

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 6a6e80f55f65abd2d0c02bfb8b205b84ff5499f8871be564c6873e2c02947140
Instruction ID: 8ca966a6dcab8883da876527321305decd4c73d98d74138b0bd5d6f3c6dee77c
Opcode Fuzzy Hash: 6a6e80f55f65abd2d0c02bfb8b205b84ff5499f8871be564c6873e2c02947140
Instruction Fuzzy Hash: 7352B93151DA4A8FEB94EF18C455AA97BE1FF5A300F5041B9E44DCB296CE29EC46CBC0

Function 00007FFAAC58FFA7 Relevance: 1.8, Strings: 1, Instructions: 558
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

=&_H, xrefs: 00007FFAAC590170

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID: =&_H
API String ID: 0-1524714763
Opcode ID: b128b3cfac7282741b398ea1a69187027ae8cc367869454e971ef5bb1b578152
Instruction ID: 5121e881e73944ec7cd3621f607e8601535ea0941f3bc997097e71a1e63b001b
Opcode Fuzzy Hash: b128b3cfac7282741b398ea1a69187027ae8cc367869454e971ef5bb1b578152
Instruction Fuzzy Hash: 4202D521A0EA4B8FE794D768C451A75B7E5FF9A300F1489FAD04EC7196CE29EC4987C0

Function 00007FFAAC582C7F Relevance: 1.7, Strings: 1, Instructions: 475COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFAAC582FC6

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: c8051b9cefddcf1719a1e95b624c78963d0aa1b256cfddef2bc2bb92694d36a5
Instruction ID: 1585ad40c1dbf86b0868e01495d5fb53f25740e35a651b54ddcdb97f5f7971b6
Opcode Fuzzy Hash: c8051b9cefddcf1719a1e95b624c78963d0aa1b256cfddef2bc2bb92694d36a5
Instruction Fuzzy Hash: CCE12872A4EA8B8FE795EB2C88155757FD0EF66310F0441FAE04DCB292DD28DD0A8791

Function 00007FFAAC588E03 Relevance: 1.7, Strings: 1, Instructions: 406COMMON

Download Yara Rule

Strings

8h, xrefs: 00007FFAAC588EB0

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID: 8h
API String ID: 0-2550175997
Opcode ID: bcce784e9ac52a4a2028cbd6a4be88198047103363c3b55a813490dff0128c5a
Instruction ID: 683e90fe317a7b50438db45914fe7a6525af96467569adc9abb979d8fca6709b
Opcode Fuzzy Hash: bcce784e9ac52a4a2028cbd6a4be88198047103363c3b55a813490dff0128c5a
Instruction Fuzzy Hash: 9DD1E321A0DA0A8FF798DB2C84417B877D5EF5A310F1481B9E44EC72D3DE28ED499391

Function 00007FFAAC58A659 Relevance: 1.6, Strings: 1, Instructions: 400COMMON

Download Yara Rule

Strings

D, xrefs: 00007FFAAC58A8CB

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: 3c762d962fda8c56a4b93879ef4ea2a437999381474bd20e760f17ff08060d3b
Instruction ID: 9f9adca9541d707d46eb22b7592d64135aa545bb13946faa7738bf6add786687
Opcode Fuzzy Hash: 3c762d962fda8c56a4b93879ef4ea2a437999381474bd20e760f17ff08060d3b
Instruction Fuzzy Hash: 98D1DB71A1CA0A8FEB94EF28C445BB877E1FF59300F158179E04ED7296DE34E9468B81

Function 00007FFAAC3036A9 Relevance: 1.6, APIs: 1, Instructions: 141fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32 ref: 00007FFAAC303787

Memory Dump Source

Source File: 00000001.00000002.2591696809.00007FFAAC300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac300000_hKvlV6A1Rl.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 7132a475266bd0f91d94a21c53960e522df2433e43de1bb4d4ad35bc939b3f00
Instruction ID: 1d5ac9c3d2df8e9a1e5c922dcf0feede62e867bab7579aac1db417ce801c25bb
Opcode Fuzzy Hash: 7132a475266bd0f91d94a21c53960e522df2433e43de1bb4d4ad35bc939b3f00
Instruction Fuzzy Hash: 8E412C7180DA4C9FDB59DB6C8459AF9BFE0EF56310F0481AFD04DC7292CA34A909C791

Function 00007FFAAC58C425 Relevance: 1.6, Strings: 1, Instructions: 371COMMON

Download Yara Rule

Strings

`&_H, xrefs: 00007FFAAC58C46D

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID: `&_H
API String ID: 0-1669765748
Opcode ID: d27ed418a7018652518ee7f8d9f1b0c40d543010d6af5f7047363aeaf8ef9a94
Instruction ID: fae97c879c9884b17faac8a017c88dd3e3db030414f5636b7ebe81d939d78919
Opcode Fuzzy Hash: d27ed418a7018652518ee7f8d9f1b0c40d543010d6af5f7047363aeaf8ef9a94
Instruction Fuzzy Hash: 78B10772B18F4A8FFB94D73C9055AB577D1EF89350B1045BEE44EC3296DE24E8468780

Function 00007FFAAC3036ED Relevance: 1.6, APIs: 1, Instructions: 110fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32 ref: 00007FFAAC303787

Memory Dump Source

Source File: 00000001.00000002.2591696809.00007FFAAC300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac300000_hKvlV6A1Rl.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: e6a76669baaa9db441ace2a080917465b9af1b6d2dfceebedbf47c22aeaa4e14
Instruction ID: ba84d79aa6947c217992114353cd9cf10ff1b78a91412c83d2736cad99b4d7ac
Opcode Fuzzy Hash: e6a76669baaa9db441ace2a080917465b9af1b6d2dfceebedbf47c22aeaa4e14
Instruction Fuzzy Hash: A231F27180CA4C8FDB58DB58C449AE9BBE0EF65321F04826FD04AC3252CB34A805CB81

Function 00007FFAAC59A9C1 Relevance: 1.6, Strings: 1, Instructions: 322COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFAAC59AC99

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 7a21998eafaf37dc559d428bddb2d493ed994a6f624f09f8905a9a8c6f8eeef9
Instruction ID: 4e740757f42ac0d57cbc3d2d0198b338fa48bec8d760a59f915b48ba87422683
Opcode Fuzzy Hash: 7a21998eafaf37dc559d428bddb2d493ed994a6f624f09f8905a9a8c6f8eeef9
Instruction Fuzzy Hash: 74A1CF30658B0A8FE75CDF08C48557573E1EB9A314B2485BDE44EC7296DA39E843CBD1

Function 00007FFAAC599B59 Relevance: 1.5, Strings: 1, Instructions: 235COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC599BF9

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: eacb1ded96f31cb8c25b6f58da8f9f9421c7bf3b09fbf6d466f69ebb15d61dc1
Instruction ID: 513cae5da72004f9889b330cdaf8f90290d30248c36a4d4cbc88bccdaa428a03
Opcode Fuzzy Hash: eacb1ded96f31cb8c25b6f58da8f9f9421c7bf3b09fbf6d466f69ebb15d61dc1
Instruction Fuzzy Hash: 5B613692A5EB8B8FF756573848116A57BD5EFA3210B0581FAE04EC7193DD0DA80A83D2

Function 00007FFAAC592139 Relevance: 1.5, Strings: 1, Instructions: 223COMMON

Download Yara Rule

Strings

"&_^, xrefs: 00007FFAAC592201

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID: "&_^
API String ID: 0-2790244243
Opcode ID: c93f25da60af419416bb8d90bbcdaf9a5ab5c5b9ee1d706bd303d8562b8ebf9f
Instruction ID: 6be15228f85d00f9526103944ab13ea4678f4ec3b2e4df0be34332f07793180a
Opcode Fuzzy Hash: c93f25da60af419416bb8d90bbcdaf9a5ab5c5b9ee1d706bd303d8562b8ebf9f
Instruction Fuzzy Hash: 66610876A0865B8FD711FF3CE8915EA37A0EF86325B0481B7E14DCB1A3CE289449C795

Function 00007FFAAC592150 Relevance: 1.5, Strings: 1, Instructions: 205COMMON

Download Yara Rule

Strings

"&_^, xrefs: 00007FFAAC592201

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID: "&_^
API String ID: 0-2790244243
Opcode ID: ee996f8510945331e975f678f3533e857c907da74df99c5c1a124d2819ad7282
Instruction ID: 6f48a33be5d47362c20c03be75f6d428b949faa98c840daac0be05d7b9939fd0
Opcode Fuzzy Hash: ee996f8510945331e975f678f3533e857c907da74df99c5c1a124d2819ad7282
Instruction Fuzzy Hash: 4551A476A0865B8BD710FF6CE8915FA73A0EF85325B0481B6E14DCB1A3CE28E4498795

Function 00007FFAAC5820E2 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

#'_^, xrefs: 00007FFAAC582101

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID: #'_^
API String ID: 0-523350721
Opcode ID: c63e41c9814eb2e1d457836df0e87a336a46cff36c27037d6239d0858ce9c74c
Instruction ID: d81f68be334c06e529be72927d69aea76c4bd4a3043b296562d590d84dd10b2c
Opcode Fuzzy Hash: c63e41c9814eb2e1d457836df0e87a336a46cff36c27037d6239d0858ce9c74c
Instruction Fuzzy Hash: 5E410B27E485274BD320BABDF4868F9B7A0DF85335708C177D28DCA163DA18644587D4

Function 00007FFAAC5910F2 Relevance: 1.4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

Strings

K3, xrefs: 00007FFAAC59116E

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID: K3
API String ID: 0-411264050
Opcode ID: 6e1c5d2cdf1fbf5d28fa393c67ffcbfc9b5451c2b3511534443bad7f8b9584e6
Instruction ID: 0f4e17b2bf1d0d121e3aeae3a8f7b1ee3d277920a8c603ef2616b47ed7f88239
Opcode Fuzzy Hash: 6e1c5d2cdf1fbf5d28fa393c67ffcbfc9b5451c2b3511534443bad7f8b9584e6
Instruction Fuzzy Hash: D0410967A0C5AA4FD711BB7CF4515EA37A0EF86330B0441B7E18DCB1A3CE28685983D5

Function 00007FFAAC5820D7 Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

#'_^, xrefs: 00007FFAAC582101

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID: #'_^
API String ID: 0-523350721
Opcode ID: 7176c1cc962346605f724ee78e25032342e5511590fe16865a66da1ed0bc35cb
Instruction ID: 8e23d480a4eff34be43de0fc42a576f73ef9df121ff03d1472d8a4fc68569c3d
Opcode Fuzzy Hash: 7176c1cc962346605f724ee78e25032342e5511590fe16865a66da1ed0bc35cb
Instruction Fuzzy Hash: E1311E27E585274BD3207ABDF4868FAB790DF85335708C177D28DCE1A3DA18514987D4

Function 00007FFAAC5820CF Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

#'_^, xrefs: 00007FFAAC582101

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID: #'_^
API String ID: 0-523350721
Opcode ID: 58f107b3acbefbc6d20038908b6a84492286d826cb60ce912b5e0029218362f8
Instruction ID: e12447d4d0baf95c683e53414ac5bbc0c09b3f201a2fcc739a8e66b057b93d05
Opcode Fuzzy Hash: 58f107b3acbefbc6d20038908b6a84492286d826cb60ce912b5e0029218362f8
Instruction Fuzzy Hash: 7C313F27E5852B4BD3207ABDF4868FAB790DF85335B08C277C18DCE1A3DA18504987D4

Function 00007FFAAC593805 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFAAC59392A

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-1686368129
Opcode ID: 2906d3d68770045bf85ee9ff4e0d4bc971bce1db24c695bcccfd06ccb6493f2b
Instruction ID: 6fc69bd6d24d6c83ad40dcef0fbf88f5a50d6c39b49839a0fee7470b1506be01
Opcode Fuzzy Hash: 2906d3d68770045bf85ee9ff4e0d4bc971bce1db24c695bcccfd06ccb6493f2b
Instruction Fuzzy Hash: 8D414070A4A94BCFEB95DB2CC855BA877A5EF56300F5440F9E00DD7292CE2DEC498781

Function 00007FFAAC582EEE Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFAAC582FC6

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 12967cc96b9a6bf5c5af549ca462edc26e32ec45cf74b1a5917b8352c2d2a0f7
Instruction ID: 821da5a5e460ea40a9854d37a1580ccc6690f960444a5f90a1f3a4aa1fc16d57
Opcode Fuzzy Hash: 12967cc96b9a6bf5c5af549ca462edc26e32ec45cf74b1a5917b8352c2d2a0f7
Instruction Fuzzy Hash: 9331062190EB8A8FE39A973888555707FE1DF5B314B0581FAD00ECB597DC69DC4AC391

Function 00007FFAAC591148 Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

K3, xrefs: 00007FFAAC59116E

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID: K3
API String ID: 0-411264050
Opcode ID: f65189937837bc98eb2864211976782891e5d18fba70f97f9009ec869df72433
Instruction ID: dc4f3f93cd9c069389324b90f665b711f4ab210b8152efb1543616bec2a4be0f
Opcode Fuzzy Hash: f65189937837bc98eb2864211976782891e5d18fba70f97f9009ec869df72433
Instruction Fuzzy Hash: 43313937B0C56A4FD700AF6CF8515EA77A0EF86330B0441B7E54DC7153CA24985A87D5

Function 00007FFAAC58CA76 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

Y&_H, xrefs: 00007FFAAC58CB6E

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID: Y&_H
API String ID: 0-4003802463
Opcode ID: 7d5c210feed6d8d8c242a8c6f9ce2efca2c8fbcb36736c017ebf745adbc64b68
Instruction ID: 7818611de8d273ae0ca794edf6c41cade1879ab415201e5325bfe4abc0a8d1c5
Opcode Fuzzy Hash: 7d5c210feed6d8d8c242a8c6f9ce2efca2c8fbcb36736c017ebf745adbc64b68
Instruction Fuzzy Hash: 0F3140B2E1DA4B8FF745E77884055BD7BE5EF95301F4444BAE04EC71D2DE24A9098380

Function 00007FFAAC58D9F4 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC58DA7A

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: 9046d9e701117e58412ab71d58c4a6d57af9a9598421d20684297dd6e0fbe0c0
Instruction ID: b8555d83c8a6d296a798874dcd894a76a1642771ad7073b3bfa17178b3afe6ac
Opcode Fuzzy Hash: 9046d9e701117e58412ab71d58c4a6d57af9a9598421d20684297dd6e0fbe0c0
Instruction Fuzzy Hash: E7214971B0D70A4BE7189B2CD4495B4BBD6EBD5221B1582BFE04EC7293DC299C4383C1

Function 00007FFAAC59D0F0 Relevance: 1.1, Instructions: 1062COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 501ea2337331e28c47d58ad85ac2da05a9296ada0aa5c2f022ae8d57adbe1d6e
Instruction ID: 398321e93c17aff4b82df7d7e6c6d32aa4ced6e627ec2d1c05bed9a68cf02e30
Opcode Fuzzy Hash: 501ea2337331e28c47d58ad85ac2da05a9296ada0aa5c2f022ae8d57adbe1d6e
Instruction Fuzzy Hash: D572DA3191DA4A8FEB94DF18C445AA57BE1FF5A300F5041B9E44DCB292DE29EC4ACBC1

Function 00007FFAAC59D1F0 Relevance: 1.0, Instructions: 1003COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89572e69181597ca741e7e1971d8d02b18f57634859de66710f6484e083d2bfa
Instruction ID: 02e1a007e37ea9bf0793dee96b69061093c134d040663ba8fb0afae8acb5e3b6
Opcode Fuzzy Hash: 89572e69181597ca741e7e1971d8d02b18f57634859de66710f6484e083d2bfa
Instruction Fuzzy Hash: F772B87191D64B8FEB94DF18C451AA97BE1FF5A300F5040B9E44DCB292DA29EC4ACBC1

Function 00007FFAAC59D407 Relevance: .7, Instructions: 724COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1620182fae61625aa167f2e31b85287b6e243ed65ce7c05fb3f210b5e6cce513
Instruction ID: 71a261c4f56a062f3ae04e11f38e1b20ac556be2abfb0ad463a9fb80355c160c
Opcode Fuzzy Hash: 1620182fae61625aa167f2e31b85287b6e243ed65ce7c05fb3f210b5e6cce513
Instruction Fuzzy Hash: 35324231A1994A8FEB94EF18C455AA97BE1FF69300F5041B9E40DC7296CE39EC56CBC0

Function 00007FFAAC5A245B Relevance: .7, Instructions: 720COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5e8a01024665483067f0eaf72ece0546d3015f26c0fe07b6eec8b7d953c0d65
Instruction ID: 3d2a58396e41834d644ed2a70e41517f6fcc87ca50cb4b5ee8594860859d6efc
Opcode Fuzzy Hash: f5e8a01024665483067f0eaf72ece0546d3015f26c0fe07b6eec8b7d953c0d65
Instruction Fuzzy Hash: 21327B30A1DA5ACFEB98EB28885576977E1FF59700F1481B9E00DC7296DE38EC45CB81

Function 00007FFAAC59DDED Relevance: .6, Instructions: 607COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91acf76178a918ba9ed3a14783c017015e8bb6a3907cfdb7a9ad042aa4a78820
Instruction ID: f1990d229f5b994d31fe756984f8201eaedcd9378dad77ad8ae815bd11b65cca
Opcode Fuzzy Hash: 91acf76178a918ba9ed3a14783c017015e8bb6a3907cfdb7a9ad042aa4a78820
Instruction Fuzzy Hash: 7C22F27184E687CFF375872448165A43FE4EF57310B0881FAE49DCB5A2EA5EA80E87D1

Function 00007FFAAC59F6FD Relevance: .5, Instructions: 534COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c3994f14fb6ce5fa883bbc9c637d8244f4cdeef4b6e0607b727b9e6518884b8
Instruction ID: 3db7558603669c2e1c01196534159ec889948d22c45614bbb7d6706124439106
Opcode Fuzzy Hash: 2c3994f14fb6ce5fa883bbc9c637d8244f4cdeef4b6e0607b727b9e6518884b8
Instruction Fuzzy Hash: 6BF1E831A1990A8FFBA8DB6CC855A7437D1FF5A301B1441F9E44EC72A2DE2DEC498781

Function 00007FFAAC599FBC Relevance: .5, Instructions: 519COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f235a6a231cd442334746a95f25645f903af300d3c4afbc74eabea48c1495d7a
Instruction ID: c7a4f41712be37a0d10548e5c12d8708561fbf90e2142574c93dada1d5b57188
Opcode Fuzzy Hash: f235a6a231cd442334746a95f25645f903af300d3c4afbc74eabea48c1495d7a
Instruction Fuzzy Hash: 14F11931A09A4F8FEB95DB68C455ABD77E1FF96300F0440BAE40DD7292DE29EC068791

Function 00007FFAAC5A0C69 Relevance: .5, Instructions: 490COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71f336742e921b1dcbd33679bdb60b04bc1034a8adbd17fa6c008627e16ee192
Instruction ID: 1bf5c0be4a173f72513140aa37c6dffada33bdaacbfda909403328ef01679173
Opcode Fuzzy Hash: 71f336742e921b1dcbd33679bdb60b04bc1034a8adbd17fa6c008627e16ee192
Instruction Fuzzy Hash: 10E12B71A6EA468FF795D72884596747BD1EFDA710B0440B9E04EC7293DD18EC4A83C1

Function 00007FFAAC5A4A39 Relevance: .4, Instructions: 427COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db2339e437b7bab2d9311c6b37abfed0fd763534b0f5e724fe57be55ab3e59d7
Instruction ID: 7b27903d27f0357ca6bc63702fddab4dc1abc51aae3cb6a0d0bdaefbaef6dcfd
Opcode Fuzzy Hash: db2339e437b7bab2d9311c6b37abfed0fd763534b0f5e724fe57be55ab3e59d7
Instruction Fuzzy Hash: 0BC1C671B1CA0E8FEB58EB6C9455AB9B7D1EF59700F1481B9E00EC3292CE24EC468785

Function 00007FFAAC5A3429 Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82782bd692ef2f0734f390c8e4cefc42b6c22d571236353c8112845235a1ad26
Instruction ID: 9d08dcf812185bc789bc7f4e2c664b72509c360fcaad9edf2222c6c88ef912cd
Opcode Fuzzy Hash: 82782bd692ef2f0734f390c8e4cefc42b6c22d571236353c8112845235a1ad26
Instruction Fuzzy Hash: 96B15931A1DA4A8FF794E72CC45967577D1FF9A714F1484B9E04EC72A2CE29EC4A8380

Function 00007FFAAC583180 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7607f5607cdb1bb11b425b9882d600a8fd47a60b91405f75c378df9f21debed
Instruction ID: cfdc6cbdd3abe8e6aa4155e0c368da37da24fa19f0844b2aa50a0593f9e9b9d6
Opcode Fuzzy Hash: e7607f5607cdb1bb11b425b9882d600a8fd47a60b91405f75c378df9f21debed
Instruction Fuzzy Hash: 16B19631A0DA4A8FEB98EB2CD4516BD77D1EF8A314F14817DE44ED7282DE34E8068791

Function 00007FFAAC597CF6 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a77d8d7a8f2f7501ef71830a72c67bd37f106b414f5845b13ad7ddaa59f1c672
Instruction ID: 3f761df78bd4c64eb813ef113e4fe75ab60ea7a508007919037aa91723385b95
Opcode Fuzzy Hash: a77d8d7a8f2f7501ef71830a72c67bd37f106b414f5845b13ad7ddaa59f1c672
Instruction Fuzzy Hash: 1DB1C77050CA4E8FEB69DF28C8557E93BD1EF55350F04826EE84EC7292CA39D945CB82

Function 00007FFAAC586D81 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9d16645ae3e52edc94ddf2385940409f34cf507c5880baccba00b6c0ba0ff52
Instruction ID: 72c68776e26621bdb3899346b4664267292c18997ecfb35754bddc245d2b855b
Opcode Fuzzy Hash: d9d16645ae3e52edc94ddf2385940409f34cf507c5880baccba00b6c0ba0ff52
Instruction Fuzzy Hash: A2910762B1DE4A8FF7A5E72C841567577D5EF9A340F0480B9E00EC7297DE28ED069381

Function 00007FFAAC5A572C Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a391999c42efe812f18ee12294673430cf5edf67646b79c022b52ceac4612e0
Instruction ID: d329b2b43299e251a3787f25b5d7991e05f44b6ea1ceedb671d9ce4283e5c4e2
Opcode Fuzzy Hash: 7a391999c42efe812f18ee12294673430cf5edf67646b79c022b52ceac4612e0
Instruction Fuzzy Hash: 0291B571B19E1A8FFB48E76894596BD77E1EF9A710F504079E00EC7292CE29EC4687C0

Function 00007FFAAC5834A1 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef974151c35db74cdd013bf004b9c35bd85e8773fcb561ad798a6feca074ee78
Instruction ID: 2b3e374b9c5d8a2609e8e5553161ee33958bf19e59f9266f6997d0e34afd871f
Opcode Fuzzy Hash: ef974151c35db74cdd013bf004b9c35bd85e8773fcb561ad798a6feca074ee78
Instruction Fuzzy Hash: 68A13931A4EB4A8FE7A5DB2CC4159B5B7E4EF56320F0441BAD04EC7293CE28E949C381

Function 00007FFAAC588DDD Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11778ff9b8ab77f12102b67cb9417a2926d2e8dbb8036c473e0a4f567122d9da
Instruction ID: 95684ec54cdd6ad973f41744d220ea349f7dcde157925f0b10973425802d05e5
Opcode Fuzzy Hash: 11778ff9b8ab77f12102b67cb9417a2926d2e8dbb8036c473e0a4f567122d9da
Instruction Fuzzy Hash: E1A1B321A09A0A8FFB98DB1C84457B977D5FF9A300F5480B9E48EC72D3CD28ED499790

Function 00007FFAAC588F26 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebda3c4883cf724173b96ef3efc19139e27d958a2df4f8cf5c5dcf7307def5c4
Instruction ID: b48e3c6ff8649658d203f9fb19c0cc029c05414ff1cf27dc35a0457e5f673b9e
Opcode Fuzzy Hash: ebda3c4883cf724173b96ef3efc19139e27d958a2df4f8cf5c5dcf7307def5c4
Instruction Fuzzy Hash: 4BA1B421A09A0A8FFB98DB1C84557B977D5EF5A300F5481BDE44EC72D3CE28ED499780

Function 00007FFAAC588EEB Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46eacf5829fe16fac44c2da69969f972c8178e3a1204525e2f9795ac796d21e3
Instruction ID: 867a3f802c87fac3c61d970fa6b2f817811e6d802331f8214f19060b04abc4be
Opcode Fuzzy Hash: 46eacf5829fe16fac44c2da69969f972c8178e3a1204525e2f9795ac796d21e3
Instruction Fuzzy Hash: 0AA1A220A09A0A8FFB98DB1C84557B977D5EF9A300F1480BDE44EC72D3CE28ED499780

Function 00007FFAAC588ECD Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6c30fe693a2a8eec631b565f5c1a8e42f0935e223e63e6a160bab0241ddff4a
Instruction ID: a5e012507c10cd7ba648be4d989877cb7839a037d0a0e511c085df569578a437
Opcode Fuzzy Hash: f6c30fe693a2a8eec631b565f5c1a8e42f0935e223e63e6a160bab0241ddff4a
Instruction Fuzzy Hash: 2AA1A221A09A0A8FFB98DB1C84457B9B3D5EF99300F5481B9E44EC72D3CE28ED499790

Function 00007FFAAC588F08 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 127123130ba20e569b181fd79e9db86a41d28dd71637ba19c8c9c01c2b6b5aea
Instruction ID: f5aaede9fa072a84cad7c9618530d791c96750250bfb06ab593cad0f5fd92855
Opcode Fuzzy Hash: 127123130ba20e569b181fd79e9db86a41d28dd71637ba19c8c9c01c2b6b5aea
Instruction Fuzzy Hash: 7BA1A221A09A0A8FFB98DB1C84557B977D5EF99300F5481BDE48EC72D3CD28ED499780

Function 00007FFAAC588FC7 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1df045d97f69edd001aef651b512a23466f4775b60e3ee0a28f3eeb179aa88d0
Instruction ID: 89c6321159916293b7cb6cea9ba6940ad8646aa2cf19d4665de020db711b5f46
Opcode Fuzzy Hash: 1df045d97f69edd001aef651b512a23466f4775b60e3ee0a28f3eeb179aa88d0
Instruction Fuzzy Hash: 94A19220A09A0A8FFB98DB1C8455BB977D6EF59300F1481BDE44EC72D3CE28ED499780

Function 00007FFAAC588F86 Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 156bf091a9c4eea9e76e8484f69a7e87cd44023eb0be2dfb615bc45b3b1cacf4
Instruction ID: 250c6b9f3af7a96dab5dfc1ab3f1d028d6c2976344fcf86fd6787e8927ccf935
Opcode Fuzzy Hash: 156bf091a9c4eea9e76e8484f69a7e87cd44023eb0be2dfb615bc45b3b1cacf4
Instruction Fuzzy Hash: 79A19320A09A0A8FFB98DB1C84557B977D5FF99300F5481B9E44EC72D3CD28ED499790

Function 00007FFAAC5A2FAC Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 230bf7615c98f3df2b99ef66fe25f9fe476640443f5b80003e60c83853bd5657
Instruction ID: f5420501fe117ee4a4693b7efbc46d747a71063fb7b7e25d14bf6188f13bc47b
Opcode Fuzzy Hash: 230bf7615c98f3df2b99ef66fe25f9fe476640443f5b80003e60c83853bd5657
Instruction Fuzzy Hash: 50B12D31A5990ECFEF84EF58C895EA97BA1FF69344B444168E40ED7296CA24EC45CBC0

Function 00007FFAAC59EF79 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13a64994b9c179670ce19d2c890a508db747c60e68bbc294b89dec6cdec607ca
Instruction ID: d3e59ec103bbd208f70463bef1cb2fb5ee4deb3367c1638987a057034eb9bd6a
Opcode Fuzzy Hash: 13a64994b9c179670ce19d2c890a508db747c60e68bbc294b89dec6cdec607ca
Instruction Fuzzy Hash: CD81F561B1DA468FFB98D76C88556782BD6EF96740B0481FAE04EC7293DD1DEC0A83C1

Function 00007FFAAC5A38A9 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5d621fec8bbd80dec25e3f5fcd643760616bbaef194809b16257c3345600bfa
Instruction ID: 47b29584f7c5ebb657ff92611f32acf800f603f5f719f34c9fbf0d69318c5e55
Opcode Fuzzy Hash: d5d621fec8bbd80dec25e3f5fcd643760616bbaef194809b16257c3345600bfa
Instruction Fuzzy Hash: 0281A430B5DA1A8FEB98EB2DD455A7877E1FF5A704B0441B9E04EC7296CE28EC0587C1

Function 00007FFAAC5A2097 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2443e4a9e91582693d3a830c42baf032eee871188a3c89a93b2357e4122c7a03
Instruction ID: 0c23826b122856aedad8a468d247c86d822b365d26c3781784965f1d39865eb7
Opcode Fuzzy Hash: 2443e4a9e91582693d3a830c42baf032eee871188a3c89a93b2357e4122c7a03
Instruction Fuzzy Hash: E481D63194EA4A8FFB98D7298C16AB477A5EF57710F0481FAE04DC7292CD24ED4987C1

Function 00007FFAAC59D8DF Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffa242f966713ebe29a1ca97eb52bbeb8d14941be78796e5068f41af086ac9a6
Instruction ID: a22765a4645f79fd68762b33510bbd4a17fc226695a3ce30a094dd41a38269cc
Opcode Fuzzy Hash: ffa242f966713ebe29a1ca97eb52bbeb8d14941be78796e5068f41af086ac9a6
Instruction Fuzzy Hash: D791463161994ACFEB94EF2CC455AA57BE2FF69340F5040A9E40DC7296CE39EC56CB80

Function 00007FFAAC5A47FB Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58528c5db65d8c585ed1213ad5313aabfc2766e1e8fe029d032022759dca6ee1
Instruction ID: 04540232d37714db663dbf48b19fe86e41904e8bd1f789afc6f9cbac7f3b198e
Opcode Fuzzy Hash: 58528c5db65d8c585ed1213ad5313aabfc2766e1e8fe029d032022759dca6ee1
Instruction Fuzzy Hash: CF71053171DA468FE799E76C9419A647BE1EF5A700F0440FAE04DC72A3CE28EC46C785

Function 00007FFAAC5A0C30 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad7c7dfb36aab81fac8427ac5734aa393f4826e5cc400eb95ac4025bc0ec733
Instruction ID: 60c3d193e4e2407554f4a7617b21fc2ef216b693639f9cdb37059833fc69cf46
Opcode Fuzzy Hash: dad7c7dfb36aab81fac8427ac5734aa393f4826e5cc400eb95ac4025bc0ec733
Instruction Fuzzy Hash: 4C71F4628AF6879FF7659724481A1A57FD4EF97600F0484FAD48ECB193D91CA80E83D2

Function 00007FFAAC590007 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6748a3bed249d3e559ffd72729aab90434c7b0eea87f5a8b9fdb5726a54e7420
Instruction ID: 9b81e01f8033c27fe49f683eecfdd8895432837bf1d26fd27c9ec0409778a741
Opcode Fuzzy Hash: 6748a3bed249d3e559ffd72729aab90434c7b0eea87f5a8b9fdb5726a54e7420
Instruction Fuzzy Hash: CD71BF20A5DA07CBF798D758C450A75A2E6FFD9300F54CAB6E00EC2196DE3DE88997C0

Function 00007FFAAC583751 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49f98cdb98301303abd30776a90d07ee401ea2060f315d174ec8278ff394f56c
Instruction ID: 8cb3d3bd33fbe581a94d728504d3a5409b05c5313802bf4f9ea5575710652894
Opcode Fuzzy Hash: 49f98cdb98301303abd30776a90d07ee401ea2060f315d174ec8278ff394f56c
Instruction Fuzzy Hash: 1151426190FA8A8FFB5AA73C88015717BD0DF47314F1445BEE48EC71D3DA18E90A8382

Function 00007FFAAC598C5D Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9aad3c5a8572de2a4f7ea1a97b02caef719bd142323b5e231d6e17bcf5e5098
Instruction ID: 524e23269e9ecce32bc9478cd79d8ea39b237f8c8fd9da3579fbd3b5da1a28f4
Opcode Fuzzy Hash: a9aad3c5a8572de2a4f7ea1a97b02caef719bd142323b5e231d6e17bcf5e5098
Instruction Fuzzy Hash: 7751CC7190E64A8FE799E77888556B87BE1EF1B300F0441FAD04DDB2A2DA2DDC44C781

Function 00007FFAAC58D5B4 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fd6cc8bed276477479f04543212895a052e06a3fc88c7f8f7b12f6fe7897b09
Instruction ID: 9d4182bad04d387bff78e91345585620b29c6a29aa4cae40fe495e3a79d277fb
Opcode Fuzzy Hash: 9fd6cc8bed276477479f04543212895a052e06a3fc88c7f8f7b12f6fe7897b09
Instruction Fuzzy Hash: AA51AF71A1994A8FEB98EF2CC454AB977E2FF59310F0445B9E04EC7296CE24EC45CB80

Function 00007FFAAC584775 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37af80595b237007b704e165d4281de1d4e24a0ff2efec9741206eb2b3c81933
Instruction ID: 091698e76b7071ef5983036fc8ed04e9b2dc20197e766482259ad360b08aca62
Opcode Fuzzy Hash: 37af80595b237007b704e165d4281de1d4e24a0ff2efec9741206eb2b3c81933
Instruction Fuzzy Hash: 6351113160E98B8FFB94EB2CA465AB57BD0EF5B314B4440FAE44DC7292DE19EC458780

Function 00007FFAAC594C48 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68b472c7003978edae1e065e66a9af44d249215d6a6cfad1a46dfe0f5ebf6ed5
Instruction ID: 9530b3c5d4b0809f7d9275eb2821e39cfa497f7d160b308e31e600219f9742ba
Opcode Fuzzy Hash: 68b472c7003978edae1e065e66a9af44d249215d6a6cfad1a46dfe0f5ebf6ed5
Instruction Fuzzy Hash: E0514F71918A1D8FDBA8DF58D845BE9B7F1FB58310F1082AAD40DE3251DE34A9858FC1

Function 00007FFAAC58E3A9 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9621f256daa89dc0b35bde4a407eb49c53e037a6c7fc5e70a6b5467475af9f49
Instruction ID: 55d825cb1e70f89aa7ef58f05657b8a1ca83a56b5b1d4d771ec6a3d5e261ba82
Opcode Fuzzy Hash: 9621f256daa89dc0b35bde4a407eb49c53e037a6c7fc5e70a6b5467475af9f49
Instruction Fuzzy Hash: AC5126A191DACB8FEB85EB7884569F57BF0EF56310B0441F6E00EC71A7DD28E8068384

Function 00007FFAAC5989BD Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 058ea0ee3569e5780bc6a84a6997bf119a1d821935c5a946882385df514220b6
Instruction ID: eeb77bbb4a22743967b18cf821c6d2ac9d140f71e14ff06457de302cfe011f68
Opcode Fuzzy Hash: 058ea0ee3569e5780bc6a84a6997bf119a1d821935c5a946882385df514220b6
Instruction Fuzzy Hash: DE51A671E0A64E8FE788DB7888156B9B7E1EF16304F4445FAE00DD72A2DE2D9844C781

Function 00007FFAAC594C00 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2360d42216ea6889bde64d5e3a899dc0aeb15f1f0b660b1ec4d7ab71b4f9e30d
Instruction ID: 696340f90f90833e3b269465df12e4862791223d804ebe63246637b50dc39737
Opcode Fuzzy Hash: 2360d42216ea6889bde64d5e3a899dc0aeb15f1f0b660b1ec4d7ab71b4f9e30d
Instruction Fuzzy Hash: 6B515D71918A1D8FDB98DF58D845BE9B7E1FB58310F1082AAE00DE3255DF34A9848FC1

Function 00007FFAAC5876BB Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06f0b49ede1f3a2cdb82640c96f4eeac3c54f5f7d4647d50a59bc137577d98d9
Instruction ID: 2d023b1c50cb173fec28125ff80c295dc5668f68c296d8ec04da660455d4f66e
Opcode Fuzzy Hash: 06f0b49ede1f3a2cdb82640c96f4eeac3c54f5f7d4647d50a59bc137577d98d9
Instruction Fuzzy Hash: 26413862B4DE4B8FF798D26C98455B57BC5EF9A260B1541BAF04EC3297DD14EC0683C0

Function 00007FFAAC58CDE9 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eed29d0bc8ab08b03ab12b3326fbc75bc83f3bba9f54a2d1477bd309f853b52
Instruction ID: 6ed5d94abc4580fb7021acfee6d2aa9ca301427fdf6f0c665f4168719533296d
Opcode Fuzzy Hash: 7eed29d0bc8ab08b03ab12b3326fbc75bc83f3bba9f54a2d1477bd309f853b52
Instruction Fuzzy Hash: E1413673A1DB868FE3AACB2C94555B47FE0EF57210B0482BAE04EC7593DE14E94983D1

Function 00007FFAAC58D1F0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e4bb5137b570c8c44884116ce19be8d1b57db1d92e5198faee2b6b5714f24ef
Instruction ID: 5fe485b1cf895b2468e1f231029d6c6d3260bc90bc78a04038ee820dfb5c8c15
Opcode Fuzzy Hash: 6e4bb5137b570c8c44884116ce19be8d1b57db1d92e5198faee2b6b5714f24ef
Instruction Fuzzy Hash: 1A518130A09A4B8FEB99DB28C451BB977E5FF06305F4444B9E40ECB1D2CE29E959CB41

Function 00007FFAAC1EE9F0 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2591300820.00007FFAAC1ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac1ed000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 713b8acc94ca80c8c63222fcae493b01b2222e560f4156e67a8ada49db2c456c
Instruction ID: 7756e4b261f18ea2c7b428bdbb4d96b5f8d503f230defe1cef9b53dea7aaa7d0
Opcode Fuzzy Hash: 713b8acc94ca80c8c63222fcae493b01b2222e560f4156e67a8ada49db2c456c
Instruction Fuzzy Hash: 6F41057140EBC48FE7579B2898469623FF0EF57320B1945DFD08CCB1A3D624A849C792

Function 00007FFAAC587A72 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b73ff14a7ad97f45661e739684a541377e423a36ca41499b9f42b801e2454e40
Instruction ID: bda10e09586661110a013d7e088f60174dfbbb8ef4d1f283d3c6a3542230d2ae
Opcode Fuzzy Hash: b73ff14a7ad97f45661e739684a541377e423a36ca41499b9f42b801e2454e40
Instruction Fuzzy Hash: 1D41F23150D789CFEB688B1C88566B57BE5EF56350F14406EF4CEC3292CA38E945C781

Function 00007FFAAC598F1D Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fd1e1d6122b6484867437b086da6667cfb7efa8d8d62ab3bbe283ef970586a4
Instruction ID: d74abb3d17b2143f8b7a0b5e3caa7f3895cd3d61ef1c4f94a8568fe860dbc9b8
Opcode Fuzzy Hash: 6fd1e1d6122b6484867437b086da6667cfb7efa8d8d62ab3bbe283ef970586a4
Instruction Fuzzy Hash: 6541B971E0AA4FCFE795EB6884556B97BE1EF16300F4444FAE00DD72A2DA2DD848C781

Function 00007FFAAC5876AE Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 538d013b729365d3125afcad09bf4f388fd6d47650c2f48474c5c0deedb67fe2
Instruction ID: 99460bba3f9234a1dbaa3c03a01f95118507e4440fcaf4ce451b29da1d00919c
Opcode Fuzzy Hash: 538d013b729365d3125afcad09bf4f388fd6d47650c2f48474c5c0deedb67fe2
Instruction Fuzzy Hash: A1311A62B4DA4A8FE754E72C98499757BD1EF9A350B0541FAF04EC7197DD14EC068380

Function 00007FFAAC59EFA0 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6196423c878bb1d93f89c5dee509556fe8f3c53c458d787405c0a1b8386bcd51
Instruction ID: fdd91b34528272c04cbe7e5e250b6ed07636ff70224e49aacd3618d5345a7782
Opcode Fuzzy Hash: 6196423c878bb1d93f89c5dee509556fe8f3c53c458d787405c0a1b8386bcd51
Instruction Fuzzy Hash: B131D631B1DA068FFA98D76D98556B827CAEF86745F0541F9F08EC32D3DD2DAC0A4281

Function 00007FFAAC5A217B Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8634e9a85dff4d3f8c9df26acb9f271fbd87741d5600e19f40cb124e52ec91c
Instruction ID: cd25f196ceb065bb0a4e4b51cec9a7a678136195cc1a454857ed8d93fb312bdb
Opcode Fuzzy Hash: f8634e9a85dff4d3f8c9df26acb9f271fbd87741d5600e19f40cb124e52ec91c
Instruction Fuzzy Hash: 4D41FF30A4991ECFEF98EB18C855B6877A1EF5A700F5481E9E00DD7292CE35ED49CB81

Function 00007FFAAC583780 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6a0a75cf09901c756e1512b872795aa77fd7658637b2accb03321c239ff24f8
Instruction ID: fe7385ef9f416df1966da00665f910c5be56ddeb9cf3042795469b5169e81c2a
Opcode Fuzzy Hash: b6a0a75cf09901c756e1512b872795aa77fd7658637b2accb03321c239ff24f8
Instruction Fuzzy Hash: FD31D471A0E90A8FFB88EB2CD405A7577D5EF96354F4181B9E44DC3292ED28ED0647C1

Function 00007FFAAC5A332D Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50af9b7f2455dcb3a2db0712ef8c8a9f1ee390a4cdb7113662bd9daa666f5a67
Instruction ID: 6e2f124f114a42fd7021cf02d5d7ccdefbda0fe50041e07a3dffbaea9d6f4226
Opcode Fuzzy Hash: 50af9b7f2455dcb3a2db0712ef8c8a9f1ee390a4cdb7113662bd9daa666f5a67
Instruction Fuzzy Hash: 41312B3170CA4A9FE784DB2CD444AA57BD1FF9A310B0441BEF04EC72A2CE39D8428781

Function 00007FFAAC5A2356 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d73a02936179568d011832559366a255e04294fd8459daf8d3653e66dbbb502
Instruction ID: c4a79c5c3515eca4a8942de1692930db22a6e69d23698b3a7f621bcdbfc96ca6
Opcode Fuzzy Hash: 6d73a02936179568d011832559366a255e04294fd8459daf8d3653e66dbbb502
Instruction Fuzzy Hash: D631447155EB998FE76556289C1A6B23BA8DB47720F0400EBE04DC3292ED24AC4AC3D2

Function 00007FFAAC591535 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b7630aea2c7aed8c60303c0adc4c9e515e997a207f564b933f7cf0e5e889bbd
Instruction ID: 6b9efa469ff089bc0efae3c09a2aa97dfb5f616d4afb91f6e2568cb163539ac1
Opcode Fuzzy Hash: 8b7630aea2c7aed8c60303c0adc4c9e515e997a207f564b933f7cf0e5e889bbd
Instruction Fuzzy Hash: 93316B7190DB8A8FE755DB389454A717BE0EF56200B0845FAE44ECB2E3DD1DE849C780

Function 00007FFAAC590C78 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1598979f56e89b59e7ef956d3b6959f698b4f624b2b6728e4777fbd8ab5e36b6
Instruction ID: 784fc1785d79bb0c9177e93c72582895e93daafade69ed8cc758165daa4dd66a
Opcode Fuzzy Hash: 1598979f56e89b59e7ef956d3b6959f698b4f624b2b6728e4777fbd8ab5e36b6
Instruction Fuzzy Hash: 1731B532A0C6164BDB58EA6CE0556FA73D1EF88325F14853FE14ED22A2DE2594458788

Function 00007FFAAC645098 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594667646.00007FFAAC640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac640000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e544ecd5e8296eea9ba075517e3ee54aade6b1447abf9e0dfff47c2aee3d8ea
Instruction ID: 80777f5299ad25a7d88906bcde67545ede614ab43d727fc85346a359944d7c9d
Opcode Fuzzy Hash: 0e544ecd5e8296eea9ba075517e3ee54aade6b1447abf9e0dfff47c2aee3d8ea
Instruction Fuzzy Hash: 5C312965B1AE478FFBA6E33C45517756AC2DF9A610758A079D40EC32DAED18EC0943C0

Function 00007FFAAC6457AE Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594667646.00007FFAAC640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac640000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdef7267b2340b512ffc575268d0f845a99d8d22b5aa24082ebbdb1ef9408ece
Instruction ID: 970217a4b76d882066c4eaf4a2e535dffe930b98a0db0361a8a53f57c10245d1
Opcode Fuzzy Hash: fdef7267b2340b512ffc575268d0f845a99d8d22b5aa24082ebbdb1ef9408ece
Instruction Fuzzy Hash: 6D215A62B1AE4A8FFADAE32C415573966C2DFCA610755A17AD40EC32DAFC18DC4603C5

Function 00007FFAAC599A79 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 782aa84c99b5bc97f11a37f0a9bee2fb4fda919874d096712ca7831d35becd86
Instruction ID: 6b7796bfe6fe455599f0a75d90c6053b6c4ceaf7e6480733b2700a2df4eba98c
Opcode Fuzzy Hash: 782aa84c99b5bc97f11a37f0a9bee2fb4fda919874d096712ca7831d35becd86
Instruction Fuzzy Hash: 2621D931A1EB599FEB69A72C5C164A8BBA1EF9721074441BFE04DC3193CD1D980983D1

Function 00007FFAAC587390 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61e36132cda3f71dcbf186652318a1ea36b85352c1ab0492616705ed2e46ddef
Instruction ID: 3f8d8d68b4ad6ae211e81a931d887d8b9b9c26ea985aafba79b531630b1e760f
Opcode Fuzzy Hash: 61e36132cda3f71dcbf186652318a1ea36b85352c1ab0492616705ed2e46ddef
Instruction Fuzzy Hash: 5231F82161DF4A8FF781EB2C9454575BBD1FF99214F0442BBE84CC32A2DE68DD858382

Function 00007FFAAC645160 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594667646.00007FFAAC640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac640000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69d7bb298b759d6ed5d22d7e960f597958ac28acf28522facc0952b1c5ca7d81
Instruction ID: f8b07eac7318de88ed9ee611ee8edb090354a59710807abe15addd878b5b23bb
Opcode Fuzzy Hash: 69d7bb298b759d6ed5d22d7e960f597958ac28acf28522facc0952b1c5ca7d81
Instruction Fuzzy Hash: 2E213761B1EE4B8BFAE7E32C465077566C2DFDA200B58A17AD40EC3396ED18DC0543C1

Function 00007FFAAC64522F Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594667646.00007FFAAC640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac640000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6582cb08324448268a4d06043dd5c6389d592a6585e875102e40553134f1455d
Instruction ID: 21fceaac10ff9c19552c060ecd8bb7deea0a9989833077629f96d52d7ab0250b
Opcode Fuzzy Hash: 6582cb08324448268a4d06043dd5c6389d592a6585e875102e40553134f1455d
Instruction Fuzzy Hash: D2213721B1EE4B8FFFD6E32C4115739A6D2DF9A200B58A07AD40EC3396EC18DC454381

Function 00007FFAAC590CD3 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfab22676ff351639f9734d3b0697ddf7ca0bd72f95406c149ddbc088090f479
Instruction ID: 94ca6c1bfc0348ec4a85833ee92c68e041b9e510a9d9f205242e7747c31b4bb4
Opcode Fuzzy Hash: dfab22676ff351639f9734d3b0697ddf7ca0bd72f95406c149ddbc088090f479
Instruction Fuzzy Hash: F821F732A0D7494FD799DF6C94156BA7BE0EF9A321F0445BFE04EC32A2CE2598448745

Function 00007FFAAC59AE7D Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b023d214d0916ee2e9d629e9d27988c5861714cde327c7ad347aa0a5b4ed390
Instruction ID: 40ba989e51a632656474a00711c1680077e4be30ed980fdfa701ae114a38967e
Opcode Fuzzy Hash: 9b023d214d0916ee2e9d629e9d27988c5861714cde327c7ad347aa0a5b4ed390
Instruction Fuzzy Hash: 61318034519A4E8FEB84EF28C454BAA77E1FF55300F0084A9E41EC7292CB39E8158B80

Function 00007FFAAC582952 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 130f15f6cbc0a773da199ca3ccc327006f3d87863a2b65e1ee6b5174b3eec23d
Instruction ID: 7c847e22b3320cc751f45737a432c279dbcc4e36ab03f6f743741838c2f198f9
Opcode Fuzzy Hash: 130f15f6cbc0a773da199ca3ccc327006f3d87863a2b65e1ee6b5174b3eec23d
Instruction Fuzzy Hash: 2C312751A29A4B8FE794E7288451AF9B7E1EF6A300F04C176D04FC75D7CC68E84A83A1

Function 00007FFAAC583169 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a42c46698d55de256e9e49353a916255ca42b8023ff3c2b993a3f9fc8d51c58
Instruction ID: f9b26514ec738ac994e1e2102e36df23e44073cba22138b2d63602d1b342217a
Opcode Fuzzy Hash: 3a42c46698d55de256e9e49353a916255ca42b8023ff3c2b993a3f9fc8d51c58
Instruction Fuzzy Hash: 3B31B031909B898FD789EB28C4156A97BE1FF9A314F1441BAE00DC7292DA34E806CB91

Function 00007FFAAC599915 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33defba5e8847f245aa5185e04cd5d3d002c5c38e59efef3c513f1c090be6fd2
Instruction ID: 8b4ef15459ea08d0afd804aeaf686f1a5d7068a9165a093e1db5b1bbaedf976f
Opcode Fuzzy Hash: 33defba5e8847f245aa5185e04cd5d3d002c5c38e59efef3c513f1c090be6fd2
Instruction Fuzzy Hash: 4721E471A19A4D8FDB85EB78C8999A97BF0FF5A31070441ABE04EC7262DA24D845CBC1

Function 00007FFAAC58D475 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73c2a796016d873adb3968825c78c3a3e484a9a1755d018feea0c1ebe4cf0c5d
Instruction ID: 883e00c822691528aa3b7931f67a377f5b4daa335364b70f98a8e6ddf3224d0d
Opcode Fuzzy Hash: 73c2a796016d873adb3968825c78c3a3e484a9a1755d018feea0c1ebe4cf0c5d
Instruction Fuzzy Hash: 1931267058E9878FF7698328D46467576D4EF87210F1880BAE44ECB1E3DD58FD858B81

Function 00007FFAAC583FB4 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c4d4fc6c06ba0aad0e509bffbf6544c87135289b3b86ef1f8cd018bcd53810b
Instruction ID: 89fd7e738a01a5200ee58e567bb89b304fdd9383157da957a16b208aa1b3a3a0
Opcode Fuzzy Hash: 0c4d4fc6c06ba0aad0e509bffbf6544c87135289b3b86ef1f8cd018bcd53810b
Instruction Fuzzy Hash: 57214B21A0DB4A8FF398972CA81A6B577D5DB97260F0441BEE88DC7193DD14EC4783C2

Function 00007FFAAC5A20C5 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f8442da230272bd56b06571053a732fad02540ff723fdec6cd53c5cf20079f6
Instruction ID: dc429776622d2cb242aa3903c630d81a169e70b015b61c972b9fb1460c5ba700
Opcode Fuzzy Hash: 1f8442da230272bd56b06571053a732fad02540ff723fdec6cd53c5cf20079f6
Instruction Fuzzy Hash: 1E31752094E60A8FFA98DB158C52B6873A5EF57700F5480F9E44DD3282CD39ED4D8BC1

Function 00007FFAAC6439C8 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594667646.00007FFAAC640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac640000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4fb7efc0fc861833d8631f6404eefb783516c596cd55b5399ca391e59d23e79
Instruction ID: a3f31203ed962ae4f41fc17433c380f149e80c1f6c0aaf403b0062d22fd54aef
Opcode Fuzzy Hash: e4fb7efc0fc861833d8631f6404eefb783516c596cd55b5399ca391e59d23e79
Instruction Fuzzy Hash: ED212512B1EE4A4BFBE6E32C4555679A6C2DFDA210759A17AD40EC339AFC18DC460380

Function 00007FFAAC5A0501 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49003dfe5332c134f5430f1a325b0f9193966532058a4816708ca0d8d6d626bf
Instruction ID: 5e5786aa29e2fce1a2c2228bebe3ad2abef511aacc886467d44f33a3d24bebc6
Opcode Fuzzy Hash: 49003dfe5332c134f5430f1a325b0f9193966532058a4816708ca0d8d6d626bf
Instruction Fuzzy Hash: 9C21F63171EE459FE799DB3C8455A65BBD0EF5A30071441B9E00EC7693CE29EC45C781

Function 00007FFAAC59EEA9 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d968df10aef0172cec6857578dbcbe296f89ebccb0a454c810ef4d2cffe824fe
Instruction ID: 8793f57cbe0bb27ecdf94ee23f64daf3442c99dca38b46d1a1fc7b3a49f336bc
Opcode Fuzzy Hash: d968df10aef0172cec6857578dbcbe296f89ebccb0a454c810ef4d2cffe824fe
Instruction Fuzzy Hash: 09213A2151DAC74FD716A7288451AB6BFE0EF57214B0542EEE08EC31E7CD5DA40AC385

Function 00007FFAAC64286A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594667646.00007FFAAC640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac640000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a0e49a360a208a291940e4554c38c023bc8573bdd187861a1eefe41859fd65d
Instruction ID: fdcc4308874d135811857fa8bb91fe6f3988bd3c568fc1df3715436d483c57fb
Opcode Fuzzy Hash: 8a0e49a360a208a291940e4554c38c023bc8573bdd187861a1eefe41859fd65d
Instruction Fuzzy Hash: D1216A51B19E4A8FFB96E33C455463967C2DFD9200B68A179D40EC33D6ED28EC0943C0

Function 00007FFAAC645957 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594667646.00007FFAAC640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac640000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e62711de916c9bae4b65b44a51a7457c6ad06f67250e1591e2e3f2fbca465c6
Instruction ID: 66b0cf9c7896ea9480f398cdba6db4161a01cc186080a2af466fb1185201aa96
Opcode Fuzzy Hash: 1e62711de916c9bae4b65b44a51a7457c6ad06f67250e1591e2e3f2fbca465c6
Instruction Fuzzy Hash: 12216A21B1AE8B4FFB96E32C4165739A6C2DFD9210B59A079D40EC33D7ED18DC050380

Function 00007FFAAC6439B2 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594667646.00007FFAAC640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac640000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f2e9655ef1cf01b5328f7a78825c3635bf1d6a03c1c95d27bff1d75766b387d
Instruction ID: 8df5aff2a2d76501b41a730122419e5782bb2c7baac54c89d4b3bf0a62675956
Opcode Fuzzy Hash: 2f2e9655ef1cf01b5328f7a78825c3635bf1d6a03c1c95d27bff1d75766b387d
Instruction Fuzzy Hash: 0C213652B2EE478BF7A6D32C865267967C2DF8621075961BAD00EC3296FD18DC464381

Function 00007FFAAC64369E Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594667646.00007FFAAC640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac640000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f3382995a6c23dde0c3ca1a9608554a2e796c86f17925af475b51404ef6dbad
Instruction ID: 5059c876919b827b7b4a4731f55ba3916dcc73027adf552896e89c5079770be5
Opcode Fuzzy Hash: 0f3382995a6c23dde0c3ca1a9608554a2e796c86f17925af475b51404ef6dbad
Instruction Fuzzy Hash: 18212851B1DE4B4FFBD6E32C455567566C2DF9A210758A079D40EC3396FD18DC0543C4

Function 00007FFAAC5A0F98 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd294d0a35001ff3f285304fa5968cb01cbcfef85aa76b077d9cc25e667b8bfa
Instruction ID: 4e742eecbaab929ea8db64d02838382bebdcb7a84067f443a07a87f8b79270e0
Opcode Fuzzy Hash: bd294d0a35001ff3f285304fa5968cb01cbcfef85aa76b077d9cc25e667b8bfa
Instruction Fuzzy Hash: 1321503061DA498FE784EB1C8488A697BE1FF9D311F5445BEF04EC72A6CE29D8458B81

Function 00007FFAAC645565 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594667646.00007FFAAC640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac640000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dfd45dea1c9d996260cab7be4eebd04a93174853b2c24ff65b148c3b8d1203e
Instruction ID: b4dbf60b26d61289a4e5b012e692dfc63fd8397ed2838a0090a3b7238ab7acf4
Opcode Fuzzy Hash: 2dfd45dea1c9d996260cab7be4eebd04a93174853b2c24ff65b148c3b8d1203e
Instruction Fuzzy Hash: 25210721B1AE4B8FFB9AE33C4555639A6C3DFDA200759A079D40EC3396ED28DC054385

Function 00007FFAAC644667 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594667646.00007FFAAC640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac640000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b57d0b493d68a6c7c58ce159f48fd2827c35c4bf89cc0f88f8f074c7610b3043
Instruction ID: ba013ea63159f382020830e16829fa1632940d0a076db005b4c5a58bb9703c08
Opcode Fuzzy Hash: b57d0b493d68a6c7c58ce159f48fd2827c35c4bf89cc0f88f8f074c7610b3043
Instruction Fuzzy Hash: EE21F511B1AE4B8FFAE6E72C4565639A6C2DF9A200769A07AD40FC379AED18DC054380

Function 00007FFAAC587750 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85d13a47d2b8d781c50fcc7a012adf1412793cfbe1260f81c42579937e1cbf72
Instruction ID: 690a58e26b8cf479c4042529ee92bcbc24bb26b820cb0c16f1660a8ca4e4a23e
Opcode Fuzzy Hash: 85d13a47d2b8d781c50fcc7a012adf1412793cfbe1260f81c42579937e1cbf72
Instruction Fuzzy Hash: C2113A23B5DE0F8BF6A8965CA84587577C5DB863A071542B9F00EC3296DC14EC0683D4

Function 00007FFAAC58C776 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daa77c6f7b03910f73fdbebfbbf1d779c089c33647e4fa277452729546a85f9a
Instruction ID: b8ea382ab3230abe6600ce9f24b0807585fa692ad045ed61ace588e161348462
Opcode Fuzzy Hash: daa77c6f7b03910f73fdbebfbbf1d779c089c33647e4fa277452729546a85f9a
Instruction Fuzzy Hash: 8021368361DE8A4BEB89E33C84556B567D1EF9A210F0481BFE04FC3193CD08E9094384

Function 00007FFAAC6448CD Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594667646.00007FFAAC640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac640000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5b378f2b48a7479f02e8f6fefbab452f3061f43720fc97422990df9e29a2a77
Instruction ID: 0864a10eb74af9a826de0250bf0451b785bb71a580ee615b04e5a2ebcd4b6c8f
Opcode Fuzzy Hash: c5b378f2b48a7479f02e8f6fefbab452f3061f43720fc97422990df9e29a2a77
Instruction Fuzzy Hash: 7D213712B1AE4B8FFAE6E33C4551635A6C2DF8A200B69A079D40FC3297ED28DC0543C4

Function 00007FFAAC643A97 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594667646.00007FFAAC640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac640000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 125c6f2382679e8a1a5c168cc376b8d78d7cf0ff0bf2a580dbdbbb2ebe4c3311
Instruction ID: 4eaf745453fadafa005af7c404cbb5d2679d1ac87adf7ee176e4ed5b33d00a33
Opcode Fuzzy Hash: 125c6f2382679e8a1a5c168cc376b8d78d7cf0ff0bf2a580dbdbbb2ebe4c3311
Instruction Fuzzy Hash: FA214C21B19F4A8FFBE6E32C4551679B6C2DFD9200B55A179D40EC32D6FD28DC454381

Function 00007FFAAC643CF7 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594667646.00007FFAAC640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac640000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f80fa97ae72f01088a3d223911c4de6c27cc22d090e0b06c0b0be9b6d090693c
Instruction ID: 0a985f72d50a1c290505ae72d3842e9907b7520fe5aa867a1a5cebf29addd8be
Opcode Fuzzy Hash: f80fa97ae72f01088a3d223911c4de6c27cc22d090e0b06c0b0be9b6d090693c
Instruction Fuzzy Hash: D7210721B19F4A8FFBE6E33C4551A3576D2DF8A600B59A179D40EC329AFD28EC054385

Function 00007FFAAC6426E9 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594667646.00007FFAAC640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac640000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f3c0b1a2f601353a3f1417ce902ca426817741aa8392854bf1851d7067e727e
Instruction ID: 14e765e04e1e828f80bbf70d73cb2bc65fe0ae7231cb9645ccefb6e0a6d3d100
Opcode Fuzzy Hash: 3f3c0b1a2f601353a3f1417ce902ca426817741aa8392854bf1851d7067e727e
Instruction Fuzzy Hash: 6C213711B1AE4A8BF6E6E32D4151635A6D2DFD9210B68A079C40EC3396ED28EC454385

Function 00007FFAAC6432B5 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594667646.00007FFAAC640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac640000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b1a34dce114a384a0be109f3ebf4ad64da7a6c56f1b94bd2601baee797b014a
Instruction ID: 5df40a2bc54c4a96f3bd9ec81bdcf0cc10fda14d714b9a776deb1eac88dbfa31
Opcode Fuzzy Hash: 6b1a34dce114a384a0be109f3ebf4ad64da7a6c56f1b94bd2601baee797b014a
Instruction Fuzzy Hash: 40210A11B1EE4B4FFAE6E32C4551639B6C2DF9A200B59A079D40EC339AED18EC0543C5

Function 00007FFAAC642566 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594667646.00007FFAAC640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac640000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b711f6815b3898cfb4e378beb0fd95ff79c487caff78ad0bc24e1e33233ec8e7
Instruction ID: de2ee90edd1e7c88876bca077dd8b52ed2385c1903667d9484c9e42775487cdf
Opcode Fuzzy Hash: b711f6815b3898cfb4e378beb0fd95ff79c487caff78ad0bc24e1e33233ec8e7
Instruction Fuzzy Hash: 3F212951B1AE4A8BF7DAE32C456563962C3DFD9210B65A07AD40EC32DAEC18DC4A03C5

Function 00007FFAAC59A710 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58286b7b0ca8b1acc28f1267fe4f29069e8702a155571cdd673d4a960f67562c
Instruction ID: e3d70b994b232e8a25282da767cd228f7d6d77c5020b210e1db73dac063e6ef0
Opcode Fuzzy Hash: 58286b7b0ca8b1acc28f1267fe4f29069e8702a155571cdd673d4a960f67562c
Instruction Fuzzy Hash: A021F631A0DA1A9BE75CDB1C94426B676D5EF8A710F00817EF44ED3282DD29EC0646D5

Function 00007FFAAC58A6D0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74817f636da7639398b3893f35da4666ebf5d0331c290c45d87620bfc1e8dbb1
Instruction ID: 5e3f77d5d9338a7b2aad34fe4cdaaf20a3e5adb62b8219f9fe7b1ff35e336f2f
Opcode Fuzzy Hash: 74817f636da7639398b3893f35da4666ebf5d0331c290c45d87620bfc1e8dbb1
Instruction Fuzzy Hash: 2721657190CA1C9FDB68EA58DC4A9F9B7F4EBA5321F00413FD44ED3211DA31A5498B82

Function 00007FFAAC583FD0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dc598c56b79335c3718a0476cdbcfc1a7b42cc7ad682fac1e17b577c81fa695
Instruction ID: 061431799e12f4b865790ce85b0273d1c86080411cdfcd2e6aa1d5045581a2b6
Opcode Fuzzy Hash: 2dc598c56b79335c3718a0476cdbcfc1a7b42cc7ad682fac1e17b577c81fa695
Instruction Fuzzy Hash: 0E11EC3171DB0A9FF698971CA81AAB633C9DB97260F04417EF84EC7292DD15EC4643C2

Function 00007FFAAC5A2399 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55a3b004c9808636448ce1c7f7ad77c68627272c8ef7387c9db55ce4094fbe5e
Instruction ID: 71ef36bd5118f715378233abe7bdd578f31477395b3f210719909e997d0f13c8
Opcode Fuzzy Hash: 55a3b004c9808636448ce1c7f7ad77c68627272c8ef7387c9db55ce4094fbe5e
Instruction Fuzzy Hash: BE21256155EBC99FE76647288C1A6B13FA8DB57620F0440EBE08CC71A3DD28AC4DC3D2

Function 00007FFAAC59AEA0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7be903beb2f808fe5472a453f2ff15eb015b0c89d353396b33c9741e9111f35
Instruction ID: 444beddd69dd19db7ff2f8f749834e51fc59118c5153e63c32e8204f7b12ba7d
Opcode Fuzzy Hash: e7be903beb2f808fe5472a453f2ff15eb015b0c89d353396b33c9741e9111f35
Instruction Fuzzy Hash: 26213E34618A4E8FEB84EF28C4547AA73E1FF59304F5045A9E41EC7296DF39E855CB80

Function 00007FFAAC587065 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2799970ff220a596d0d0953c0826e6ad03f7cd231d474c20b1fb2d7588902ff
Instruction ID: facf187305a900ae558af9faa968fc9b4686251d081e18381c3c307348a5bb27
Opcode Fuzzy Hash: c2799970ff220a596d0d0953c0826e6ad03f7cd231d474c20b1fb2d7588902ff
Instruction Fuzzy Hash: 8821372161DA868FE755AB1C94496B07FE1DBA6250F0849AAF8CCC72B2D819DEC5C381

Function 00007FFAAC5995DD Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6120d908c57acbc779ed5ea01693e0213023b97c82a3824f73aaf63ae895ae0
Instruction ID: 375d5350601676dd7e0890b81c675d954e55ce71c90ffb34d482e1bafc761ed5
Opcode Fuzzy Hash: a6120d908c57acbc779ed5ea01693e0213023b97c82a3824f73aaf63ae895ae0
Instruction Fuzzy Hash: 37312C70909A4E8FEB94EF64C8457FD7BA1FF59300F5484B6E41DC2286DE3AA9448B81

Function 00007FFAAC598BCD Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 342a718ddb270b0b853f3d2e7441829b8d1eadedac5e0d88fff1bd301559bf09
Instruction ID: b98e7079d697d5cb2dcd4bf0c4ce513515068905097a0769e72fff2942007e5e
Opcode Fuzzy Hash: 342a718ddb270b0b853f3d2e7441829b8d1eadedac5e0d88fff1bd301559bf09
Instruction Fuzzy Hash: F021815148F7C25FD35397B48C259927FE49F9716070D41EAE089CF4E3C54D994AC3A2

Function 00007FFAAC58E521 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cee6c33d5cb75566058d68ddd2fcf4c5c6cc7a1490a2e693395c73da736b7f6
Instruction ID: c07efe427bbdf4e28f7be401f516373b211568eca8cd2eb6b43dd221ad8c0828
Opcode Fuzzy Hash: 5cee6c33d5cb75566058d68ddd2fcf4c5c6cc7a1490a2e693395c73da736b7f6
Instruction Fuzzy Hash: 8321D17080D7CA9FE7459B6C88116B9BFF4EF4A300F0405EEE08DC71D3DAA495088785

Function 00007FFAAC598E7E Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4591e18b8740091063800560fdf0a5b81be9d05c58d161bc79039a50da272a40
Instruction ID: 257e77a39aa58115c13162510d68fec4fe471bb30760d68076287fe560bb5e36
Opcode Fuzzy Hash: 4591e18b8740091063800560fdf0a5b81be9d05c58d161bc79039a50da272a40
Instruction Fuzzy Hash: AD21384088F7C71FE39353B849655923FE58E47120B0E41EBE588CE0A7D48D884EC3A2

Function 00007FFAAC58CFC5 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fe36d40256e905f11c89ec8b97773b045a084893a5ef5fa256cf9734d330cd6
Instruction ID: 3151c712e45106409d541b0c581b832d6fc78bed3b4496e523f1cbf2acccca89
Opcode Fuzzy Hash: 8fe36d40256e905f11c89ec8b97773b045a084893a5ef5fa256cf9734d330cd6
Instruction Fuzzy Hash: E411910158FAC75FE34657B48C299E63FE5DF8711070D82EBE085CB4A3D84C599B83A2

Function 00007FFAAC5988C5 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98b350edd945260df3401cb0796b8d4be34105b1245801bc546fd3e692578dc6
Instruction ID: b8cc0efda34e8007691c255dcfb937782b5a66a31df555e3a6bc4cf6e5f9e7e7
Opcode Fuzzy Hash: 98b350edd945260df3401cb0796b8d4be34105b1245801bc546fd3e692578dc6
Instruction Fuzzy Hash: C5119A42A4FB8B4FE786A37808265646BE09F57290B0944F6E04CCB1E3DD4C9C0983A2

Function 00007FFAAC642C8B Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594667646.00007FFAAC640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac640000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adc8ce70da95f299dd60e09341c529c9557b3dc31dddd5759364744dc572a578
Instruction ID: e0fa26967720e930bb31853fc5955e75563d4a0992f831a23d195e7b7ff47650
Opcode Fuzzy Hash: adc8ce70da95f299dd60e09341c529c9557b3dc31dddd5759364744dc572a578
Instruction Fuzzy Hash: 4E113822719E4B4FFBE6E32C8150B39B6C2EF8A200B6961B9D40EC36D6ED18DC414380

Function 00007FFAAC644A86 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594667646.00007FFAAC640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac640000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2651069ee704371fd1cd37ea420d099abd4273a18d336eea6384ce5a3ea80ec2
Instruction ID: c529a61d9fdfb6aa8aff6108b4732c32527a0047ae272369779a351c33ca8f76
Opcode Fuzzy Hash: 2651069ee704371fd1cd37ea420d099abd4273a18d336eea6384ce5a3ea80ec2
Instruction Fuzzy Hash: AC115761B0DE4B8FF7A7E33C4152679A6C2DF8A200B69A0B9D40EC32DAED18DC454385

Function 00007FFAAC642963 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594667646.00007FFAAC640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac640000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d4b8aae12245e53886a549ae35a4ab54cee102c1911be28ac546b1d30cf9205
Instruction ID: f23695c0c116f38c52d5655825a0fd6f14601b0c768430f223ca937cc333396c
Opcode Fuzzy Hash: 0d4b8aae12245e53886a549ae35a4ab54cee102c1911be28ac546b1d30cf9205
Instruction Fuzzy Hash: A4112E6171DE4B8FFB97E32D8150639B6C2EF8A200B69A179D40EC32D6ED28DC454385

Function 00007FFAAC645A4F Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594667646.00007FFAAC640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac640000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 215e7331cbac992fd77f134d31e42f30b27561f6299e05b3b9e67c6467880ada
Instruction ID: d8d1e17c66549bfbd4c7f11770e2c7ef790ace03ec151a3d9583bf33c3d04d44
Opcode Fuzzy Hash: 215e7331cbac992fd77f134d31e42f30b27561f6299e05b3b9e67c6467880ada
Instruction Fuzzy Hash: 301104A1B1AE4B4FFBA7E33C4551739B6C2DF8A200B59A0BAD40EC3296ED18DC454385

Function 00007FFAAC599760 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 352b37d7c857bc5e64ab7d04eee08dc56624daee0bdb6e7ccff92112abbb8939
Instruction ID: bb9fb9b632e9da89c0f2c47c312582d42593ee9e593dab33dba71da3380130cb
Opcode Fuzzy Hash: 352b37d7c857bc5e64ab7d04eee08dc56624daee0bdb6e7ccff92112abbb8939
Instruction Fuzzy Hash: B2118631A4DE8E8FEB85EB2C94116B977A1FF9A310B0441B6E40DC7292CE39DC0987C1

Function 00007FFAAC58D3F5 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cff1d68242fd98553dbb2006a4819891cfd4e686e136d23ef45e937f7d41860e
Instruction ID: f5721406419f048382c7c90a40f8db51a546d96041d2ba36329029031183af85
Opcode Fuzzy Hash: cff1d68242fd98553dbb2006a4819891cfd4e686e136d23ef45e937f7d41860e
Instruction Fuzzy Hash: 53119E2158EBC65FC34797748C20AA17FE5EF8B11030941EAE089CB6A3C91D994BC761

Function 00007FFAAC582468 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7d2327083fe58e7c2ba2b1c409b1b815b4ad72f828c9ab8a5eb160562b1397b
Instruction ID: 7f7027af81d5a60791d260e198f81ce6da37b7ce16dd977b1c7ff4504970a73d
Opcode Fuzzy Hash: a7d2327083fe58e7c2ba2b1c409b1b815b4ad72f828c9ab8a5eb160562b1397b
Instruction Fuzzy Hash: 16110622A9E5838BF715973458145E57AD4AF83310B5882FAF44DD71A3ED0EE88AC3D0

Function 00007FFAAC59159D Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93ae214d3aa08006259e76d96339e702cebbe5d0b72de56191109ab3f0c127a2
Instruction ID: 540464fdf28fa53e24bfbe795190bd9bdb1c7136d73535702ada9c22cecd1dd6
Opcode Fuzzy Hash: 93ae214d3aa08006259e76d96339e702cebbe5d0b72de56191109ab3f0c127a2
Instruction Fuzzy Hash: D311E671A1DB8A8FE795DB38C494A657BE0EF59300B0845EDE44ECB2D3DD19E808C780

Function 00007FFAAC5865F1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a865432c7a8580f710cd722b8caef9720be85fc49e232ce4a4d390f050e297d
Instruction ID: 404601f73ca9597526bfdb6290d33ab0ee8c3900a2287f9992e20050fc5d4e75
Opcode Fuzzy Hash: 0a865432c7a8580f710cd722b8caef9720be85fc49e232ce4a4d390f050e297d
Instruction Fuzzy Hash: CA11A33184964ACFD741EBB4C815AEABBF0FF06300F0546FAD059C7462DB789545CB91

Function 00007FFAAC59A495 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2ceb02f1698aa15cffa9a94c411ada9a245df4131eb0e6c016089b0943b5c50
Instruction ID: b31f1f022b95221166dd5fa9a46c6195e5ceb06a79f70f89f378d120f9fa5e19
Opcode Fuzzy Hash: e2ceb02f1698aa15cffa9a94c411ada9a245df4131eb0e6c016089b0943b5c50
Instruction Fuzzy Hash: 7911E33188E6C34FF716532058164E13BA8AF43310B0A81F6E48CDB0A3D80EE98A83E1

Function 00007FFAAC5A5EAB Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30685a9b34f8f8136a9c4ee4c9827a52f6bd01423541059c33d882b98882c3df
Instruction ID: 1133724309785338149941379325f23a07d2fa8e1b636806739ec8e8e1a230fa
Opcode Fuzzy Hash: 30685a9b34f8f8136a9c4ee4c9827a52f6bd01423541059c33d882b98882c3df
Instruction Fuzzy Hash: 1F01F572B0DA484FEB19966CA4068A97BE1DB9B720B1501FFE04DC7193ED15EC0A83C0

Function 00007FFAAC5A0D65 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e17d77019013661d84a3ae0c175a675997676cca8a14a7ee65a8fc1533c37f0
Instruction ID: 7f14ef968db9ba429bdecdec1f5da38b99d2baac2b0e9254f5306c9111fbf01c
Opcode Fuzzy Hash: 7e17d77019013661d84a3ae0c175a675997676cca8a14a7ee65a8fc1533c37f0
Instruction Fuzzy Hash: E101DB22A6EF478FF789932D1429274A9C1DF87610B0480FAE00EC71D2DD2DDC4943D1

Function 00007FFAAC5915B0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2862ae93a0332a5079a56b29fbc9c2bdd233958ed49f29b4a7883217b64345cb
Instruction ID: 6ac980ce251796983908332ef8c5f10ff2531ba555d565a70244470eedc34fe9
Opcode Fuzzy Hash: 2862ae93a0332a5079a56b29fbc9c2bdd233958ed49f29b4a7883217b64345cb
Instruction Fuzzy Hash: 1A110671A19A5A8FE798EB38C094A6677E4EF59200B0445FCE44FC72D2DD19E809CB80

Function 00007FFAAC5A4A60 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75b885d2c43bdfb359a71442d71f0ba25c7d92a61413266f3a029c740926482d
Instruction ID: f200b3cf10d2ae275ab5f33d6f27ee6e8d1d0bbd67406bd9534b68105e313239
Opcode Fuzzy Hash: 75b885d2c43bdfb359a71442d71f0ba25c7d92a61413266f3a029c740926482d
Instruction Fuzzy Hash: 73F0C87260CA185EA71CA529AC0B5F773D9D786631B00013FE48ED3152ED21BC1746D5

Function 00007FFAAC5A0D42 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca6a38692bf565b1ce0633513c8b5016d004c23de810c0027f014a9a4033340f
Instruction ID: 8625d10fc8e132ede8e8e2bf6b0c22560befe58aafac5e26d36bbf516be74e95
Opcode Fuzzy Hash: ca6a38692bf565b1ce0633513c8b5016d004c23de810c0027f014a9a4033340f
Instruction Fuzzy Hash: 8D01A712A5EA4B5FF749937924692B8AAC1DFC7614B5880FAE00EC71D2DD2DE84983C1

Function 00007FFAAC59C229 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9b52b9fdc66803449154913bb4c9f532e4391c68c013e5dd4709e19dd81c4b2
Instruction ID: 4d10f433b1083c3ba141a7656dd5fa322d6cc01f21b643b595e2fb2dd98e9684
Opcode Fuzzy Hash: d9b52b9fdc66803449154913bb4c9f532e4391c68c013e5dd4709e19dd81c4b2
Instruction Fuzzy Hash: 9701A211A1DF8A0FE796E77854959F2B7E1DF9A21030982FBD04EC31ABDC18E8498385

Function 00007FFAAC58223A Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b340ed3dae3d0249550375f6a6f8ea6c05d88960f0edff74dfba5169b1a28d46
Instruction ID: c568011715463a512289c4d0d1caac633c8c52a0b0eee18fe633437d6e5812ff
Opcode Fuzzy Hash: b340ed3dae3d0249550375f6a6f8ea6c05d88960f0edff74dfba5169b1a28d46
Instruction Fuzzy Hash: DD01266180EBCE6FE75297788845AB6BFF4DF56200F0544E7E44DCB193C824A608C392

Function 00007FFAAC58D099 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da6adad1d2946ed4f41b648b76f48bfee7331b727012245bf1ca4704bff6aeb7
Instruction ID: 14868426572e1329b48918a118ff501bb3422ac05a79eea58c4fc271907d9fa6
Opcode Fuzzy Hash: da6adad1d2946ed4f41b648b76f48bfee7331b727012245bf1ca4704bff6aeb7
Instruction Fuzzy Hash: 6301D67190D7858FD3059B28941106ABFF0FB8A314F0506BFF4CDD7252DA289A058796

Function 00007FFAAC598965 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 452b82c7f7249f300fdb7b0acd57d4dbe7653bf8955944e986c3a132625c6602
Instruction ID: 351307807e96d5670ca39f2cfd955b77374c6fcbb4fcefa71631eeb89ecdb015
Opcode Fuzzy Hash: 452b82c7f7249f300fdb7b0acd57d4dbe7653bf8955944e986c3a132625c6602
Instruction Fuzzy Hash: 16017C5190F7C74FF356A37848299A17FE49F57150B0985E7E088CB0E3D94CD94883D6

Function 00007FFAAC58D551 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a973c46f05b0347d8d3e06729e71aa8a45ec8f08040e07e32c84cb19c1948db
Instruction ID: 17a8beacca98b7bc268b72ff6ef7e31682a21780bf6cdb39844521e1be589ef8
Opcode Fuzzy Hash: 6a973c46f05b0347d8d3e06729e71aa8a45ec8f08040e07e32c84cb19c1948db
Instruction Fuzzy Hash: E8F0287184D68E9FE345CF584C09AF63FE9EF56241F09416BF00DC7282CA249508C7D0

Function 00007FFAAC599A1A Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 360a15f70767583edad8fd1cd7659e0060a6827994d79918a50ccd701876ef33
Instruction ID: 06fd1e634a5908a61827f21927188094952b55ecffdd5f57b21ea30e9bee101c
Opcode Fuzzy Hash: 360a15f70767583edad8fd1cd7659e0060a6827994d79918a50ccd701876ef33
Instruction Fuzzy Hash: A6016D5188F3C25FE767977448698A17FE58E4312074A81EFD5C9CF4A3E84E844EC362

Function 00007FFAAC5822AD Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a8e735ce15ae871fca12549fae9309baff96ada0aa4a0dcfed11d93fbf9b7b4
Instruction ID: 92c296b64e55c230652bb9a95fab604db96175a1ea0406f5dc5ff306966f4329
Opcode Fuzzy Hash: 3a8e735ce15ae871fca12549fae9309baff96ada0aa4a0dcfed11d93fbf9b7b4
Instruction Fuzzy Hash: C40126A1D0D6CE9FE755DB7448594F97FF4EF6A210F0445E6E00EC7092DA389A488341

Function 00007FFAAC5821D3 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f4f5535f180219cacf7a7ff6d26f33e76e5a9a6a0107b79f7b29fa1751eafab
Instruction ID: b71b1b4a19b6cfaeab4a69b0561fd86626ee4feb1298d23e6116d138281440f5
Opcode Fuzzy Hash: 3f4f5535f180219cacf7a7ff6d26f33e76e5a9a6a0107b79f7b29fa1751eafab
Instruction Fuzzy Hash: 7FF059136CEC0F1BF244B68D6C815F1B784E791330F58413AD60DC2081D489E91A13D0

Function 00007FFAAC586620 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e12e5e2f0c878f536d0eeabe0dd3eb40f2cf32a808b4023d72f844a3503b795f
Instruction ID: 504cb8a60da59a667cbc9f4aa50645672c50d03c76f5cff79f797c935975482e
Opcode Fuzzy Hash: e12e5e2f0c878f536d0eeabe0dd3eb40f2cf32a808b4023d72f844a3503b795f
Instruction Fuzzy Hash: 5EF03C71D05A1E8EDB94EBA8D8056FEB7F4EF09304F40496AE01DD2191DF75A9448BC1

Function 00007FFAAC5A1454 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cfcb122e203aaea4f11cd638be9b94a651274ab36c7090bd4959d0f313bbede
Instruction ID: cc3e347766097e05b0dafd95ab2eb1b3655d205a6e4874b6b1d1b842bc3e60fb
Opcode Fuzzy Hash: 5cfcb122e203aaea4f11cd638be9b94a651274ab36c7090bd4959d0f313bbede
Instruction Fuzzy Hash: F0F02813A4E6C78FE3628B386C591A57F55DF93014F4841BED18DCA1D3D855D84A8382

Function 00007FFAAC5A1616 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8050d1263b4db3cab38a15e8915b5814d6990969d43ba4d83c811adf7735af5
Instruction ID: 71507e5bb0714a6b3201ce357ecd4388b9f1ea7d326e68ddf5b4057f08b5beca
Opcode Fuzzy Hash: a8050d1263b4db3cab38a15e8915b5814d6990969d43ba4d83c811adf7735af5
Instruction Fuzzy Hash: AEF0F622F4DB0ADFE6A49A1D68491657386EF95600F58417ED00DC3586C835FD8583C1

Function 00007FFAAC583050 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 188ec1ce979d61160e3dd02fe7151a89e013c0869198429b8deab6a75ca9887a
Instruction ID: eeecf2b7bd0950520470ab856a276572226a4acb71b1d1e8f9314248e4a0069a
Opcode Fuzzy Hash: 188ec1ce979d61160e3dd02fe7151a89e013c0869198429b8deab6a75ca9887a
Instruction Fuzzy Hash: 3FF05931A19F4A8BF7989B3C9005232B3D0EF45205F1044BDE84DC7592EF25EC424381

Function 00007FFAAC59DC9C Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f45842320e8a008e92d556ec9090f1b0b94ef3c758bf2c4e051be99783346e4d
Instruction ID: 6b6f21ff0004d84fbe0e21cc707c3a00ccb43ada5f50e5cb5e4ba13d19ed4c24
Opcode Fuzzy Hash: f45842320e8a008e92d556ec9090f1b0b94ef3c758bf2c4e051be99783346e4d
Instruction Fuzzy Hash: 88F08251B29D4B0BA689F77C9091AF992D2FFA4200754C1BAD00FC32AADD2CE84A4784

Function 00007FFAAC584D08 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f2c9ee740e5a1b91874dc35f6e70183993cf520a9932ded02db3b08ea280210
Instruction ID: b6a32a69b6dab26339deb724ae221eba6a83f028889716d025b3a25beb23d1b0
Opcode Fuzzy Hash: 3f2c9ee740e5a1b91874dc35f6e70183993cf520a9932ded02db3b08ea280210
Instruction Fuzzy Hash: 22F0FC3190DF198AF785E72840546B9BAD2DBC9254F484A3DE44DC61A1CFA8D68983C6

Function 00007FFAAC598912 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc669d412db3c3a1b9e9b25ecd947f30f6857176d87b986fa5b385b3a6208703
Instruction ID: 410ffb5c73c19bb4fa6025fbf382afa4a20fc5896397846d4109e12ea1e22282
Opcode Fuzzy Hash: bc669d412db3c3a1b9e9b25ecd947f30f6857176d87b986fa5b385b3a6208703
Instruction Fuzzy Hash: 45F0E241B1EA5B5FE6D5B33C581A9A8A9D0DF8A260B4445F6E04EC72E7DC0CCC0543C5

Function 00007FFAAC58345C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 616d6431ddb6218e7c04f87f23ef0078ad985a1db7db0bbaffc0483f62c14c1d
Instruction ID: d264ac5b2e0a3127d57beb3f7d0bfda0929293138c79a793355fc0a699baa70b
Opcode Fuzzy Hash: 616d6431ddb6218e7c04f87f23ef0078ad985a1db7db0bbaffc0483f62c14c1d
Instruction Fuzzy Hash: 94F0273140D60DAFE748EF09EC4A9FA77A8FF86220F00013AF44D82052D671A867C790

Function 00007FFAAC5997FA Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1a9297b9cb825e1eb36c361f3ae7db5f5905e04c7a9d0a58c59a152c030901e
Instruction ID: 072820285bef2f82da286168053be2d41d6cd988d4afda2d14c219eff35a35e8
Opcode Fuzzy Hash: f1a9297b9cb825e1eb36c361f3ae7db5f5905e04c7a9d0a58c59a152c030901e
Instruction Fuzzy Hash: 4DE07D3155CA4C8BDB40A65CA8004D5BBA4FB89308F00009EF54CC3141C2168915C381

Function 00007FFAAC58C749 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 720605de119b6750813d6eb0220a370c8afb3166c4a410dff7e816ef2911e468
Instruction ID: d7cdc3a4f139ea75c9b1d0ec198df8ee107d5754f7db83f83d117d1843b648e5
Opcode Fuzzy Hash: 720605de119b6750813d6eb0220a370c8afb3166c4a410dff7e816ef2911e468
Instruction Fuzzy Hash: C2D0A753AAAE4F46FE809B1C78511F5A3C8FB97168F409375E44ED304ADE19E60B02C1

Function 00007FFAAC640FB1 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594667646.00007FFAAC640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac640000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04d3bc571c529cc7607f19d6af6b332ab586e368318066a64f508379fc7a57e9
Instruction ID: a5807afec4e7b93cc9c00218f82eb3d8c44c98cdef9195142a4074e7cad8ac58
Opcode Fuzzy Hash: 04d3bc571c529cc7607f19d6af6b332ab586e368318066a64f508379fc7a57e9
Instruction Fuzzy Hash: EAD0C71571A82157F254228D68433B5B285DB89714F605436E90DC72CACCCEACC542E6

Function 00007FFAAC5993C6 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d12d6c6f45bec0f05575d307bb233526c179d3aa551eb2ecaf9229646f4138d6
Instruction ID: 62289de4106e8296ae26462ee53e258f15ac2a675be1e2885582418a3016d3cd
Opcode Fuzzy Hash: d12d6c6f45bec0f05575d307bb233526c179d3aa551eb2ecaf9229646f4138d6
Instruction Fuzzy Hash: D2C01216B8680E496950635570021FCB204DBC6215BC154B5E10DC2082CD5F281402C1

Function 00007FFAAC5928A3 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 071698123b5b2659ea59642cb8cb1d0272abbb1dfe4a355042d41a86ae84202c
Instruction ID: ffa3a20b99e6a84059f1f47cda9dba50b3f5eb8a791e4b5c7fc3e8c541bc0da8
Opcode Fuzzy Hash: 071698123b5b2659ea59642cb8cb1d0272abbb1dfe4a355042d41a86ae84202c
Instruction Fuzzy Hash: B9A00202ECB42F41A54421AD79420D9B28AC797171BC57EB2F90C8815AAC8F59DA02C1

Non-executed Functions

Function 00007FFAAC590EFA Relevance: 1.5, Strings: 1, Instructions: 202COMMON

Download Yara Rule

Strings

5&_^, xrefs: 00007FFAAC590F01

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID: 5&_^
API String ID: 0-1803669685
Opcode ID: 2ea1dac15246a36d5321080ee14c15b66aad95f8a10b16fc04e0fd229f3bb96e
Instruction ID: 3600208b51916a61ec6623aaefab6b70ac511f4c7a06db9463aa0e155a2ea794
Opcode Fuzzy Hash: 2ea1dac15246a36d5321080ee14c15b66aad95f8a10b16fc04e0fd229f3bb96e
Instruction Fuzzy Hash: 4B51B497D092634BE221B6BCF8624E63B90DF413397088173E2CD9E173DD19648A86D8

Function 00007FFAAC5810D1 Relevance: .6, Instructions: 580COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 304ee79ffd2b02b18aa13e60ab5f796955346115faeb32fb85c453cd7ee430df
Instruction ID: 771ef33bc5d68b0611ef06c4b7d59001d3a2a0f9c72268a09dbe881698512a7a
Opcode Fuzzy Hash: 304ee79ffd2b02b18aa13e60ab5f796955346115faeb32fb85c453cd7ee430df
Instruction Fuzzy Hash: 31F12F57D0D1A34BE62177BDB4A24FB7FA48F4223970C81B3E28DDD1739E08554A82D9

Function 00007FFAAC590E0F Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2594223055.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac580000_hKvlV6A1Rl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dfde25c8aee26255471de0eb025e391f72484caadf3e7cf46c21f661f2dd14f
Instruction ID: 5eac7731eed2ca4dc05a190cfb06c213e2555b4b011cb626ca23827aeaca5eb0
Opcode Fuzzy Hash: 5dfde25c8aee26255471de0eb025e391f72484caadf3e7cf46c21f661f2dd14f
Instruction Fuzzy Hash: F3918397D091634BE621B6BDF8624F63B90CF413397088177E2CD9A273DE18648A82DD

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report hKvlV6A1Rl.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Quasar

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
hKvlV6A1Rl.exe

Function 00007FFAAC59E399 Relevance: 6.1, Strings: 4, Instructions: 1091
COMMON

Function 00007FFAAC59B009 Relevance: 4.6, Strings: 3, Instructions: 899
COMMON

Function 00007FFAAC589621 Relevance: 2.5, Strings: 1, Instructions: 1247
COMMON

Function 00007FFAAC591B28 Relevance: 6.8, Strings: 5, Instructions: 537
COMMON

Function 00007FFAAC59E401 Relevance: 4.2, Strings: 3, Instructions: 455
COMMON

Function 00007FFAAC6401BA Relevance: 3.9, Strings: 3, Instructions: 140
COMMON

Function 00007FFAAC582440 Relevance: 3.0, Strings: 2, Instructions: 525
COMMON

Function 00007FFAAC583FA6 Relevance: 3.0, Strings: 2, Instructions: 506
COMMON

Function 00007FFAAC5917E5 Relevance: 2.7, Strings: 2, Instructions: 225
COMMON

Function 00007FFAAC640718 Relevance: 2.6, Strings: 2, Instructions: 144
COMMON

Function 00007FFAAC59D320 Relevance: 2.1, Strings: 1, Instructions: 872
COMMON

Function 00007FFAAC58FFA7 Relevance: 1.8, Strings: 1, Instructions: 558
COMMON