Edit tour

Windows Analysis Report
HquJT7q6xG.exe

Overview

General Information

Sample name:	HquJT7q6xG.exe renamed because original name is a hash value
Original sample name:	d0d221d0a152430a62531fd46b7c1f43721110da2bb3ee2f5688e484b143aceb.exe
Analysis ID:	1578206
MD5:	c549fe02bb65c0c2977c741c7ed4fd80
SHA1:	8475e459ba2fe572c53b08c061a5b24e074832a1
SHA256:	d0d221d0a152430a62531fd46b7c1f43721110da2bb3ee2f5688e484b143aceb
Tags:	51-15-17-193exeuser-JAMESWT_MHT
Infos:

Detection

Quasar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Quasar RAT

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Modifies the context of a thread in another process (thread injection)

Sets debug register (to hijack the execution of another thread)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

HquJT7q6xG.exe (PID: 1376 cmdline: "C:\Users\user\Desktop\HquJT7q6xG.exe" MD5: C549FE02BB65C0C2977C741C7ED4FD80)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Quasar RAT, QuasarRAT	Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.	APT33 Dropping Elephant Stone Panda The Gorgon Group	http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848 https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf https://asec.ahnlab.com/en/31089/	https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware Configuration

Threatname: Quasar

{"Version": "1.4.1", "Host:Port": "51.15.17.193:4782;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "1f6c9ecc-c030-43a4-bbf2-21326400cbb5", "StartupKey": "Quasar Client Startup", "Tag": "NEURO", "LogDirectoryName": "Logs", "ServerSignature": "VcdWXYvy8iyLGpEpemlpsJsFzopYmofL4QNr2feHUJsPL+ngY0C7JQYOq6aYbsAjgmj6IbwZJc1XmizrExnUy+PRbyzdhXn/sVtf0c5aKxd3dt4CKIH8RwhZ+1d8A1yWVaLG3EX77fUG0rpKK62u23rxy2xVXAHtbGpSKxFeRpC7f7sJTZn4Z0Y35tuiIHc4Rm0XPJsGN2gsJlMXuO03yXOGigqpHZKEtj94duYKUJkBGDRcs409u8AbVq5yFO/Z3naE7DUixrawBYsuYNTfV/JKK+8Z6Doi2G4pd/3xdzRGgvcHbvQUlJMvzwA3mfl5ftjQQEBZoznaWANAU/Ma/rkNbcz/Py1HRGprVPjyItNiGGVo8QW6x7kuMhGzKdB2rCq52h/1qHhjHwU1KvTzJy+dDY+t6YAg20GxbhxcZhrwrUECPcommE0TilwcEFKll2uVp5tNn4e75makywwAQv1QKo21YjGls2gLrh6M1FKr7l479IoJkbcZjeRZ8uh3yjyMEf5NJq0oSEuRI3ZPWuczPdKhg3+6KKWtTF5mkUd/2nycS0oUTFjgU+5XNTjvuz4MzJUikklL47VJzJ1Q9JWiNE/2Ple/eqh6VyQfE96cH433HJ2CJH+gAlQwaGWiJ7e0/NQuP5Cn3ocYaux65TLOpt3EyVjnOHH0ZKET/5w=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAMaTO8NkDssYwyYqpLth2zANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MTExMTAzMTk0NVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAjmhEECGx9fJQPcO/tgA+f+kThLAwzf77GITj6MUf+ipJ2FxfDkt1dClWH7x3waX33aitCeYrNHoVpriW1JVNqnzcZZOEu8fmtpxlXlSdBCdVxLNRp6CiJfafCuIfizorZpkBdERawzGdVD5Fmx6p7DSeAm6WV/V6vZROp0FCVmJ5IbSNIu0PHTjRVh0rcT3pt0+tlT/KceZhk5XM2ds5MqCKGpBYXTvWrWzkk8Alby/3M0QFvctC7YytuDOywU+Qj5bAFB7IAlIeJAGlWGoWb3pLL05N2SbfRYdJcucFpq72+MgmneoTxwovJwiUxvRQGUNBjpxZcUA4d+pHtGRvNAU95RxfirGTaWujfHX9um4mNBhYbMb/NRGC737GQV48ksMSEtcR4C9U1GGh/3Czr7S/GIew19pHtdHsnN5P+rn2wbVPlUgzwgcAeHFbVlD+Lguszs0AdHGwv9ZdkHPwBzmOx9YvDEYfEZM9AJk/hWuk85FXZTKMcDSG1ytHbAyGgjLOr8B1z36u3B1kRt+92uHqd06QjFu/ipVIitmGogem5nwTVthP7zLvbjFiv6omskGBu/55ByQicH5MCkDisJKU2ahOFOypbR5hxdodGS13+pQGFqg8cTe0gsnzfrwXKiQu1aYC394MW+z29OO5KK9NSN4bJ3zn4W7Sh5TbbHsCAwEAAaMyMDAwHQYDVR0OBBYEFB73KQ9dKRRykGrTP/ro/ucILFuYMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBACp7CqafH2O5tj6gVDE7FAhoQrPyBNMiQXpXZihG9DIoTHJgiDPuRhdSrVyPKldZ7EsSa52sse6QzmYrRnMOQmUZWP7Cu6QLtYc4IUcGRZWDaY2uVDsnXwyXIkxUHDGeeQG+f5/iBiKTMqy+6O0cIRqebMtTqvmob5yQggXp5CVXTbq+pb0DmcLsMbZbrWNviVC7QBXpwHyH24H7iv2aEEAAQorIg35v75Oen7nvFPGcKiaEjvTKvoce2j2OceW20QAaQlSBeSaOIsAyw1q1e6uIoC6PjDb0URbXV6LAJz5RjfinSiQuo0nLzRLRiecEOiBBhtXsMXBIs/jxGqMKT14QbXMVLX9STaDho5i0LAkypnYNjFznc40Ot/Xqx5pS9B/jBppVVNKjv//AdTbKa9WNUPTQZg91IAnXAE6FTSGwUSzGhmrf4WJfHLt0uITn/fOrZfL/enju+jnX3TKRU8N4BNakHcAv2XJh0qmDnmKBAHrq5rCNsSO6Bsl411FYxb3enXQAd6SNy+G/kx1Up4+jAg67bTZDlq38opVU0k0ZAxmLWHUHI1QbcnAhah0g40fW5UY9kijuWbxVea8K+arIRk4hBLqFLNkwoa5eEKg7+ErtUJeqR1Q8YJhCzqz8zQ5Rf0EdE40W9H4zsxgQUFmqAE/klrdI06pJLB3bjvwa"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2737361539.0000026625112000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.2737361539.0000026624F41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.2744510495.000002663DD50000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.2744510495.000002663DD50000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.2744510495.000002663DD50000.00000004.08000000.00040000.00000000.sdmp	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ef12:$x1: Quasar.Common.Messages 0x29f23b:$x1: Quasar.Common.Messages 0x2ab81e:$x4: Uninstalling... good bye :-( 0x2ad013:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
00000000.00000002.2744510495.000002663DD50000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadd0:$f1: FileZilla\recentservers.xml 0x2aae10:$f2: FileZilla\sitemanager.xml 0x2aae52:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab09e:$b1: Chrome\User Data\ 0x2ab0f4:$b1: Chrome\User Data\ 0x2ab3cc:$b2: Mozilla\Firefox\Profiles 0x2ab4c8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd44c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab620:$b4: Opera Software\Opera Stable\Login Data 0x2ab6da:$b5: YandexBrowser\User Data\ 0x2ab748:$b5: YandexBrowser\User Data\ 0x2ab41c:$s4: logins.json 0x2ab152:$a1: username_value 0x2ab170:$a2: password_value 0x2ab45c:$a3: encryptedUsername 0x2fd390:$a3: encryptedUsername 0x2ab480:$a4: encryptedPassword 0x2fd3ae:$a4: encryptedPassword 0x2fd32c:$a5: httpRealm
00000000.00000002.2744510495.000002663DD50000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab908:$s3: Process already elevated. 0x28ec11:$s4: get_PotentiallyVulnerablePasswords 0x278ccd:$s5: GetKeyloggerLogsDirectory 0x29e99a:$s5: GetKeyloggerLogsDirectory 0x28ec34:$s6: set_PotentiallyVulnerablePasswords 0x2fea7a:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
00000000.00000002.2739601417.0000026634F41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.2741164507.000002663D729000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: HquJT7q6xG.exe PID: 1376	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.HquJT7q6xG.exe.26634f49ac0.0.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.HquJT7q6xG.exe.26634f49ac0.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.HquJT7q6xG.exe.26634f49ac0.0.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ef12:$x1: Quasar.Common.Messages 0x29f23b:$x1: Quasar.Common.Messages 0x2ab81e:$x4: Uninstalling... good bye :-( 0x2ad013:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.HquJT7q6xG.exe.26634f49ac0.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadd0:$f1: FileZilla\recentservers.xml 0x2aae10:$f2: FileZilla\sitemanager.xml 0x2aae52:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab09e:$b1: Chrome\User Data\ 0x2ab0f4:$b1: Chrome\User Data\ 0x2ab3cc:$b2: Mozilla\Firefox\Profiles 0x2ab4c8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd44c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab620:$b4: Opera Software\Opera Stable\Login Data 0x2ab6da:$b5: YandexBrowser\User Data\ 0x2ab748:$b5: YandexBrowser\User Data\ 0x2ab41c:$s4: logins.json 0x2ab152:$a1: username_value 0x2ab170:$a2: password_value 0x2ab45c:$a3: encryptedUsername 0x2fd390:$a3: encryptedUsername 0x2ab480:$a4: encryptedPassword 0x2fd3ae:$a4: encryptedPassword 0x2fd32c:$a5: httpRealm
0.2.HquJT7q6xG.exe.26634f49ac0.0.raw.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab908:$s3: Process already elevated. 0x28ec11:$s4: get_PotentiallyVulnerablePasswords 0x278ccd:$s5: GetKeyloggerLogsDirectory 0x29e99a:$s5: GetKeyloggerLogsDirectory 0x28ec34:$s6: set_PotentiallyVulnerablePasswords 0x2fea7a:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
0.2.HquJT7q6xG.exe.2663dd50000.1.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.HquJT7q6xG.exe.2663dd50000.1.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28d112:$x1: Quasar.Common.Messages 0x29d43b:$x1: Quasar.Common.Messages 0x2a9a1e:$x4: Uninstalling... good bye :-( 0x2ab213:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.HquJT7q6xG.exe.2663dd50000.1.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a8fd0:$f1: FileZilla\recentservers.xml 0x2a9010:$f2: FileZilla\sitemanager.xml 0x2a9052:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a929e:$b1: Chrome\User Data\ 0x2a92f4:$b1: Chrome\User Data\ 0x2a95cc:$b2: Mozilla\Firefox\Profiles 0x2a96c8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fb64c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a9820:$b4: Opera Software\Opera Stable\Login Data 0x2a98da:$b5: YandexBrowser\User Data\ 0x2a9948:$b5: YandexBrowser\User Data\ 0x2a961c:$s4: logins.json 0x2a9352:$a1: username_value 0x2a9370:$a2: password_value 0x2a965c:$a3: encryptedUsername 0x2fb590:$a3: encryptedUsername 0x2a9680:$a4: encryptedPassword 0x2fb5ae:$a4: encryptedPassword 0x2fb52c:$a5: httpRealm
0.2.HquJT7q6xG.exe.2663dd50000.1.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a9b08:$s3: Process already elevated. 0x28ce11:$s4: get_PotentiallyVulnerablePasswords 0x276ecd:$s5: GetKeyloggerLogsDirectory 0x29cb9a:$s5: GetKeyloggerLogsDirectory 0x28ce34:$s6: set_PotentiallyVulnerablePasswords 0x2fcc7a:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
0.2.HquJT7q6xG.exe.2663dd50000.1.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.HquJT7q6xG.exe.2663dd50000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.HquJT7q6xG.exe.2663dd50000.1.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ef12:$x1: Quasar.Common.Messages 0x29f23b:$x1: Quasar.Common.Messages 0x2ab81e:$x4: Uninstalling... good bye :-( 0x2ad013:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.HquJT7q6xG.exe.2663dd50000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadd0:$f1: FileZilla\recentservers.xml 0x2aae10:$f2: FileZilla\sitemanager.xml 0x2aae52:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab09e:$b1: Chrome\User Data\ 0x2ab0f4:$b1: Chrome\User Data\ 0x2ab3cc:$b2: Mozilla\Firefox\Profiles 0x2ab4c8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd44c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab620:$b4: Opera Software\Opera Stable\Login Data 0x2ab6da:$b5: YandexBrowser\User Data\ 0x2ab748:$b5: YandexBrowser\User Data\ 0x2ab41c:$s4: logins.json 0x2ab152:$a1: username_value 0x2ab170:$a2: password_value 0x2ab45c:$a3: encryptedUsername 0x2fd390:$a3: encryptedUsername 0x2ab480:$a4: encryptedPassword 0x2fd3ae:$a4: encryptedPassword 0x2fd32c:$a5: httpRealm
0.2.HquJT7q6xG.exe.2663dd50000.1.raw.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab908:$s3: Process already elevated. 0x28ec11:$s4: get_PotentiallyVulnerablePasswords 0x278ccd:$s5: GetKeyloggerLogsDirectory 0x29e99a:$s5: GetKeyloggerLogsDirectory 0x28ec34:$s6: set_PotentiallyVulnerablePasswords 0x2fea7a:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
0.2.HquJT7q6xG.exe.26634f49ac0.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.HquJT7q6xG.exe.26634f49ac0.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28d112:$x1: Quasar.Common.Messages 0x29d43b:$x1: Quasar.Common.Messages 0x2a9a1e:$x4: Uninstalling... good bye :-( 0x2ab213:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.HquJT7q6xG.exe.26634f49ac0.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a8fd0:$f1: FileZilla\recentservers.xml 0x2a9010:$f2: FileZilla\sitemanager.xml 0x2a9052:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a929e:$b1: Chrome\User Data\ 0x2a92f4:$b1: Chrome\User Data\ 0x2a95cc:$b2: Mozilla\Firefox\Profiles 0x2a96c8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fb64c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a9820:$b4: Opera Software\Opera Stable\Login Data 0x2a98da:$b5: YandexBrowser\User Data\ 0x2a9948:$b5: YandexBrowser\User Data\ 0x2a961c:$s4: logins.json 0x2a9352:$a1: username_value 0x2a9370:$a2: password_value 0x2a965c:$a3: encryptedUsername 0x2fb590:$a3: encryptedUsername 0x2a9680:$a4: encryptedPassword 0x2fb5ae:$a4: encryptedPassword 0x2fb52c:$a5: httpRealm
0.2.HquJT7q6xG.exe.26634f49ac0.0.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a9b08:$s3: Process already elevated. 0x28ce11:$s4: get_PotentiallyVulnerablePasswords 0x276ecd:$s5: GetKeyloggerLogsDirectory 0x29cb9a:$s5: GetKeyloggerLogsDirectory 0x28ce34:$s6: set_PotentiallyVulnerablePasswords 0x2fcc7a:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
Click to see the 13 entries

Suricata Signatures

ET MALWARE Generic AsyncRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-19T12:32:25.308060+0100	2035595	1	Domain Observed Used for C2 Detected	51.15.17.193	4782	192.168.2.8	49709	TCP

ET MALWARE Observed Malicious SSL Cert (Quasar CnC)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-19T12:32:25.308060+0100	2027619	1	Domain Observed Used for C2 Detected	51.15.17.193	4782	192.168.2.8	49709	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.HquJT7q6xG.exe.26634f49ac0.0.raw.unpack

Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "51.15.17.193:4782;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "1f6c9ecc-c030-43a4-bbf2-21326400cbb5", "StartupKey": "Quasar Client Startup", "Tag": "NEURO", "LogDirectoryName": "Logs", "ServerSignature": "VcdWXYvy8iyLGpEpemlpsJsFzopYmofL4QNr2feHUJsPL+ngY0C7JQYOq6aYbsAjgmj6IbwZJc1XmizrExnUy+PRbyzdhXn/sVtf0c5aKxd3dt4CKIH8RwhZ+1d8A1yWVaLG3EX77fUG0rpKK62u23rxy2xVXAHtbGpSKxFeRpC7f7sJTZn4Z0Y35tuiIHc4Rm0XPJsGN2gsJlMXuO03yXOGigqpHZKEtj94duYKUJkBGDRcs409u8AbVq5yFO/Z3naE7DUixrawBYsuYNTfV/JKK+8Z6Doi2G4pd/3xdzRGgvcHbvQUlJMvzwA3mfl5ftjQQEBZoznaWANAU/Ma/rkNbcz/Py1HRGprVPjyItNiGGVo8QW6x7kuMhGzKdB2rCq52h/1qHhjHwU1KvTzJy+dDY+t6YAg20GxbhxcZhrwrUECPcommE0TilwcEFKll2uVp5tNn4e75makywwAQv1QKo21YjGls2gLrh6M1FKr7l479IoJkbcZjeRZ8uh3yjyMEf5NJq0oSEuRI3ZPWuczPdKhg3+6KKWtTF5mkUd/2nycS0oUTFjgU+5XNTjvuz4MzJUikklL47VJzJ1Q9JWiNE/2Ple/eqh6VyQfE96cH433HJ2CJH+gAlQwaGWiJ7e0/NQuP5Cn3ocYaux65TLOpt3EyVjnOHH0ZKET/5w=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAMaTO8NkDssYwyYqpLth2zANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MTExMTAzMTk0NVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAjmhEECGx9fJQPcO/tgA+f+kThLAwzf77GITj6MUf+ipJ2FxfDkt1dClWH7x3waX33aitCeYrNHoVpriW1JVNqnzcZZOEu8fmtpxlXlSdBCdVxLNRp6CiJfafCuIfizorZpkBdERawzGdVD5Fmx6p7DSeAm6WV/V6vZROp0FCVmJ5IbSNIu0PHTjRVh0rcT3pt0+tlT/KceZhk5XM2ds5MqCKGpBYXTvWrWzkk8Alby/3M0QFvctC7YytuDOywU+Qj5bAFB7IAlIeJAGlWGoWb3pLL05N2SbfRYdJcucFpq72+MgmneoTxwovJwiUxvRQGUNBjpxZcUA4d+pHtGRvNAU95RxfirGTaWujfHX9um4mNBhYbMb/NRGC737GQV48ksMSEtcR4C9U1GGh/3Czr7S/GIew19pHtdHsnN5P+rn2wbVPlUgzwgcAeHFbVlD+Lguszs0AdHGwv9ZdkHPwBzmOx9YvDEYfEZM9AJk/hWuk85FXZTKMcDSG1ytHbAyGgjLOr8B1z36u3B1kRt+92uHqd06QjFu/ipVIitmGogem5nwTVthP7zLvbjFiv6omskGBu/55ByQicH5MCkDisJKU2ahOFOypbR5hxdodGS13+pQGFqg8cTe0gsnzfrwXKiQu1aYC394MW+z29OO5KK9NSN4bJ3zn4W7Sh5TbbHsCAwEAAaMyMDAwHQYDVR0OBBYEFB73KQ9dKRRykGrTP/ro/ucILFuYMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBACp7CqafH2O5tj6gVDE7FAhoQrPyBNMiQXpXZihG9DIoTHJgiDPuRhdSrVyPKldZ7EsSa52sse6QzmYrRnMOQmUZWP7Cu6QLtYc4IUcGRZWDaY2uVDsnXwyXIkxUHDGeeQG+f5/iBiKTMqy+6O0cIRqebMtTqvmob5yQggXp5CVXTbq+pb0DmcLsMbZbrWNviVC7QBXpwHyH24H7iv2aEEAAQorIg35v75Oen7nvFPGcKiaEjvTKvoce2j2OceW20QAaQlSBeSaOIsAyw1q1e6uIoC6PjDb0URbXV6LAJz5RjfinSiQuo0nLzRLRiecEOiBBhtXsMXBIs/jxGqMKT14QbXMVLX9STaDho5i0LAkypnYNjFznc40Ot/Xqx5pS9B/jBppVVNKjv//AdTbKa9WNUPTQZg91IAnXAE6FTSGwUSzGhmrf4WJfHLt0uITn/fOrZfL/enju+jnX3TKRU8N4BNakHcAv2XJh0qmDnmKBAHrq5rCNsSO6Bsl411FYxb3enXQAd6SNy+G/kx1Up4+jAg67bTZDlq38opVU0k0ZAxmLWHUHI1QbcnAhah0g40fW5UY9kijuWbxVea8K+arIRk4hBLqFLNkwoa5eEKg7+ErtUJeqR1Q8YJhCzqz8zQ5Rf0EdE40W9H4zsxgQUFmqAE/klrdI06pJLB3bjvwa"}

Multi AV Scanner detection for submitted file

Source: HquJT7q6xG.exe	Virustotal: Detection: 59%			Perma Link
Source: HquJT7q6xG.exe	ReversingLabs: Detection: 47%

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.HquJT7q6xG.exe.26634f49ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HquJT7q6xG.exe.2663dd50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HquJT7q6xG.exe.2663dd50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HquJT7q6xG.exe.26634f49ac0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2737361539.0000026625112000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2737361539.0000026624F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2744510495.000002663DD50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2739601417.0000026634F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2741164507.000002663D729000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HquJT7q6xG.exe PID: 1376, type: MEMORYSTR

Source: unknown

HTTPS traffic detected: 108.181.61.49:443 -> 192.168.2.8:49710 version: TLS 1.2

Source: HquJT7q6xG.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2027619 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (Quasar CnC) : 51.15.17.193:4782 -> 192.168.2.8:49709
Source: Network traffic	Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 51.15.17.193:4782 -> 192.168.2.8:49709

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 51.15.17.193

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.HquJT7q6xG.exe.26634f49ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HquJT7q6xG.exe.2663dd50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2744510495.000002663DD50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.8:49709 -> 51.15.17.193:4782

Source: Joe Sandbox View	IP Address: 108.181.61.49 108.181.61.49
Source: Joe Sandbox View	IP Address: 51.15.17.193 51.15.17.193

Source: Joe Sandbox View

ASN Name: OnlineSASFR OnlineSASFR

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ipwho.is

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ipwho.is

Source: HquJT7q6xG.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: HquJT7q6xG.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: HquJT7q6xG.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: HquJT7q6xG.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA.crt0
Source: HquJT7q6xG.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: HquJT7q6xG.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: HquJT7q6xG.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: HquJT7q6xG.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: HquJT7q6xG.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: HquJT7q6xG.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: HquJT7q6xG.exe	String found in binary or memory: http://crl3.digicert.com/EVCodeSigning-g1.crl03
Source: HquJT7q6xG.exe	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: HquJT7q6xG.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: HquJT7q6xG.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: HquJT7q6xG.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: HquJT7q6xG.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: HquJT7q6xG.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: HquJT7q6xG.exe	String found in binary or memory: http://crl4.digicert.com/EVCodeSigning-g1.crl0K
Source: HquJT7q6xG.exe	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: HquJT7q6xG.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: HquJT7q6xG.exe, 00000000.00000002.2742699003.000002663DAF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: HquJT7q6xG.exe, 00000000.00000002.2742699003.000002663DAF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: HquJT7q6xG.exe, 00000000.00000002.2737361539.00000266250C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ipwho.is
Source: HquJT7q6xG.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: HquJT7q6xG.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: HquJT7q6xG.exe	String found in binary or memory: http://ocsp.digicert.com0H
Source: HquJT7q6xG.exe	String found in binary or memory: http://ocsp.digicert.com0I
Source: HquJT7q6xG.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: HquJT7q6xG.exe, 00000000.00000002.2737361539.0000026625112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: HquJT7q6xG.exe, 00000000.00000002.2737361539.0000026624F41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: HquJT7q6xG.exe	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: HquJT7q6xG.exe, 00000000.00000002.2744510495.000002663DD50000.00000004.08000000.00040000.00000000.sdmp, HquJT7q6xG.exe, 00000000.00000002.2739601417.0000026634F41000.00000004.00000800.00020000.00000000.sdmp, HquJT7q6xG.exe, 00000000.00000002.2741164507.000002663D729000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: HquJT7q6xG.exe, 00000000.00000002.2737361539.00000266250AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipwho.is
Source: HquJT7q6xG.exe, 00000000.00000002.2744510495.000002663DD50000.00000004.08000000.00040000.00000000.sdmp, HquJT7q6xG.exe, 00000000.00000002.2739601417.0000026634F41000.00000004.00000800.00020000.00000000.sdmp, HquJT7q6xG.exe, 00000000.00000002.2737361539.00000266250AA000.00000004.00000800.00020000.00000000.sdmp, HquJT7q6xG.exe, 00000000.00000002.2741164507.000002663D729000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipwho.is/
Source: HquJT7q6xG.exe, 00000000.00000002.2744510495.000002663DD50000.00000004.08000000.00040000.00000000.sdmp, HquJT7q6xG.exe, 00000000.00000002.2739601417.0000026634F41000.00000004.00000800.00020000.00000000.sdmp, HquJT7q6xG.exe, 00000000.00000002.2741164507.000002663D729000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: HquJT7q6xG.exe, 00000000.00000002.2737361539.000002662535E000.00000004.00000800.00020000.00000000.sdmp, HquJT7q6xG.exe, 00000000.00000002.2744510495.000002663DD50000.00000004.08000000.00040000.00000000.sdmp, HquJT7q6xG.exe, 00000000.00000002.2739601417.0000026634F41000.00000004.00000800.00020000.00000000.sdmp, HquJT7q6xG.exe, 00000000.00000002.2737361539.0000026624F81000.00000004.00000800.00020000.00000000.sdmp, HquJT7q6xG.exe, 00000000.00000002.2741164507.000002663D729000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: HquJT7q6xG.exe, 00000000.00000002.2744510495.000002663DD50000.00000004.08000000.00040000.00000000.sdmp, HquJT7q6xG.exe, 00000000.00000002.2739601417.0000026634F41000.00000004.00000800.00020000.00000000.sdmp, HquJT7q6xG.exe, 00000000.00000002.2741164507.000002663D729000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot
Source: HquJT7q6xG.exe	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710

Source: unknown

HTTPS traffic detected: 108.181.61.49:443 -> 192.168.2.8:49710 version: TLS 1.2

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.HquJT7q6xG.exe.26634f49ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HquJT7q6xG.exe.2663dd50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HquJT7q6xG.exe.2663dd50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HquJT7q6xG.exe.26634f49ac0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2737361539.0000026625112000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2737361539.0000026624F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2744510495.000002663DD50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2739601417.0000026634F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2741164507.000002663D729000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HquJT7q6xG.exe PID: 1376, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.HquJT7q6xG.exe.26634f49ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.HquJT7q6xG.exe.26634f49ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.HquJT7q6xG.exe.26634f49ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.2.HquJT7q6xG.exe.2663dd50000.1.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.HquJT7q6xG.exe.2663dd50000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.HquJT7q6xG.exe.2663dd50000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.2.HquJT7q6xG.exe.2663dd50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.HquJT7q6xG.exe.2663dd50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.HquJT7q6xG.exe.2663dd50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.2.HquJT7q6xG.exe.26634f49ac0.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.HquJT7q6xG.exe.26634f49ac0.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.HquJT7q6xG.exe.26634f49ac0.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 00000000.00000002.2744510495.000002663DD50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 00000000.00000002.2744510495.000002663DD50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000000.00000002.2744510495.000002663DD50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Quasar infostealer Author: ditekshen

Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Code function: 0_2_00007FFB4AD50BDD	0_2_00007FFB4AD50BDD
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Code function: 0_2_00007FFB4AD5295E	0_2_00007FFB4AD5295E
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Code function: 0_2_00007FFB4AD51C15	0_2_00007FFB4AD51C15
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Code function: 0_2_00007FFB4AFE7336	0_2_00007FFB4AFE7336
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Code function: 0_2_00007FFB4AFEE399	0_2_00007FFB4AFEE399
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Code function: 0_2_00007FFB4AFEC1CA	0_2_00007FFB4AFEC1CA
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Code function: 0_2_00007FFB4AFDAA4D	0_2_00007FFB4AFDAA4D
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Code function: 0_2_00007FFB4AFE80E2	0_2_00007FFB4AFE80E2
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Code function: 0_2_00007FFB4AFEB009	0_2_00007FFB4AFEB009
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Code function: 0_2_00007FFB4AFD9621	0_2_00007FFB4AFD9621
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Code function: 0_2_00007FFB4AFD4E56	0_2_00007FFB4AFD4E56
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Code function: 0_2_00007FFB4AFD7590	0_2_00007FFB4AFD7590
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Code function: 0_2_00007FFB4AFD11F2	0_2_00007FFB4AFD11F2
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Code function: 0_2_00007FFB4AFD10D1	0_2_00007FFB4AFD10D1
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Code function: 0_2_00007FFB4AFE0EFA	0_2_00007FFB4AFE0EFA
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Code function: 0_2_00007FFB4AFDBDA5	0_2_00007FFB4AFDBDA5
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Code function: 0_2_00007FFB4AFE0E0F	0_2_00007FFB4AFE0E0F
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Code function: 0_2_00007FFB4AFD5D35	0_2_00007FFB4AFD5D35
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Code function: 0_2_00007FFB4B0923F1	0_2_00007FFB4B0923F1

Source: HquJT7q6xG.exe

Static PE information: invalid certificate

Source: HquJT7q6xG.exe, 00000000.00000002.2744510495.000002663DD50000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs HquJT7q6xG.exe
Source: HquJT7q6xG.exe, 00000000.00000000.1459411524.00007FF7DB014000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameRegAsm.exeT4 vs HquJT7q6xG.exe
Source: HquJT7q6xG.exe, 00000000.00000002.2739601417.0000026634F41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs HquJT7q6xG.exe
Source: HquJT7q6xG.exe, 00000000.00000002.2741164507.000002663D729000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs HquJT7q6xG.exe
Source: HquJT7q6xG.exe	Binary or memory string: OriginalFilenameRegAsm.exeT4 vs HquJT7q6xG.exe

Source: 0.2.HquJT7q6xG.exe.26634f49ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.HquJT7q6xG.exe.26634f49ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.HquJT7q6xG.exe.26634f49ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.HquJT7q6xG.exe.2663dd50000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.HquJT7q6xG.exe.2663dd50000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.HquJT7q6xG.exe.2663dd50000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.HquJT7q6xG.exe.2663dd50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.HquJT7q6xG.exe.2663dd50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.HquJT7q6xG.exe.2663dd50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.HquJT7q6xG.exe.26634f49ac0.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.HquJT7q6xG.exe.26634f49ac0.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.HquJT7q6xG.exe.26634f49ac0.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 00000000.00000002.2744510495.000002663DD50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 00000000.00000002.2744510495.000002663DD50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000000.00000002.2744510495.000002663DD50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@1/2

Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Mutant created: \Sessions\1\BaseNamedObjects\Debug_KmtMHfp
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Mutant created: \Sessions\1\BaseNamedObjects\CTX_tZtnxT
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\1f6c9ecc-c030-43a4-bbf2-21326400cbb5
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Mutant created: \Sessions\1\BaseNamedObjects\Debug_GCwal

Source: HquJT7q6xG.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\HquJT7q6xG.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\HquJT7q6xG.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: HquJT7q6xG.exe	Virustotal: Detection: 59%
Source: HquJT7q6xG.exe	ReversingLabs: Detection: 47%

Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Section loaded: wbemcomn.dll	Jump to behavior

Source: C:\Users\user\Desktop\HquJT7q6xG.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: HquJT7q6xG.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: HquJT7q6xG.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: HquJT7q6xG.exe

Static file information: File size 5822816 > 1048576

Source: HquJT7q6xG.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x239200
Source: HquJT7q6xG.exe	Static PE information: Raw size of .data is bigger than: 0x100000 < 0x31e200

Source: HquJT7q6xG.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: HquJT7q6xG.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: HquJT7q6xG.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: HquJT7q6xG.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: HquJT7q6xG.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: HquJT7q6xG.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: HquJT7q6xG.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: HquJT7q6xG.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: HquJT7q6xG.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: HquJT7q6xG.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: HquJT7q6xG.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: HquJT7q6xG.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: HquJT7q6xG.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: HquJT7q6xG.exe

Static PE information: real checksum: 0x594ffa should be: 0x5921f9

Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Code function: 0_2_00007FFB4AC3D2A5 pushad ; iretd	0_2_00007FFB4AC3D2A6
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Code function: 0_2_00007FFB4AD500BD pushad ; iretd	0_2_00007FFB4AD500C1
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Code function: 0_2_00007FFB4AFD2BA0 push eax; ret	0_2_00007FFB4AFD2C0C
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Code function: 0_2_00007FFB4AFF2DFA push esp; iretd	0_2_00007FFB4AFF2DFB

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\HquJT7q6xG.exe

File opened: C:\Users\user\Desktop\HquJT7q6xG.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Memory allocated: 26624E70000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Memory allocated: 2663CF40000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Window / User API: threadDelayed 913	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Window / User API: threadDelayed 593	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Window / User API: threadDelayed 703	Jump to behavior

Source: C:\Users\user\Desktop\HquJT7q6xG.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\HquJT7q6xG.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\HquJT7q6xG.exe

File Volume queried: C:\Users\user\Desktop FullSizeInformation

Jump to behavior

Source: HquJT7q6xG.exe, 00000000.00000002.2742699003.000002663DAF3000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\HquJT7q6xG.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\HquJT7q6xG.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\HquJT7q6xG.exe

Thread register set: target process: unknown

Jump to behavior

Sets debug register (to hijack the execution of another thread)

Source: C:\Users\user\Desktop\HquJT7q6xG.exe

Thread register set: unknown 1

Jump to behavior

Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HquJT7q6xG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\HquJT7q6xG.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.HquJT7q6xG.exe.26634f49ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HquJT7q6xG.exe.2663dd50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HquJT7q6xG.exe.2663dd50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HquJT7q6xG.exe.26634f49ac0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2737361539.0000026625112000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2737361539.0000026624F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2744510495.000002663DD50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2739601417.0000026634F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2741164507.000002663D729000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HquJT7q6xG.exe PID: 1376, type: MEMORYSTR

Remote Access Functionality

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.HquJT7q6xG.exe.26634f49ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HquJT7q6xG.exe.2663dd50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HquJT7q6xG.exe.2663dd50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HquJT7q6xG.exe.26634f49ac0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2737361539.0000026625112000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2737361539.0000026624F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2744510495.000002663DD50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2739601417.0000026634F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2741164507.000002663D729000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HquJT7q6xG.exe PID: 1376, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Windows Management Instrumentation	1 DLL Side-Loading	2 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Hidden Files and Directories	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	24 System Information Discovery	SSH	Keylogging	113 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
HquJT7q6xG.exe	60%	Virustotal		Browse
HquJT7q6xG.exe	47%	ReversingLabs	Win64.Trojan.CrypterX

Source	Detection	Scanner	Label	Link
51.15.17.193	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipwho.is	108.181.61.49	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ipwho.is/	false		high
51.15.17.193	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://api.ipify.org/	HquJT7q6xG.exe, 00000000.00000002.2744510495.000002663DD50000.00000004.08000000.00040000.00000000.sdmp, HquJT7q6xG.exe, 00000000.00000002.2739601417.0000026634F41000.00000004.00000800.00020000.00000000.sdmp, HquJT7q6xG.exe, 00000000.00000002.2741164507.000002663D729000.00000004.00000020.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/14436606/23354	HquJT7q6xG.exe, 00000000.00000002.2737361539.000002662535E000.00000004.00000800.00020000.00000000.sdmp, HquJT7q6xG.exe, 00000000.00000002.2744510495.000002663DD50000.00000004.08000000.00040000.00000000.sdmp, HquJT7q6xG.exe, 00000000.00000002.2739601417.0000026634F41000.00000004.00000800.00020000.00000000.sdmp, HquJT7q6xG.exe, 00000000.00000002.2737361539.0000026624F81000.00000004.00000800.00020000.00000000.sdmp, HquJT7q6xG.exe, 00000000.00000002.2741164507.000002663D729000.00000004.00000020.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/2152978/23354sCannot	HquJT7q6xG.exe, 00000000.00000002.2744510495.000002663DD50000.00000004.08000000.00040000.00000000.sdmp, HquJT7q6xG.exe, 00000000.00000002.2739601417.0000026634F41000.00000004.00000800.00020000.00000000.sdmp, HquJT7q6xG.exe, 00000000.00000002.2741164507.000002663D729000.00000004.00000020.00020000.00000000.sdmp	false	high
http://schemas.datacontract.org/2004/07/	HquJT7q6xG.exe, 00000000.00000002.2737361539.0000026625112000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	HquJT7q6xG.exe, 00000000.00000002.2737361539.0000026624F41000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ipwho.is	HquJT7q6xG.exe, 00000000.00000002.2737361539.00000266250C4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	HquJT7q6xG.exe, 00000000.00000002.2744510495.000002663DD50000.00000004.08000000.00040000.00000000.sdmp, HquJT7q6xG.exe, 00000000.00000002.2739601417.0000026634F41000.00000004.00000800.00020000.00000000.sdmp, HquJT7q6xG.exe, 00000000.00000002.2741164507.000002663D729000.00000004.00000020.00020000.00000000.sdmp	false	high
https://ipwho.is	HquJT7q6xG.exe, 00000000.00000002.2737361539.00000266250AA000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
108.181.61.49	ipwho.is	Canada		852	ASN852CA	false
51.15.17.193	unknown	France		12876	OnlineSASFR	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578206
Start date and time:	2024-12-19 12:31:15 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	HquJT7q6xG.exe renamed because original name is a hash value
Original Sample Name:	d0d221d0a152430a62531fd46b7c1f43721110da2bb3ee2f5688e484b143aceb.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 85% Number of executed functions: 170 Number of non-executed functions: 5
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
108.181.61.49	888.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	888.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	Cracker.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
51.15.17.193	kqeGVKtpy2.exe	Get hash	malicious	Quasar	Browse
	LFLtlBAuf7.exe	Get hash	malicious	Quasar	Browse
	O9MV0lNEO5.exe	Get hash	malicious	Quasar	Browse
	RegAsm.exe	Get hash	malicious	Quasar	Browse
	truepepe-qt.exe	Get hash	malicious	Quasar	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipwho.is	kqeGVKtpy2.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	LFLtlBAuf7.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	O9MV0lNEO5.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	RegAsm.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	truepepe-qt.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	alyemenione.lnk	Get hash	malicious	Havoc, Quasar	Browse	108.181.61.49
	jignesh.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	skibidi.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	vanilla.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	888.exe	Get hash	malicious	Luca Stealer	Browse	108.181.61.49

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASN852CA	kqeGVKtpy2.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	LFLtlBAuf7.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	O9MV0lNEO5.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	RegAsm.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	truepepe-qt.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	TT copy.js	Get hash	malicious	FormBook	Browse	108.181.20.35
	alyemenione.lnk	Get hash	malicious	Havoc, Quasar	Browse	108.181.61.49
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	204.191.146.80
	la.bot.mips.elf	Get hash	malicious	Mirai	Browse	161.184.58.16
	la.bot.sh4.elf	Get hash	malicious	Mirai	Browse	199.175.174.49
OnlineSASFR	kqeGVKtpy2.exe	Get hash	malicious	Quasar	Browse	51.15.17.193
	LFLtlBAuf7.exe	Get hash	malicious	Quasar	Browse	51.15.17.193
	O9MV0lNEO5.exe	Get hash	malicious	Quasar	Browse	51.15.17.193
	RegAsm.exe	Get hash	malicious	Quasar	Browse	51.15.17.193
	truepepe-qt.exe	Get hash	malicious	Quasar	Browse	51.15.17.193
	http://bluepeak-group.com/fc	Get hash	malicious	Unknown	Browse	163.172.143.199
	gaozw40v.exe	Get hash	malicious	Xmrig	Browse	163.172.154.142
	twjMb9cX64.exe	Get hash	malicious	Sliver	Browse	51.158.71.131
	WOlxr4yjgF.exe	Get hash	malicious	Sliver	Browse	51.158.71.131
	bot.mips.elf	Get hash	malicious	Mirai	Browse	51.158.232.138

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	kqeGVKtpy2.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	LFLtlBAuf7.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	O9MV0lNEO5.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	RegAsm.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	truepepe-qt.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	FjfZ7uM8zh.lnk	Get hash	malicious	Unknown	Browse	108.181.61.49
	yswmdaREME.lnk	Get hash	malicious	Unknown	Browse	108.181.61.49
	0bNBLjPn56.lnk	Get hash	malicious	Unknown	Browse	108.181.61.49
	t5lpvahkgypd7wy.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	108.181.61.49
	RFQ Letter and Instructions.pdf	Get hash	malicious	Unknown	Browse	108.181.61.49

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.307781610407522
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	HquJT7q6xG.exe
File size:	5'822'816 bytes
MD5:	c549fe02bb65c0c2977c741c7ed4fd80
SHA1:	8475e459ba2fe572c53b08c061a5b24e074832a1
SHA256:	d0d221d0a152430a62531fd46b7c1f43721110da2bb3ee2f5688e484b143aceb
SHA512:	b51e81d073dc1bbdeea1f0dcf66901f2996faa5f30657e354c0c9271ad0f58ce0cc20744f8287afd81904d10148032038f2bad33e45d49685f7dce73e0a52b3a
SSDEEP:	98304:fC0lmUrXmOH9wShg7JrBAwbzWMaA/BcV6LoFU4:flmUjY/rHKAL4U4
TLSH:	C646CF15530D81A0CEE6753560471B61EA70FE0C903C67268FF41AA67AFFB6169AE33C
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$...J...J...J...I...J...O.V.J...N...J...I...J...N...J.......J...K...J...K.^.J...O...J...C...J...H...J.Rich..J.........PE..d..

File Icon


Icon Hash:	55497933cc61714d

Static PE Info

General

Entrypoint:	0x140228ef0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6741830F [Sat Nov 23 07:23:59 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	b366497cd3cff2367e10ca55cfd84f3a

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert EV Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	12/06/2016 20:00:00 24/01/2019 07:00:00
Subject Chain	CN=Realtek Semiconductor Corp., O=Realtek Semiconductor Corp., L=Hsinchu, S=Taiwan, C=TW, PostalCode=300, STREET="No. 2, Innovation Road II, Hsinchu Science Park", SERIALNUMBER=22671299, OID.1.3.6.1.4.1.311.60.2.1.3=TW, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	7B0CA4029E3A73373CE0BD3DF12A08C1
Thumbprint SHA-1:	37A0BACB152A547382195095AB33601929877364
Thumbprint SHA-256:	B08CF4E204D1BA2BA8642D7709499D61CFF8CF7AA75CCD832A6BA1D7F1B82DF7
Serial:	0320BE3EB866526927F999B97B04346E

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F7294BE0B54h
dec eax
add esp, 28h
jmp 00007F7294BE0317h
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007F7294BE04B2h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007F7294BE04B5h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007F7294BE04ADh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007F7294BDFE86h
int3
dec eax
mov dword ptr [esp+10h], ebx
dec eax
mov dword ptr [esp+18h], esi
push ebp
push edi
inc ecx
push esi
dec eax
mov ebp, esp
dec eax
sub esp, 10h
xor eax, eax
xor ecx, ecx
cpuid
inc esp
mov eax, ecx
inc esp
mov edx, edx
inc ecx
xor edx, 49656E69h
inc ecx
xor eax, 6C65746Eh
inc esp
mov ecx, ebx
inc esp
mov esi, eax
xor ecx, ecx

Rich Headers

Programming Language:

[IMP] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x262b4c	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x587000	0x6f58	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x584000	0x1908	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x589200	0x4760	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x586000	0x68c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x260670	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x260530	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x23b000	0x370	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x239180	0x239200	89b23ffe91ba1915965db517dfc0bb80	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x23b000	0x286ae	0x28800	10d99212e840353f53e0a7f0d2cb831e	False	0.5425106095679012	data	6.832986970239195	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x264000	0x31f3b0	0x31e200	ca895f41b09b65471927a2f2b74449f8	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x584000	0x1908	0x1a00	72ad6cd2b564056f7e09b30ac98681d5	False	0.47521033653846156	data	5.400745429124744	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x586000	0x68c	0x800	146b61c110142eb5ebf37900103a13fd	False	0.5048828125	data	4.938450847515963	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x587000	0x6f58	0x7000	5c91438120cf664977c6d618d1c85dac	False	0.38570731026785715	data	6.017896594397065	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x587328	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 0			0.21341463414634146
RT_ICON	0x587990	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0			0.34139784946236557
RT_ICON	0x587c78	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0			0.5202702702702703
RT_ICON	0x587da0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.47334754797441364
RT_ICON	0x588c48	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.6101083032490975
RT_ICON	0x5894f0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.596820809248555
RT_ICON	0x589a58	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.2932572614107884
RT_ICON	0x58c000	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0			0.4343339587242026
RT_ICON	0x58d0a8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0			0.7198581560283688
RT_ICON	0x58d510	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640			0.42473118279569894
RT_ICON	0x58d7f8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640			0.35618279569892475
RT_GROUP_ICON	0x58dae0	0x84	data			0.6363636363636364
RT_GROUP_ICON	0x58db64	0x14	data			1.25
RT_GROUP_ICON	0x58db78	0x14	data			1.25
RT_VERSION	0x58db8c	0x3cc	data	English	United States	0.4506172839506173

Imports

DLL	Import
USER32.dll	wsprintfW, TranslateMessage, SetTimer, GetMessageW, DispatchMessageW, KillTimer
mscoree.dll	CLRCreateInstance
OLEAUT32.dll	SafeArrayCreateVector, SafeArrayUnlock, SafeArrayLock, SafeArrayCreate
KERNEL32.dll	IsDebuggerPresent, WriteConsoleW, CreateFileW, SetFilePointerEx, GetConsoleMode, GetConsoleOutputCP, FlushFileBuffers, HeapReAlloc, HeapSize, GetProcessHeap, LCMapStringW, CompareStringW, FlsFree, FlsSetValue, FlsGetValue, CreateTimerQueueTimer, GetCurrentProcess, lstrlenW, CreateJobObjectW, DeleteTimerQueueEx, CreateMutexW, GetLocaleInfoW, WaitForSingleObject, GetModuleHandleA, GetACP, CreateEventW, MultiByteToWideChar, GetLastError, LoadLibraryA, QueryPerformanceFrequency, CloseHandle, AddVectoredExceptionHandler, GetThreadContext, GetProcAddress, GlobalMemoryStatusEx, GetModuleHandleW, FreeLibrary, lstrcpyW, GetDiskFreeSpaceExA, GetSystemTime, SetThreadContext, QueryPerformanceCounter, CreateMailslotW, GetTickCount, CreateTimerQueue, LocalFree, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, GetStartupInfoW, FlsAlloc, RtlUnwindEx, RtlPcToFileHeader, RaiseException, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetOEMCP, GetCPInfo, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetFileType, GetStringTypeW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-19T12:32:25.308060+0100	2027619	ET MALWARE Observed Malicious SSL Cert (Quasar CnC)	1	51.15.17.193	4782	192.168.2.8	49709	TCP
2024-12-19T12:32:25.308060+0100	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	1	51.15.17.193	4782	192.168.2.8	49709	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 12:32:23.818048954 CET	49709	4782	192.168.2.8	51.15.17.193
Dec 19, 2024 12:32:23.937632084 CET	4782	49709	51.15.17.193	192.168.2.8
Dec 19, 2024 12:32:23.937722921 CET	49709	4782	192.168.2.8	51.15.17.193
Dec 19, 2024 12:32:23.948456049 CET	49709	4782	192.168.2.8	51.15.17.193
Dec 19, 2024 12:32:24.067907095 CET	4782	49709	51.15.17.193	192.168.2.8
Dec 19, 2024 12:32:25.181176901 CET	4782	49709	51.15.17.193	192.168.2.8
Dec 19, 2024 12:32:25.181308031 CET	4782	49709	51.15.17.193	192.168.2.8
Dec 19, 2024 12:32:25.181451082 CET	49709	4782	192.168.2.8	51.15.17.193
Dec 19, 2024 12:32:25.188487053 CET	49709	4782	192.168.2.8	51.15.17.193
Dec 19, 2024 12:32:25.308059931 CET	4782	49709	51.15.17.193	192.168.2.8
Dec 19, 2024 12:32:25.580013037 CET	4782	49709	51.15.17.193	192.168.2.8
Dec 19, 2024 12:32:25.633810997 CET	49709	4782	192.168.2.8	51.15.17.193
Dec 19, 2024 12:32:25.984967947 CET	49710	443	192.168.2.8	108.181.61.49
Dec 19, 2024 12:32:25.985016108 CET	443	49710	108.181.61.49	192.168.2.8
Dec 19, 2024 12:32:25.985093117 CET	49710	443	192.168.2.8	108.181.61.49
Dec 19, 2024 12:32:25.986084938 CET	49710	443	192.168.2.8	108.181.61.49
Dec 19, 2024 12:32:25.986104012 CET	443	49710	108.181.61.49	192.168.2.8
Dec 19, 2024 12:32:28.392915964 CET	443	49710	108.181.61.49	192.168.2.8
Dec 19, 2024 12:32:28.393012047 CET	49710	443	192.168.2.8	108.181.61.49
Dec 19, 2024 12:32:28.395978928 CET	49710	443	192.168.2.8	108.181.61.49
Dec 19, 2024 12:32:28.395986080 CET	443	49710	108.181.61.49	192.168.2.8
Dec 19, 2024 12:32:28.396397114 CET	443	49710	108.181.61.49	192.168.2.8
Dec 19, 2024 12:32:28.408941984 CET	49710	443	192.168.2.8	108.181.61.49
Dec 19, 2024 12:32:28.451375961 CET	443	49710	108.181.61.49	192.168.2.8
Dec 19, 2024 12:32:29.013819933 CET	443	49710	108.181.61.49	192.168.2.8
Dec 19, 2024 12:32:29.013986111 CET	443	49710	108.181.61.49	192.168.2.8
Dec 19, 2024 12:32:29.014409065 CET	49710	443	192.168.2.8	108.181.61.49
Dec 19, 2024 12:32:29.882725954 CET	49710	443	192.168.2.8	108.181.61.49
Dec 19, 2024 12:32:31.484452009 CET	49709	4782	192.168.2.8	51.15.17.193
Dec 19, 2024 12:32:31.603967905 CET	4782	49709	51.15.17.193	192.168.2.8
Dec 19, 2024 12:32:31.604031086 CET	49709	4782	192.168.2.8	51.15.17.193
Dec 19, 2024 12:32:31.723599911 CET	4782	49709	51.15.17.193	192.168.2.8
Dec 19, 2024 12:32:31.994539976 CET	4782	49709	51.15.17.193	192.168.2.8
Dec 19, 2024 12:32:32.040142059 CET	49709	4782	192.168.2.8	51.15.17.193
Dec 19, 2024 12:32:32.186862946 CET	4782	49709	51.15.17.193	192.168.2.8
Dec 19, 2024 12:32:32.243263960 CET	49709	4782	192.168.2.8	51.15.17.193
Dec 19, 2024 12:32:57.196470976 CET	49709	4782	192.168.2.8	51.15.17.193
Dec 19, 2024 12:32:57.315989017 CET	4782	49709	51.15.17.193	192.168.2.8
Dec 19, 2024 12:33:22.321472883 CET	49709	4782	192.168.2.8	51.15.17.193
Dec 19, 2024 12:33:22.441121101 CET	4782	49709	51.15.17.193	192.168.2.8
Dec 19, 2024 12:33:47.446686029 CET	49709	4782	192.168.2.8	51.15.17.193
Dec 19, 2024 12:33:47.566437006 CET	4782	49709	51.15.17.193	192.168.2.8
Dec 19, 2024 12:34:12.571573973 CET	49709	4782	192.168.2.8	51.15.17.193
Dec 19, 2024 12:34:12.691150904 CET	4782	49709	51.15.17.193	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 12:32:25.839380026 CET	51521	53	192.168.2.8	1.1.1.1
Dec 19, 2024 12:32:25.978400946 CET	53	51521	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 19, 2024 12:32:25.839380026 CET	192.168.2.8	1.1.1.1	0xbdb9	Standard query (0)	ipwho.is	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 19, 2024 12:32:25.978400946 CET	1.1.1.1	192.168.2.8	0xbdb9	No error (0)	ipwho.is		108.181.61.49	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ipwho.is

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49710	108.181.61.49	443	1376	C:\Users\user\Desktop\HquJT7q6xG.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 11:32:28 UTC	150	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0 Host: ipwho.is Connection: Keep-Alive
2024-12-19 11:32:29 UTC	223	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 11:32:28 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close Server: ipwhois Access-Control-Allow-Headers: * X-Robots-Tag: noindex
2024-12-19 11:32:29 UTC	1021	IN	Data Raw: 33 66 31 0d 0a 7b 0a 20 20 20 20 22 41 62 6f 75 74 20 55 73 22 3a 20 22 68 74 74 70 73 3a 5c 2f 5c 2f 69 70 77 68 6f 69 73 2e 69 6f 22 2c 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 74 79 70 65 22 3a 20 22 49 50 76 34 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 20 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 20 22 4e 41 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f Data Ascii: 3f1{ "About Us": "https:\/\/ipwhois.io", "ip": "8.46.123.189", "success": true, "type": "IPv4", "continent": "North America", "continent_code": "NA", "country": "United States", "country_code": "US", "region": "New Yo

Target ID:	0
Start time:	06:32:17
Start date:	19/12/2024
Path:	C:\Users\user\Desktop\HquJT7q6xG.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\HquJT7q6xG.exe"
Imagebase:	0x7ff7daa90000
File size:	5'822'816 bytes
MD5 hash:	C549FE02BB65C0C2977C741C7ED4FD80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2737361539.0000026625112000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2737361539.0000026624F41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2744510495.000002663DD50000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.2744510495.000002663DD50000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: 00000000.00000002.2744510495.000002663DD50000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000000.00000002.2744510495.000002663DD50000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: 00000000.00000002.2744510495.000002663DD50000.00000004.08000000.00040000.00000000.sdmp, Author: ditekshen Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2739601417.0000026634F41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2741164507.000002663D729000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	6.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFB4B0923F1 Relevance: 71.2, Strings: 52, Instructions: 6194COMMON

Download Yara Rule

Strings

P'J, xrefs: 00007FFB4B094483
CJ, xrefs: 00007FFB4B095738
`9J, xrefs: 00007FFB4B0951ED
H, xrefs: 00007FFB4B093759
0!J, xrefs: 00007FFB4B0940C1
,J, xrefs: 00007FFB4B0947EF
P'J, xrefs: 00007FFB4B0943FD
80J, xrefs: 00007FFB4B094B03
AJ, xrefs: 00007FFB4B095545
CJ, xrefs: 00007FFB4B0956D9
-J, xrefs: 00007FFB4B0948B9
-J, xrefs: 00007FFB4B094904
8,J, xrefs: 00007FFB4B094725
AJ, xrefs: 00007FFB4B0955DF
8 J, xrefs: 00007FFB4B09400B
8 J, xrefs: 00007FFB4B093FF7
80J, xrefs: 00007FFB4B094B9D
@$J, xrefs: 00007FFB4B0942B4
h4J, xrefs: 00007FFB4B094EF5
0!J, xrefs: 00007FFB4B094120
@$J, xrefs: 00007FFB4B0942EF
CJ, xrefs: 00007FFB4B095773
8 J, xrefs: 00007FFB4B094091
8 J, xrefs: 00007FFB4B094056
h4J, xrefs: 00007FFB4B094F54
p3J, xrefs: 00007FFB4B094EC5
AJ, xrefs: 00007FFB4B095559
p3J, xrefs: 00007FFB4B094E8A
P'J, xrefs: 00007FFB4B094448
AJ, xrefs: 00007FFB4B0955A4
,J, xrefs: 00007FFB4B094875
p3J, xrefs: 00007FFB4B094E3F
-J, xrefs: 00007FFB4B09493F
p3J, xrefs: 00007FFB4B094E2B
`9J, xrefs: 00007FFB4B0951B2
8,J, xrefs: 00007FFB4B0947AB
P'J, xrefs: 00007FFB4B0943E9
,J, xrefs: 00007FFB4B09483A
8,J, xrefs: 00007FFB4B094770
h4J, xrefs: 00007FFB4B094F09
`9J, xrefs: 00007FFB4B095153
h4J, xrefs: 00007FFB4B094F8F
0!J, xrefs: 00007FFB4B0940D5
80J, xrefs: 00007FFB4B094B17
0!J, xrefs: 00007FFB4B09415B
-J, xrefs: 00007FFB4B0948A5
@$J, xrefs: 00007FFB4B094255
,J, xrefs: 00007FFB4B0947DB
8,J, xrefs: 00007FFB4B094711
80J, xrefs: 00007FFB4B094B62
@$J, xrefs: 00007FFB4B094269
CJ, xrefs: 00007FFB4B0956ED

Memory Dump Source

Source File: 00000000.00000002.2754619828.00007FFB4B090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b090000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: 0!J$0!J$0!J$0!J$8 J$8 J$8 J$8 J$8,J$8,J$8,J$8,J$80J$80J$80J$80J$@$J$@$J$@$J$@$J$H$P'J$P'J$P'J$P'J$`9J$`9J$`9J$h4J$h4J$h4J$h4J$p3J$p3J$p3J$p3J$,J$,J$,J$,J$-J$-J$-J$-J$AJ$AJ$AJ$AJ$CJ$CJ$CJ$CJ
API String ID: 0-1395692969
Opcode ID: 6aadf11e93da753dbb4905be9555200eec76399506eac4fe3b001ff605c97350
Instruction ID: cf8bba3555fb3ba01927d8b5f2b7fad4329abfa06d45ba637324e649d7dea014
Opcode Fuzzy Hash: 6aadf11e93da753dbb4905be9555200eec76399506eac4fe3b001ff605c97350
Instruction Fuzzy Hash: 4083F892B0DE4B0BF7E5BE3C85652795AD2EFD8641B5881BAD14DC33E6ED28EC064340

Function 00007FFB4AD5295E Relevance: 10.2, Strings: 8, Instructions: 243
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(r&5, xrefs: 00007FFB4AD52B2F
q&5, xrefs: 00007FFB4AD52A5A
q&5, xrefs: 00007FFB4AD52A45
r&5, xrefs: 00007FFB4AD52B1D
r&5, xrefs: 00007FFB4AD52B08
0r&5, xrefs: 00007FFB4AD52B68
(r&5, xrefs: 00007FFB4AD52B44
8r&5, xrefs: 00007FFB4AD52B90

Memory Dump Source

Source File: 00000000.00000002.2750878863.00007FFB4AD50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4ad50000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: r&5$ r&5$(r&5$(r&5$0r&5$8r&5$q&5$q&5
API String ID: 0-4179559816
Opcode ID: 1a826dc2fcdc6b3ecdd08c2b9eecc463fe701aeb2c31b785d16bbc93a3047bef
Instruction ID: d05f678bb6e9324664bb213d73f2c66ac97de41f0d3b7178193554030d701716
Opcode Fuzzy Hash: 1a826dc2fcdc6b3ecdd08c2b9eecc463fe701aeb2c31b785d16bbc93a3047bef
Instruction Fuzzy Hash: CE817E8160EAC52FE743BBB899665BA6FE0CF5B11478C08EFD0C98F1A7D848544BD351

Function 00007FFB4AFD4E56 Relevance: 8.5, Strings: 5, Instructions: 2205COMMON

Download Yara Rule

Strings

`9J, xrefs: 00007FFB4AFD64C0
(~J, xrefs: 00007FFB4AFD6565
hs&5, xrefs: 00007FFB4AFD53AF
hs&5, xrefs: 00007FFB4AFD530D
hs&5, xrefs: 00007FFB4AFD5BB2

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: (~J$`9J$hs&5$hs&5$hs&5
API String ID: 0-2843619310
Opcode ID: e74d6e9649d19b498f9df1fb6a17798be9562d5fc323442429435778ce899fee
Instruction ID: bc8f40e867c24d5a0aa8ab19b9514e79bcafe4d63a14a8294de4a9eb9238c500
Opcode Fuzzy Hash: e74d6e9649d19b498f9df1fb6a17798be9562d5fc323442429435778ce899fee
Instruction Fuzzy Hash: 4CF2B5B0A1CA898FDB95EF28C4957A97BE1FF59304F1440E9D48ED7292CE35E842CB40

Function 00007FFB4AFEB009 Relevance: 7.2, Strings: 5, Instructions: 986
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

hs&5, xrefs: 00007FFB4AFEB59D
ps&5, xrefs: 00007FFB4AFEB3B1
pJ, xrefs: 00007FFB4AFEB2AE
^J, xrefs: 00007FFB4AFEB486
^J, xrefs: 00007FFB4AFEB12B

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: ^J$ ^J$hs&5$pJ$ps&5
API String ID: 0-1887154776
Opcode ID: c0148bb0391eab6cc74e0c36b38f37f91e38867bd656f18a0610b445e727c69c
Instruction ID: d0f9e74ea014e26dab6b3a803e0133d95b9fca88504f1a6d4d8555b74357ba9c
Opcode Fuzzy Hash: c0148bb0391eab6cc74e0c36b38f37f91e38867bd656f18a0610b445e727c69c
Instruction Fuzzy Hash: BC62E4B1A2CB4A5FD799EE28C485676B7D5FFA8300F1441BDD44EC36D6CE28B8428781

Function 00007FFB4AFEC1CA Relevance: 6.4, Strings: 4, Instructions: 1397COMMON

Download Yara Rule

Strings

hs&5, xrefs: 00007FFB4AFEC547
^._L, xrefs: 00007FFB4AFEC5D0
(`J, xrefs: 00007FFB4AFEC65E
xhJ, xrefs: 00007FFB4AFEC2FD

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: (`J$^._L$hs&5$xhJ
API String ID: 0-1447669771
Opcode ID: 124d6a588a29c05406020d1f3de271fdbe7a32f191f52aa7bbe734a167e8da88
Instruction ID: 46873c1d72799d6d85dec0b8ece12c5f45493fe4ffb3c50dbb10420b23aa0860
Opcode Fuzzy Hash: 124d6a588a29c05406020d1f3de271fdbe7a32f191f52aa7bbe734a167e8da88
Instruction Fuzzy Hash: B5A218A190DB865FE365AF38C9565A63BD4EF56311B1401FAE48DCB1E3FD18680B83C1

Function 00007FFB4AFEE399 Relevance: 6.1, Strings: 4, Instructions: 1115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8#_L, xrefs: 00007FFB4AFEEC72
>._L, xrefs: 00007FFB4AFEE5D2
=#_L, xrefs: 00007FFB4AFEE770
0J, xrefs: 00007FFB4AFEE5C8

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: 0J$8#_L$=#_L$>._L
API String ID: 0-3864647835
Opcode ID: 24ff3bb9c298326c9b132b0dc088e7f35a2af7ef16a211e24f7409f95a89ce6f
Instruction ID: ada6880604cfeb5622cb6e1b1f0d7316fc6c5125c6ebbbab50a884da04582f40
Opcode Fuzzy Hash: 24ff3bb9c298326c9b132b0dc088e7f35a2af7ef16a211e24f7409f95a89ce6f
Instruction Fuzzy Hash: DB7263B1A1CA4A5FDB98EF2CD4956A977D1FF98700F2401B9E44AC72D6CE34EC428781

Function 00007FFB4AFD7590 Relevance: 3.1, Strings: 2, Instructions: 621COMMON

Download Yara Rule

Strings

(~J, xrefs: 00007FFB4AFD7901
,+_H, xrefs: 00007FFB4AFD768E

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: (~J$,+_H
API String ID: 0-368664436
Opcode ID: 93807aa210aa2814755f0d4340ad1cd6383f0a0cac9c854e68c0ebfc8f824271
Instruction ID: 29f39268a380c32783acdb38a2d7c8722ec772d60fe83fa50bd3a6f5e4cee08b
Opcode Fuzzy Hash: 93807aa210aa2814755f0d4340ad1cd6383f0a0cac9c854e68c0ebfc8f824271
Instruction Fuzzy Hash: 64F126A1A0DE8A0FE79AEF3CD8556B47BD1EF5A31071901FAD48ACB1D3DD18AC068351

Function 00007FFB4AD50BDD Relevance: 2.8, Strings: 2, Instructions: 347COMMON

Download Yara Rule

Strings

:M_I, xrefs: 00007FFB4AD50D04
q&5, xrefs: 00007FFB4AD51C92

Memory Dump Source

Source File: 00000000.00000002.2750878863.00007FFB4AD50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4ad50000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: :M_I$q&5
API String ID: 0-806256959
Opcode ID: c0362b4780859d33ac1629532c8432380b711f46fcb61ae10ef9b578fba9a0da
Instruction ID: 9289e7471ac27535e849e5d65a42914b1f4851799a8057b0e8644c57b28e01d4
Opcode Fuzzy Hash: c0362b4780859d33ac1629532c8432380b711f46fcb61ae10ef9b578fba9a0da
Instruction Fuzzy Hash: BAD1B591A0EAC24FF353BF7894692A67FA4DF17214F5C44FAD4C88B19BDC28990AC351

Function 00007FFB4AFD9621 Relevance: 2.5, Strings: 1, Instructions: 1215COMMON

Download Yara Rule

Strings

hs&5, xrefs: 00007FFB4AFD9AD8

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: hs&5
API String ID: 0-470585854
Opcode ID: 1fc7750f58f230a0d46d858625794e87d4d449721a03e093d994fe2c287f4d0c
Instruction ID: 5d84809bdff6718c66bb1d8b9f8496c24c0a3d162ef2b784978fcc0f6d35424d
Opcode Fuzzy Hash: 1fc7750f58f230a0d46d858625794e87d4d449721a03e093d994fe2c287f4d0c
Instruction Fuzzy Hash: 4D72D171A1CA894FEB99FF2CC4956B577D1EF99300F5400FAE44EC7696DE28AC028741

Function 00007FFB4AD51C15 Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

q&5, xrefs: 00007FFB4AD51C92

Memory Dump Source

Source File: 00000000.00000002.2750878863.00007FFB4AD50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4ad50000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: q&5
API String ID: 0-3942728726
Opcode ID: e3e825b6edb8b78ff9495d6cf189ba8021bd75abd305ccdd3e28af66725b4e9c
Instruction ID: 946054617f2be767ab595d41c3d806bd206d3b39263be1942c37c4e706b3f057
Opcode Fuzzy Hash: e3e825b6edb8b78ff9495d6cf189ba8021bd75abd305ccdd3e28af66725b4e9c
Instruction Fuzzy Hash: 6451429091E6C25FE343B7B8947D6A7BFA09F1B214F4C08E9D4C84F1ABC96CA41AD311

Function 00007FFB4AFDAA4D Relevance: 1.0, Instructions: 963COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa94a4f172067a6f92d7d0901c439c22999385b8e797044aa7a00e9fea40c2c3
Instruction ID: d4db84cb82adac2addbc477cf99a59d0b318d088ae1b38ba840f49eff5679517
Opcode Fuzzy Hash: fa94a4f172067a6f92d7d0901c439c22999385b8e797044aa7a00e9fea40c2c3
Instruction Fuzzy Hash: BF628E7061CA898FEB95EF3CC4596697BE1EFA9300F1444BED48DC72A6CE34E8468701

Function 00007FFB4AFE7336 Relevance: .5, Instructions: 469COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22773972eb217f9fb6cfbbce285968b093c30d539d9da849d8b22ea0e0126767
Instruction ID: f3ae2b42aaae9aec744e05c4b7afd823dc8d1c649b76147e982c26687b3e0242
Opcode Fuzzy Hash: 22773972eb217f9fb6cfbbce285968b093c30d539d9da849d8b22ea0e0126767
Instruction Fuzzy Hash: 3AF1957090CA8D8FEBA8EF28C8557E977D1FF64311F14426AE84DC7295DF3498458B82

Function 00007FFB4AFE80E2 Relevance: .5, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b64c6958726c1a5bed2088cd20aa422203a25307fbb43c090b13af121bb047c
Instruction ID: 7c427f6e914301c4fb6f98cbc29ddf5811f288d452fc5e395a4fae7b74a88bcc
Opcode Fuzzy Hash: 9b64c6958726c1a5bed2088cd20aa422203a25307fbb43c090b13af121bb047c
Instruction Fuzzy Hash: A5E1917090CA4E8FEBA8EF28C8557E977D1EB54310F5442AAD84DC7291DE74A845CBC2

Function 00007FFB4AFD5D35 Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9273f7da5cb7d0946ffa3931eeefd0f122355773eda3c453b73a9995f5a6f999
Instruction ID: 26f1ac573e5f65328066eb8b192a5a58ca1d9aec8f686d7d55c020ee1af5d3ed
Opcode Fuzzy Hash: 9273f7da5cb7d0946ffa3931eeefd0f122355773eda3c453b73a9995f5a6f999
Instruction Fuzzy Hash: 02C14170E1CA598FEB99EF28C5457A9B3E2FB58301F2045BDD44ED3291DE34B8828B40

Function 00007FFB4AFDFF69 Relevance: 6.8, Strings: 5, Instructions: 529
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xq&5, xrefs: 00007FFB4AFDFFF3
p!J, xrefs: 00007FFB4AFE0375
=$_H, xrefs: 00007FFB4AFE0170
Pq&5, xrefs: 00007FFB4AFDFFB7
Hq&5, xrefs: 00007FFB4AFDFFDD

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: =$_H$Hq&5$Pq&5$Xq&5$p!J
API String ID: 0-3622430329
Opcode ID: 82d381f8521d0532c2e524be9e07f1ad1575eb49de294295e3a3898ec4201e26
Instruction ID: d88ea0da9439d799057abce9aecf8a641f2695b14c4b62a2253a38a6f1ce61e0
Opcode Fuzzy Hash: 82d381f8521d0532c2e524be9e07f1ad1575eb49de294295e3a3898ec4201e26
Instruction Fuzzy Hash: 430205A191DA8A5FE795EF38C4506B6BBE1FF55300F2841FAC44DCB5D6CE28E8468380

Function 00007FFB4AFE1B28 Relevance: 6.7, Strings: 5, Instructions: 462
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

pY)5, xrefs: 00007FFB4AFE1CC5
pY)5, xrefs: 00007FFB4AFE1DB2
xY)5, xrefs: 00007FFB4AFE1D79
hY)5, xrefs: 00007FFB4AFE1C98
hY)5, xrefs: 00007FFB4AFE1CB4

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: hY)5$hY)5$pY)5$pY)5$xY)5
API String ID: 0-2094693620
Opcode ID: 3e4ff951a50697ffeb688cd344e1fd2d038a93e74e4fb3d8f5cfa66a2ac3ebd7
Instruction ID: 9e3613767c1cd4bcb8e735475a6c67214e18a2a7ab38d8be23dfb948a27a7b60
Opcode Fuzzy Hash: 3e4ff951a50697ffeb688cd344e1fd2d038a93e74e4fb3d8f5cfa66a2ac3ebd7
Instruction Fuzzy Hash: ACF138A290E7865FE316AF7CD8A20E57FD0EF56310B1805FAD08DCB1D3D91868168795

Function 00007FFB4AFEF6FD Relevance: 6.0, Strings: 4, Instructions: 1007
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H2J, xrefs: 00007FFB4AFEFA86
, xrefs: 00007FFB4AFEFAD0
@#_H, xrefs: 00007FFB4AFEFC60
, xrefs: 00007FFB4AFEFDDB

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: $ $@#_H$H2J
API String ID: 0-2185394523
Opcode ID: 973d7792b50b43df36be88b1fc0c4a480408c1be91865243049a158b6e1519ec
Instruction ID: c94d96a6e4dcef0b1fc46100a0328613e7c04b7c981ee0cee6f9c32a2c18e7be
Opcode Fuzzy Hash: 973d7792b50b43df36be88b1fc0c4a480408c1be91865243049a158b6e1519ec
Instruction Fuzzy Hash: 99624EB161C9495FEBA8EF2CC599A7937D1EF58300B6504F9E48EC72E2DE28EC418741

Function 00007FFB4B0901BA Relevance: 5.1, Strings: 4, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0'J, xrefs: 00007FFB4B0901C8
"$_L, xrefs: 00007FFB4B0901D2
0%J, xrefs: 00007FFB4B09024B
0'J, xrefs: 00007FFB4B09021F

Memory Dump Source

Source File: 00000000.00000002.2754619828.00007FFB4B090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b090000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: "$_L$0%J$0'J$0'J
API String ID: 0-695594866
Opcode ID: 4af64153fd289833112ea06f484658e4f64c9a7f59396d8280b9d61de5d13649
Instruction ID: dbb4d39f99d4771722f79aee9e12e9d17133a087e7381479abe889543d76aef9
Opcode Fuzzy Hash: 4af64153fd289833112ea06f484658e4f64c9a7f59396d8280b9d61de5d13649
Instruction Fuzzy Hash: 51310EA2B1DB850FE35AAB7C98272B47BD1EF55211F4441FED48AC72E3EC095C468346

Function 00007FFB4AFE9FBC Relevance: 4.3, Strings: 3, Instructions: 519
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(~J, xrefs: 00007FFB4AFEA08F
(~J, xrefs: 00007FFB4AFEA102
(~J, xrefs: 00007FFB4AFEA13B

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: (~J$(~J$(~J
API String ID: 0-3156379771
Opcode ID: ac18ebf2c92c723f64e00ce01d1ed2022821b33257b73ba2abea5df72ddc3da5
Instruction ID: 53cd3f4f2103ba3fb74f8cbcbc64963d2e051b31e1f3afbae26118f8aeda4f9b
Opcode Fuzzy Hash: ac18ebf2c92c723f64e00ce01d1ed2022821b33257b73ba2abea5df72ddc3da5
Instruction Fuzzy Hash: 52F1F171A0CA4A4FDB95FF78C8556AA7BE1FF99310F5400BAD409C3296DE38AC428781

Function 00007FFB4AFEE401 Relevance: 4.2, Strings: 3, Instructions: 457
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

>._L, xrefs: 00007FFB4AFEE5D2
=#_L, xrefs: 00007FFB4AFEE770
0J, xrefs: 00007FFB4AFEE5C8

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: 0J$=#_L$>._L
API String ID: 0-1456614147
Opcode ID: 501e015c49af015a925ded8031f7c9369f40a498fbce8d4808e6cf7c75ffb36a
Instruction ID: e7d7e44829315d0f5022fd91c8689f6a18e512627a89cca7b9cb9ba0e6dea86a
Opcode Fuzzy Hash: 501e015c49af015a925ded8031f7c9369f40a498fbce8d4808e6cf7c75ffb36a
Instruction Fuzzy Hash: C1E18070618B4A9FE748EF28D8556A977E6FF98300F1441BDE44AC72D6CE34AC46CB41

Function 00007FFB4B095160 Relevance: 3.9, Strings: 3, Instructions: 105COMMON

Download Yara Rule

Strings

`9J, xrefs: 00007FFB4B095167
`9J, xrefs: 00007FFB4B0951B2
`9J, xrefs: 00007FFB4B0951ED

Memory Dump Source

Source File: 00000000.00000002.2754619828.00007FFB4B090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b090000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: `9J$`9J$`9J
API String ID: 0-3113912669
Opcode ID: 1d3a3e8b875ed4cd042ab76e1d9dda0bd1bc5ae93df281b8f25ba11eceab882d
Instruction ID: 60b05721398c3b64d146ab598ccd2e644b530cb56c1b33947634498260dee49a
Opcode Fuzzy Hash: 1d3a3e8b875ed4cd042ab76e1d9dda0bd1bc5ae93df281b8f25ba11eceab882d
Instruction Fuzzy Hash: 8F21F691B0DF4B0BF7AABA3D89652795AD2DFD814176841BAD50DC73EAED18DC024340

Function 00007FFB4AFDCA76 Relevance: 3.9, Strings: 3, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Y$_H, xrefs: 00007FFB4AFDCB6E
ht&5, xrefs: 00007FFB4AFDCB51
pt&5, xrefs: 00007FFB4AFDCB80

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: Y$_H$ht&5$pt&5
API String ID: 0-3781393081
Opcode ID: 3aa8e067ae2181444fe8261ee8a1fe8f1f506ac6a0613e444b4002031fc910fc
Instruction ID: f40e895a7f24694d6d864a9893ef14b1bc6037ec2c999f71c1822eb3e26335c4
Opcode Fuzzy Hash: 3aa8e067ae2181444fe8261ee8a1fe8f1f506ac6a0613e444b4002031fc910fc
Instruction Fuzzy Hash: 8431E7E2D2D9CA4FE786FF38945A1B97BE1EF98300B1404FAD44AC71D2ED3868068741

Function 00007FFB4AFDE521 Relevance: 3.8, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

X#J, xrefs: 00007FFB4AFDE551
Pq&5, xrefs: 00007FFB4AFDE56D
Hq&5, xrefs: 00007FFB4AFDE5B4

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: Hq&5$Pq&5$X#J
API String ID: 0-3178719546
Opcode ID: af33380963f63fb899a5b9e41fc9dcade35fab5b3bb04b0706c7c9ae07e702f7
Instruction ID: 790063fa76c1927ab1a4f4abab92409a167b6209b95073fa61c8bade50b4ac46
Opcode Fuzzy Hash: af33380963f63fb899a5b9e41fc9dcade35fab5b3bb04b0706c7c9ae07e702f7
Instruction Fuzzy Hash: A421AFB180D6C94FD746AF78D8656AABFF4EF5A300F1808EEE08AC7193DA6851458742

Function 00007FFB4AFF332D Relevance: 3.0, Strings: 2, Instructions: 473COMMON

Download Yara Rule

Strings

H2J, xrefs: 00007FFB4AFF3534
xBJ, xrefs: 00007FFB4AFF3497

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: H2J$xBJ
API String ID: 0-2741165015
Opcode ID: b17133e72955f5fdcf164ee3a56837293d60cebad434927a22debd185d9e54b8
Instruction ID: ff03a9ca2b4d7908fc7e70e25cfd7d0abf01306aece947b46b2f59d012a19fcd
Opcode Fuzzy Hash: b17133e72955f5fdcf164ee3a56837293d60cebad434927a22debd185d9e54b8
Instruction Fuzzy Hash: 26E1E3B1A1CA4A4FE795EF3CC455AB577D1FF89310B2805FAE05EC76D2CE29A8428740

Function 00007FFB4AFE171C Relevance: 2.8, Strings: 2, Instructions: 302COMMON

Download Yara Rule

Strings

pY)5, xrefs: 00007FFB4AFE1820
+$_^, xrefs: 00007FFB4AFE1901

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: +$_^$pY)5
API String ID: 0-1450111754
Opcode ID: b10b39f7fc31d5c76bdfc0f5701103ad1d9630ae2a6ee90b689e322197cf6a67
Instruction ID: 4a6a81a8cf4243aa62e5ae6a19d325adcadc78cf151e3619b840f011dec3d467
Opcode Fuzzy Hash: b10b39f7fc31d5c76bdfc0f5701103ad1d9630ae2a6ee90b689e322197cf6a67
Instruction Fuzzy Hash: E19103A290E3965AD312BB7DE4621E57FA4DF12234B0805F7D8CCCA0E3D918359AC7A5

Function 00007FFB4AFE9B59 Relevance: 2.7, Strings: 2, Instructions: 232COMMON

Download Yara Rule

Strings

xr&5, xrefs: 00007FFB4AFE9D1F
0uJ, xrefs: 00007FFB4AFE9BA5

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: 0uJ$xr&5
API String ID: 0-241681401
Opcode ID: 388c632edfa50b1209e7f9e6baa15247da9addba3bae68778dff872254d8c3c9
Instruction ID: 1b599b2309bcde6330e30dfcee8d1b2efe37d9366e6413d27b8f2fee401f2f18
Opcode Fuzzy Hash: 388c632edfa50b1209e7f9e6baa15247da9addba3bae68778dff872254d8c3c9
Instruction Fuzzy Hash: 976138A2A0DB871FD356BF3C98911A2BFD4EF56210B1901FAD08DC75C3DD1CA80683A1

Function 00007FFB4AFF20A8 Relevance: 2.7, Strings: 2, Instructions: 230COMMON

Download Yara Rule

Strings

@lJ, xrefs: 00007FFB4AFF2310
@lJ, xrefs: 00007FFB4AFF2337

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: @lJ$@lJ
API String ID: 0-3136525581
Opcode ID: 54b0048dcff30484aca26cba5aecae653151d2d213fa075fb36f074372aff619
Instruction ID: e2611c69adb7729a5beabcf3ddc4f5d7194bd0d6c5d12ef3195cdf5969979634
Opcode Fuzzy Hash: 54b0048dcff30484aca26cba5aecae653151d2d213fa075fb36f074372aff619
Instruction Fuzzy Hash: 197191B1A0D9194FEB94FF68C951BA877A1EF59300F1400FAE44DD72C2CE34AD868B81

Function 00007FFB4AFDD9F4 Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

PTJ, xrefs: 00007FFB4AFDDA1A
PTJ, xrefs: 00007FFB4AFDDA4B

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: PTJ$PTJ
API String ID: 0-2388034289
Opcode ID: f5842e61ec18742bf675d7d38b8430652b41981ad3a1749214c7fd3f97ef687c
Instruction ID: f8d8778a78b1bfd720ccba16a23550678d0ccc4452cd43ad4e7effe4b0559ed3
Opcode Fuzzy Hash: f5842e61ec18742bf675d7d38b8430652b41981ad3a1749214c7fd3f97ef687c
Instruction Fuzzy Hash: 305122A2A0F6C10FE31A6F7898560B4BF95EF9631076940FBD089CB1D7D8299C468392

Function 00007FFB4AFDE3A9 Relevance: 2.7, Strings: 2, Instructions: 158COMMON

Download Yara Rule

Strings

(r&5, xrefs: 00007FFB4AFDE4E0
h^J, xrefs: 00007FFB4AFDE43D

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: (r&5$h^J
API String ID: 0-1185439169
Opcode ID: 78d870a8e01af6e368f1425ab567d3112e16846ea48f13ec015efc5cfcc27692
Instruction ID: aaecf4146ef8bf05c2861f982fb0c1b256752f53611dcd30138812c45a69daa4
Opcode Fuzzy Hash: 78d870a8e01af6e368f1425ab567d3112e16846ea48f13ec015efc5cfcc27692
Instruction Fuzzy Hash: A741F5E1E2EACA4FDB46BF74D4555E57BA0EF1920071801FAE44ACB18BDD28E8178380

Function 00007FFB4AFDCDE9 Relevance: 2.7, Strings: 2, Instructions: 151COMMON

Download Yara Rule

Strings

CJ, xrefs: 00007FFB4AFDCEBC
CJ, xrefs: 00007FFB4AFDCEF7

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: CJ$CJ
API String ID: 0-1497514442
Opcode ID: 48d6408fce79fefd74baa79b85e9ebc6826d1bafec419b8da726d1729bb3a3c4
Instruction ID: 2a2da49990f60e379fd7d1036e389af7180060b2182116a236c8d071607b2b52
Opcode Fuzzy Hash: 48d6408fce79fefd74baa79b85e9ebc6826d1bafec419b8da726d1729bb3a3c4
Instruction Fuzzy Hash: 0B4129F290DAC60FD3ABDF38D9551A4BBE1EF55310B1441FAD089C71D3EE18A84A8381

Function 00007FFB4B095566 Relevance: 2.6, Strings: 2, Instructions: 95COMMON

Download Yara Rule

Strings

AJ, xrefs: 00007FFB4B0955A4
AJ, xrefs: 00007FFB4B0955DF

Memory Dump Source

Source File: 00000000.00000002.2754619828.00007FFB4B090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b090000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: AJ$AJ
API String ID: 0-3270301191
Opcode ID: 6811ff8ea330499709b4606e7be9c729bd2b0acfc4e321e5a5abdb66a371d8f0
Instruction ID: b64083f54d72909ffc34b83b6b43cd11bf8dbc6b5e6e551eab4f66cc335f24e3
Opcode Fuzzy Hash: 6811ff8ea330499709b4606e7be9c729bd2b0acfc4e321e5a5abdb66a371d8f0
Instruction Fuzzy Hash: 8921F891B0DF4A0FE7A9BA3C896923959D2EFD815175841BAD54DC33ABDD28DC024340

Function 00007FFB4B0948CD Relevance: 2.6, Strings: 2, Instructions: 92COMMON

Download Yara Rule

Strings

-J, xrefs: 00007FFB4B09493F
-J, xrefs: 00007FFB4B094904

Memory Dump Source

Source File: 00000000.00000002.2754619828.00007FFB4B090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b090000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: -J$-J
API String ID: 0-939938383
Opcode ID: d1dc12f17f1361c945ac7b911416c994fa4c272595ecd505c5f1bd6e19edb3b5
Instruction ID: ee26ed8e8c68eaf3a95d246efbc95bc2beb4d2bf5803cf0cc724d3f1adca077b
Opcode Fuzzy Hash: d1dc12f17f1361c945ac7b911416c994fa4c272595ecd505c5f1bd6e19edb3b5
Instruction Fuzzy Hash: CD210792B0DE4B0BE7A9FA3C89652395AD2EFD825176840BAD50DC339BED28DC064340

Function 00007FFB4AFDFF19 Relevance: 2.6, Strings: 2, Instructions: 53COMMON

Download Yara Rule

Strings

Xq&5, xrefs: 00007FFB4AFDFFCB
Hq&5, xrefs: 00007FFB4AFDFFDD

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: Hq&5$Xq&5
API String ID: 0-3787806190
Opcode ID: f0e6655b99946865039ba99cca8005c9b5063c10cb4cf174006ee2b4662687d3
Instruction ID: 8632e9ad37dc8df85d2c1de3cfb9cb1446ad5de8ead70779673a0c704fb39ced
Opcode Fuzzy Hash: f0e6655b99946865039ba99cca8005c9b5063c10cb4cf174006ee2b4662687d3
Instruction Fuzzy Hash: 0D01D2A291E6C25FE312AB78D4619A27FE6EF47310B5806FAC08ACB4D3D91D64479341

Function 00007FFB4AFED381 Relevance: 2.1, Strings: 1, Instructions: 814COMMON

Download Yara Rule

Strings

H2J, xrefs: 00007FFB4AFED98D

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: H2J
API String ID: 0-240407164
Opcode ID: 8773ff5754b9b4da7c4d1834a3f22ebb3c84058f2a6e8bbe1aeaea7d3966a4f2
Instruction ID: 814036e7b0259a4b4d2c693c9fb532a09acb62b18d2e5f56a09291349fb9eaf6
Opcode Fuzzy Hash: 8773ff5754b9b4da7c4d1834a3f22ebb3c84058f2a6e8bbe1aeaea7d3966a4f2
Instruction Fuzzy Hash: AB527170A1C9499FDB95EF28C855AAA7BE1FF59304F2401B9E44DC72D6DE28EC42C780

Function 00007FFB4AFED446 Relevance: 2.0, Strings: 1, Instructions: 720COMMON

Download Yara Rule

Strings

H2J, xrefs: 00007FFB4AFED98D

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: H2J
API String ID: 0-240407164
Opcode ID: f4b0fa3d383058d9de6cfef5f04d167167e78dbee3779b665dc02c063225257c
Instruction ID: 8ed7e109203b0e94b115ca408a0e158b257e9e4d15d0d6afd84d84150b0a4fb0
Opcode Fuzzy Hash: f4b0fa3d383058d9de6cfef5f04d167167e78dbee3779b665dc02c063225257c
Instruction Fuzzy Hash: 59326170A1C94A9FDB94EF28C895AAA77E1FF58304F2401A9E44DC72D6DE34EC52C780

Function 00007FFB4AFEBA79 Relevance: 1.9, Strings: 1, Instructions: 693COMMON

Download Yara Rule

Strings

@s&5, xrefs: 00007FFB4AFEBD06

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: @s&5
API String ID: 0-2039092783
Opcode ID: bc828a854683f64513996b902f29aa7d93fc14028f9ea4af4957d26f28d130f3
Instruction ID: bd41f13935fa4bf57f091f46d99792cb54ce7ff7255acb8bcfbce9938661539e
Opcode Fuzzy Hash: bc828a854683f64513996b902f29aa7d93fc14028f9ea4af4957d26f28d130f3
Instruction Fuzzy Hash: AE2213B0A2DA4A5FE35AEE3CC5855B677D5EF94300F5441F9D48EC3186EE28BC128781

Function 00007FFB4AFDC325 Relevance: 1.8, Strings: 1, Instructions: 560COMMON

Download Yara Rule

Strings

`$_H, xrefs: 00007FFB4AFDC46D

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: `$_H
API String ID: 0-1610763802
Opcode ID: d738c0bdb2932efebbc267b4e68564738473b73bc487af17681d5362f45e9612
Instruction ID: 6cabe346de9af3ef1849f640e3c77423381822e0e18a6c5d1966a9747db0bee8
Opcode Fuzzy Hash: d738c0bdb2932efebbc267b4e68564738473b73bc487af17681d5362f45e9612
Instruction Fuzzy Hash: 78F1D4A2A1DB8A0FE796EE3CC4556B567D1EF98250B2401FAC44EC72C7ED28AC478740

Function 00007FFB4AFD2440 Relevance: 1.8, Strings: 1, Instructions: 524COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFB4AFEAC99

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 67a6f5794a4303e2ca1a35110eb1de3d04c9ab5fc3a7735202bbb5ac754e3c92
Instruction ID: a3c8bb3e7d5cf22960da66d00929f9a00693859823c2eea67310dd815e9fc570
Opcode Fuzzy Hash: 67a6f5794a4303e2ca1a35110eb1de3d04c9ab5fc3a7735202bbb5ac754e3c92
Instruction Fuzzy Hash: 7AF1EEB0A1CA0A8FD759EF28C481576B3E6FF98302B6445BDD44AC7296DE34EC438780

Function 00007FFB4AFD8C79 Relevance: 1.7, Strings: 1, Instructions: 499COMMON

Download Yara Rule

Strings

^J, xrefs: 00007FFB4AFD909A

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: ^J
API String ID: 0-3056682247
Opcode ID: a35dfb45ba42040c1a255eb84e0d665be0d7f52c33d18dbf8e3ef40087da4299
Instruction ID: 5bc8dca9fafdae7a2e9ee31c34499afdcc214b50228db5276b0dfa009b58ba23
Opcode Fuzzy Hash: a35dfb45ba42040c1a255eb84e0d665be0d7f52c33d18dbf8e3ef40087da4299
Instruction Fuzzy Hash: F8F1CF70A0CA894FEB59EE78C5457B977E5EF99300F6401BED48EC36D2CE38A8468741

Function 00007FFB4AD536A9 Relevance: 1.6, APIs: 1, Instructions: 138fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32 ref: 00007FFB4AD53787

Memory Dump Source

Source File: 00000000.00000002.2750878863.00007FFB4AD50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4ad50000_HquJT7q6xG.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 222f757a9e106e25d1c6369321ee1e9dd7eeced927f717a3dd7e56a62c02f5ba
Instruction ID: 33182edf54d32aa9c6f8341099078bea1fa34b15bcba637bbd76bf3bd21b4726
Opcode Fuzzy Hash: 222f757a9e106e25d1c6369321ee1e9dd7eeced927f717a3dd7e56a62c02f5ba
Instruction Fuzzy Hash: 5441167290CA8C8FDB19EF68C8596E97FE0EF56310F0441AFD049D7292CB24680ACB91

Function 00007FFB4AD536ED Relevance: 1.6, APIs: 1, Instructions: 109fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32 ref: 00007FFB4AD53787

Memory Dump Source

Source File: 00000000.00000002.2750878863.00007FFB4AD50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4ad50000_HquJT7q6xG.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 2bd6a29f091a9441f62fde076f5508d4fa2e5d4397e891dba136e38ac45ee610
Instruction ID: ab28e6d7407f0db9c7c225e238f33168274937ede17f426a66da1556a53a2f41
Opcode Fuzzy Hash: 2bd6a29f091a9441f62fde076f5508d4fa2e5d4397e891dba136e38ac45ee610
Instruction Fuzzy Hash: 6331D07190CA5C8FDB59DF68C8596E9BBE0EF65320F04426FD049D3292DB34A816CB91

Function 00007FFB4AFD2D79 Relevance: 1.6, Strings: 1, Instructions: 339COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFB4AFD2FC6

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 8caabd87da67255ff4ef8f7ae5ab4e09fdd3e1b7ed50c777fc6c868ad214cea7
Instruction ID: 865703a1e2bc4fbe6c86d41483043734961880d7a9576450b44c6e001880653e
Opcode Fuzzy Hash: 8caabd87da67255ff4ef8f7ae5ab4e09fdd3e1b7ed50c777fc6c868ad214cea7
Instruction Fuzzy Hash: 9EB148B2A0DAC94FE356FF78D5551A9BBE4EF49310B1405F9D48ACF193DD289C068780

Function 00007FFB4AFD6D81 Relevance: 1.6, Strings: 1, Instructions: 325COMMON

Download Yara Rule

Strings

hs&5, xrefs: 00007FFB4AFD6E91

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: hs&5
API String ID: 0-470585854
Opcode ID: db35d786dd25e6b2348fedb1cda833cd132fcf2890f3c36f083fb2602c94db32
Instruction ID: f3ae72d09f2f1905029cc97c030aff236e63c6bcd524b2fa98a2c999b16279e9
Opcode Fuzzy Hash: db35d786dd25e6b2348fedb1cda833cd132fcf2890f3c36f083fb2602c94db32
Instruction Fuzzy Hash: 9D91C0A1B1DE8A4FE7D6EF3CD5552B927D5EF99240B1404F9D04EC72D2DE29AC028340

Function 00007FFB4AFEA9C1 Relevance: 1.6, Strings: 1, Instructions: 321COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFB4AFEAC99

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: b92a3eaa2bb17cd89ec7b17651aed7205085e7ac9cd64ee258f501aaa65e24da
Instruction ID: 73595b872c4372546442d774f8c9f7aec1bd41421c6a287af41306f00822f632
Opcode Fuzzy Hash: b92a3eaa2bb17cd89ec7b17651aed7205085e7ac9cd64ee258f501aaa65e24da
Instruction Fuzzy Hash: 6DA1EE70A1CB4A8FD75DEF18C48557673E5FBA8302B6445BED84AC7286DA34E843CB81

Function 00007FFB4AFD9000 Relevance: 1.5, Strings: 1, Instructions: 289COMMON

Download Yara Rule

Strings

^J, xrefs: 00007FFB4AFD909A

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: ^J
API String ID: 0-3056682247
Opcode ID: 779a6f9f7ee23b2ab70c815269ea8536964af1fe83dc088d15721a4da05c8180
Instruction ID: 2409d3720cf954d857969f592514af86db21d756fe9dcfde6da2411f12d0a7ac
Opcode Fuzzy Hash: 779a6f9f7ee23b2ab70c815269ea8536964af1fe83dc088d15721a4da05c8180
Instruction Fuzzy Hash: 1EA1CE60A0CA894FEB55EE7CC5857A877E5EF58300F6441FDD48EC7AD2CE38A8458741

Function 00007FFB4AFD3FA6 Relevance: 1.5, Strings: 1, Instructions: 283COMMON

Download Yara Rule

Strings

@, xrefs: 00007FFB4AFD44B7

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 0e756ccb24a08104b6efd38208e8dd5c77296ec4ae378e175c7da3bf25d11ad4
Instruction ID: 27348d2ce830c9b7ace3234f1c405fd19b4549b059ddbc32de014fd22782e695
Opcode Fuzzy Hash: 0e756ccb24a08104b6efd38208e8dd5c77296ec4ae378e175c7da3bf25d11ad4
Instruction Fuzzy Hash: B981C7B1B0D78A4BE7A5EE28D54537977C5EF85311F6406BED88BC72C1DE18A8428382

Function 00007FFB4AFED8D0 Relevance: 1.5, Strings: 1, Instructions: 279COMMON

Download Yara Rule

Strings

H2J, xrefs: 00007FFB4AFED98D

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: H2J
API String ID: 0-240407164
Opcode ID: 9e0d17f652a9f4018c1b7b8cc803954b01a7f63e05a898da4c08e30b1630aef6
Instruction ID: 5e285a3bfd3cbe8d8dae2d27eb765e909f393be4b9ff687bec411eaa4d6a15bf
Opcode Fuzzy Hash: 9e0d17f652a9f4018c1b7b8cc803954b01a7f63e05a898da4c08e30b1630aef6
Instruction Fuzzy Hash: 5F91737061C9499FDB85EF3CC495AAA77E1FF99304B2401A9E04DC7296DE35EC42C780

Function 00007FFB4AFE2139 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

"$_^, xrefs: 00007FFB4AFE2201

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: "$_^
API String ID: 0-2781572093
Opcode ID: a3922735325c7c410e6fa81a08fff51fee0e93e049db604644cc01723a2c42c3
Instruction ID: 0b3a8c393bbd16b34a3f098ce85805f3fe928864fe24c5d669cae05749158ee6
Opcode Fuzzy Hash: a3922735325c7c410e6fa81a08fff51fee0e93e049db604644cc01723a2c42c3
Instruction Fuzzy Hash: 3C6115B281D7998FDB02FF38E8921E97B60EF05324B0445F6D48CCF0A7C928A456CB95

Function 00007FFB4AFDD3F5 Relevance: 1.5, Strings: 1, Instructions: 213COMMON

Download Yara Rule

Strings

0nJ, xrefs: 00007FFB4AFDD4D3

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: 0nJ
API String ID: 0-348585754
Opcode ID: 9de47695d80faca62cb96d308cd7e8520c1cf7ce7cba37bcde7002c67b0a007f
Instruction ID: 449bd5daadc59f018511eac89756fb4a6e43b2bf7107952266682b36d8ad9603
Opcode Fuzzy Hash: 9de47695d80faca62cb96d308cd7e8520c1cf7ce7cba37bcde7002c67b0a007f
Instruction Fuzzy Hash: CD51047154EAC65FD357AF38C8646B57FE4EF86210B2901FAD08EC75E2C91CA846C351

Function 00007FFB4AFE2150 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

"$_^, xrefs: 00007FFB4AFE2201

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: "$_^
API String ID: 0-2781572093
Opcode ID: 126ca7eb5788f3b043ce834a7d9fa69a68e10727589ab743eac3d15eeb29b739
Instruction ID: 456e8751ec964f2338078ee8933edd6b0b86115a2ed1bb6435db6bcd755a39a3
Opcode Fuzzy Hash: 126ca7eb5788f3b043ce834a7d9fa69a68e10727589ab743eac3d15eeb29b739
Instruction Fuzzy Hash: 0851D0B28196598FDB02FF78E8921E977A4EF14324B0445B6D84DCF0A7CD28A456CB94

Function 00007FFB4AFE10F2 Relevance: 1.4, Strings: 1, Instructions: 145COMMON

Download Yara Rule

Strings

K3, xrefs: 00007FFB4AFE116E

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: K3
API String ID: 0-411264050
Opcode ID: 35ad430a1166bc84df99f04a4488d599db8bde84b1898d9f0adb91de20444eb7
Instruction ID: cfb663278d32dc43b2460a81b3b1d2c0498764a23c682a52e9dd413732a77a78
Opcode Fuzzy Hash: 35ad430a1166bc84df99f04a4488d599db8bde84b1898d9f0adb91de20444eb7
Instruction Fuzzy Hash: 9441E46290D6A94BD702BF78F8A11E53B60EF45330B0415F7D8898F0A7CD64786AC7E1

Function 00007FFB4AFD2EEE Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFB4AFD2FC6

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: e77dd1c5840bdd0243111ae3c4acb2102062a5d070bfe40daa2469153a709781
Instruction ID: 69c7abb720ed479fee37cc4650f20665daf1a83f00ac654dd4fa1b5a8a6a8616
Opcode Fuzzy Hash: e77dd1c5840bdd0243111ae3c4acb2102062a5d070bfe40daa2469153a709781
Instruction Fuzzy Hash: 403102A190EBC60FE39BAF7888955A47FE1EF4A21470805FEC48ACF197DC69584AC741

Function 00007FFB4AFE1148 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

K3, xrefs: 00007FFB4AFE116E

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: K3
API String ID: 0-411264050
Opcode ID: 9c2f2dd19138097617cca653adcb00541ee8ed37cc6cc89bbc08e1a123dc1860
Instruction ID: d00e33aafb82cdc3f9e2245170e5375f1ad8db6398f1ec054706a6246c1ef3af
Opcode Fuzzy Hash: 9c2f2dd19138097617cca653adcb00541ee8ed37cc6cc89bbc08e1a123dc1860
Instruction Fuzzy Hash: 3531237290DAA94FCB02BF68F8911EA37A0FF45330B0415B3E849CB197CA646866C7D1

Function 00007FFB4AFD294C Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

hs&5, xrefs: 00007FFB4AFD297D

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: hs&5
API String ID: 0-470585854
Opcode ID: e708e2c288287b17166daa263c918dc9221dd6620932ac029e064f3cfa50d135
Instruction ID: 4119945a871d0c3636f76e0416c31d3cfcd2abccaf84b038767bcd6299d2740f
Opcode Fuzzy Hash: e708e2c288287b17166daa263c918dc9221dd6620932ac029e064f3cfa50d135
Instruction Fuzzy Hash: 69212891B2DA8A0FE749BF78C4622F977D5EF59300F5484F6804ACB6C7CC68A8069391

Function 00007FFB4AFD223A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

`9J, xrefs: 00007FFB4AFD2271

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: `9J
API String ID: 0-2457592886
Opcode ID: 407705ef5a54e8b176a66b3dc9744d61db965ab756a3582c6bcc871d781c7c68
Instruction ID: 516c0235ffb04360e7fffa6aac0e847249900f1767bd0965eb0781a2c938c334
Opcode Fuzzy Hash: 407705ef5a54e8b176a66b3dc9744d61db965ab756a3582c6bcc871d781c7c68
Instruction Fuzzy Hash: 47F04C6181DBC91FE712AB7498151E67FF4EF56200F4944D7E899CB193DC186519C342

Function 00007FFB4AFD22AD Relevance: 1.3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

Strings

hs&5, xrefs: 00007FFB4AFD22F2

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: hs&5
API String ID: 0-470585854
Opcode ID: f9ae6c952091464f3faeaad73624ddb59e7d05ebb5db38ef736d2d6b51a23259
Instruction ID: b07d2410227bb095c75cb446ce2c940dde87a6c45bfabbb93b0055da97afa79d
Opcode Fuzzy Hash: f9ae6c952091464f3faeaad73624ddb59e7d05ebb5db38ef736d2d6b51a23259
Instruction Fuzzy Hash: E4F046B181E6C80FF306AFB4882A0E97FE4EF85200F0804EAE459CB083ED6820158341

Function 00007FFB4AFE8912 Relevance: 1.3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

Strings

hq&5, xrefs: 00007FFB4AFE8947

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: hq&5
API String ID: 0-529024400
Opcode ID: b255fcae8277f98f4a0099748809fdc91cb1d6cdb02377229f41fed0727aa5e5
Instruction ID: cf09dde40dfaf8570b7f3f76e663f3c66f62c09b630da692eae7c6a63ea900bf
Opcode Fuzzy Hash: b255fcae8277f98f4a0099748809fdc91cb1d6cdb02377229f41fed0727aa5e5
Instruction Fuzzy Hash: BAF0E580B1D95B0FE692BB7C982A1BC6AD4DF5E160B9405F6E48AC32D7DC1CA8425380

Function 00007FFB4AFF2356 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c62eb1f67070baba14ccbe38deba9ea4ed01baa39b2c806b8079680472c95eb5
Instruction ID: 09974ef999fdfcd44301497cf097836addba32464691afa45a1a96168935a8db
Opcode Fuzzy Hash: c62eb1f67070baba14ccbe38deba9ea4ed01baa39b2c806b8079680472c95eb5
Instruction Fuzzy Hash: 7B2272B0A1CA598FDB98EF68C8556A977E5FF58300F1441FAE04DC7296DE34AC41CB81

Function 00007FFB4AFF05EC Relevance: .6, Instructions: 639COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5064b3340134c9622acca36a65bb2f2813d15160e6275b7d2d9f9e89ac4959ab
Instruction ID: 8dcd1350722abca8df6e67bb7edb8e191f32cbec27ae47a7af19ffdd9b35268e
Opcode Fuzzy Hash: 5064b3340134c9622acca36a65bb2f2813d15160e6275b7d2d9f9e89ac4959ab
Instruction Fuzzy Hash: 581228B1A0DA854FE795EF38C4556A87BD1EF99310F2400FEE58DC72D6EE28AC428341

Function 00007FFB4AFEDDED Relevance: .5, Instructions: 492COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7be6544546f4df5807ae80ada54f481fd13bcb73506760dce2d54ab442c379c9
Instruction ID: d2e3c8073144d67ff192432df8c072991120aa5aefa20cb66f18290abd78a5b0
Opcode Fuzzy Hash: 7be6544546f4df5807ae80ada54f481fd13bcb73506760dce2d54ab442c379c9
Instruction Fuzzy Hash: 57F119B190D7866FE365EF38E9561B63BE1EF56310B2901FAC48DC71E3DA1C68868341

Function 00007FFB4AFDA609 Relevance: .4, Instructions: 439COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74a400f163a4010bf7cffc229ba5d652fb0871778288a82c37ae8f4910ffc857
Instruction ID: 5c962393c7aca6f27973500b7bbee546579cc52c043470422adebbf3303c44e6
Opcode Fuzzy Hash: 74a400f163a4010bf7cffc229ba5d652fb0871778288a82c37ae8f4910ffc857
Instruction Fuzzy Hash: 79D1C171A0CA498FDB99FF38C4556B8B7E5FF98300F5441BAD44EC3296DE38A8428B45

Function 00007FFB4AFF01FC Relevance: .4, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5590ac425f9a7b2da84816fe0de5658a340e21b9b6d5581559a94fdf4d80d32d
Instruction ID: 2881e46a0604cf5cce81730b949c02f2fc51e1c96552d88c152b5c8f1577d072
Opcode Fuzzy Hash: 5590ac425f9a7b2da84816fe0de5658a340e21b9b6d5581559a94fdf4d80d32d
Instruction Fuzzy Hash: F3D107A191DA854FF365EF38C9562A47BE0EF56200B1505FFE98DC71E3EE1C680A8342

Function 00007FFB4AFF4A39 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e1cd1ba244801410d17aad5d781dc5fbdd025a6a3f8a589e8df770c0af44963
Instruction ID: 6f17467c7fe1dbcd2497ee7821348ba3a27fd9a8f37bf9578500ed9da2f56a80
Opcode Fuzzy Hash: 7e1cd1ba244801410d17aad5d781dc5fbdd025a6a3f8a589e8df770c0af44963
Instruction Fuzzy Hash: D6C19FB1B1CA094FEB58FF7CC455AA977D5EF98310F1001BAE44EC32D6DE28A8468781

Function 00007FFB4AFF2399 Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be9aa79ed6cb5c5cc73c2f04a2f7b14b443a63a5a0e77a7a4b160cc9a377cb06
Instruction ID: cd539da58735fe4f2c7b691db864846215daf17e95c60d18f1b5750faf008234
Opcode Fuzzy Hash: be9aa79ed6cb5c5cc73c2f04a2f7b14b443a63a5a0e77a7a4b160cc9a377cb06
Instruction Fuzzy Hash: 91C1A170A1CA498FDB98EF68C8556A977E5FF59300F1401EAE44DC72D6DE34AC42CB81

Function 00007FFB4AFE7CF6 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f212a868872921132bb9ebba640e2363482924255ad59c3f3846aa16fa8535d4
Instruction ID: f7d471616f3a6ca1568291c949d8b44bc98fca2e266753f24452f74b0efc2542
Opcode Fuzzy Hash: f212a868872921132bb9ebba640e2363482924255ad59c3f3846aa16fa8535d4
Instruction Fuzzy Hash: 30B1C57050CA8D8FEB69EF28D8557E97BD1FF55310F1442AAE84DC7291CE349845CB82

Function 00007FFB4AFD8DFC Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd1518842ab08abfd301ae84ff92a14f017889416f2de61d2ee9fe719ae84b80
Instruction ID: c2efa75bf2a53539c765f44307788bac5a4d00e3ebdb0f68b432f5a121ca12f4
Opcode Fuzzy Hash: dd1518842ab08abfd301ae84ff92a14f017889416f2de61d2ee9fe719ae84b80
Instruction Fuzzy Hash: 03B102A0A0C6864FE75AAFB8C5947A87BD5EF15300F6401FCD48ECB6D3CE28A8468300

Function 00007FFB4AFD3180 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8749254a1f44cb6ae9515f55d63d1719fefb86934172086d655d159424cb18b6
Instruction ID: ac3d9c3908c844f2b5b770bfe04d9459fd7e427ad0679269c29e8872dcdc8db5
Opcode Fuzzy Hash: 8749254a1f44cb6ae9515f55d63d1719fefb86934172086d655d159424cb18b6
Instruction Fuzzy Hash: 99A19D71A0CA894FEB99EF78D5512FD77E5EF89315F2405B9D45EC72C2CE28A8028B40

Function 00007FFB4AFD34A1 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc983f5e1318f54aca795d160f9624a1c16eb382b4639c07d85dab4c33b78251
Instruction ID: d5d4dc81a515c1086af2df9a3c282f373135b09af095ca6599236f93d693b614
Opcode Fuzzy Hash: fc983f5e1318f54aca795d160f9624a1c16eb382b4639c07d85dab4c33b78251
Instruction Fuzzy Hash: 9591F1B1A0DB894FD7A6EF38C4556F5BBE4EF55310B1406FAD14AC7292CF2CA8458381

Function 00007FFB4AFEEF79 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdb985167f28d6ba39d3a44b4a00cd75242e57f515d685c4218a5259ff8736e6
Instruction ID: 6d869bd83061cf4f31cbf8156e65f276b15208e66bc2e661e7ef50eb7d831535
Opcode Fuzzy Hash: cdb985167f28d6ba39d3a44b4a00cd75242e57f515d685c4218a5259ff8736e6
Instruction Fuzzy Hash: 7F81E4A1B0D9495FEB99EF3CD9952792BD6EF99740B1400FAE08EC72D2DD1C9C028381

Function 00007FFB4AFF2FAC Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 804ead70742a05361ca23090f2d89d83bd847a8d13c9818bc5335184553016db
Instruction ID: 89aea157f1fc33346c166905fc136b10ebcd58222f267032e3ac44889ebf61cc
Opcode Fuzzy Hash: 804ead70742a05361ca23090f2d89d83bd847a8d13c9818bc5335184553016db
Instruction Fuzzy Hash: 0BA1DC71A1C90E8FDF84FF68C991EEA77A5FF58340B5401A5E419D7296CA24E852CB80

Function 00007FFB4AFF38A9 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30cabab6d2000bf96624080f9bce0f70ade2da14914c608a96cba6afc63e06a8
Instruction ID: 3a941d6ed41e0c574a439287669ca4d88ea7fac93e52e25a7b0f158f830dcec4
Opcode Fuzzy Hash: 30cabab6d2000bf96624080f9bce0f70ade2da14914c608a96cba6afc63e06a8
Instruction Fuzzy Hash: CB917F70B1CA594FDB98FF2CD855AB977E5EF99300B1401BAE05EC72D6CE24AC428781

Function 00007FFB4AFD8E4D Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ef12899a4c7caac0c8db7b9d18d29ece75ea3351d35450cd6150b5b22a8a1c9
Instruction ID: c469208da2b2d335db65340a1a5ea74083c52a141bf33198d1925071f2be2c70
Opcode Fuzzy Hash: 2ef12899a4c7caac0c8db7b9d18d29ece75ea3351d35450cd6150b5b22a8a1c9
Instruction Fuzzy Hash: 9091C3A0A0C6894FE759AE7CC5957A97BD5EF59300F6441FCD48FC7AD3CE28A8468340

Function 00007FFB4AFEFF7B Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2782969dd0cd9f55662e25d208b6cb19ef617ca6aaf37643d0c096671cf6bb3b
Instruction ID: c9be36fdbf4cb0f74011a8ef80d7a1c8a8a0105a29a7fb38c3cac6b4ca53fe27
Opcode Fuzzy Hash: 2782969dd0cd9f55662e25d208b6cb19ef617ca6aaf37643d0c096671cf6bb3b
Instruction Fuzzy Hash: E9712AB151DB854FE765FF38C4565A57BE0EF5A301B2405FED4CDC72E2EA28A80A8341

Function 00007FFB4AFD8F42 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a0b82c25efc28e40bd5932ee5abbfc515192e5c0485b6329937f40d14d30ec
Instruction ID: 6d0d1a998bf98891731e206a8d159ab38930a84dc2390f9700e966b8078cf7bd
Opcode Fuzzy Hash: 68a0b82c25efc28e40bd5932ee5abbfc515192e5c0485b6329937f40d14d30ec
Instruction Fuzzy Hash: B4819160A0C6894FE799AE7CC5947B97BD5EF59304F6441FDD48EC7AD3CE28A8468300

Function 00007FFB4AFECD7E Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7380f51c535d7d73059165df3812dffceae5fb843f53e19113c32bbc4376a464
Instruction ID: a7f65ea742ecba3a7273773f428386d133f979cdcf7c5c840c12ae2047f37da7
Opcode Fuzzy Hash: 7380f51c535d7d73059165df3812dffceae5fb843f53e19113c32bbc4376a464
Instruction Fuzzy Hash: BF61C071B1CA5C5FDB94EF6CD8556A9BBE1FF99311B0401FAE00DC7296CE28AC028781

Function 00007FFB4AFD8F7D Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9cdb87a7501d9a17f53f62de7796542e547ac5c34ca6b7dce4acd79acd0dbc0
Instruction ID: 3ff4093cb16ea07dd33a52967d70496e35ef1f56462523f348accc7567825c8f
Opcode Fuzzy Hash: e9cdb87a7501d9a17f53f62de7796542e547ac5c34ca6b7dce4acd79acd0dbc0
Instruction Fuzzy Hash: AC818060A0CA894FEB95AE7DC5947B977D6EF58304F6441FDD48EC7AD3CE28A8468300

Function 00007FFB4AFD8ECD Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5cf023e60ee1ae75a3177577c36b63fc4a1881a3da6862b4028115399a76f9a
Instruction ID: bf42a150138597a9db119858ed478d6d9a5376851c1b06410280d0b481c72628
Opcode Fuzzy Hash: a5cf023e60ee1ae75a3177577c36b63fc4a1881a3da6862b4028115399a76f9a
Instruction Fuzzy Hash: 75719060A0C6894FEB95AE7DC5957A977D6EF48304F6441FCD48EC7AD3CE38A8468340

Function 00007FFB4AFD8EEB Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb5ead18736763550cc53dd6f1a2f416a15f70a1b6113f1cb40f9aff96e1e2e1
Instruction ID: aa618453e706a0131d1fdbf10aefb3b9e1d53bf62fa0d17cd9ba9c3c7d715c27
Opcode Fuzzy Hash: cb5ead18736763550cc53dd6f1a2f416a15f70a1b6113f1cb40f9aff96e1e2e1
Instruction Fuzzy Hash: 7B718F60A0C6894FEB99AE7DC5947A977D5EF58304F6441FDD48EC7AD3CE28A8468300

Function 00007FFB4AFD8F26 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba53c6b9908f338d6e166ab76d213346b2ce9219e4051202a0db8a7ae47f7ff7
Instruction ID: 7c867c52322a4e4b018e2552142be01069ba31345165b85b7077015fd4148eb7
Opcode Fuzzy Hash: ba53c6b9908f338d6e166ab76d213346b2ce9219e4051202a0db8a7ae47f7ff7
Instruction Fuzzy Hash: 10718060A0C6894FEB95AE7DC5957A977D6EF58304F6441FCD48EC7AD3CE28A8468300

Function 00007FFB4AFD8DDD Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 075f01a565fd5059e5e35630ec073621f8b4e583239dc9fb3cddab71a323e3e2
Instruction ID: ca594ed16fe19a608814b63cae84cffcccd2b9b34e14ca2c37acf544858e920c
Opcode Fuzzy Hash: 075f01a565fd5059e5e35630ec073621f8b4e583239dc9fb3cddab71a323e3e2
Instruction Fuzzy Hash: EF719060A0C6894FEB95AE7CC5947A977D6EF58304F6441FCD88EC7AD3CE38A8468300

Function 00007FFB4AFD8FC7 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c0b7932c5971dd443efd5df0ab865dc31de51620631ee77f13b8f1e4fa904ec
Instruction ID: a03293663533ca5f7b2e9f2995922cbeed590f26bbd22f472967c647ef76f0ca
Opcode Fuzzy Hash: 7c0b7932c5971dd443efd5df0ab865dc31de51620631ee77f13b8f1e4fa904ec
Instruction Fuzzy Hash: 3F817E60A0CA894FEB95EE7DC5947A977D6EF58304F6441FDD48EC7AD3CE28A8458300

Function 00007FFB4AFF4820 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c239012c460b86c61a14eef2d15e5ae1da0912b767147b17f7c7e36ff95c9e3b
Instruction ID: ab7c17bf35b233c44249f091ad34bb29c97a8494876946383fb142894f94c860
Opcode Fuzzy Hash: c239012c460b86c61a14eef2d15e5ae1da0912b767147b17f7c7e36ff95c9e3b
Instruction Fuzzy Hash: D461AE6171CA894FE799EF3C9865A647BE1EF9A301B1401FEE049C72E3DD18AC468781

Function 00007FFB4AFD8F08 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2559c0145ac7bc59b222d7f1ab2c876f1ce18d7836b083a7f1eb430f7d7819a3
Instruction ID: 0ce26e05c867b35d49f7cfca4327ebecd43a777b91606ab71e2ac05334851296
Opcode Fuzzy Hash: 2559c0145ac7bc59b222d7f1ab2c876f1ce18d7836b083a7f1eb430f7d7819a3
Instruction Fuzzy Hash: 92717060A0C6894FE795AE7DC5947A977D5EF58304F6441FDD48EC7AD3CE28A8468300

Function 00007FFB4AFE4BE0 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f42f24bda7fe20c097fcf403cfc752e1516329dd6a511c35b3913963387ac23
Instruction ID: 7d5d2adb9be5238e617a6000f5076e629f95a0683fb4160b17aad311f9687545
Opcode Fuzzy Hash: 5f42f24bda7fe20c097fcf403cfc752e1516329dd6a511c35b3913963387ac23
Instruction Fuzzy Hash: C351707090CA5C8FDB69EF28D8557E9BBF1EB58310F1082EAD44DD3252CA34A9858B81

Function 00007FFB4AFE0007 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebec4e67d0b7f1d4ad053d73aa8dd6cb77489cf7efbd1052df3c27a5025dca78
Instruction ID: c8588a61987b0a34fdbedc99001060e69394096da0ff41de77f9fdb1fc368d8d
Opcode Fuzzy Hash: ebec4e67d0b7f1d4ad053d73aa8dd6cb77489cf7efbd1052df3c27a5025dca78
Instruction Fuzzy Hash: 69718460A5C9479BF7A5EF29C150676A2E6FF94300F7481F5C80EC69DADE3CE8858780

Function 00007FFB4AFD7750 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3af1536f1f2b762991a9a7e99db26067943eb79e60f4aa36ce20444a1282e128
Instruction ID: 1b25084bf0dbad38772578c2fbb08780f310dabf170743d865ba51831eaa55b8
Opcode Fuzzy Hash: 3af1536f1f2b762991a9a7e99db26067943eb79e60f4aa36ce20444a1282e128
Instruction Fuzzy Hash: 84514AB2A0DE890FE35ABA7CD8465B57BC5EF4536072502FDD48EC7197DC19AC028391

Function 00007FFB4AFDD5B4 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad0bc34d1dec4c1f398342e716d9f692c721d173291ba6ef4f5e9c328544e17f
Instruction ID: 5e9e7cd31f751a2feaeaaccd06d97ca790d61b6cebf1ce3620f82797384f7f6d
Opcode Fuzzy Hash: ad0bc34d1dec4c1f398342e716d9f692c721d173291ba6ef4f5e9c328544e17f
Instruction Fuzzy Hash: 13519DB1B1D9894FDB99FF6CC454AA977E2EF58310B2401B9E04EC7296CE24EC41C780

Function 00007FFB4B09220A Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754619828.00007FFB4B090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b090000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fbda5c4f56ba2007ab43fd4c54e62bbc9dbe955c71a1597c1a3e6d14445c410
Instruction ID: 4d70ce815fdf190451b9b09a66a42e6564a39d894a69929f9545c8006f60d5ad
Opcode Fuzzy Hash: 0fbda5c4f56ba2007ab43fd4c54e62bbc9dbe955c71a1597c1a3e6d14445c410
Instruction Fuzzy Hash: 1B512050B2CD170BEA85BE6EC596779A1CAFF98701FA480B9E20DC37D6DD58EC064381

Function 00007FFB4AFD3751 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f2123112f568cc5f7aeafc795120f3f4408af27bb2c727dd7de22a235d393c8
Instruction ID: ca0bc0c74385ca7d561c0c28066de7836f53de1b5dfbeef34558ad28e230d23e
Opcode Fuzzy Hash: 2f2123112f568cc5f7aeafc795120f3f4408af27bb2c727dd7de22a235d393c8
Instruction Fuzzy Hash: A25101A590CAC91FE756BB3899051B67FD4DF46224F280AFED5CAD31D3DE19A8028381

Function 00007FFB4AFD91FD Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6baece19517528694d7220622a03814afb98f5ce8089b6917445076e8c93e11e
Instruction ID: caa40c8800aaf2104cce3ab2e4f7421bcc21ec72c2ceb076f25ba8ae9d8b2c32
Opcode Fuzzy Hash: 6baece19517528694d7220622a03814afb98f5ce8089b6917445076e8c93e11e
Instruction Fuzzy Hash: 3751E360A0C6450FE799AE39C1953B9B7C6FF98305F6441BDD88FC7AD7CD2CA8468244

Function 00007FFB4AFE8C5D Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d93054a9ff33ccf8eb9f1665e7a1e6db77980729fd53a7d999ce6aeb5677072c
Instruction ID: e654f6ac9dabaaabaeecb273442fd5555a9b628a795d64ce0bc42a0f88b03bc5
Opcode Fuzzy Hash: d93054a9ff33ccf8eb9f1665e7a1e6db77980729fd53a7d999ce6aeb5677072c
Instruction Fuzzy Hash: B051C0B191D9495FEB91FF7888596A97BE0EF59300B5800FAD449DB2E2DE289841C740

Function 00007FFB4AFD4775 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31e26cd6a61dd55bf27ad79fa0375532f93dbc48c59392c73ad882815af10068
Instruction ID: 1e1b347d8b98ab23b86dd6310b37205d5ee95dda398308a7ba72e7cf4a2f411b
Opcode Fuzzy Hash: 31e26cd6a61dd55bf27ad79fa0375532f93dbc48c59392c73ad882815af10068
Instruction Fuzzy Hash: 2D41F57160D8C94FFBA1FF6CE455AB57BD4EF1A311B1800FAD48AC7292D916EC028340

Function 00007FFB4AFE375C Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b16dceda12949d98e2cb66965c4cffc7f6930d2a1a99e4331be6e43695ccb0ac
Instruction ID: 2b6d9e7e66439937dfd8071ac020aa731f22f221ecd16a4126c90610a4cc116c
Opcode Fuzzy Hash: b16dceda12949d98e2cb66965c4cffc7f6930d2a1a99e4331be6e43695ccb0ac
Instruction Fuzzy Hash: 5F51B0B191D5899FEB95EF78C8587EA7BA1EF49300F6401F9D04DC7192CE28A941CB00

Function 00007FFB4AFF0061 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04a1ab1a7f6de88bcbb22ed4013f7183d1891229a91d0544dc4026f88a21e96d
Instruction ID: 33d69e05e529cbfa77051824578fc711dda0d689ea463e77c0f3c8cb29953143
Opcode Fuzzy Hash: 04a1ab1a7f6de88bcbb22ed4013f7183d1891229a91d0544dc4026f88a21e96d
Instruction Fuzzy Hash: 9351F9B051D7854FEB65FF38C9065657BE0EF55300F2405FFE98AC71E2EA18A8098382

Function 00007FFB4AFE14BE Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06fee5a84c063622e4443de5f6130dff1ad70a232846d8c69284f65731d45b88
Instruction ID: 7c46b4f9a578d038a1ee10ca744bd15662d43b8d5c6b87b1f18cb68648700a30
Opcode Fuzzy Hash: 06fee5a84c063622e4443de5f6130dff1ad70a232846d8c69284f65731d45b88
Instruction Fuzzy Hash: 8141156191EA895FD795EF39C4A46B17BE1EFA920071804FED84ECB2E3DE18E805C741

Function 00007FFB4AFE89BD Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 260c2a5cce04a7321309edf283ee25caaae0da41a7b4865cca91b2b8f4d853a0
Instruction ID: 4bb5135c52efe6a0bb500ca4cbffc16c93b4f5d60efa2a2ae377c4ea6e1c495f
Opcode Fuzzy Hash: 260c2a5cce04a7321309edf283ee25caaae0da41a7b4865cca91b2b8f4d853a0
Instruction Fuzzy Hash: 0051A0B191DA4D6FDB85FF78C8592B97BE1EF09300B9404FAD449D72E2DE299841C740

Function 00007FFB4AFEDC9E Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 871ebc47bffc98a3dbcf7bf1cbdde91edaa7b057d570a048f2f64a085145f3c3
Instruction ID: a19ee0512db739f218d6c65f1e7a913c11ec82a9bd78b1b4ea81fdec30bbb6a5
Opcode Fuzzy Hash: 871ebc47bffc98a3dbcf7bf1cbdde91edaa7b057d570a048f2f64a085145f3c3
Instruction Fuzzy Hash: 7541D171A1DF4A4FD3A5FE78E4905B27391EF9932432401FAD409C7696DE29E8428380

Function 00007FFB4AFD7A72 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4328a079bcdc192b8f60ce4e93745ac5405b8d288c8ce441b26b89fafa3393e1
Instruction ID: 38f1414f6cf8d1fe4815defbb782f97d4203eebf834daf3fe2607620035dc226
Opcode Fuzzy Hash: 4328a079bcdc192b8f60ce4e93745ac5405b8d288c8ce441b26b89fafa3393e1
Instruction Fuzzy Hash: E441C4B050CBC84FDB5AAF2CD8556B57BE5EF56310F6401AEE48BC72A2CA35E841C741

Function 00007FFB4AFEEFA0 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9203f55163ab72646d2243c0564c4b8a5ce88c2708286bcac2767b4da4461fd7
Instruction ID: 7fa2221825f34ec95d147283ee689488dcf9e42d7be275abbcae8618c1880374
Opcode Fuzzy Hash: 9203f55163ab72646d2243c0564c4b8a5ce88c2708286bcac2767b4da4461fd7
Instruction Fuzzy Hash: 6831A061B0CA190FEBD8EE3DD9956B927C6EF89745B1400F9E58DC72D3DD28AC028345

Function 00007FFB4AFE28A3 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b59dd548d53f1359f303e2cb204c562c36b6341deb0c6a2ce99d948dfe52516b
Instruction ID: 56457f06a069febb656a092da40dee0443a7a1a143576771dae931c4ae16bb7e
Opcode Fuzzy Hash: b59dd548d53f1359f303e2cb204c562c36b6341deb0c6a2ce99d948dfe52516b
Instruction Fuzzy Hash: 0A41C3C380E7C21FE72A1FF859561696FD5EF526403AD44F9D0C48F0EBB8289D0A9386

Function 00007FFB4AFD20B0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f46dbc5fdd30edcac09724355ff0b7d00180ecc9487647cf7acb09f03f608c1e
Instruction ID: 2ffafcb09c6f83a553394d28a623ce44bf82b6d3afd2930039fd8ea7be86a85e
Opcode Fuzzy Hash: f46dbc5fdd30edcac09724355ff0b7d00180ecc9487647cf7acb09f03f608c1e
Instruction Fuzzy Hash: 164117B380E7854AE2037BB8F8A20E437549F1122870C85F6D8AECA0D7CD1C7599D6F5

Function 00007FFB4AFDD1F9 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4ea94ba2935a57bcc9c43ecdd98fdc9fc90d47072e79abb04d6e49f5f0affa0
Instruction ID: 944126e927a4ff767a942a2adc5b02bad581379b17e1028a7daad155e905570e
Opcode Fuzzy Hash: a4ea94ba2935a57bcc9c43ecdd98fdc9fc90d47072e79abb04d6e49f5f0affa0
Instruction Fuzzy Hash: 49414B7060EA8A8FDB96EF28C461BA937A5FF55305F5400F9E44ECB1D2CA29E855C701

Function 00007FFB4AFF2185 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 940eb0a4c4e23d54a6392b01d288faa30eca1e366a01752d2210202cc7351ae0
Instruction ID: 7d60f528579951d492892904e02c16e19d4e08f5dcd46ab5b2f3634dc4c34615
Opcode Fuzzy Hash: 940eb0a4c4e23d54a6392b01d288faa30eca1e366a01752d2210202cc7351ae0
Instruction Fuzzy Hash: 4B410DB0A0C91D8FDB94EF68C991BA877A1EF99300F2441E9E44DD72D2CE34AD46CB41

Function 00007FFB4AC3EA03 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2750145558.00007FFB4AC3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AC3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4ac3d000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 638e54fa392da7926332df365ff9f32a2fbd778ac99a7cc86170975d997a0e1b
Instruction ID: 34c37c093824a61b7b30491b8a165ae56d8d008e78f3e2e62ff6b955e3411b79
Opcode Fuzzy Hash: 638e54fa392da7926332df365ff9f32a2fbd778ac99a7cc86170975d997a0e1b
Instruction Fuzzy Hash: 4B41BF7140DBC48FD796EF28D8859523FF4EF56320B1905DFE088CB1A3D625A846CBA2

Function 00007FFB4AFF04B0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac183b686755de4c43c2ee4aeed3f08cc9c39fc02521f22a6e8800887033ff49
Instruction ID: 1da6796d7513d5689650200940dacca42e9a7162e3524b6a9dcaf684dcc0ee43
Opcode Fuzzy Hash: ac183b686755de4c43c2ee4aeed3f08cc9c39fc02521f22a6e8800887033ff49
Instruction Fuzzy Hash: 4331046170CA485FE789FF3CC4556A9B7E1EF99310B1401FAE049C32E2DE6898428381

Function 00007FFB4AFD3780 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 237a47e38bbde45cd0b0e7c811f6fc73d86cf2e145e988886f452345bc733c18
Instruction ID: 4ec0a00504f236c318aeaae389caf790d7e5fdc3fa64ef6f16d3b49225434e46
Opcode Fuzzy Hash: 237a47e38bbde45cd0b0e7c811f6fc73d86cf2e145e988886f452345bc733c18
Instruction Fuzzy Hash: 1E3103B560C9891FFB46FA3895056B63BD5DF9A314F1405FDD98ED3192EE29E8024380

Function 00007FFB4AFE9A1A Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2df8cd8cc33b509929fadaa8d99e3bc829e35443fdb0dc17e8e41c7b9bebcea8
Instruction ID: 7b18d34bd5a826cd36775188df033cf62c8f8cc34af15cc94874f0cc0ca6b7f6
Opcode Fuzzy Hash: 2df8cd8cc33b509929fadaa8d99e3bc829e35443fdb0dc17e8e41c7b9bebcea8
Instruction Fuzzy Hash: D4312761A1EB891FD75AAE78DC554E97FA1DF87220B1801FFE049C7193CD199806C391

Function 00007FFB4AFE8F1D Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 974b71294754fbca6d4c6f1443b068e50d9fcf910a2013a20d35188c972c95d5
Instruction ID: 1e86db2074fa0032ffe1de89302ebdfdbf46fb36b9e4ee12d94a6d07ed49b2b4
Opcode Fuzzy Hash: 974b71294754fbca6d4c6f1443b068e50d9fcf910a2013a20d35188c972c95d5
Instruction Fuzzy Hash: 9C41D4B191DA8D5FEB85FFB884592BA7BE1EF49300F9404FAD049D71E2EA289801C740

Function 00007FFB4B090718 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754619828.00007FFB4B090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b090000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a3ff6b92194411b9226264d8c6c7c0c90ec39196ee6501529ae97645d0e1b6b
Instruction ID: 84c1a9deb4ce60747cc26aeae9f610ce0833c8de18df00d634ec4a1e09b6c2e7
Opcode Fuzzy Hash: 0a3ff6b92194411b9226264d8c6c7c0c90ec39196ee6501529ae97645d0e1b6b
Instruction Fuzzy Hash: AC312CA2F1DB450FE258AE3C9456374B7D1EB59321F44427DD58DC33E3E91968028782

Function 00007FFB4AFEF6F0 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa588c7c4f42ea486dab9debbb1e76dc06fb978409e9fde292e059c0254ca8cd
Instruction ID: 3887e57994e35b3159cd260ff9cd48351f4623698f798e96a390afd7eda05643
Opcode Fuzzy Hash: aa588c7c4f42ea486dab9debbb1e76dc06fb978409e9fde292e059c0254ca8cd
Instruction Fuzzy Hash: 9D31C771A0C9095FE7A8EE3CC446A6677D5FF58351F2405F9D48DC32E1DA25AC068781

Function 00007FFB4AFD2DBA Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5c9466f17cfde0dd9616d05dbc4446da418e6014360c645a55b99d030642b8a
Instruction ID: 392d592ead85c7982ef0b9ced531353f92b5bfc4befafb4b393da6ca04ea5070
Opcode Fuzzy Hash: e5c9466f17cfde0dd9616d05dbc4446da418e6014360c645a55b99d030642b8a
Instruction Fuzzy Hash: 8931D8B2A0D4C94FE762EF6CD5555A9FBE8FF9931071401F5D089CF5A1D9289C078780

Function 00007FFB4AFE0C78 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b14904d347379d45cf1d9b31e3563a0654fc23ba643688e524b336f2eabf6320
Instruction ID: 0374cb577ebae5ecf97134c8e29b53597eedaec1017d7a616626be619df55f07
Opcode Fuzzy Hash: b14904d347379d45cf1d9b31e3563a0654fc23ba643688e524b336f2eabf6320
Instruction Fuzzy Hash: F03102B2A0C6158BDB59FE6CE0552FAB3D1EF48324F14057FE84EC7283CE24A4428B94

Function 00007FFB4B0957AE Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754619828.00007FFB4B090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b090000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4ee1569254051ac4173226d1a03311f0a8b2fb23f0d9a4368ffe89257d3eda2
Instruction ID: 8c4b4698fa9d929c01d14b19c757327ff655f49f448f45ff5ab501357aeb1bd8
Opcode Fuzzy Hash: c4ee1569254051ac4173226d1a03311f0a8b2fb23f0d9a4368ffe89257d3eda2
Instruction Fuzzy Hash: F521E682B0DF4A0BE7A9BE3C99562795AD2DF8815179941BAD44DC33EBEC28DC424380

Function 00007FFB4B095098 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754619828.00007FFB4B090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b090000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5be98d769cb5856eb2d46ee67bf99fb424b53b1fd69ddc1f11917b872db4b5a9
Instruction ID: ad83a278d4aacca69fdd04477254767a1fa4699be09b05cd5ce57a1fcc08435b
Opcode Fuzzy Hash: 5be98d769cb5856eb2d46ee67bf99fb424b53b1fd69ddc1f11917b872db4b5a9
Instruction Fuzzy Hash: 9C310891B0DF470BF7A5BA3D85652796ED1EF98501B9840BDD54DC33EAED18EC024380

Function 00007FFB4AFD7390 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b357820cf9ddc082571d63e0261a2659cc4fbbae0e6190d922640678e1e104dc
Instruction ID: 816ed51c0c231e70b644775bf1d20ea8bd80d4ab3b0ffa14bde8ea2876fad246
Opcode Fuzzy Hash: b357820cf9ddc082571d63e0261a2659cc4fbbae0e6190d922640678e1e104dc
Instruction Fuzzy Hash: 2731E4A1A1DE890FE782FE38D4541797BD1FF99214B1406FAD84DC72E2DE2DA8418341

Function 00007FFB4B09522F Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754619828.00007FFB4B090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b090000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5e40f2a454751b730ec4b78a611048d6981dd9a436fc1ae5c09e253072f6dc4
Instruction ID: 055014039f181a56526247a7679018fc2f68d5c0e68de15ad0b37b9332449adc
Opcode Fuzzy Hash: e5e40f2a454751b730ec4b78a611048d6981dd9a436fc1ae5c09e253072f6dc4
Instruction Fuzzy Hash: A121F882B0DF4B0BE3A5BE3D89552756AD2DFD9541B5841BAD54DC33A7ED18DC024340

Function 00007FFB4AFEAE7D Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55fa0dc71f00a90370f6a83ac11713e319c421c7d4f4c14cb6f498da02ef59fc
Instruction ID: ae85d927dad3708b7b20ec220f70eaa80f9b851684237c1395cb8b13f62147d8
Opcode Fuzzy Hash: 55fa0dc71f00a90370f6a83ac11713e319c421c7d4f4c14cb6f498da02ef59fc
Instruction Fuzzy Hash: 1E316E70A18A8E8FDB84FF28C4547AA77A1FF58305F5045A9E41AC7296CF39E8558740

Function 00007FFB4AFE0CD3 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e015c12d43f220b211984de683ec45a4c33878ad8d1acf944eb384ace30f445f
Instruction ID: 99d32cf77fa7cf770471d0fe4494fe94c432aa3167b5260e20e760da99691318
Opcode Fuzzy Hash: e015c12d43f220b211984de683ec45a4c33878ad8d1acf944eb384ace30f445f
Instruction Fuzzy Hash: 4C310072A0C7884FD799EF3894552AABBE0EF49320B1401BFE48EC72D2CA2558018755

Function 00007FFB4AFE9915 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f26efab71f44a7b7ef04f9fc85f0e38ee435012719ea9adcfd982505cab8d87
Instruction ID: 3aa1f517c7ba9336e7d08749ea6a19ee2bb21538218ae205aa6e3f6a86fec2e6
Opcode Fuzzy Hash: 3f26efab71f44a7b7ef04f9fc85f0e38ee435012719ea9adcfd982505cab8d87
Instruction Fuzzy Hash: 3A210771A0DA4D9FDB85EF7CD8999AABBF0FF5931071401ABE049C7262DE249C41CB81

Function 00007FFB4AFD3169 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d89d702da032d1671af9029be606af9c29529583b5ad64ddb32fdfdd513f867c
Instruction ID: 50d3e44a6a5340375fc650fb1ca02a4e9cf832af23e377a089f4c9fd8ad41888
Opcode Fuzzy Hash: d89d702da032d1671af9029be606af9c29529583b5ad64ddb32fdfdd513f867c
Instruction Fuzzy Hash: F831DE71A0DB884FD74AEF78C8551E97BE1EF8A315B1401BED449C7293CB38A816CB40

Function 00007FFB4AFD3FB4 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a4c1519aa6099723dd5394ee9dc8b0f69454aadcb0ba88fae94dcbca3a00f1b
Instruction ID: b54b0ec308d334be2652ce777793db766589a80c22b1aa4e70042df5eaf88851
Opcode Fuzzy Hash: 3a4c1519aa6099723dd5394ee9dc8b0f69454aadcb0ba88fae94dcbca3a00f1b
Instruction Fuzzy Hash: DB21BBA1A0C7850FF399AB2CA84A6B537D5DB96261F1801FED48EC31D3DD19AC438382

Function 00007FFB4B0939C8 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754619828.00007FFB4B090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b090000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee89fe23e58ff8247f27fd475fead92c4a8bb397e37ab072bc9ce6f8521f92a8
Instruction ID: f9efbb8c90209bc65bd841bf7e4b8ece49b4cf2879b65647567fef2dd8cddb35
Opcode Fuzzy Hash: ee89fe23e58ff8247f27fd475fead92c4a8bb397e37ab072bc9ce6f8521f92a8
Instruction Fuzzy Hash: D721D392B0DE4A0BE7E9BA3C895627916C2DF982117A841FAD54DC33ABED28DC024340

Function 00007FFB4B095958 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754619828.00007FFB4B090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b090000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0225e20047b01812d0c5759231839d99e23f39f83a401016857e6e97613e625
Instruction ID: 27e7900eeb46d6576dcfec3868ae6a55ecd43243f81d040661e78e25b9589e0e
Opcode Fuzzy Hash: b0225e20047b01812d0c5759231839d99e23f39f83a401016857e6e97613e625
Instruction Fuzzy Hash: A8212B82B0DF4B0BF7A9BA3C85552741AD2DFC81117A941BAD51EC33DBDD28DC024340

Function 00007FFB4AFEEEA9 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 988a9ff89185a2bb36e8ce3c67953257838fe119322cf94f1159ec917166ba8b
Instruction ID: 052a7eefdf0e514885135307e1c496899ebe2fb4feec128bce442f3e75811f9e
Opcode Fuzzy Hash: 988a9ff89185a2bb36e8ce3c67953257838fe119322cf94f1159ec917166ba8b
Instruction Fuzzy Hash: 1E21876191DBC60FD316BB389850AB6BFE0DF56210B1802FED08AC71D7CD2CA40AC351

Function 00007FFB4B09286A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754619828.00007FFB4B090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b090000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d28d0dda400c54424122564bdce8c7ca81058fd2ba49395e7dd129d6a7d65dc3
Instruction ID: 8587a15d99212420b3300457bc50ae4b299e8fd53d0678a3ea0d3623076af859
Opcode Fuzzy Hash: d28d0dda400c54424122564bdce8c7ca81058fd2ba49395e7dd129d6a7d65dc3
Instruction Fuzzy Hash: 0C212891B0DE4A0FE7A5BE3C89552756AD2EFD82417A840BED04DC33EBDD28DC064340

Function 00007FFB4B0939B2 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754619828.00007FFB4B090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b090000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d6941e667730d81bbfbfd11d9ae513ba4f81ac17e2bb993dfed46f19d41e314
Instruction ID: 0c35c394ae90490be24405705129822133de28427b028d65daaae49c6426eb65
Opcode Fuzzy Hash: 6d6941e667730d81bbfbfd11d9ae513ba4f81ac17e2bb993dfed46f19d41e314
Instruction Fuzzy Hash: 39210692B0DE4B0BF3A9BA3C895627416D2DF8825179841FAD18EC33E6ED19DC024340

Function 00007FFB4B09369E Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754619828.00007FFB4B090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b090000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8729294a0a84d4461c4c63e88f8a01876024d3d2028b21dc16c75b04c5597bfa
Instruction ID: f68f56cf6cee2eac00a6a67112b936bca349fea029f3c49d706d48f203b1a50d
Opcode Fuzzy Hash: 8729294a0a84d4461c4c63e88f8a01876024d3d2028b21dc16c75b04c5597bfa
Instruction Fuzzy Hash: AA21FB91B0DF4B0FF7E5BA3C895517569D2EF982417A880B9D54DC33ABED19DC064340

Function 00007FFB4B094668 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754619828.00007FFB4B090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b090000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64c6694d9b9135f3e0599336e3ba5dc31bca13c7794efb8cd5425a9cdff048e7
Instruction ID: ab97ed7ec39e5dd50197d8090a0c1c2f9777399694f5c210081ef6cfcafe3c05
Opcode Fuzzy Hash: 64c6694d9b9135f3e0599336e3ba5dc31bca13c7794efb8cd5425a9cdff048e7
Instruction Fuzzy Hash: C821F591B0DE4A0FF7A9BE3C896527915C2EFD82117A841BAD54EC73EBED28DC024340

Function 00007FFB4AFF0F98 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da46fcdb8281359318a3b31b538894d19501cf1761af86c9316cbdd2d2afcb33
Instruction ID: a27f5c168b8a60e1f3dda19dacdb1bdea11424267e652a647ca251cbc796a3f6
Opcode Fuzzy Hash: da46fcdb8281359318a3b31b538894d19501cf1761af86c9316cbdd2d2afcb33
Instruction Fuzzy Hash: 63213CB061CA499FE784FF28C594A2977D1FF98311F6405BEF44EC32A6CE24E8418B45

Function 00007FFB4B0926EA Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754619828.00007FFB4B090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b090000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e636d611925d8bde93c198b528cccd60dfbc124ff0c30aa708c0d38b944f6c1
Instruction ID: d932fb9a0e878d78e2335076c32170f92ec096de6cd298020f545917048e31df
Opcode Fuzzy Hash: 6e636d611925d8bde93c198b528cccd60dfbc124ff0c30aa708c0d38b944f6c1
Instruction Fuzzy Hash: DC21D491B0DE0B0BE7E9BE3C995527565D2EFC8251BA881BAD50DC33EBDD28DC064340

Function 00007FFB4B093A97 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754619828.00007FFB4B090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b090000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c158563929ebb43f33f0ec05516bf5c3691e6168612418966d1f6b2dabb983b
Instruction ID: c4ad547fca5b970f5ca4b9833d25f9cf9ea45b0053611d6f278f5a8181ef3d6b
Opcode Fuzzy Hash: 8c158563929ebb43f33f0ec05516bf5c3691e6168612418966d1f6b2dabb983b
Instruction Fuzzy Hash: A221F892B0DE4A4BF7A9BE3C895527566D2EFC825176841FAD10DC33EAED28DC024340

Function 00007FFB4B0932B5 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754619828.00007FFB4B090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b090000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848474215b6190f04474f37a645226c3b46f2188e8361ec1411ac9fe05463f91
Instruction ID: 981f5459d24255993698a5d99eac0f2d081c384ef52e417b95c5e3885a184e2f
Opcode Fuzzy Hash: 848474215b6190f04474f37a645226c3b46f2188e8361ec1411ac9fe05463f91
Instruction Fuzzy Hash: 2521C5A1B0DE4A0BF7A9BE3C895627965D2EF882117A841B9D54DC33EADD28EC024340

Function 00007FFB4B093CF7 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754619828.00007FFB4B090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b090000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3ab65f77655d37102236f8bd62c1b30d44ef9dcb82baab4a0452ced24afb20d
Instruction ID: b49101e3d92491662e48a5cecd0172e90b3df8cef679de7acb95e29b82b45976
Opcode Fuzzy Hash: b3ab65f77655d37102236f8bd62c1b30d44ef9dcb82baab4a0452ced24afb20d
Instruction Fuzzy Hash: C9210A92B0DE4A0FF3AABE3C896523565D2EFC86417A841B9D10DC33EBED28DC024340

Function 00007FFB4B092566 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754619828.00007FFB4B090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b090000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18c706ddff22b4577952a1e80ac24530563c98c9130d3b5873d683f18c476f86
Instruction ID: f544d121eaf50917b6802db02272e98f436518c8975aad6327cb8a383da3159c
Opcode Fuzzy Hash: 18c706ddff22b4577952a1e80ac24530563c98c9130d3b5873d683f18c476f86
Instruction Fuzzy Hash: 4F21C551B0DE0A0BE7A9BE3C896527925D3EFD8211B9941BAD54DC33EBDD28DC464380

Function 00007FFB4AFE0B28 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3166d5a8c725ec89730a22d1a1fa6cb9d7e60bd886016b6dc26f580b8b3df6e5
Instruction ID: f9dc58ce60d3297adb6b7db6312595d1e12a039dd90151a25af76ca76c306baa
Opcode Fuzzy Hash: 3166d5a8c725ec89730a22d1a1fa6cb9d7e60bd886016b6dc26f580b8b3df6e5
Instruction Fuzzy Hash: 852168A291EBC91FE346AE3894610F67FD0DF5621071805FBD889CB1D3DD0859468385

Function 00007FFB4AFDA6D0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08c7f5c547a9d53a3e831805ce6b077ba7abd4708d45406eae9109d6977fdc3a
Instruction ID: fa9d585cd826828ad2682067a1aff2ae3cc60b69e0cada0bda68968ae9b709ba
Opcode Fuzzy Hash: 08c7f5c547a9d53a3e831805ce6b077ba7abd4708d45406eae9109d6977fdc3a
Instruction Fuzzy Hash: FC21657190CA1C4FDB58EE58DC4A5F9B7F8EBA5321F10413FD44ED3251DA31A5458B82

Function 00007FFB4AFEA710 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7ebd6e90d3a302d83178a5bdf609981b32a61bd597244b15ac3d45c3cb61fdf
Instruction ID: 7a81dbb6e789213b6d2b79d7a108a68b8140fd370062bc403310f8dfeae9a88a
Opcode Fuzzy Hash: a7ebd6e90d3a302d83178a5bdf609981b32a61bd597244b15ac3d45c3cb61fdf
Instruction Fuzzy Hash: A421D471B0DA5A5BD358FE6C98412B776D6EF89351F5002BEE44EC32C2DE28AC4242C5

Function 00007FFB4AFDC776 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 571c182ccb56d3e61b22f5de179e346cccb3ebcdf0654624ce23b180bfb9c3e3
Instruction ID: b8c8cd83faf709a0bcbe0503b7d3d282a44641bb4ed1093211e0ea4508e2e22a
Opcode Fuzzy Hash: 571c182ccb56d3e61b22f5de179e346cccb3ebcdf0654624ce23b180bfb9c3e3
Instruction Fuzzy Hash: 8C2106D2A2DECA0BE79ABB7885556B56BD5EF98250B1400FAD04FC71C7DC1CA80A8340

Function 00007FFB4AFD3FD0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09449e6111aa079ea78719f080bbdce3e6ca7aee198b08a29ebc6dfaa57d62b9
Instruction ID: 84eeb67f2823cf52c64d1c16d327026c3eae760242f59095e32a4d3a72089377
Opcode Fuzzy Hash: 09449e6111aa079ea78719f080bbdce3e6ca7aee198b08a29ebc6dfaa57d62b9
Instruction Fuzzy Hash: B911ECA170CA491FE699BE2CA84E7B537D9DB95221F1401BEE48EC3292DC15AC428282

Function 00007FFB4B09214D Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754619828.00007FFB4B090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b090000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3772650e3f71af0aafb76b815ec62ad5f19131f7b640a1c749cf8a061731810b
Instruction ID: 8646cd88e9e88bd1a920ad18c2bd7a377d077072ea0889409b7cdd7bdd94c36c
Opcode Fuzzy Hash: 3772650e3f71af0aafb76b815ec62ad5f19131f7b640a1c749cf8a061731810b
Instruction Fuzzy Hash: 0D2192A244EBC50FE3539B7859A51A07FB1AFA7111B4E80EBC188CB2F3E8194C668341

Function 00007FFB4AFD7065 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fcf74510970c2f1c1ff104634e988f4017325e420dda841fb456362649d3558
Instruction ID: 7f5bb7a0d7680fd143a1307e7cb8b408f5e17fb96e3e8cb22c7789b4482f0e70
Opcode Fuzzy Hash: 1fcf74510970c2f1c1ff104634e988f4017325e420dda841fb456362649d3558
Instruction Fuzzy Hash: E72149A161CA950FE342AF2CD4496B07FD1DBA9210F1809FED8C9CB1F2E919D8C1C341

Function 00007FFB4AFEAEA0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 505d9f1e11d039dc4273098cdb80bc3f8bf233fa78f0da3cdb6649bba18dc71f
Instruction ID: dfe6eac0d42707dee72785525daca8e5867c2e3334ac914e629c69ff84cef909
Opcode Fuzzy Hash: 505d9f1e11d039dc4273098cdb80bc3f8bf233fa78f0da3cdb6649bba18dc71f
Instruction Fuzzy Hash: 59212A74A18A8E8FDB88FF28C4547AA77A1FF58305F6049A9E41EC7285CF35E8518B40

Function 00007FFB4AFE95DD Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fbe07e974c90d5d4309f8b7063a7c0e5aa1c01b6aefac637ecec30238b4afae
Instruction ID: aeb396b59afcdb841b7a195d7fcb12b0ce79a3a02fffe45f9e11165b5dc9746b
Opcode Fuzzy Hash: 0fbe07e974c90d5d4309f8b7063a7c0e5aa1c01b6aefac637ecec30238b4afae
Instruction Fuzzy Hash: DE313AB090CA4E9FEB94EF64C5857AE7BA1FF48300F6004B6E42DC21C2DF39A8408B51

Function 00007FFB4AFE9A79 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 152c90e0f1b4187cdb75e48ae6b4ec8f3a6ee55fb0755894454e678e6ebd6691
Instruction ID: 6a885e6e1f08f926781093e84683e5f9d768b40419fd5bbedcd7d34fa1a0f946
Opcode Fuzzy Hash: 152c90e0f1b4187cdb75e48ae6b4ec8f3a6ee55fb0755894454e678e6ebd6691
Instruction Fuzzy Hash: 0821E471B1DB5C1FD759AE2CEC554E97BA6EFD5620B1802FBE008C3292CD286C128391

Function 00007FFB4AFF351E Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b80fba1c55f9f9c055250c2cbd750938813ea38fb65e413618ca4a5ba9a9825
Instruction ID: c0759dba7c3ea0955d2f2f15153ab5c8e11cc75a27c68fc8b7f415c836c96f88
Opcode Fuzzy Hash: 3b80fba1c55f9f9c055250c2cbd750938813ea38fb65e413618ca4a5ba9a9825
Instruction Fuzzy Hash: 7421607061CA4A4FE795FF38C595AB567D5FF84314B6405BEE05AC36E2CE29A842C700

Function 00007FFB4AFE37AD Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d30a650569363443c5b6c511453c8c7918a2e0cf339684eb3b02a6193c0bb8b0
Instruction ID: 1073bf5b634d3f1f5749795101549e556d2c9bda5e87004a3a7f74174063ee8f
Opcode Fuzzy Hash: d30a650569363443c5b6c511453c8c7918a2e0cf339684eb3b02a6193c0bb8b0
Instruction Fuzzy Hash: 1C31BAB091D589AEE795BF74C4592FABBA6EF49300F6400FED04DC7192CE386946CB01

Function 00007FFB4B095A50 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754619828.00007FFB4B090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b090000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02cc24b8b82021c1423943e3048407b59f899ae20c27cdc4f23992bdb60ae471
Instruction ID: 50e27cfb3dd39d46362fe65c15fc6c8f0568c67baa11c5ca49c6a546faf161cf
Opcode Fuzzy Hash: 02cc24b8b82021c1423943e3048407b59f899ae20c27cdc4f23992bdb60ae471
Instruction Fuzzy Hash: DB11B691B0DF4B0BE7AABA3C856527959D2EF8821175941FED54DC33ABED2CD8024344

Function 00007FFB4B092964 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754619828.00007FFB4B090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b090000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c47d6ac514ee6a77b3e1bfbd36a3e45d403ba8d24a440a65613f040961b98ef0
Instruction ID: fcb0d9efcb507d618dfcbcd790c36502a703396baea88ce0956fe8eee18fd7ac
Opcode Fuzzy Hash: c47d6ac514ee6a77b3e1bfbd36a3e45d403ba8d24a440a65613f040961b98ef0
Instruction Fuzzy Hash: FE112B92B0DE4B0BE7AABA3C845527455D2EFC8211B5941FAD44DC33EBED28DC064340

Function 00007FFB4B092C8C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754619828.00007FFB4B090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b090000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43296cddf192d8b7529c5162f205df498d6d68518651fe03c02e0562bb8a3d36
Instruction ID: 9dd9b4ec34217f6c00d47deb43877ebe053dfbed6139c986cfb738ecababac67
Opcode Fuzzy Hash: 43296cddf192d8b7529c5162f205df498d6d68518651fe03c02e0562bb8a3d36
Instruction Fuzzy Hash: 44112B91B0DF4A0FF7AABA3C896523955D2EFC8151B5941FAD51DC73EADD28DC024340

Function 00007FFB4B094A88 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754619828.00007FFB4B090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b090000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 587d24484169b10479b609e7573efa03a155570a56b63a17851c98c9f6ed53d4
Instruction ID: 05818952a14c08ada850f2fcbe91e03dffcacd02a40a8eab7a953665ddae1ffc
Opcode Fuzzy Hash: 587d24484169b10479b609e7573efa03a155570a56b63a17851c98c9f6ed53d4
Instruction Fuzzy Hash: FE11E691B0CE4B0BE7AABA3C856523955D2EF8811179941FAD44DC73EBED28DC024340

Function 00007FFB4AFDCFC5 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2af0068570574e377c35b0be23a12d3db585e7b23ebdc0f97e2274a3b2f6bdf
Instruction ID: c6a476375fede183c187ffc9e28167c36b703c1ef7debb34b816874ba61d0047
Opcode Fuzzy Hash: b2af0068570574e377c35b0be23a12d3db585e7b23ebdc0f97e2274a3b2f6bdf
Instruction Fuzzy Hash: A511B20158EAC60FE3472BB48C295E23FE4DF8B11031D42EBE085CA4A7C84C498B8361

Function 00007FFB4AFE9760 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e14dceaad9610b334682e1c1db12528196fec694e2aa363a161f23bc008e2c4
Instruction ID: 3a46e184f60d7ffee9c5bb55b54b9fb5e8ef1535cfaf82b811898426c8dce9a7
Opcode Fuzzy Hash: 7e14dceaad9610b334682e1c1db12528196fec694e2aa363a161f23bc008e2c4
Instruction Fuzzy Hash: BC118E70A0DA9E4FDB85FF28D4512EA77A1EF89300B6401F6E049C3296CE38AC458781

Function 00007FFB4AFD2468 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac58f48df032ad0f4bf1d1f1d8cbc7ae828058e3d2f02f049c82b0b491677ffc
Instruction ID: 17017c34ad7714b93508647cbc0952b4e5180356b59f6d07aa5d543f07703f71
Opcode Fuzzy Hash: ac58f48df032ad0f4bf1d1f1d8cbc7ae828058e3d2f02f049c82b0b491677ffc
Instruction Fuzzy Hash: A61163B285D6861BE3167F34D8045E67BE4EF81312BA941FAD444C71D7DE0CA8878390

Function 00007FFB4AFE159D Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd2102cb26f8c180e1fa7f55058b7589be4d055124d01f8a2afca2828d1a1461
Instruction ID: 7adc9aa0e2604a0989d5cf2af073ac75b899aa0e292fb1438373cc1f72122a15
Opcode Fuzzy Hash: cd2102cb26f8c180e1fa7f55058b7589be4d055124d01f8a2afca2828d1a1461
Instruction Fuzzy Hash: 7711B1A191DB884FD795EF39C4A5AA57B90FF68200B4804FDD44ACB2D3DE18E805C740

Function 00007FFB4AFD65F1 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b505d63842ad0829eae7972cb1333744abff732a6a4cefdf8f90d7b79b788055
Instruction ID: 6b183700efab74adaf3c0b6c83783895f7f65f61967db4c670d45b6bdb67a7c1
Opcode Fuzzy Hash: b505d63842ad0829eae7972cb1333744abff732a6a4cefdf8f90d7b79b788055
Instruction Fuzzy Hash: 0411C17180D68A8FC782EFB4C8556EABBF0EF46210F0545FAD049CB4A2DB789545CB91

Function 00007FFB4AFEA495 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1971800c7bd8234c383da7aa68c11560e12933ad8c48f33ff3c28ad316c53ea8
Instruction ID: 19f8d3c4be005997eafd2ca057f530692e018b1947e6f3e480a760fa62df3092
Opcode Fuzzy Hash: 1971800c7bd8234c383da7aa68c11560e12933ad8c48f33ff3c28ad316c53ea8
Instruction Fuzzy Hash: 5F11E77185D6C11FE3277B3098154E23BA8AF4231179A01F7D448CB4E3D90D698683A1

Function 00007FFB4AFE15B0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb38713bc2c607e40783b362d7d9abc5b59a374891785c6286b259d2495841cc
Instruction ID: 542534b907f059a9fefaee3888af07ddf190f966f1ff1d8f191b6ab9e4f86cbd
Opcode Fuzzy Hash: bb38713bc2c607e40783b362d7d9abc5b59a374891785c6286b259d2495841cc
Instruction Fuzzy Hash: E011E371619A485FE7A8EF39C494A627BD4FF68300B0404FCD84EC72D2DE18A805C740

Function 00007FFB4AFF0D65 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6953063c452d319380be182ab4123e67296a2ad34cde4ce4c7d9fb2162958af6
Instruction ID: d3c0588f5dbe252f0c481d65ac1bf9188978135759717a5aa33d1e34717ee67a
Opcode Fuzzy Hash: 6953063c452d319380be182ab4123e67296a2ad34cde4ce4c7d9fb2162958af6
Instruction Fuzzy Hash: 2B012D61E1DE4A0FE789BE3C95682B9A5C1DF85310B2440FBD40CC72D6ED1C9C414381

Function 00007FFB4AFF0D42 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceb1dc0fa040dcc2153ebeb0f7d46a8b9a29141e01734fa9115162518edac988
Instruction ID: 1b5df653e3cb0e3c6c55c8b10d0572e1c344afb7b33a40e8fe2059b65790b39a
Opcode Fuzzy Hash: ceb1dc0fa040dcc2153ebeb0f7d46a8b9a29141e01734fa9115162518edac988
Instruction Fuzzy Hash: F6012B51B0D94A0FE749BE38A5652BD76C1DFC5311B2400FBD50DC71D6ED1CAC414381

Function 00007FFB4AFD4CF1 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb19d73ec8d3da8c94b515c8ad00428e2f6e7c6737e3a0ba5062f89068af175b
Instruction ID: 8aa651c986918475e00854a6ca9dc1a47be1f32010e29ac4daefa62201cd6571
Opcode Fuzzy Hash: cb19d73ec8d3da8c94b515c8ad00428e2f6e7c6737e3a0ba5062f89068af175b
Instruction Fuzzy Hash: C40108A140C6950FD757AF38C4452E97FD1DB85224F180AF9D08DCA0E2C96859868386

Function 00007FFB4AFF1616 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 659f1b2310f0efb2eaa8374c40fc9b7de39544fbc202d50e7781355a0b1dd297
Instruction ID: 5520d8e052edc15a6ac306f888c13d746a2fda4922e0e55ab97468249b37ea80
Opcode Fuzzy Hash: 659f1b2310f0efb2eaa8374c40fc9b7de39544fbc202d50e7781355a0b1dd297
Instruction Fuzzy Hash: 2CF02B52B0DA490BD6B0ED2CAC4156433C6DF94210F2805FFD20CC32C6CD28B8424382

Function 00007FFB4AFD6620 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 469bfeee5977b5e90d3ed9b5fe3449061caec7491098242fac785860cdd28cdf
Instruction ID: dfb54185f3bb04553857c7f70ef4d6cb0ae03c8842f8d7269006cc3ae449dc9b
Opcode Fuzzy Hash: 469bfeee5977b5e90d3ed9b5fe3449061caec7491098242fac785860cdd28cdf
Instruction Fuzzy Hash: AEF03C71D18A1E8EDB91FFB8D8056FEB7F4EF18300F4005AAD41DD2591DB75A9408B80

Function 00007FFB4AFD345C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a617dffe55f7a3ef53caf3553b42194313d82e2f9b0e202c93752f99058ddafc
Instruction ID: effe4147cb528f44c8ed27459b7c357aeaaf030c1ff49a42b2248f6fedee397f
Opcode Fuzzy Hash: a617dffe55f7a3ef53caf3553b42194313d82e2f9b0e202c93752f99058ddafc
Instruction Fuzzy Hash: 3AF020B190C20C5FDB18FE1AEC4A9EE37A8FF86220F10053AF40D82092DA356862C750

Function 00007FFB4AFD3050 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f05a81c3bd48ee6452e5a6a18782a1fd6bb71c360fd76410e93b935021573bc9
Instruction ID: 1abe6a9238c272a6ad233b654b43905205546aa1bb29458b1e61c333f47848bb
Opcode Fuzzy Hash: f05a81c3bd48ee6452e5a6a18782a1fd6bb71c360fd76410e93b935021573bc9
Instruction Fuzzy Hash: EAF0B461B1CA854BE759BE3CD5092A533D5EF45209B2509FDD88AD71A2DF28DC068240

Function 00007FFB4AFE97FA Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9261b74a648590d8362a2349e13524614ad02dbc49f5042cbe9e8c1646b2906
Instruction ID: e4c33ada0e83e857f0eef0e848e7a03c6ed8fae08fd673d66a2317fefdee6fd8
Opcode Fuzzy Hash: b9261b74a648590d8362a2349e13524614ad02dbc49f5042cbe9e8c1646b2906
Instruction Fuzzy Hash: D0E07D3190C98C5BDB80AE2CEC004C6BB90FF85304F00019EF44CC7149C2114601C381

Function 00007FFB4AFDC749 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe996e423a53193755fa0bd5a6ba58a5f34b0dc021d72ca908bb6aefe49b5f15
Instruction ID: ecf70b2843da85244ba09ac8194fe311e7c176fb8eee41fff3ea27f887b5dbfa
Opcode Fuzzy Hash: fe996e423a53193755fa0bd5a6ba58a5f34b0dc021d72ca908bb6aefe49b5f15
Instruction Fuzzy Hash: 9DD05B93B6C58F06E7467D74F5410B55389FB95555F7042B1D44FD20C5ED1955034180

Function 00007FFB4B090FB1 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754619828.00007FFB4B090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b090000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7436ca66e0e884e30720814de0ea0ebbd4f6fc324da8fe61c3b6b271746bb163
Instruction ID: a337fe7963974fe5c98379244895e94935cdef1432177f9fbe955cab6f0c4b03
Opcode Fuzzy Hash: 7436ca66e0e884e30720814de0ea0ebbd4f6fc324da8fe61c3b6b271746bb163
Instruction Fuzzy Hash: 49D0C95172D41207F65839ACAD423F97289DB88B55F644877E50DC23E6CCDE6C8102D2

Function 00007FFB4AFD2D3B Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c06982fc1559078013f105dc170c6a8195ba8c82ee5a40b001498f571c18b1e
Instruction ID: 19cbb614e3c97e11674bc72767becb9b9da8473f0b8b38e1c4df7f78b2ffa375
Opcode Fuzzy Hash: 3c06982fc1559078013f105dc170c6a8195ba8c82ee5a40b001498f571c18b1e
Instruction Fuzzy Hash: 41E0C281B2E9850BE246A73C80223796BD38FC9700F8800F8D84DC32DBCC1DAC135352

Function 00007FFB4AFF1481 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdbed73e7a052cc813fa43bf80d36e0e61864c362e32c81fcedc532627e37afc
Instruction ID: acfc40308ead799278cc43e06bd296f8bc12b71b1cd1fa95b3fe3638acac7d8f
Opcode Fuzzy Hash: fdbed73e7a052cc813fa43bf80d36e0e61864c362e32c81fcedc532627e37afc
Instruction Fuzzy Hash: 9ED0A92274E64D4EC231AE38B8002AAB381EBC1221F6007FBD20DC2289CC2A84824282

Function 00007FFB4AFE93C6 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10edd855349bf2d6d89e71c50a15b0ac0e3df50be9185088bdd3a86e5cd0683d
Instruction ID: bbb22dabdadb1d191cc0e7237127ed06d85e393d9f2d2bda1c1de92766fff49c
Opcode Fuzzy Hash: 10edd855349bf2d6d89e71c50a15b0ac0e3df50be9185088bdd3a86e5cd0683d
Instruction Fuzzy Hash: 78C01252A8E80A099A90BA68B4422FEF2449B85210BD11472E00DC25C2CD4A281002C1

Non-executed Functions

Function 00007FFB4AFD11F2 Relevance: 1.6, Strings: 1, Instructions: 355COMMON

Download Yara Rule

Strings

2%_^, xrefs: 00007FFB4AFD1201

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: 2%_^
API String ID: 0-4094711381
Opcode ID: 0f7d54620c7a9a961ba9dde37ddd8cbf311858f116ba1dabf726cb0e5ba4a1e2
Instruction ID: 93b5a9d25b82981983d88232556617473c94105eb966601200800c56aafe900f
Opcode Fuzzy Hash: 0f7d54620c7a9a961ba9dde37ddd8cbf311858f116ba1dabf726cb0e5ba4a1e2
Instruction Fuzzy Hash: 7AB147D780E6928AE20377B8F8A21E53B54DF0222D70C46F2D8DE49097DD0C7557D9B9

Function 00007FFB4AFE0EFA Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

5$_^, xrefs: 00007FFB4AFE0F01

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID: 5$_^
API String ID: 0-1745159387
Opcode ID: 58c734dfdb27f4fa29a4d42c3f48e42a2ed10056c34235e2aa8bd2c1f4518af5
Instruction ID: 12fddd80130de21faaf053573cb2142c1400fa31c9459c7370761262839ff72e
Opcode Fuzzy Hash: 58c734dfdb27f4fa29a4d42c3f48e42a2ed10056c34235e2aa8bd2c1f4518af5
Instruction Fuzzy Hash: 4B51E7E7D0E2618AE602BB7CF4A20E57794DF1533870815B6D8CD8E053D848345FDAA8

Function 00007FFB4AFDBDA5 Relevance: .6, Instructions: 558COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 073e8202de0e6066f41605dfa936c7fea23c5d12f76c1f6c4323349ff6460ac4
Instruction ID: 882465cba3e5ca12a7aa7b95db44ec3b73f826117a493967814c80ce21e827f9
Opcode Fuzzy Hash: 073e8202de0e6066f41605dfa936c7fea23c5d12f76c1f6c4323349ff6460ac4
Instruction Fuzzy Hash: E5F1037161CA894FEB96EF3CD858AB577E5EF59300B1900FAE44DC72E2DA29EC418341

Function 00007FFB4AFD10D1 Relevance: .4, Instructions: 435COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6473a1fdb0c09a1de68bb76a42f8605e99adcb0a58d6fcbc9e545c4bb88875ae
Instruction ID: 2b16fa4b26a5f6dfd04373656b51c6358ed18f9309635efb5e93c381ca098a5e
Opcode Fuzzy Hash: 6473a1fdb0c09a1de68bb76a42f8605e99adcb0a58d6fcbc9e545c4bb88875ae
Instruction Fuzzy Hash: D2D166D780E69286E60377B8F8A21E53B548F0222D70C46F2D8DE49097DD0C766BD9B9

Function 00007FFB4AFE0E0F Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2754123474.00007FFB4AFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4afd0000_HquJT7q6xG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5ba64cea308cfdc44d216101e8e87622044de0a45e79cb1a59f4162c5359e4a
Instruction ID: 054ce688377fb42ecf1d0d8d86288381b9e234865be0bc2fdd0ca3283f06d4ad
Opcode Fuzzy Hash: c5ba64cea308cfdc44d216101e8e87622044de0a45e79cb1a59f4162c5359e4a
Instruction Fuzzy Hash: BA91D7A7D0E2618AD612BB7CF4A20E53B94DF0123870855B7D8CD4E097DC18759FDAB8

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report HquJT7q6xG.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Quasar

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
HquJT7q6xG.exe

Function 00007FFB4AD5295E Relevance: 10.2, Strings: 8, Instructions: 243
COMMON

Function 00007FFB4AFEB009 Relevance: 7.2, Strings: 5, Instructions: 986
COMMON

Function 00007FFB4AFEE399 Relevance: 6.1, Strings: 4, Instructions: 1115
COMMON

Function 00007FFB4AFDFF69 Relevance: 6.8, Strings: 5, Instructions: 529
COMMON

Function 00007FFB4AFE1B28 Relevance: 6.7, Strings: 5, Instructions: 462
COMMON

Function 00007FFB4AFEF6FD Relevance: 6.0, Strings: 4, Instructions: 1007
COMMON

Function 00007FFB4B0901BA Relevance: 5.1, Strings: 4, Instructions: 130
COMMON

Function 00007FFB4AFE9FBC Relevance: 4.3, Strings: 3, Instructions: 519
COMMON

Function 00007FFB4AFEE401 Relevance: 4.2, Strings: 3, Instructions: 457
COMMON

Function 00007FFB4AFDCA76 Relevance: 3.9, Strings: 3, Instructions: 101
COMMON

Function 00007FFB4AFDE521 Relevance: 3.8, Strings: 3, Instructions: 69
COMMON