Edit tour

Windows Analysis Report
BJtvb5Vdhh.exe

Overview

General Information

Sample name:	BJtvb5Vdhh.exe renamed because original name is a hash value
Original sample name:	a06fb340d32ab66caf6d851719c4e51e77a3208b337a0bca99879cfaba35d2c7.exe
Analysis ID:	1578207
MD5:	18614ee994ac149ba306d530651d627c
SHA1:	fbb67a2e7723e9c08b9faba8a4e5b1104ffefaed
SHA256:	a06fb340d32ab66caf6d851719c4e51e77a3208b337a0bca99879cfaba35d2c7
Tags:	51-15-17-193exeuser-JAMESWT_MHT
Infos:

Detection

Quasar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Quasar RAT

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Modifies the context of a thread in another process (thread injection)

Sets debug register (to hijack the execution of another thread)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

BJtvb5Vdhh.exe (PID: 7592 cmdline: "C:\Users\user\Desktop\BJtvb5Vdhh.exe" MD5: 18614EE994AC149BA306D530651D627C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Quasar RAT, QuasarRAT	Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.	APT33 Dropping Elephant Stone Panda The Gorgon Group	http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848 https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf https://asec.ahnlab.com/en/31089/	https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware Configuration

Threatname: Quasar

{"Version": "1.4.1", "Host:Port": "51.15.17.193:4782;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "4cdc792e-d5cc-4480-93ab-ecbd2e6b9073", "StartupKey": "Quasar Client Startup", "Tag": "Bat IS", "LogDirectoryName": "Logs", "ServerSignature": "VcdWXYvy8iyLGpEpemlpsJsFzopYmofL4QNr2feHUJsPL+ngY0C7JQYOq6aYbsAjgmj6IbwZJc1XmizrExnUy+PRbyzdhXn/sVtf0c5aKxd3dt4CKIH8RwhZ+1d8A1yWVaLG3EX77fUG0rpKK62u23rxy2xVXAHtbGpSKxFeRpC7f7sJTZn4Z0Y35tuiIHc4Rm0XPJsGN2gsJlMXuO03yXOGigqpHZKEtj94duYKUJkBGDRcs409u8AbVq5yFO/Z3naE7DUixrawBYsuYNTfV/JKK+8Z6Doi2G4pd/3xdzRGgvcHbvQUlJMvzwA3mfl5ftjQQEBZoznaWANAU/Ma/rkNbcz/Py1HRGprVPjyItNiGGVo8QW6x7kuMhGzKdB2rCq52h/1qHhjHwU1KvTzJy+dDY+t6YAg20GxbhxcZhrwrUECPcommE0TilwcEFKll2uVp5tNn4e75makywwAQv1QKo21YjGls2gLrh6M1FKr7l479IoJkbcZjeRZ8uh3yjyMEf5NJq0oSEuRI3ZPWuczPdKhg3+6KKWtTF5mkUd/2nycS0oUTFjgU+5XNTjvuz4MzJUikklL47VJzJ1Q9JWiNE/2Ple/eqh6VyQfE96cH433HJ2CJH+gAlQwaGWiJ7e0/NQuP5Cn3ocYaux65TLOpt3EyVjnOHH0ZKET/5w=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAMaTO8NkDssYwyYqpLth2zANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MTExMTAzMTk0NVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAjmhEECGx9fJQPcO/tgA+f+kThLAwzf77GITj6MUf+ipJ2FxfDkt1dClWH7x3waX33aitCeYrNHoVpriW1JVNqnzcZZOEu8fmtpxlXlSdBCdVxLNRp6CiJfafCuIfizorZpkBdERawzGdVD5Fmx6p7DSeAm6WV/V6vZROp0FCVmJ5IbSNIu0PHTjRVh0rcT3pt0+tlT/KceZhk5XM2ds5MqCKGpBYXTvWrWzkk8Alby/3M0QFvctC7YytuDOywU+Qj5bAFB7IAlIeJAGlWGoWb3pLL05N2SbfRYdJcucFpq72+MgmneoTxwovJwiUxvRQGUNBjpxZcUA4d+pHtGRvNAU95RxfirGTaWujfHX9um4mNBhYbMb/NRGC737GQV48ksMSEtcR4C9U1GGh/3Czr7S/GIew19pHtdHsnN5P+rn2wbVPlUgzwgcAeHFbVlD+Lguszs0AdHGwv9ZdkHPwBzmOx9YvDEYfEZM9AJk/hWuk85FXZTKMcDSG1ytHbAyGgjLOr8B1z36u3B1kRt+92uHqd06QjFu/ipVIitmGogem5nwTVthP7zLvbjFiv6omskGBu/55ByQicH5MCkDisJKU2ahOFOypbR5hxdodGS13+pQGFqg8cTe0gsnzfrwXKiQu1aYC394MW+z29OO5KK9NSN4bJ3zn4W7Sh5TbbHsCAwEAAaMyMDAwHQYDVR0OBBYEFB73KQ9dKRRykGrTP/ro/ucILFuYMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBACp7CqafH2O5tj6gVDE7FAhoQrPyBNMiQXpXZihG9DIoTHJgiDPuRhdSrVyPKldZ7EsSa52sse6QzmYrRnMOQmUZWP7Cu6QLtYc4IUcGRZWDaY2uVDsnXwyXIkxUHDGeeQG+f5/iBiKTMqy+6O0cIRqebMtTqvmob5yQggXp5CVXTbq+pb0DmcLsMbZbrWNviVC7QBXpwHyH24H7iv2aEEAAQorIg35v75Oen7nvFPGcKiaEjvTKvoce2j2OceW20QAaQlSBeSaOIsAyw1q1e6uIoC6PjDb0URbXV6LAJz5RjfinSiQuo0nLzRLRiecEOiBBhtXsMXBIs/jxGqMKT14QbXMVLX9STaDho5i0LAkypnYNjFznc40Ot/Xqx5pS9B/jBppVVNKjv//AdTbKa9WNUPTQZg91IAnXAE6FTSGwUSzGhmrf4WJfHLt0uITn/fOrZfL/enju+jnX3TKRU8N4BNakHcAv2XJh0qmDnmKBAHrq5rCNsSO6Bsl411FYxb3enXQAd6SNy+G/kx1Up4+jAg67bTZDlq38opVU0k0ZAxmLWHUHI1QbcnAhah0g40fW5UY9kijuWbxVea8K+arIRk4hBLqFLNkwoa5eEKg7+ErtUJeqR1Q8YJhCzqz8zQ5Rf0EdE40W9H4zsxgQUFmqAE/klrdI06pJLB3bjvwa"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2627127308.000001FCE5872000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.2627127308.000001FCE56A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.2637218283.000001FCFE390000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.2637218283.000001FCFE390000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.2637218283.000001FCFE390000.00000004.08000000.00040000.00000000.sdmp	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ef12:$x1: Quasar.Common.Messages 0x29f23b:$x1: Quasar.Common.Messages 0x2ab842:$x4: Uninstalling... good bye :-( 0x2ad037:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
00000000.00000002.2637218283.000001FCFE390000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadf4:$f1: FileZilla\recentservers.xml 0x2aae34:$f2: FileZilla\sitemanager.xml 0x2aae76:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0c2:$b1: Chrome\User Data\ 0x2ab118:$b1: Chrome\User Data\ 0x2ab3f0:$b2: Mozilla\Firefox\Profiles 0x2ab4ec:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd470:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab644:$b4: Opera Software\Opera Stable\Login Data 0x2ab6fe:$b5: YandexBrowser\User Data\ 0x2ab76c:$b5: YandexBrowser\User Data\ 0x2ab440:$s4: logins.json 0x2ab176:$a1: username_value 0x2ab194:$a2: password_value 0x2ab480:$a3: encryptedUsername 0x2fd3b4:$a3: encryptedUsername 0x2ab4a4:$a4: encryptedPassword 0x2fd3d2:$a4: encryptedPassword 0x2fd350:$a5: httpRealm
00000000.00000002.2637218283.000001FCFE390000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab92c:$s3: Process already elevated. 0x28ec11:$s4: get_PotentiallyVulnerablePasswords 0x278ccd:$s5: GetKeyloggerLogsDirectory 0x29e99a:$s5: GetKeyloggerLogsDirectory 0x28ec34:$s6: set_PotentiallyVulnerablePasswords 0x2fea9e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
00000000.00000002.2630351142.000001FCF56A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.2632522514.000001FCFDD63000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: BJtvb5Vdhh.exe PID: 7592	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.BJtvb5Vdhh.exe.1fcf56a9ac0.0.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.BJtvb5Vdhh.exe.1fcf56a9ac0.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.BJtvb5Vdhh.exe.1fcf56a9ac0.0.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ef12:$x1: Quasar.Common.Messages 0x29f23b:$x1: Quasar.Common.Messages 0x2ab842:$x4: Uninstalling... good bye :-( 0x2ad037:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.BJtvb5Vdhh.exe.1fcf56a9ac0.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadf4:$f1: FileZilla\recentservers.xml 0x2aae34:$f2: FileZilla\sitemanager.xml 0x2aae76:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0c2:$b1: Chrome\User Data\ 0x2ab118:$b1: Chrome\User Data\ 0x2ab3f0:$b2: Mozilla\Firefox\Profiles 0x2ab4ec:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd470:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab644:$b4: Opera Software\Opera Stable\Login Data 0x2ab6fe:$b5: YandexBrowser\User Data\ 0x2ab76c:$b5: YandexBrowser\User Data\ 0x2ab440:$s4: logins.json 0x2ab176:$a1: username_value 0x2ab194:$a2: password_value 0x2ab480:$a3: encryptedUsername 0x2fd3b4:$a3: encryptedUsername 0x2ab4a4:$a4: encryptedPassword 0x2fd3d2:$a4: encryptedPassword 0x2fd350:$a5: httpRealm
0.2.BJtvb5Vdhh.exe.1fcf56a9ac0.0.raw.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab92c:$s3: Process already elevated. 0x28ec11:$s4: get_PotentiallyVulnerablePasswords 0x278ccd:$s5: GetKeyloggerLogsDirectory 0x29e99a:$s5: GetKeyloggerLogsDirectory 0x28ec34:$s6: set_PotentiallyVulnerablePasswords 0x2fea9e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
0.2.BJtvb5Vdhh.exe.1fcfe390000.1.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.BJtvb5Vdhh.exe.1fcfe390000.1.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28d112:$x1: Quasar.Common.Messages 0x29d43b:$x1: Quasar.Common.Messages 0x2a9a42:$x4: Uninstalling... good bye :-( 0x2ab237:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.BJtvb5Vdhh.exe.1fcfe390000.1.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a8ff4:$f1: FileZilla\recentservers.xml 0x2a9034:$f2: FileZilla\sitemanager.xml 0x2a9076:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a92c2:$b1: Chrome\User Data\ 0x2a9318:$b1: Chrome\User Data\ 0x2a95f0:$b2: Mozilla\Firefox\Profiles 0x2a96ec:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fb670:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a9844:$b4: Opera Software\Opera Stable\Login Data 0x2a98fe:$b5: YandexBrowser\User Data\ 0x2a996c:$b5: YandexBrowser\User Data\ 0x2a9640:$s4: logins.json 0x2a9376:$a1: username_value 0x2a9394:$a2: password_value 0x2a9680:$a3: encryptedUsername 0x2fb5b4:$a3: encryptedUsername 0x2a96a4:$a4: encryptedPassword 0x2fb5d2:$a4: encryptedPassword 0x2fb550:$a5: httpRealm
0.2.BJtvb5Vdhh.exe.1fcfe390000.1.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a9b2c:$s3: Process already elevated. 0x28ce11:$s4: get_PotentiallyVulnerablePasswords 0x276ecd:$s5: GetKeyloggerLogsDirectory 0x29cb9a:$s5: GetKeyloggerLogsDirectory 0x28ce34:$s6: set_PotentiallyVulnerablePasswords 0x2fcc9e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
0.2.BJtvb5Vdhh.exe.1fcfe390000.1.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.BJtvb5Vdhh.exe.1fcfe390000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.BJtvb5Vdhh.exe.1fcfe390000.1.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ef12:$x1: Quasar.Common.Messages 0x29f23b:$x1: Quasar.Common.Messages 0x2ab842:$x4: Uninstalling... good bye :-( 0x2ad037:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.BJtvb5Vdhh.exe.1fcfe390000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadf4:$f1: FileZilla\recentservers.xml 0x2aae34:$f2: FileZilla\sitemanager.xml 0x2aae76:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0c2:$b1: Chrome\User Data\ 0x2ab118:$b1: Chrome\User Data\ 0x2ab3f0:$b2: Mozilla\Firefox\Profiles 0x2ab4ec:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd470:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab644:$b4: Opera Software\Opera Stable\Login Data 0x2ab6fe:$b5: YandexBrowser\User Data\ 0x2ab76c:$b5: YandexBrowser\User Data\ 0x2ab440:$s4: logins.json 0x2ab176:$a1: username_value 0x2ab194:$a2: password_value 0x2ab480:$a3: encryptedUsername 0x2fd3b4:$a3: encryptedUsername 0x2ab4a4:$a4: encryptedPassword 0x2fd3d2:$a4: encryptedPassword 0x2fd350:$a5: httpRealm
0.2.BJtvb5Vdhh.exe.1fcfe390000.1.raw.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab92c:$s3: Process already elevated. 0x28ec11:$s4: get_PotentiallyVulnerablePasswords 0x278ccd:$s5: GetKeyloggerLogsDirectory 0x29e99a:$s5: GetKeyloggerLogsDirectory 0x28ec34:$s6: set_PotentiallyVulnerablePasswords 0x2fea9e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
0.2.BJtvb5Vdhh.exe.1fcf56a9ac0.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.BJtvb5Vdhh.exe.1fcf56a9ac0.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28d112:$x1: Quasar.Common.Messages 0x29d43b:$x1: Quasar.Common.Messages 0x2a9a42:$x4: Uninstalling... good bye :-( 0x2ab237:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.BJtvb5Vdhh.exe.1fcf56a9ac0.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a8ff4:$f1: FileZilla\recentservers.xml 0x2a9034:$f2: FileZilla\sitemanager.xml 0x2a9076:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a92c2:$b1: Chrome\User Data\ 0x2a9318:$b1: Chrome\User Data\ 0x2a95f0:$b2: Mozilla\Firefox\Profiles 0x2a96ec:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fb670:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a9844:$b4: Opera Software\Opera Stable\Login Data 0x2a98fe:$b5: YandexBrowser\User Data\ 0x2a996c:$b5: YandexBrowser\User Data\ 0x2a9640:$s4: logins.json 0x2a9376:$a1: username_value 0x2a9394:$a2: password_value 0x2a9680:$a3: encryptedUsername 0x2fb5b4:$a3: encryptedUsername 0x2a96a4:$a4: encryptedPassword 0x2fb5d2:$a4: encryptedPassword 0x2fb550:$a5: httpRealm
0.2.BJtvb5Vdhh.exe.1fcf56a9ac0.0.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a9b2c:$s3: Process already elevated. 0x28ce11:$s4: get_PotentiallyVulnerablePasswords 0x276ecd:$s5: GetKeyloggerLogsDirectory 0x29cb9a:$s5: GetKeyloggerLogsDirectory 0x28ce34:$s6: set_PotentiallyVulnerablePasswords 0x2fcc9e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
Click to see the 13 entries

Suricata Signatures

ET MALWARE Generic AsyncRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-19T12:32:21.842095+0100	2035595	1	Domain Observed Used for C2 Detected	51.15.17.193	4782	192.168.2.9	49725	TCP

ET MALWARE Observed Malicious SSL Cert (Quasar CnC)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-19T12:32:21.842095+0100	2027619	1	Domain Observed Used for C2 Detected	51.15.17.193	4782	192.168.2.9	49725	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.BJtvb5Vdhh.exe.1fcf56a9ac0.0.raw.unpack

Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "51.15.17.193:4782;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "4cdc792e-d5cc-4480-93ab-ecbd2e6b9073", "StartupKey": "Quasar Client Startup", "Tag": "Bat IS", "LogDirectoryName": "Logs", "ServerSignature": "VcdWXYvy8iyLGpEpemlpsJsFzopYmofL4QNr2feHUJsPL+ngY0C7JQYOq6aYbsAjgmj6IbwZJc1XmizrExnUy+PRbyzdhXn/sVtf0c5aKxd3dt4CKIH8RwhZ+1d8A1yWVaLG3EX77fUG0rpKK62u23rxy2xVXAHtbGpSKxFeRpC7f7sJTZn4Z0Y35tuiIHc4Rm0XPJsGN2gsJlMXuO03yXOGigqpHZKEtj94duYKUJkBGDRcs409u8AbVq5yFO/Z3naE7DUixrawBYsuYNTfV/JKK+8Z6Doi2G4pd/3xdzRGgvcHbvQUlJMvzwA3mfl5ftjQQEBZoznaWANAU/Ma/rkNbcz/Py1HRGprVPjyItNiGGVo8QW6x7kuMhGzKdB2rCq52h/1qHhjHwU1KvTzJy+dDY+t6YAg20GxbhxcZhrwrUECPcommE0TilwcEFKll2uVp5tNn4e75makywwAQv1QKo21YjGls2gLrh6M1FKr7l479IoJkbcZjeRZ8uh3yjyMEf5NJq0oSEuRI3ZPWuczPdKhg3+6KKWtTF5mkUd/2nycS0oUTFjgU+5XNTjvuz4MzJUikklL47VJzJ1Q9JWiNE/2Ple/eqh6VyQfE96cH433HJ2CJH+gAlQwaGWiJ7e0/NQuP5Cn3ocYaux65TLOpt3EyVjnOHH0ZKET/5w=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAMaTO8NkDssYwyYqpLth2zANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MTExMTAzMTk0NVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAjmhEECGx9fJQPcO/tgA+f+kThLAwzf77GITj6MUf+ipJ2FxfDkt1dClWH7x3waX33aitCeYrNHoVpriW1JVNqnzcZZOEu8fmtpxlXlSdBCdVxLNRp6CiJfafCuIfizorZpkBdERawzGdVD5Fmx6p7DSeAm6WV/V6vZROp0FCVmJ5IbSNIu0PHTjRVh0rcT3pt0+tlT/KceZhk5XM2ds5MqCKGpBYXTvWrWzkk8Alby/3M0QFvctC7YytuDOywU+Qj5bAFB7IAlIeJAGlWGoWb3pLL05N2SbfRYdJcucFpq72+MgmneoTxwovJwiUxvRQGUNBjpxZcUA4d+pHtGRvNAU95RxfirGTaWujfHX9um4mNBhYbMb/NRGC737GQV48ksMSEtcR4C9U1GGh/3Czr7S/GIew19pHtdHsnN5P+rn2wbVPlUgzwgcAeHFbVlD+Lguszs0AdHGwv9ZdkHPwBzmOx9YvDEYfEZM9AJk/hWuk85FXZTKMcDSG1ytHbAyGgjLOr8B1z36u3B1kRt+92uHqd06QjFu/ipVIitmGogem5nwTVthP7zLvbjFiv6omskGBu/55ByQicH5MCkDisJKU2ahOFOypbR5hxdodGS13+pQGFqg8cTe0gsnzfrwXKiQu1aYC394MW+z29OO5KK9NSN4bJ3zn4W7Sh5TbbHsCAwEAAaMyMDAwHQYDVR0OBBYEFB73KQ9dKRRykGrTP/ro/ucILFuYMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBACp7CqafH2O5tj6gVDE7FAhoQrPyBNMiQXpXZihG9DIoTHJgiDPuRhdSrVyPKldZ7EsSa52sse6QzmYrRnMOQmUZWP7Cu6QLtYc4IUcGRZWDaY2uVDsnXwyXIkxUHDGeeQG+f5/iBiKTMqy+6O0cIRqebMtTqvmob5yQggXp5CVXTbq+pb0DmcLsMbZbrWNviVC7QBXpwHyH24H7iv2aEEAAQorIg35v75Oen7nvFPGcKiaEjvTKvoce2j2OceW20QAaQlSBeSaOIsAyw1q1e6uIoC6PjDb0URbXV6LAJz5RjfinSiQuo0nLzRLRiecEOiBBhtXsMXBIs/jxGqMKT14QbXMVLX9STaDho5i0LAkypnYNjFznc40Ot/Xqx5pS9B/jBppVVNKjv//AdTbKa9WNUPTQZg91IAnXAE6FTSGwUSzGhmrf4WJfHLt0uITn/fOrZfL/enju+jnX3TKRU8N4BNakHcAv2XJh0qmDnmKBAHrq5rCNsSO6Bsl411FYxb3enXQAd6SNy+G/kx1Up4+jAg67bTZDlq38opVU0k0ZAxmLWHUHI1QbcnAhah0g40fW5UY9kijuWbxVea8K+arIRk4hBLqFLNkwoa5eEKg7+ErtUJeqR1Q8YJhCzqz8zQ5Rf0EdE40W9H4zsxgQUFmqAE/klrdI06pJLB3bjvwa"}

Multi AV Scanner detection for submitted file

Source: BJtvb5Vdhh.exe	Virustotal: Detection: 26%			Perma Link
Source: BJtvb5Vdhh.exe	ReversingLabs: Detection: 44%

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.BJtvb5Vdhh.exe.1fcf56a9ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BJtvb5Vdhh.exe.1fcfe390000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BJtvb5Vdhh.exe.1fcfe390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BJtvb5Vdhh.exe.1fcf56a9ac0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2627127308.000001FCE5872000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2627127308.000001FCE56A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2637218283.000001FCFE390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2630351142.000001FCF56A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2632522514.000001FCFDD63000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BJtvb5Vdhh.exe PID: 7592, type: MEMORYSTR

Source: unknown

HTTPS traffic detected: 108.181.61.49:443 -> 192.168.2.9:49731 version: TLS 1.2

Source: BJtvb5Vdhh.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2027619 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (Quasar CnC) : 51.15.17.193:4782 -> 192.168.2.9:49725
Source: Network traffic	Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 51.15.17.193:4782 -> 192.168.2.9:49725

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 51.15.17.193

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.BJtvb5Vdhh.exe.1fcf56a9ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BJtvb5Vdhh.exe.1fcfe390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2637218283.000001FCFE390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.9:49725 -> 51.15.17.193:4782

Source: Joe Sandbox View	IP Address: 108.181.61.49 108.181.61.49
Source: Joe Sandbox View	IP Address: 51.15.17.193 51.15.17.193

Source: Joe Sandbox View

ASN Name: OnlineSASFR OnlineSASFR

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ipwho.is

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.17.193
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ipwho.is

Source: BJtvb5Vdhh.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: BJtvb5Vdhh.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: BJtvb5Vdhh.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: BJtvb5Vdhh.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA.crt0
Source: BJtvb5Vdhh.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: BJtvb5Vdhh.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: BJtvb5Vdhh.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: BJtvb5Vdhh.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: BJtvb5Vdhh.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: BJtvb5Vdhh.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: BJtvb5Vdhh.exe	String found in binary or memory: http://crl3.digicert.com/EVCodeSigning-g1.crl03
Source: BJtvb5Vdhh.exe	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: BJtvb5Vdhh.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: BJtvb5Vdhh.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: BJtvb5Vdhh.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: BJtvb5Vdhh.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: BJtvb5Vdhh.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: BJtvb5Vdhh.exe	String found in binary or memory: http://crl4.digicert.com/EVCodeSigning-g1.crl0K
Source: BJtvb5Vdhh.exe	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: BJtvb5Vdhh.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: BJtvb5Vdhh.exe, 00000000.00000002.2634852155.000001FCFE133000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: BJtvb5Vdhh.exe, 00000000.00000002.2635819972.000001FCFE220000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: BJtvb5Vdhh.exe, 00000000.00000002.2627127308.000001FCE5824000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ipwho.is
Source: BJtvb5Vdhh.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: BJtvb5Vdhh.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: BJtvb5Vdhh.exe	String found in binary or memory: http://ocsp.digicert.com0H
Source: BJtvb5Vdhh.exe	String found in binary or memory: http://ocsp.digicert.com0I
Source: BJtvb5Vdhh.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: BJtvb5Vdhh.exe, 00000000.00000002.2627127308.000001FCE5872000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: BJtvb5Vdhh.exe, 00000000.00000002.2627127308.000001FCE56A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: BJtvb5Vdhh.exe	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: BJtvb5Vdhh.exe, 00000000.00000002.2637218283.000001FCFE390000.00000004.08000000.00040000.00000000.sdmp, BJtvb5Vdhh.exe, 00000000.00000002.2630351142.000001FCF56A1000.00000004.00000800.00020000.00000000.sdmp, BJtvb5Vdhh.exe, 00000000.00000002.2632522514.000001FCFDD63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: BJtvb5Vdhh.exe, 00000000.00000002.2627127308.000001FCE580A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipwho.is
Source: BJtvb5Vdhh.exe, 00000000.00000002.2637218283.000001FCFE390000.00000004.08000000.00040000.00000000.sdmp, BJtvb5Vdhh.exe, 00000000.00000002.2627127308.000001FCE580A000.00000004.00000800.00020000.00000000.sdmp, BJtvb5Vdhh.exe, 00000000.00000002.2630351142.000001FCF56A1000.00000004.00000800.00020000.00000000.sdmp, BJtvb5Vdhh.exe, 00000000.00000002.2632522514.000001FCFDD63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipwho.is/
Source: BJtvb5Vdhh.exe, 00000000.00000002.2637218283.000001FCFE390000.00000004.08000000.00040000.00000000.sdmp, BJtvb5Vdhh.exe, 00000000.00000002.2630351142.000001FCF56A1000.00000004.00000800.00020000.00000000.sdmp, BJtvb5Vdhh.exe, 00000000.00000002.2632522514.000001FCFDD63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: BJtvb5Vdhh.exe, 00000000.00000002.2627127308.000001FCE5ABE000.00000004.00000800.00020000.00000000.sdmp, BJtvb5Vdhh.exe, 00000000.00000002.2637218283.000001FCFE390000.00000004.08000000.00040000.00000000.sdmp, BJtvb5Vdhh.exe, 00000000.00000002.2627127308.000001FCE56E1000.00000004.00000800.00020000.00000000.sdmp, BJtvb5Vdhh.exe, 00000000.00000002.2630351142.000001FCF56A1000.00000004.00000800.00020000.00000000.sdmp, BJtvb5Vdhh.exe, 00000000.00000002.2632522514.000001FCFDD63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: BJtvb5Vdhh.exe, 00000000.00000002.2637218283.000001FCFE390000.00000004.08000000.00040000.00000000.sdmp, BJtvb5Vdhh.exe, 00000000.00000002.2630351142.000001FCF56A1000.00000004.00000800.00020000.00000000.sdmp, BJtvb5Vdhh.exe, 00000000.00000002.2632522514.000001FCFDD63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot
Source: BJtvb5Vdhh.exe	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443

Source: unknown

HTTPS traffic detected: 108.181.61.49:443 -> 192.168.2.9:49731 version: TLS 1.2

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.BJtvb5Vdhh.exe.1fcf56a9ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BJtvb5Vdhh.exe.1fcfe390000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BJtvb5Vdhh.exe.1fcfe390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BJtvb5Vdhh.exe.1fcf56a9ac0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2627127308.000001FCE5872000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2627127308.000001FCE56A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2637218283.000001FCFE390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2630351142.000001FCF56A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2632522514.000001FCFDD63000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BJtvb5Vdhh.exe PID: 7592, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.BJtvb5Vdhh.exe.1fcf56a9ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.BJtvb5Vdhh.exe.1fcf56a9ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.BJtvb5Vdhh.exe.1fcf56a9ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.2.BJtvb5Vdhh.exe.1fcfe390000.1.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.BJtvb5Vdhh.exe.1fcfe390000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.BJtvb5Vdhh.exe.1fcfe390000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.2.BJtvb5Vdhh.exe.1fcfe390000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.BJtvb5Vdhh.exe.1fcfe390000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.BJtvb5Vdhh.exe.1fcfe390000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.2.BJtvb5Vdhh.exe.1fcf56a9ac0.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.BJtvb5Vdhh.exe.1fcf56a9ac0.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.BJtvb5Vdhh.exe.1fcf56a9ac0.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 00000000.00000002.2637218283.000001FCFE390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 00000000.00000002.2637218283.000001FCFE390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000000.00000002.2637218283.000001FCFE390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Quasar infostealer Author: ditekshen

Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Code function: 0_2_00007FF887D7295E	0_2_00007FF887D7295E
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Code function: 0_2_00007FF887FFAA90	0_2_00007FF887FFAA90
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Code function: 0_2_00007FF888007336	0_2_00007FF888007336
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Code function: 0_2_00007FF88800E4AE	0_2_00007FF88800E4AE
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Code function: 0_2_00007FF88800651D	0_2_00007FF88800651D
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Code function: 0_2_00007FF887FF9621	0_2_00007FF887FF9621
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Code function: 0_2_00007FF887FF4E56	0_2_00007FF887FF4E56
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Code function: 0_2_00007FF88800B009	0_2_00007FF88800B009
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Code function: 0_2_00007FF8880080E2	0_2_00007FF8880080E2
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Code function: 0_2_00007FF887FF5D35	0_2_00007FF887FF5D35
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Code function: 0_2_00007FF888000DD0	0_2_00007FF888000DD0
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Code function: 0_2_00007FF887FF10D1	0_2_00007FF887FF10D1
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Code function: 0_2_00007FF8880B23F1	0_2_00007FF8880B23F1

Source: BJtvb5Vdhh.exe

Static PE information: invalid certificate

Source: BJtvb5Vdhh.exe, 00000000.00000002.2637218283.000001FCFE390000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs BJtvb5Vdhh.exe
Source: BJtvb5Vdhh.exe, 00000000.00000000.1380356927.00007FF7EC2B9000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameRegAsm.exeT4 vs BJtvb5Vdhh.exe
Source: BJtvb5Vdhh.exe, 00000000.00000002.2630351142.000001FCF56A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs BJtvb5Vdhh.exe
Source: BJtvb5Vdhh.exe, 00000000.00000002.2632522514.000001FCFDD63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs BJtvb5Vdhh.exe
Source: BJtvb5Vdhh.exe	Binary or memory string: OriginalFilenameRegAsm.exeT4 vs BJtvb5Vdhh.exe

Source: 0.2.BJtvb5Vdhh.exe.1fcf56a9ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.BJtvb5Vdhh.exe.1fcf56a9ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.BJtvb5Vdhh.exe.1fcf56a9ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.BJtvb5Vdhh.exe.1fcfe390000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.BJtvb5Vdhh.exe.1fcfe390000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.BJtvb5Vdhh.exe.1fcfe390000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.BJtvb5Vdhh.exe.1fcfe390000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.BJtvb5Vdhh.exe.1fcfe390000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.BJtvb5Vdhh.exe.1fcfe390000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.BJtvb5Vdhh.exe.1fcf56a9ac0.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.BJtvb5Vdhh.exe.1fcf56a9ac0.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.BJtvb5Vdhh.exe.1fcf56a9ac0.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 00000000.00000002.2637218283.000001FCFE390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 00000000.00000002.2637218283.000001FCFE390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000000.00000002.2637218283.000001FCFE390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@1/2

Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Mutant created: \Sessions\1\BaseNamedObjects\Var_MAvjlH
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\4cdc792e-d5cc-4480-93ab-ecbd2e6b9073

Source: BJtvb5Vdhh.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: BJtvb5Vdhh.exe	Virustotal: Detection: 26%
Source: BJtvb5Vdhh.exe	ReversingLabs: Detection: 44%

Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Section loaded: wbemcomn.dll	Jump to behavior

Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: BJtvb5Vdhh.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: BJtvb5Vdhh.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: BJtvb5Vdhh.exe

Static file information: File size 9057632 > 1048576

Source: BJtvb5Vdhh.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x51d000
Source: BJtvb5Vdhh.exe	Static PE information: Raw size of .data is bigger than: 0x100000 < 0x31e200

Source: BJtvb5Vdhh.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: BJtvb5Vdhh.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: BJtvb5Vdhh.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: BJtvb5Vdhh.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: BJtvb5Vdhh.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: BJtvb5Vdhh.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: BJtvb5Vdhh.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: BJtvb5Vdhh.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: BJtvb5Vdhh.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: BJtvb5Vdhh.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: BJtvb5Vdhh.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: BJtvb5Vdhh.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: BJtvb5Vdhh.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: BJtvb5Vdhh.exe

Static PE information: real checksum: 0x8a6255 should be: 0x8a9085

Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Code function: 0_2_00007FF887C5D2A5 pushad ; iretd		0_2_00007FF887C5D2A6
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Code function: 0_2_00007FF887D709C7 push ecx; iretd		0_2_00007FF887D70A46

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe

File opened: C:\Users\user\Desktop\BJtvb5Vdhh.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Memory allocated: 1FCE5340000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Memory allocated: 1FCFD6A0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Window / User API: threadDelayed 949	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Window / User API: threadDelayed 711	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Window / User API: threadDelayed 661	Jump to behavior

Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe

File Volume queried: C:\Users\user\Desktop FullSizeInformation

Jump to behavior

Source: BJtvb5Vdhh.exe, 00000000.00000002.2634852155.000001FCFE133000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe

Thread register set: target process: unknown

Jump to behavior

Sets debug register (to hijack the execution of another thread)

Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe

Thread register set: unknown 1

Jump to behavior

Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\BJtvb5Vdhh.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.BJtvb5Vdhh.exe.1fcf56a9ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BJtvb5Vdhh.exe.1fcfe390000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BJtvb5Vdhh.exe.1fcfe390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BJtvb5Vdhh.exe.1fcf56a9ac0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2627127308.000001FCE5872000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2627127308.000001FCE56A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2637218283.000001FCFE390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2630351142.000001FCF56A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2632522514.000001FCFDD63000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BJtvb5Vdhh.exe PID: 7592, type: MEMORYSTR

Remote Access Functionality

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.BJtvb5Vdhh.exe.1fcf56a9ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BJtvb5Vdhh.exe.1fcfe390000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BJtvb5Vdhh.exe.1fcfe390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BJtvb5Vdhh.exe.1fcf56a9ac0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2627127308.000001FCE5872000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2627127308.000001FCE56A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2637218283.000001FCFE390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2630351142.000001FCF56A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2632522514.000001FCFDD63000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BJtvb5Vdhh.exe PID: 7592, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Windows Management Instrumentation	1 DLL Side-Loading	2 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Hidden Files and Directories	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	24 System Information Discovery	SSH	Keylogging	113 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
BJtvb5Vdhh.exe	26%	Virustotal		Browse
BJtvb5Vdhh.exe	45%	ReversingLabs	Win64.Trojan.CrypterX

Source	Detection	Scanner	Label	Link
51.15.17.193	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipwho.is	108.181.61.49	true	false		high
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ipwho.is/	false		high
51.15.17.193	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://api.ipify.org/	BJtvb5Vdhh.exe, 00000000.00000002.2637218283.000001FCFE390000.00000004.08000000.00040000.00000000.sdmp, BJtvb5Vdhh.exe, 00000000.00000002.2630351142.000001FCF56A1000.00000004.00000800.00020000.00000000.sdmp, BJtvb5Vdhh.exe, 00000000.00000002.2632522514.000001FCFDD63000.00000004.00000020.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/14436606/23354	BJtvb5Vdhh.exe, 00000000.00000002.2627127308.000001FCE5ABE000.00000004.00000800.00020000.00000000.sdmp, BJtvb5Vdhh.exe, 00000000.00000002.2637218283.000001FCFE390000.00000004.08000000.00040000.00000000.sdmp, BJtvb5Vdhh.exe, 00000000.00000002.2627127308.000001FCE56E1000.00000004.00000800.00020000.00000000.sdmp, BJtvb5Vdhh.exe, 00000000.00000002.2630351142.000001FCF56A1000.00000004.00000800.00020000.00000000.sdmp, BJtvb5Vdhh.exe, 00000000.00000002.2632522514.000001FCFDD63000.00000004.00000020.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/2152978/23354sCannot	BJtvb5Vdhh.exe, 00000000.00000002.2637218283.000001FCFE390000.00000004.08000000.00040000.00000000.sdmp, BJtvb5Vdhh.exe, 00000000.00000002.2630351142.000001FCF56A1000.00000004.00000800.00020000.00000000.sdmp, BJtvb5Vdhh.exe, 00000000.00000002.2632522514.000001FCFDD63000.00000004.00000020.00020000.00000000.sdmp	false	high
http://schemas.datacontract.org/2004/07/	BJtvb5Vdhh.exe, 00000000.00000002.2627127308.000001FCE5872000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	BJtvb5Vdhh.exe, 00000000.00000002.2627127308.000001FCE56A1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ipwho.is	BJtvb5Vdhh.exe, 00000000.00000002.2627127308.000001FCE5824000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	BJtvb5Vdhh.exe, 00000000.00000002.2637218283.000001FCFE390000.00000004.08000000.00040000.00000000.sdmp, BJtvb5Vdhh.exe, 00000000.00000002.2630351142.000001FCF56A1000.00000004.00000800.00020000.00000000.sdmp, BJtvb5Vdhh.exe, 00000000.00000002.2632522514.000001FCFDD63000.00000004.00000020.00020000.00000000.sdmp	false	high
https://ipwho.is	BJtvb5Vdhh.exe, 00000000.00000002.2627127308.000001FCE580A000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
108.181.61.49	ipwho.is	Canada		852	ASN852CA	false
51.15.17.193	unknown	France		12876	OnlineSASFR	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578207
Start date and time:	2024-12-19 12:31:17 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	BJtvb5Vdhh.exe renamed because original name is a hash value
Original Sample Name:	a06fb340d32ab66caf6d851719c4e51e77a3208b337a0bca99879cfaba35d2c7.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 86% Number of executed functions: 162 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 52.149.20.212
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
108.181.61.49	888.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	888.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	Cracker.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
51.15.17.193	kqeGVKtpy2.exe	Get hash	malicious	Quasar	Browse
	LFLtlBAuf7.exe	Get hash	malicious	Quasar	Browse
	O9MV0lNEO5.exe	Get hash	malicious	Quasar	Browse
	RegAsm.exe	Get hash	malicious	Quasar	Browse
	truepepe-qt.exe	Get hash	malicious	Quasar	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0035.t-0009.t-msedge.net	https://e.trustifi.com/#/fff2a1/305619/6dc30e/bb62bb/581844/11c063/a3c1ce/c0ba4d/e8666a/ef542d/85972d/627493/9a11d6/1f4096/1d247f/838c7e/cd63d6/82c9fe/baf706/264690/9188a6/a54400/a45112/68deb9/a1d612/148c70/62dcf5/9cb4f7/9713c0/de2350/884a31/c8623a/2f5546/ab6255/63291e/390e78/6b371c/add804/d4bbed/01f0b4/6023ca/9b7c0b/b0881b/bd8fbb/380790/942e2d/c30675/2c79c4/594b5b/fa5dac/c17e29/ec9861/3d4f90/8d1dd9/15a5f1/e3d291/035383/58ff7f/dcf654/c36a6d/ac2219/0a7478/f49f04/50db6b/1c0640/509cd9/d5eb23/7e01e4/b5bcef/2cfb1e/1cd263/f68c45/7325e0/8e5d9b/dacf2c/074706/a0f040/11bf65/f8b4f7/b49b4f/da74f6/285aa9/b249dd/d9b9c7/1a738e/07e7fa/7ea43f/a69f97/422641/436e51/504e86	Get hash	malicious	HTMLPhisher	Browse	13.107.246.63
	http://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=N_pyUL0QJkeR_KiXHZsVlyTB1Qoy7S9IkE8Ogzl8coFUQlZDVFpDUkpSUUhUQzVRN0Q2MFNLQU1XTy4u	Get hash	malicious	HTMLPhisher	Browse	13.107.246.63
	contract_signed.pdf	Get hash	malicious	Unknown	Browse	13.107.246.63
	whacipher.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	s3hvuz3XS0.exe	Get hash	malicious	Cryptbot	Browse	13.107.246.63
	661fW9gxDp.exe	Get hash	malicious	LummaC	Browse	13.107.246.63
	https://forms.office.com/Pages/ShareFormPage.aspx?id=z5Knz2h3QUOIV4F1TCr6H8l1dBxA_RZAr7lBOGCmz8VURUlLQURGTlFGTEQ0QzdESlFMT1lGUlpRWi4u&sharetoken=rKEHIuU7H8od3T6m0C0Z	Get hash	malicious	Unknown	Browse	13.107.246.63
	S6oj0LoSiL.exe	Get hash	malicious	LummaC	Browse	13.107.246.63
	pM3fQBuTLy.exe	Get hash	malicious	Vidar	Browse	13.107.246.63
	NVkyG9HAeY.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	13.107.246.63
ipwho.is	kqeGVKtpy2.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	LFLtlBAuf7.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	O9MV0lNEO5.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	RegAsm.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	truepepe-qt.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	alyemenione.lnk	Get hash	malicious	Havoc, Quasar	Browse	108.181.61.49
	jignesh.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	skibidi.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	vanilla.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	888.exe	Get hash	malicious	Luca Stealer	Browse	108.181.61.49

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASN852CA	kqeGVKtpy2.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	LFLtlBAuf7.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	O9MV0lNEO5.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	RegAsm.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	truepepe-qt.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	TT copy.js	Get hash	malicious	FormBook	Browse	108.181.20.35
	alyemenione.lnk	Get hash	malicious	Havoc, Quasar	Browse	108.181.61.49
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	204.191.146.80
	la.bot.mips.elf	Get hash	malicious	Mirai	Browse	161.184.58.16
	la.bot.sh4.elf	Get hash	malicious	Mirai	Browse	199.175.174.49
OnlineSASFR	kqeGVKtpy2.exe	Get hash	malicious	Quasar	Browse	51.15.17.193
	LFLtlBAuf7.exe	Get hash	malicious	Quasar	Browse	51.15.17.193
	O9MV0lNEO5.exe	Get hash	malicious	Quasar	Browse	51.15.17.193
	RegAsm.exe	Get hash	malicious	Quasar	Browse	51.15.17.193
	truepepe-qt.exe	Get hash	malicious	Quasar	Browse	51.15.17.193
	http://bluepeak-group.com/fc	Get hash	malicious	Unknown	Browse	163.172.143.199
	gaozw40v.exe	Get hash	malicious	Xmrig	Browse	163.172.154.142
	twjMb9cX64.exe	Get hash	malicious	Sliver	Browse	51.158.71.131
	WOlxr4yjgF.exe	Get hash	malicious	Sliver	Browse	51.158.71.131
	bot.mips.elf	Get hash	malicious	Mirai	Browse	51.158.232.138

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	kqeGVKtpy2.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	LFLtlBAuf7.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	O9MV0lNEO5.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	RegAsm.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	truepepe-qt.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	FjfZ7uM8zh.lnk	Get hash	malicious	Unknown	Browse	108.181.61.49
	yswmdaREME.lnk	Get hash	malicious	Unknown	Browse	108.181.61.49
	0bNBLjPn56.lnk	Get hash	malicious	Unknown	Browse	108.181.61.49
	t5lpvahkgypd7wy.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	108.181.61.49
	RFQ Letter and Instructions.pdf	Get hash	malicious	Unknown	Browse	108.181.61.49

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.88230836674277
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	BJtvb5Vdhh.exe
File size:	9'057'632 bytes
MD5:	18614ee994ac149ba306d530651d627c
SHA1:	fbb67a2e7723e9c08b9faba8a4e5b1104ffefaed
SHA256:	a06fb340d32ab66caf6d851719c4e51e77a3208b337a0bca99879cfaba35d2c7
SHA512:	013aa8b9e32b17980906f44dd8e77deb1f81ed6520972a20bf8639cfb42d825ee6a4000cdcfc31071c1bd9c3dbee51613f53e859e771d3428747bbd646105af9
SSDEEP:	98304:sX6BNhy0K9ZrLuJipnDfuvmrdLqEWsEtzo9aBN6K+tFXLx04:cuhy0+xLuJipDmc5Pnakxq4
TLSH:	10969D200F1942E8CDE6753194661362DEB0FE4C903CA7554FF4BAA469FFB6065AE23C
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$...J...J...J...I...J...O.V.J...N...J...I...J...N...J.......J...K...J...K.^.J...O...J...C...J...H...J.Rich..J.........PE..d..

File Icon


Icon Hash:	55497933cc61714d

Static PE Info

General

Entrypoint:	0x14050c910
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x67413512 [Sat Nov 23 01:51:14 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	b366497cd3cff2367e10ca55cfd84f3a

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert EV Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	12/06/2016 20:00:00 24/01/2019 07:00:00
Subject Chain	CN=Realtek Semiconductor Corp., O=Realtek Semiconductor Corp., L=Hsinchu, S=Taiwan, C=TW, PostalCode=300, STREET="No. 2, Innovation Road II, Hsinchu Science Park", SERIALNUMBER=22671299, OID.1.3.6.1.4.1.311.60.2.1.3=TW, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	7B0CA4029E3A73373CE0BD3DF12A08C1
Thumbprint SHA-1:	37A0BACB152A547382195095AB33601929877364
Thumbprint SHA-256:	B08CF4E204D1BA2BA8642D7709499D61CFF8CF7AA75CCD832A6BA1D7F1B82DF7
Serial:	0320BE3EB866526927F999B97B04346E

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F635CF770A4h
dec eax
add esp, 28h
jmp 00007F635CF76867h
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007F635CF76A02h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007F635CF76A05h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007F635CF769FDh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007F635CF763D6h
int3
dec eax
mov dword ptr [esp+10h], ebx
dec eax
mov dword ptr [esp+18h], esi
push ebp
push edi
inc ecx
push esi
dec eax
mov ebp, esp
dec eax
sub esp, 10h
xor eax, eax
xor ecx, ecx
cpuid
inc esp
mov eax, ecx
inc esp
mov edx, edx
inc ecx
xor edx, 49656E69h
inc ecx
xor eax, 6C65746Eh
inc esp
mov ecx, ebx
inc esp
mov esi, eax
xor ecx, ecx

Rich Headers

Programming Language:

[IMP] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x57773c	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x89c000	0x6f58	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x899000	0x1b90	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x89ee00	0x4760
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x89b000	0x68c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x574f80	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x574e40	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x51e000	0x370	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x51cfa0	0x51d000	c12c3b7133c5988044e10571b2514b8d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x51e000	0x5a29e	0x5a400	b3002150aa6198265b25dbc6e936b1b7	False	0.5265727796052632	data	7.140798069546158	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x579000	0x31f3b0	0x31e200	3272a693c952a84b3975029d794e27eb	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x899000	0x1b90	0x1c00	8e86e9c1a200c763fd755fb87cbe9c55	False	0.4828404017857143	data	5.533463190978466	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x89b000	0x68c	0x800	57d1db0b045559d6fbbc0e6c0cf74ac3	False	0.505859375	data	4.944638479582789	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x89c000	0x6f58	0x7000	f47adb0872a7a0f8e76f805ba7c65a0e	False	0.38584681919642855	data	6.01809104915718	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x89c328	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 0			0.21341463414634146
RT_ICON	0x89c990	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0			0.34139784946236557
RT_ICON	0x89cc78	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0			0.5202702702702703
RT_ICON	0x89cda0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.47334754797441364
RT_ICON	0x89dc48	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.6101083032490975
RT_ICON	0x89e4f0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.596820809248555
RT_ICON	0x89ea58	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.2932572614107884
RT_ICON	0x8a1000	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0			0.4343339587242026
RT_ICON	0x8a20a8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0			0.7198581560283688
RT_ICON	0x8a2510	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640			0.42473118279569894
RT_ICON	0x8a27f8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640			0.35618279569892475
RT_GROUP_ICON	0x8a2ae0	0x84	data			0.6363636363636364
RT_GROUP_ICON	0x8a2b64	0x14	data			1.25
RT_GROUP_ICON	0x8a2b78	0x14	data			1.25
RT_VERSION	0x8a2b8c	0x3cc	data	English	United States	0.4506172839506173

Imports

DLL	Import
USER32.dll	wsprintfW, TranslateMessage, SetTimer, GetMessageW, DispatchMessageW, KillTimer
mscoree.dll	CLRCreateInstance
OLEAUT32.dll	SafeArrayCreateVector, SafeArrayUnlock, SafeArrayLock, SafeArrayCreate
KERNEL32.dll	IsDebuggerPresent, WriteConsoleW, CreateFileW, SetFilePointerEx, GetConsoleMode, GetConsoleOutputCP, FlushFileBuffers, HeapReAlloc, HeapSize, GetProcessHeap, LCMapStringW, CompareStringW, FlsFree, FlsSetValue, FlsGetValue, CreateTimerQueueTimer, GetCurrentProcess, lstrlenW, CreateJobObjectW, DeleteTimerQueueEx, CreateMutexW, GetLocaleInfoW, WaitForSingleObject, GetModuleHandleA, GetACP, CreateEventW, MultiByteToWideChar, GetLastError, LoadLibraryA, QueryPerformanceFrequency, CloseHandle, AddVectoredExceptionHandler, GetThreadContext, GetProcAddress, GlobalMemoryStatusEx, GetModuleHandleW, FreeLibrary, lstrcpyW, GetDiskFreeSpaceExA, GetSystemTime, SetThreadContext, QueryPerformanceCounter, CreateMailslotW, GetTickCount, CreateTimerQueue, LocalFree, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, GetStartupInfoW, FlsAlloc, RtlUnwindEx, RtlPcToFileHeader, RaiseException, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetOEMCP, GetCPInfo, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetFileType, GetStringTypeW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-19T12:32:21.842095+0100	2027619	ET MALWARE Observed Malicious SSL Cert (Quasar CnC)	1	51.15.17.193	4782	192.168.2.9	49725	TCP
2024-12-19T12:32:21.842095+0100	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	1	51.15.17.193	4782	192.168.2.9	49725	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 12:32:20.147913933 CET	49725	4782	192.168.2.9	51.15.17.193
Dec 19, 2024 12:32:20.267704964 CET	4782	49725	51.15.17.193	192.168.2.9
Dec 19, 2024 12:32:20.267786980 CET	49725	4782	192.168.2.9	51.15.17.193
Dec 19, 2024 12:32:20.279124975 CET	49725	4782	192.168.2.9	51.15.17.193
Dec 19, 2024 12:32:20.398648024 CET	4782	49725	51.15.17.193	192.168.2.9
Dec 19, 2024 12:32:21.601334095 CET	4782	49725	51.15.17.193	192.168.2.9
Dec 19, 2024 12:32:21.601351976 CET	4782	49725	51.15.17.193	192.168.2.9
Dec 19, 2024 12:32:21.601454973 CET	49725	4782	192.168.2.9	51.15.17.193
Dec 19, 2024 12:32:21.605825901 CET	49725	4782	192.168.2.9	51.15.17.193
Dec 19, 2024 12:32:21.842094898 CET	4782	49725	51.15.17.193	192.168.2.9
Dec 19, 2024 12:32:21.997481108 CET	4782	49725	51.15.17.193	192.168.2.9
Dec 19, 2024 12:32:22.043169975 CET	49725	4782	192.168.2.9	51.15.17.193
Dec 19, 2024 12:32:22.348733902 CET	49731	443	192.168.2.9	108.181.61.49
Dec 19, 2024 12:32:22.348764896 CET	443	49731	108.181.61.49	192.168.2.9
Dec 19, 2024 12:32:22.348845959 CET	49731	443	192.168.2.9	108.181.61.49
Dec 19, 2024 12:32:22.349934101 CET	49731	443	192.168.2.9	108.181.61.49
Dec 19, 2024 12:32:22.349945068 CET	443	49731	108.181.61.49	192.168.2.9
Dec 19, 2024 12:32:24.749070883 CET	443	49731	108.181.61.49	192.168.2.9
Dec 19, 2024 12:32:24.749181032 CET	49731	443	192.168.2.9	108.181.61.49
Dec 19, 2024 12:32:24.751853943 CET	49731	443	192.168.2.9	108.181.61.49
Dec 19, 2024 12:32:24.751863003 CET	443	49731	108.181.61.49	192.168.2.9
Dec 19, 2024 12:32:24.752103090 CET	443	49731	108.181.61.49	192.168.2.9
Dec 19, 2024 12:32:24.756057024 CET	49731	443	192.168.2.9	108.181.61.49
Dec 19, 2024 12:32:24.803327084 CET	443	49731	108.181.61.49	192.168.2.9
Dec 19, 2024 12:32:25.361249924 CET	443	49731	108.181.61.49	192.168.2.9
Dec 19, 2024 12:32:25.361339092 CET	443	49731	108.181.61.49	192.168.2.9
Dec 19, 2024 12:32:25.361408949 CET	49731	443	192.168.2.9	108.181.61.49
Dec 19, 2024 12:32:25.447680950 CET	49731	443	192.168.2.9	108.181.61.49
Dec 19, 2024 12:32:25.654604912 CET	49725	4782	192.168.2.9	51.15.17.193
Dec 19, 2024 12:32:25.774104118 CET	4782	49725	51.15.17.193	192.168.2.9
Dec 19, 2024 12:32:25.774269104 CET	49725	4782	192.168.2.9	51.15.17.193
Dec 19, 2024 12:32:25.893950939 CET	4782	49725	51.15.17.193	192.168.2.9
Dec 19, 2024 12:32:26.164848089 CET	4782	49725	51.15.17.193	192.168.2.9
Dec 19, 2024 12:32:26.215069056 CET	49725	4782	192.168.2.9	51.15.17.193
Dec 19, 2024 12:32:26.356669903 CET	4782	49725	51.15.17.193	192.168.2.9
Dec 19, 2024 12:32:26.402538061 CET	49725	4782	192.168.2.9	51.15.17.193
Dec 19, 2024 12:32:51.372636080 CET	49725	4782	192.168.2.9	51.15.17.193
Dec 19, 2024 12:32:51.496675014 CET	4782	49725	51.15.17.193	192.168.2.9
Dec 19, 2024 12:33:16.496459007 CET	49725	4782	192.168.2.9	51.15.17.193
Dec 19, 2024 12:33:16.616132975 CET	4782	49725	51.15.17.193	192.168.2.9
Dec 19, 2024 12:33:41.621608019 CET	49725	4782	192.168.2.9	51.15.17.193
Dec 19, 2024 12:33:41.741436005 CET	4782	49725	51.15.17.193	192.168.2.9
Dec 19, 2024 12:34:06.746705055 CET	49725	4782	192.168.2.9	51.15.17.193
Dec 19, 2024 12:34:06.866471052 CET	4782	49725	51.15.17.193	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 12:32:22.118632078 CET	58235	53	192.168.2.9	1.1.1.1
Dec 19, 2024 12:32:22.342794895 CET	53	58235	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 19, 2024 12:32:22.118632078 CET	192.168.2.9	1.1.1.1	0xa756	Standard query (0)	ipwho.is	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 19, 2024 12:32:10.963627100 CET	1.1.1.1	192.168.2.9	0xb732	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 19, 2024 12:32:10.963627100 CET	1.1.1.1	192.168.2.9	0xb732	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false
Dec 19, 2024 12:32:22.342794895 CET	1.1.1.1	192.168.2.9	0xa756	No error (0)	ipwho.is		108.181.61.49	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ipwho.is

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49731	108.181.61.49	443	7592	C:\Users\user\Desktop\BJtvb5Vdhh.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 11:32:24 UTC	150	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0 Host: ipwho.is Connection: Keep-Alive
2024-12-19 11:32:25 UTC	223	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 11:32:25 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close Server: ipwhois Access-Control-Allow-Headers: * X-Robots-Tag: noindex
2024-12-19 11:32:25 UTC	1021	IN	Data Raw: 33 66 31 0d 0a 7b 0a 20 20 20 20 22 41 62 6f 75 74 20 55 73 22 3a 20 22 68 74 74 70 73 3a 5c 2f 5c 2f 69 70 77 68 6f 69 73 2e 69 6f 22 2c 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 74 79 70 65 22 3a 20 22 49 50 76 34 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 20 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 20 22 4e 41 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f Data Ascii: 3f1{ "About Us": "https:\/\/ipwhois.io", "ip": "8.46.123.189", "success": true, "type": "IPv4", "continent": "North America", "continent_code": "NA", "country": "United States", "country_code": "US", "region": "New Yo

Target ID:	0
Start time:	06:32:14
Start date:	19/12/2024
Path:	C:\Users\user\Desktop\BJtvb5Vdhh.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\BJtvb5Vdhh.exe"
Imagebase:	0x7ff7eba20000
File size:	9'057'632 bytes
MD5 hash:	18614EE994AC149BA306D530651D627C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2627127308.000001FCE5872000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2627127308.000001FCE56A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2637218283.000001FCFE390000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.2637218283.000001FCFE390000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: 00000000.00000002.2637218283.000001FCFE390000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000000.00000002.2637218283.000001FCFE390000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: 00000000.00000002.2637218283.000001FCFE390000.00000004.08000000.00040000.00000000.sdmp, Author: ditekshen Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2630351142.000001FCF56A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2632522514.000001FCFDD63000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	5.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF88800E4AE Relevance: 8.4, Strings: 6, Instructions: 950
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8$_L, xrefs: 00007FF88800EC72
>/_L, xrefs: 00007FF88800E5D2
6B, xrefs: 00007FF88800E65E
(LL, xrefs: 00007FF88800E949
0XL, xrefs: 00007FF88800E7DD
=$_L, xrefs: 00007FF88800E770

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID: 6B$(LL$0XL$8$_L$=$_L$>/_L
API String ID: 0-2709447611
Opcode ID: 527059954c92a6159359600307d4129c8903a9625e87e45827d0f6c1a3b1dab7
Instruction ID: 9d518677343ab0289918ed099de61a25c4e03edc5131db6b8112540389782521
Opcode Fuzzy Hash: 527059954c92a6159359600307d4129c8903a9625e87e45827d0f6c1a3b1dab7
Instruction Fuzzy Hash: CA626E70A18A4A8FEB88DF1894957B973E2FF98740F540179D44ED72D6CE38E842CB46

Function 00007FF88800B009 Relevance: 8.4, Strings: 6, Instructions: 892
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

b4B, xrefs: 00007FF88800B175
0WL, xrefs: 00007FF88800B6BE
0WL, xrefs: 00007FF88800B6F7
b4B, xrefs: 00007FF88800B31A
6B, xrefs: 00007FF88800B80A
0WL, xrefs: 00007FF88800B753

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID: 6B$0WL$0WL$0WL$b4B$b4B
API String ID: 0-580476020
Opcode ID: 66e857056af2606a88880294a7332d6ea87ed378412d3f6d928d7186dbe0e5de
Instruction ID: b21cb9d13a99a42e4b87d0f3db1c6c58dbd6ce5866d4fa3a77d14e4fc397d80f
Opcode Fuzzy Hash: 66e857056af2606a88880294a7332d6ea87ed378412d3f6d928d7186dbe0e5de
Instruction Fuzzy Hash: CF52D131A18A4A8FEB98DB288455679B3E1FF98350F54067DC44EC32D6DF38B842CB85

Function 00007FF8880B23F1 Relevance: 7.5, Strings: 1, Instructions: 6215COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF8880B3759

Memory Dump Source

Source File: 00000000.00000002.2647129402.00007FF8880B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8880b0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 97c7ea6802cac8db1feea6cf03a928590cd4341cf09607332a1aaa51e509973a
Instruction ID: e3e12c84aef5398b4d835fa899ad2b66771dcd903eaede7c29ce525c90043de9
Opcode Fuzzy Hash: 97c7ea6802cac8db1feea6cf03a928590cd4341cf09607332a1aaa51e509973a
Instruction Fuzzy Hash: 63830962F18E4B5FFBE5962C045523956D2FFD9680F6905BAD00EC32DAEE38EC028745

Function 00007FF88800651D Relevance: 7.0, Strings: 5, Instructions: 703
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

>/_L, xrefs: 00007FF88800E5D2
6B, xrefs: 00007FF88800E65E
(LL, xrefs: 00007FF88800E949
0XL, xrefs: 00007FF88800E7DD
=$_L, xrefs: 00007FF88800E770

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID: 6B$(LL$0XL$=$_L$>/_L
API String ID: 0-2968749511
Opcode ID: 5291346fe44facd3a9e0413f521449bf07cc6f6464528552c27ff2cc2371aa56
Instruction ID: e970fcd746a96ac9398fc8ea01fbc3dc7287e215b857030d9373f4b06fc61abe
Opcode Fuzzy Hash: 5291346fe44facd3a9e0413f521449bf07cc6f6464528552c27ff2cc2371aa56
Instruction Fuzzy Hash: 9F22E171A18A494FEB58EB6C94557B973E2FF98740F1441B9D00ED72D3DE38AC028786

Function 00007FF887FF9621 Relevance: 5.0, Strings: 3, Instructions: 1212
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

}D, xrefs: 00007FF887FF96C6
(LL, xrefs: 00007FF887FF9991
`%L, xrefs: 00007FF887FF98F4

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID: }D$(LL$`%L
API String ID: 0-4005307818
Opcode ID: 3b32581dda468b5d78567904fa5ab8eb9d1898ad18441e83ac81095a0fe9019b
Instruction ID: 071c43aaa0afbec2155dc9b835312d652d567b354d9921568d8f8bc5594740df
Opcode Fuzzy Hash: 3b32581dda468b5d78567904fa5ab8eb9d1898ad18441e83ac81095a0fe9019b
Instruction Fuzzy Hash: E372D530A1CA494FEB98EB2C9455BB977E1FF99350F0541BAD44EC72A7DE28AC02C741

Function 00007FF887FF4E56 Relevance: 4.7, Strings: 2, Instructions: 2151COMMON

Download Yara Rule

Strings

0XL, xrefs: 00007FF887FF5CDC
0#L, xrefs: 00007FF887FF5FBB

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID: 0#L$0XL
API String ID: 0-892149821
Opcode ID: fd98c1dbca5811d0ae1f44062dba9bca6f5d35dcbf98ed72866af77d13ed0da7
Instruction ID: d7a5d13575e65f465562244433d77fd77d9214dfc96a7c86ce84c04254c1ce9c
Opcode Fuzzy Hash: fd98c1dbca5811d0ae1f44062dba9bca6f5d35dcbf98ed72866af77d13ed0da7
Instruction Fuzzy Hash: A6F2C370A18A498FEB98DF28C495BA977F1FF59340F5441A9D04ED7292DE39EC82CB40

Function 00007FF887FFAA90 Relevance: 1.0, Instructions: 952COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d0a87198d283681662846b4403aba34c5b7fcbd432789d06701232822f55c26
Instruction ID: 51e5dffbe7b7bd88014ee7d1b62d09555001b0681b32f101adace8866b4b9c43
Opcode Fuzzy Hash: 6d0a87198d283681662846b4403aba34c5b7fcbd432789d06701232822f55c26
Instruction Fuzzy Hash: B0625F70608A498FEB94EB6CC4597A977E1FF99350F1444BDE44DCB2A6DE38E841CB02

Function 00007FF888007336 Relevance: .5, Instructions: 482COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9701d3c073b077cc1d74bdb1a9e994d2c4ff1fc5ba3d881d39d5e2f7df81eba
Instruction ID: c4ed8f004c04e06ceafe321e4ccc247c9042b623f1e92651a929f64425c24fe3
Opcode Fuzzy Hash: a9701d3c073b077cc1d74bdb1a9e994d2c4ff1fc5ba3d881d39d5e2f7df81eba
Instruction Fuzzy Hash: 69F1A430908A8D4FEFA8DF28D8557E937D1FF64351F04426AE84DC7292CB39A945CB82

Function 00007FF8880080E2 Relevance: .5, Instructions: 466COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef6e7cd42b69a56dbf91a76658eeb770d3a6f12dc975b026f743a5e1ec09a02c
Instruction ID: 9faa277729b9d3051ac39a9e31372506c2fe70dc909e4da666a8ed1bc7ca9224
Opcode Fuzzy Hash: ef6e7cd42b69a56dbf91a76658eeb770d3a6f12dc975b026f743a5e1ec09a02c
Instruction Fuzzy Hash: EDE1D330908A4E8FEFA8DF28C8567E977D1FB54351F04426EE84DC7291CB38A945CB82

Function 00007FF887FF5D35 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 658da302bd5bab175b611ad36eaf2e566e2fbdba9d78140e694fbf02e01c03cf
Instruction ID: 6f7126d882a3627cac129574fea0eec1fdd08a29b149328f44d490a785b5577c
Opcode Fuzzy Hash: 658da302bd5bab175b611ad36eaf2e566e2fbdba9d78140e694fbf02e01c03cf
Instruction Fuzzy Hash: 5EC15C30E58A198FEBA4DB59C8457A9B3F2FF99354F1045B9D04ED3292DE34B882CB41

Function 00007FF887D7295E Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2643806293.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887d70000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9498c1187096f26f9c877f2f81de3a635bb547f7cea39d08ffd5f4986fe56073
Instruction ID: 921e3d4db9f1a94323ba710d71b386e99fc0697bcb4e6462ce7e5fe8e813fdaa
Opcode Fuzzy Hash: 9498c1187096f26f9c877f2f81de3a635bb547f7cea39d08ffd5f4986fe56073
Instruction Fuzzy Hash: AC81716054E7C39FE342A7B8442A5AA7FF0EF4716078985EED086CF9A7DA1C1847C312

Function 00007FF88800F6F0 Relevance: 6.0, Strings: 4, Instructions: 979
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(LL, xrefs: 00007FF88800FDAF
x!L, xrefs: 00007FF88800FCF2
0#L, xrefs: 00007FF88800F9C0
@$_H, xrefs: 00007FF88800FC60

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID: (LL$0#L$@$_H$x!L
API String ID: 0-1853785837
Opcode ID: 37abc8004b68b78f6bd3f10ac827ce43ac0ad3ed30f4a3a522f8cc4d0d83bea0
Instruction ID: cf89bad4e4e077d1b48a6ccb617c064ec2cfbc374d49b77d560730a7e572254b
Opcode Fuzzy Hash: 37abc8004b68b78f6bd3f10ac827ce43ac0ad3ed30f4a3a522f8cc4d0d83bea0
Instruction Fuzzy Hash: 63528071A189498FEBA8EB2CD499A7837E1FF58340F5500B9E44EC72E2DE28EC41D745

Function 00007FF88800BA79 Relevance: 5.9, Strings: 4, Instructions: 935
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0WL, xrefs: 00007FF88800BF0A
0WL, xrefs: 00007FF88801410B
(LL, xrefs: 00007FF88800BF5D
0WL, xrefs: 00007FF88800BF96

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID: (LL$0WL$0WL$0WL
API String ID: 0-4081839530
Opcode ID: 9642e80b3f5d9024b8c2229e98025895c042b01b9918082f9f643c502306ae4e
Instruction ID: a89aa5738d8fa194fedd78d69ab21e564b406e63fcd5ce5c9696bd94219902b1
Opcode Fuzzy Hash: 9642e80b3f5d9024b8c2229e98025895c042b01b9918082f9f643c502306ae4e
Instruction Fuzzy Hash: C5523430A1CA4A4FEB59EB2C94956B977E1FF95350F0401B9D48EC72D6DF28AC02C786

Function 00007FF8880B01BA Relevance: 3.9, Strings: 3, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

"%_L, xrefs: 00007FF8880B01D2
r6B, xrefs: 00007FF8880B0804
r6B, xrefs: 00007FF8880B07E9

Memory Dump Source

Source File: 00000000.00000002.2647129402.00007FF8880B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8880b0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID: "%_L$r6B$r6B
API String ID: 0-1576644161
Opcode ID: d1040a523c6d161c409c7111ceebdd12b3e7d6268871f948fc8467e7dedcec08
Instruction ID: de29e882fa76c70483d9e282d2b745807f73202ec8b28a7652b263ecbfeaca25
Opcode Fuzzy Hash: d1040a523c6d161c409c7111ceebdd12b3e7d6268871f948fc8467e7dedcec08
Instruction Fuzzy Hash: BD317571E2DA854FE7599B6C58262B477D0FF55220F5401BED08EC32E3EE189C42C74A

Function 00007FF887FF2440 Relevance: 3.5, Strings: 2, Instructions: 1035
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 00007FF88800AC99
b4B, xrefs: 00007FF88800AD6A

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID: b4B$d
API String ID: 0-1886680559
Opcode ID: 7c2a163c145901d757bb826f989e331dd9fd6005c52fe4cb80b7fcad05533efe
Instruction ID: 7b610e7309d944d092004b1b3ff43cd4bb7a6b9dee11303e3089200f09379504
Opcode Fuzzy Hash: 7c2a163c145901d757bb826f989e331dd9fd6005c52fe4cb80b7fcad05533efe
Instruction Fuzzy Hash: E262A030A1CA4A8FDF98EF18D485AA977E1FF98390F144179D44EC7296DE34E842CB85

Function 00007FF888001898 Relevance: 3.1, Strings: 2, Instructions: 588
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

)%_^, xrefs: 00007FF888001B01
+%_^, xrefs: 00007FF888001901

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID: )%_^$+%_^
API String ID: 0-1456514085
Opcode ID: 2edc5d6d4ff3af2bbffeca663949f0b93b1adbdff6b6c1f6f5ab861e231e71d9
Instruction ID: 56bc9e54a9dee4e43ac20246ad765adb91e38c4eb815b854a73c1b465cd725e6
Opcode Fuzzy Hash: 2edc5d6d4ff3af2bbffeca663949f0b93b1adbdff6b6c1f6f5ab861e231e71d9
Instruction Fuzzy Hash: C2120A72C0D6D68BE71166B8E8521F87B90EF022A5B0845BAD0ADCB0D3DE2C5447C76B

Function 00007FF8880066ED Relevance: 2.8, Strings: 2, Instructions: 341
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0XL, xrefs: 00007FF88800E7DD
=$_L, xrefs: 00007FF88800E770

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID: 0XL$=$_L
API String ID: 0-2954678228
Opcode ID: 84144b79b679bd8ddc3556ba5d5fa36cb8c1465aabe0e1c3af597a019a65c27c
Instruction ID: cb5024b6ff684e3609956ed08637a5d7fe519e61cc99bfba3c70ae98fe3f06b3
Opcode Fuzzy Hash: 84144b79b679bd8ddc3556ba5d5fa36cb8c1465aabe0e1c3af597a019a65c27c
Instruction Fuzzy Hash: D8B1D230A08A494FEB58DB68D8557ADB7E1FF99340F1042BED04DD7293DE38A846CB41

Function 00007FF888009B59 Relevance: 2.8, Strings: 2, Instructions: 326
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6B, xrefs: 00007FF888009BF9
0WL, xrefs: 00007FF888009C8F

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID: 0WL$r6B
API String ID: 0-2519502798
Opcode ID: 8da42c849d1f27ccc91eb3246e23eadbeab581f1c3b0f53ad472f4d293f678dc
Instruction ID: 7cc3278fb790c97333011f21e2123ab5875d1721bb1f7e076769645d738382a2
Opcode Fuzzy Hash: 8da42c849d1f27ccc91eb3246e23eadbeab581f1c3b0f53ad472f4d293f678dc
Instruction Fuzzy Hash: 8AA13572D1DA864FE716A7B8A4456F8B7D0FF413A0B0841BAD04ECB1D3DE2C68468797

Function 00007FF8880B0718 Relevance: 2.6, Strings: 2, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6B, xrefs: 00007FF8880B0804
r6B, xrefs: 00007FF8880B07E9

Memory Dump Source

Source File: 00000000.00000002.2647129402.00007FF8880B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8880b0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID: r6B$r6B
API String ID: 0-2860294223
Opcode ID: 0a621bf3d0e2951f2ff1c961cbf9cb97b606c99085a361543b05e469f73c0c46
Instruction ID: da28eb49a0d4325409f9691fa04a6bfa59041f628c79bb88d3519c796f9d1989
Opcode Fuzzy Hash: 0a621bf3d0e2951f2ff1c961cbf9cb97b606c99085a361543b05e469f73c0c46
Instruction Fuzzy Hash: E4315B61F6DB454FE698966C5816374B7C1FF25360F5402BED08EC32E2EA186C42CA86

Function 00007FF887FFFFA7 Relevance: 1.8, Strings: 1, Instructions: 553COMMON

Download Yara Rule

Strings

=%_H, xrefs: 00007FF888000170

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID: =%_H
API String ID: 0-1487401810
Opcode ID: 29a80250451d093901a8a874cd55a713dd42a163151d2fc7624106e29186264f
Instruction ID: 8affd45e38bd02ffacada1b0b27851e62bb54e554ed14205116371f7a6edee6c
Opcode Fuzzy Hash: 29a80250451d093901a8a874cd55a713dd42a163151d2fc7624106e29186264f
Instruction Fuzzy Hash: A202133091DA8A8FEB95E728C4516A9B7E1FF54350F2481BAC04ECB1D6CF38E846C381

Function 00007FF88800F859 Relevance: 1.7, Strings: 1, Instructions: 419COMMON

Download Yara Rule

Strings

0#L, xrefs: 00007FF88800F9C0

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID: 0#L
API String ID: 0-2519268996
Opcode ID: d164043a0c8550321eab112e5f12503064941105d66e96fb12b71ce1e9c26f7c
Instruction ID: d5526f2098521aac4ceb3171fb188e2a39db5727caccb3689f22732d7962bc53
Opcode Fuzzy Hash: d164043a0c8550321eab112e5f12503064941105d66e96fb12b71ce1e9c26f7c
Instruction Fuzzy Hash: D4C14A306189098FEF98EB2CC499A7977E2FF99350B5400B9E44EC72E6DE29EC41C745

Function 00007FF888012CC5 Relevance: 1.7, Strings: 1, Instructions: 418COMMON

Download Yara Rule

Strings

0WL, xrefs: 00007FF888012EB7

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID: 0WL
API String ID: 0-2591733899
Opcode ID: 9ed34fe48a95b926dac10321a2a87aa9c3171d3c6ed53a6fa0bfbc937e5d244d
Instruction ID: 86679034fc4e62eeecedbeb973ce85febe0ec52f58ce7daad94e1bcfdb6d0ac2
Opcode Fuzzy Hash: 9ed34fe48a95b926dac10321a2a87aa9c3171d3c6ed53a6fa0bfbc937e5d244d
Instruction Fuzzy Hash: 99C12735A0CA4A8FEB59EB28D4556B937E1FF553A0F0501B9D44EC72D6EF38A802C784

Function 00007FF887FFA659 Relevance: 1.7, Strings: 1, Instructions: 401COMMON

Download Yara Rule

Strings

D, xrefs: 00007FF887FFA8CB

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: 3d1df193548b845e1efe4d8690a73b0bc7c3eaa0902a63e250c770b56014b578
Instruction ID: 316f239b35d31cd9a5b8dba52aa420fa550e25789ded40b73db03fa6ade3059b
Opcode Fuzzy Hash: 3d1df193548b845e1efe4d8690a73b0bc7c3eaa0902a63e250c770b56014b578
Instruction Fuzzy Hash: DCD18131A18A098FDBA8EB28D455BBD77F1FF99340F1541B9D04EC7292DE38A842CB41

Function 00007FF887D736A9 Relevance: 1.6, APIs: 1, Instructions: 135fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32 ref: 00007FF887D73787

Memory Dump Source

Source File: 00000000.00000002.2643806293.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887d70000_BJtvb5Vdhh.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 9d8f35b2e17e063f34bc96a05dd4cabf49827464ca86b5504674db02dd86a83c
Instruction ID: b24addf0670afe33c008aabee73ae3b43af3c45ce40a99f56b9ef558899f455d
Opcode Fuzzy Hash: 9d8f35b2e17e063f34bc96a05dd4cabf49827464ca86b5504674db02dd86a83c
Instruction Fuzzy Hash: B741F77280CA9D9FDB15DB6888496EDBBF0FF56360F04826FD04DC7592DB246846C782

Function 00007FF887FFC425 Relevance: 1.6, Strings: 1, Instructions: 360COMMON

Download Yara Rule

Strings

`%_H, xrefs: 00007FF887FFC46D

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID: `%_H
API String ID: 0-1639982125
Opcode ID: f145c27fe61d98d0ce11e7ed1ccd8dbd2771f23aa4ba1f176536caff8eee7d0d
Instruction ID: 56c87f09ed5090b5885f5c0cefc19e8c2924ca4ecb47b19ca07b290d31d804f4
Opcode Fuzzy Hash: f145c27fe61d98d0ce11e7ed1ccd8dbd2771f23aa4ba1f176536caff8eee7d0d
Instruction Fuzzy Hash: 75B1E671E58E494FE7D8EA2890557B973E2FF98794B14017EC40EC729BDE28A842C741

Function 00007FF887D736ED Relevance: 1.6, APIs: 1, Instructions: 107fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32 ref: 00007FF887D73787

Memory Dump Source

Source File: 00000000.00000002.2643806293.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887d70000_BJtvb5Vdhh.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 071e6832c64394cc39905b3e2730c8560b8b8b93a2d445c965cd9855704976ed
Instruction ID: 98b288b042cea0c496c9903e075435944f8b6fe75cd70ed283b1ed4696266390
Opcode Fuzzy Hash: 071e6832c64394cc39905b3e2730c8560b8b8b93a2d445c965cd9855704976ed
Instruction Fuzzy Hash: 1D31C13180CA5C8FDB19DB98C8496EDBBE0FF65320F04422BD04AD3552DB34A845CB82

Function 00007FF887FF6D81 Relevance: 1.6, Strings: 1, Instructions: 322COMMON

Download Yara Rule

Strings

0WL, xrefs: 00007FF887FF6F96

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID: 0WL
API String ID: 0-2591733899
Opcode ID: 291c9fc6c895ebd2c4a67f5e4cf60c55c25b4ce5279c46405052ff82233fab7d
Instruction ID: 6464861d345772b82ad6941ad905691b5052bd1ad2a4b1024a7ae8416953fd5d
Opcode Fuzzy Hash: 291c9fc6c895ebd2c4a67f5e4cf60c55c25b4ce5279c46405052ff82233fab7d
Instruction Fuzzy Hash: D591D161A18A4A4FE795EB3C94597B937F2FF9A780B4410BDD04EC7297DE29AC028341

Function 00007FF88800A9C1 Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

d, xrefs: 00007FF88800AC99

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 63fa167065695ece6f031e81b71f7de3fdffd7b60c16fa4b7357226e9c879080
Instruction ID: a7bdf75f95974cec7e7d2bbaf4d876fbaceb2cdb303e5f0ed2d7e31601749c2b
Opcode Fuzzy Hash: 63fa167065695ece6f031e81b71f7de3fdffd7b60c16fa4b7357226e9c879080
Instruction Fuzzy Hash: 4BA1BC30A1CA498FDB58DF08C485A7673E1FF99345F2485BDD84AC7286DA39E843CB85

Function 00007FF888010C6D Relevance: 1.6, Strings: 1, Instructions: 315COMMON

Download Yara Rule

Strings

0WL, xrefs: 00007FF888010F01

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID: 0WL
API String ID: 0-2591733899
Opcode ID: 62da13831179f21447b19d137ba0c643f8b67202bbaf79f79bd5a216538d08aa
Instruction ID: 53a2e96c07b71f920612bb8f6bd19cf45bfddf7394d2c92d6d159b8f125df37a
Opcode Fuzzy Hash: 62da13831179f21447b19d137ba0c643f8b67202bbaf79f79bd5a216538d08aa
Instruction Fuzzy Hash: D791057590D6868FEB659738541A2A87BE0FF56360F1940FAC0C9CB1E3DA2C6807C345

Function 00007FF888008E7E Relevance: 1.6, Strings: 1, Instructions: 311COMMON

Download Yara Rule

Strings

0WL, xrefs: 00007FF888010F01

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID: 0WL
API String ID: 0-2591733899
Opcode ID: ffd23b8e4a23022543fd026b3ce25d4d8aee36547c0048b67a2a0d17cfdbc80f
Instruction ID: e304bd8057e22bd68309d927bb246d719e5ffe98384d94007ccd86cf0a52f2b7
Opcode Fuzzy Hash: ffd23b8e4a23022543fd026b3ce25d4d8aee36547c0048b67a2a0d17cfdbc80f
Instruction Fuzzy Hash: C391E630A0DA854FD796E77C94556697BE1FF8A360B1901FEE08DC72E7CA289C42C346

Function 00007FF887FF2D79 Relevance: 1.5, Strings: 1, Instructions: 297COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF887FF2FC6

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 7d958a09668ef18ea0b897d9783da30bd24a0e7a5e503a9d8c88eb29c7c3328b
Instruction ID: 583bd9442c3ffd65666b327413cc73bbd5800b957c15789f94a5abf6737ed8ef
Opcode Fuzzy Hash: 7d958a09668ef18ea0b897d9783da30bd24a0e7a5e503a9d8c88eb29c7c3328b
Instruction Fuzzy Hash: 3A916472A4DA8A8FD395EB2994556AD7BF0FF4536070441FAD04DCF2A2DE2C9C86C701

Function 00007FF887FF3FA6 Relevance: 1.5, Strings: 1, Instructions: 280COMMON

Download Yara Rule

Strings

@, xrefs: 00007FF887FF44B7

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 76f95e39e159b8a95fd58b7a4f586503e96ac370f7b10bdc22bd3f1285b4aaea
Instruction ID: bce14ab6e6962f465fe9165b736fc751d18d1f181f108278710201c4defbedba
Opcode Fuzzy Hash: 76f95e39e159b8a95fd58b7a4f586503e96ac370f7b10bdc22bd3f1285b4aaea
Instruction Fuzzy Hash: 1081E371B4D60A4FE3A4EA19944637D77E1FF85790F14027ED88ED72D6DE28A842C382

Function 00007FF8880017E5 Relevance: 1.5, Strings: 1, Instructions: 239COMMON

Download Yara Rule

Strings

+%_^, xrefs: 00007FF888001901

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID: +%_^
API String ID: 0-3640741440
Opcode ID: fcfce624d3f9399bd7848c73a97aa6b65266216aef6b7e4319e7f1b37e3a6f45
Instruction ID: b31d7bff0ec6be2f1aa4b8be6dab7d4d81416fd3761dd3013f6e6d010a17fc28
Opcode Fuzzy Hash: fcfce624d3f9399bd7848c73a97aa6b65266216aef6b7e4319e7f1b37e3a6f45
Instruction Fuzzy Hash: 3B81A376C4D1D24AE30177F8E8562FDBB609F022A5B0C45B6D0EE8A0D3DD1C25878AA7

Function 00007FF888002139 Relevance: 1.5, Strings: 1, Instructions: 235COMMON

Download Yara Rule

Strings

"%_^, xrefs: 00007FF888002201

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID: "%_^
API String ID: 0-2752053706
Opcode ID: 84c3e87454989c64b0b405d18c07fd231b8b4b0cbe93b3a94cf4dca0263241fb
Instruction ID: c57f2d0f7d9b4ea974a500602f0ffc546fd775e9d229ca4dd971bf70aab7fcde
Opcode Fuzzy Hash: 84c3e87454989c64b0b405d18c07fd231b8b4b0cbe93b3a94cf4dca0263241fb
Instruction Fuzzy Hash: 4871D43281C6D94FDB45BBA8E8522E97B60EF15354F0845B6D06DCB0D3CE2CA846CB97

Function 00007FF88800AE7D Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

0WL, xrefs: 00007FF888012EB7

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID: 0WL
API String ID: 0-2591733899
Opcode ID: 559cf890f781cf29ebc7faff15aca20fd47cbee64f56ec681b18eb603ae7e3d3
Instruction ID: 51fe241b164486915bc3ea88f0ee9e485c731e294a97356ee38be2ca07145578
Opcode Fuzzy Hash: 559cf890f781cf29ebc7faff15aca20fd47cbee64f56ec681b18eb603ae7e3d3
Instruction Fuzzy Hash: 4F61C235A0C9498FDF95EB289854AA837E1FF59790F0901BAD44DC72D6DF38AC41C784

Function 00007FF888002150 Relevance: 1.4, Strings: 1, Instructions: 174COMMON

Download Yara Rule

Strings

"%_^, xrefs: 00007FF888002201

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID: "%_^
API String ID: 0-2752053706
Opcode ID: 62f556a82002d093c7104ebd3b081b23c0976023dc1dd279503ef760a8bb8781
Instruction ID: ad1b3024b816701827c02453441e9c3f1b5010f2c6224cecab289d7966336bf6
Opcode Fuzzy Hash: 62f556a82002d093c7104ebd3b081b23c0976023dc1dd279503ef760a8bb8781
Instruction Fuzzy Hash: A251A132C5859A4BDB44FFA8E8526FDB760AF14358F084575E06ECB093CE2CA542CB97

Function 00007FF888001148 Relevance: 1.4, Strings: 1, Instructions: 174COMMON

Download Yara Rule

Strings

K3, xrefs: 00007FF88800116E

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID: K3
API String ID: 0-411264050
Opcode ID: d86b0ec0f94829705778cc0236157a90ed6f6de8279c01f719baeddf65bd7fcb
Instruction ID: d28d8af546f838be6e043d61bd246522dd07739d93491ca645d865dc1fddb063
Opcode Fuzzy Hash: d86b0ec0f94829705778cc0236157a90ed6f6de8279c01f719baeddf65bd7fcb
Instruction Fuzzy Hash: E6511732A1C9994FEB55BBA8A8562FD7390FF45364F440176E45EC7183CF2CA8028796

Function 00007FF887FFCDE9 Relevance: 1.4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

Strings

0DL, xrefs: 00007FF887FFCE0A

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID: 0DL
API String ID: 0-3174716889
Opcode ID: 948a9f2f00ab30a99055ed95184b7115eabcb7be546d8693f3169513bb33b5ca
Instruction ID: 14babe6ef19e3bf7b925dda9b9b816a180d4ea8b2b257e86376d9226a52df3ed
Opcode Fuzzy Hash: 948a9f2f00ab30a99055ed95184b7115eabcb7be546d8693f3169513bb33b5ca
Instruction Fuzzy Hash: 4C413732D4CA964FD3AACB2998652F87BF1FF55750B0841BEC04DC7197DE18A849C382

Function 00007FF887FF20E2 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

#&_^, xrefs: 00007FF887FF2101

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID: #&_^
API String ID: 0-519297270
Opcode ID: 031c776292cf364dbf988bdfd0400065d8e915e4870a533925d0fa7fe16d7c7a
Instruction ID: faf97aa68cbbceaa1952e7f9793e1395b3f34ff2313358744f6859c842572ba1
Opcode Fuzzy Hash: 031c776292cf364dbf988bdfd0400065d8e915e4870a533925d0fa7fe16d7c7a
Instruction Fuzzy Hash: 0C312937E485654AD300BABDF4855FCB390EF853767088277C1DCCA083DE2C65868AE6

Function 00007FF887FF20D7 Relevance: 1.4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

#&_^, xrefs: 00007FF887FF2101

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID: #&_^
API String ID: 0-519297270
Opcode ID: 031805555daf28828c1ab97e35f52c647c3b813a02e9d913ac0dfe5f84f03a69
Instruction ID: 13f67124668cb7cdc7c6e91fb9c1086c7a450d7894100657b2439e1bc9d42978
Opcode Fuzzy Hash: 031805555daf28828c1ab97e35f52c647c3b813a02e9d913ac0dfe5f84f03a69
Instruction Fuzzy Hash: 2D312837B485694AD300BABDF8855FCB790EF853767084277C1D8CE083DE1C65868AE6

Function 00007FF887FF20CF Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

#&_^, xrefs: 00007FF887FF2101

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID: #&_^
API String ID: 0-519297270
Opcode ID: e15146199637ae8bce55355d75f86dfa944c7bb05374e5879571b28fc64b2170
Instruction ID: 63607721fe3ec18421b0251df8a9710ad1320917287351ec303d8abc676a91d2
Opcode Fuzzy Hash: e15146199637ae8bce55355d75f86dfa944c7bb05374e5879571b28fc64b2170
Instruction Fuzzy Hash: 4F315B37E4856A4AD3007ABDF8855FCB790EF853757084277C1D8CE083DD1C61868AE6

Function 00007FF8880010F2 Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

K3, xrefs: 00007FF88800116E

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID: K3
API String ID: 0-411264050
Opcode ID: d055f80661d222a72874fa1650acdbd9857e9bc1a746f091cdfb623e9966bb1e
Instruction ID: bf73cbb2aa5fa2382bcbc846873b2bc69e2a8a015b60569a2c3e6c011c394e84
Opcode Fuzzy Hash: d055f80661d222a72874fa1650acdbd9857e9bc1a746f091cdfb623e9966bb1e
Instruction Fuzzy Hash: B841C832D4C5990BDB01BBA8F8522FD7760EF45364B044577E06ECB093CE2C6846CAA7

Function 00007FF887FF2EEE Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF887FF2FC6

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: f882c987eef06551799b7ce2f5a811a11039fc4ddb19f73a8333b1362384d99a
Instruction ID: 728dd415e4685356b83a26ead5728ea37ac32c68dff0abf6d120f7a86f8d4171
Opcode Fuzzy Hash: f882c987eef06551799b7ce2f5a811a11039fc4ddb19f73a8333b1362384d99a
Instruction Fuzzy Hash: 8331533194EA864FD38A9B3888955697BF0EF47260B0981FEC44ACF1A7CD2D5C86C301

Function 00007FF887FFD9F4 Relevance: 1.4, Strings: 1, Instructions: 104COMMON

Download Yara Rule

Strings

r6B, xrefs: 00007FF887FFDA7A

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID: r6B
API String ID: 0-2624010786
Opcode ID: 5987d78397460ab5f85a0b19844b59ac8c30c9da921e607a41f965e060e59c38
Instruction ID: e6cd3977ef35a91f8eaee02cf87290472053d1b669bb972c550f4aa20db38b5f
Opcode Fuzzy Hash: 5987d78397460ab5f85a0b19844b59ac8c30c9da921e607a41f965e060e59c38
Instruction Fuzzy Hash: 35216831E0DA080BE3189A2DA8561B4BBE1FF85760B1942BFD04EC7383DD2DAC438385

Function 00007FF887FFCA76 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

Y%_H, xrefs: 00007FF887FFCB6E

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID: Y%_H
API String ID: 0-3974337286
Opcode ID: b194b73f9e02b2916525b21adf51a97e9d1dcfcc32718d4d3e3314731b2ba544
Instruction ID: bcc5a2380098fbafb11c5f6b5ee13dadd99740b57f55c3956669c0a60ad791a7
Opcode Fuzzy Hash: b194b73f9e02b2916525b21adf51a97e9d1dcfcc32718d4d3e3314731b2ba544
Instruction Fuzzy Hash: 8F313671D5898A8FEB89EB78985A2BDB7F1FF94740B4444B9D05EC71D2DE2C6806C302

Function 00007FF8880015B0 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

`mL, xrefs: 00007FF888001609

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID: `mL
API String ID: 0-2103775323
Opcode ID: 2c049efdf80f41be6d1a5a1d527d754aac4ecc1aab08726c938b6e169d470059
Instruction ID: 2088820ca93de80c1d2f7b67756731f17344b877a1a0f0d1cb8bc016963470ad
Opcode Fuzzy Hash: 2c049efdf80f41be6d1a5a1d527d754aac4ecc1aab08726c938b6e169d470059
Instruction Fuzzy Hash: BE110A31A18D498FDB98EB38D495A65B7E1FF58340B4805BCD44EC72D2DE2CE845C741

Function 00007FF88800159D Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

`mL, xrefs: 00007FF888001609

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID: `mL
API String ID: 0-2103775323
Opcode ID: fcf6ed190f7949e04bde766a3d9e5d90b9e5f444f1f20c678f57f70e5b792655
Instruction ID: 23e8baba88f6beb030fa7534d1f842d9431bc689133aeab6a20c06e0cbe71729
Opcode Fuzzy Hash: fcf6ed190f7949e04bde766a3d9e5d90b9e5f444f1f20c678f57f70e5b792655
Instruction Fuzzy Hash: 6E11E631918A898FDB99EB388495A657BA0FF54340B0804ECD44ECB2D3DE28E804C705

Function 00007FF888012356 Relevance: .8, Instructions: 775COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37f9bdbef774a5946fa89f4a1c1d09e7acc83694afa1daada0675d7b99b7db31
Instruction ID: df1a99b037fd39a784cb5e8fe5d4d3005cb90241003c39c80e37511e121bfdeb
Opcode Fuzzy Hash: 37f9bdbef774a5946fa89f4a1c1d09e7acc83694afa1daada0675d7b99b7db31
Instruction Fuzzy Hash: CD32C070A18A598FEB98EB2C98557A977E1FF98350F0041BDD04EC7296DF38AC42CB45

Function 00007FF88800D411 Relevance: .7, Instructions: 742COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbe31cda9c10f633823d4ab6cd45759781987cb40dceab11006f2d488e2d5ab6
Instruction ID: 7d3f75ca0b2dc328f1f5e1d0669d79ee6397f48f9fec01da80f43150eec80063
Opcode Fuzzy Hash: dbe31cda9c10f633823d4ab6cd45759781987cb40dceab11006f2d488e2d5ab6
Instruction Fuzzy Hash: 0C323D31A1894D8FDF98EF28C495AA977E1FF59384F1402A9E84DC72D6DB34E842C784

Function 00007FF8880020BD Relevance: .7, Instructions: 666COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d4aef31d4e9b9fe2bcabac727e0ca8ec46e07db5fb4aca5eece4e16fd180d86
Instruction ID: cc16d9e48004bc6e558e1917e2cf685645dc5d81796d42ceedbaa0b355ba2367
Opcode Fuzzy Hash: 4d4aef31d4e9b9fe2bcabac727e0ca8ec46e07db5fb4aca5eece4e16fd180d86
Instruction Fuzzy Hash: 2222AE31A08A5E8FDF94EB28D455AAD77E1FF99350F0401B9E40DD7292DF38A842CB85

Function 00007FF887FF8C79 Relevance: .5, Instructions: 492COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16ee824d0fc203940eea8a51300b5f74ca0f44537c791d0121334c814791e800
Instruction ID: a43e34da2eeef929fd2dfdff34af71dceb53c1e30ead2561ee2b2b032472540c
Opcode Fuzzy Hash: 16ee824d0fc203940eea8a51300b5f74ca0f44537c791d0121334c814791e800
Instruction Fuzzy Hash: D5F1F030A08A494FEB98EA2984557BDB7F1FF99350F1441BED48EC72D2DE38A842C741

Function 00007FF88800EFA0 Relevance: .4, Instructions: 442COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d47d87bea96dca75c37049d03569d0e494e10e5171c162bccb0b429b6850a44e
Instruction ID: 4e6b45f45a3cbac2a449d998fcf5ae8043b9330d12be35bc31763e3de47e1d69
Opcode Fuzzy Hash: d47d87bea96dca75c37049d03569d0e494e10e5171c162bccb0b429b6850a44e
Instruction Fuzzy Hash: 61C1F761B0CA494FEBA9962C94553B837D2FF99791F1801BAD04EC73D7DE2CAC428349

Function 00007FF888014A39 Relevance: .4, Instructions: 417COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dd881c9e4f0939ee1f25cdc2bf7c8afedc76ac7d62758a3153dc7fe12130062
Instruction ID: d4d31160daaaf4e24769329fcc7a85ea48d9a842ced9a7dccc40f4c2394dbd83
Opcode Fuzzy Hash: 4dd881c9e4f0939ee1f25cdc2bf7c8afedc76ac7d62758a3153dc7fe12130062
Instruction Fuzzy Hash: 12C18030B18A098FEB98EB6C9455BB977E1FF99750F104179E04EC72D2DE28AC428785

Function 00007FF888012399 Relevance: .4, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 814e4db080961be85b5f856e91b1e9bd23666d931458861c6a02db8504e29aeb
Instruction ID: c9975289c8129bf8be7b2f9d7b63d2ec7db7a755902be7662ec9b1955341ae31
Opcode Fuzzy Hash: 814e4db080961be85b5f856e91b1e9bd23666d931458861c6a02db8504e29aeb
Instruction Fuzzy Hash: 60C18030A18A498FDF98EB28C455BA977E1FF59350F0041AAD44DD72D6DF34AC82CB85

Function 00007FF888007CF6 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0924cb750215bd2525209d2231062594ea6799420b7088d6e047863c694a4ec5
Instruction ID: 01275b90be0ec03a26c809869faf21222d140ff303626c2da896a82e503a9894
Opcode Fuzzy Hash: 0924cb750215bd2525209d2231062594ea6799420b7088d6e047863c694a4ec5
Instruction Fuzzy Hash: 0EC1B330608A8D4FEBA8DF28D8557F937D1FF55350F04426AE44EC7292CB39A945CB86

Function 00007FF88800C295 Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cf5f07024cc122bf97a7bf1cf0f06c76f24f011f602ef76fb95384730349048
Instruction ID: 22772a896cd9ecdb6c9a4cca8c1f97458d5ca55ffb1a5094da80f72beb3b8235
Opcode Fuzzy Hash: 6cf5f07024cc122bf97a7bf1cf0f06c76f24f011f602ef76fb95384730349048
Instruction Fuzzy Hash: 70B1167190DA894FEBA5D73888566A93BE1FF56360F1901FAD04DCF2E3DB285806C742

Function 00007FF887FF3180 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a524d999c4917565207da1961839d99672c93653eac81e2f49b09d96af4d9564
Instruction ID: 67bb16604f496d8547aa800a0c1015b90aa2391dafb257fef852cdbb9f20b831
Opcode Fuzzy Hash: a524d999c4917565207da1961839d99672c93653eac81e2f49b09d96af4d9564
Instruction Fuzzy Hash: D6A19D31A4CA4A8FDB98EB69D4512BD77F1FF88390F14417DE45EC7286DE28A802C741

Function 00007FF88801572C Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c557078a846808d0fd04c2450652f86c573ab46ef95c16a5442eed6d9a541915
Instruction ID: 86ba7a51e4dfc45b320f35535bbec24c5fdb5a86b01161d4e91372c41e602d2d
Opcode Fuzzy Hash: c557078a846808d0fd04c2450652f86c573ab46ef95c16a5442eed6d9a541915
Instruction Fuzzy Hash: FE918C34B09A198FEB88EB6894556BD77E2FF88360F504179D04EC72D6CF38A842C785

Function 00007FF887FF34A1 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6b755170ab3af5a37c9a34b2d71830ffbdd41e77a3fde73ba22c6b34a570781
Instruction ID: 92bc144fb890d99ab4bb3ede9cc027994e71822a008c3ac332cf13c0d9136cca
Opcode Fuzzy Hash: e6b755170ab3af5a37c9a34b2d71830ffbdd41e77a3fde73ba22c6b34a570781
Instruction Fuzzy Hash: 07913531A4DB898FD7A5EB7984156B9BBF0FF95350B0941BEC04EC7293DE28A845C341

Function 00007FF88800B92D Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afb21fc1d78ef62fe6b0b685931d10d67d74c6403931ea81f7b4b126a9b6cfed
Instruction ID: 5f6f22e4708a675c7a724524a64f0393cd5ed0702cf6769b5e691ee79aeec03f
Opcode Fuzzy Hash: afb21fc1d78ef62fe6b0b685931d10d67d74c6403931ea81f7b4b126a9b6cfed
Instruction Fuzzy Hash: 3191AF34A1C94A8FEF98EB6894966B977E1FF59350F0401B9D00EC72D7DF28A842C785

Function 00007FF88800D8DF Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b305cbcd5c0838aba0ca7777746514c6e147c9c98c2f3b65238faf1addb6942b
Instruction ID: 77bfd2e1790987559fc96b33d91092b28b48663d9ebca3f5a1ad3c6d6f7a63c2
Opcode Fuzzy Hash: b305cbcd5c0838aba0ca7777746514c6e147c9c98c2f3b65238faf1addb6942b
Instruction Fuzzy Hash: 2F914D31A0894D8FDF85EF28D495AA977E2FFA9344F1501A9E40DC7296CE35EC82CB40

Function 00007FF8880B2152 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2647129402.00007FF8880B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8880b0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5b524e0e1e919f713014d118ba1f005ac2b8590d11ac76d0abcbe567353a5a1
Instruction ID: 4c351f78263ad00e979b39f9a64a8498769508762ff3aa3ee89a472565626336
Opcode Fuzzy Hash: d5b524e0e1e919f713014d118ba1f005ac2b8590d11ac76d0abcbe567353a5a1
Instruction Fuzzy Hash: 0881AF11B28E460FEB85A75D84A637966D2FFA9780F844179D10DC32CBDE2DEC02C35A

Function 00007FF8880138B4 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15a43b401d969a6b861c867a715836da0937f8f0f5986fa9eab99db57cd1c7c2
Instruction ID: 55987cd72e6c952fa74e0913b53ca676786daf9c18581744c0b591939d53970e
Opcode Fuzzy Hash: 15a43b401d969a6b861c867a715836da0937f8f0f5986fa9eab99db57cd1c7c2
Instruction Fuzzy Hash: 96816E34B18A1A8FEF98EB289495AB973E1FF59350F400179D04EC72D6CF28E841C785

Function 00007FF888006C54 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4b76bb0acb1ddca6269719ceab832cbaf5c71adf2e87d08146ae788836dc514
Instruction ID: 605c2007c3584cec0fad47fb26ec3a43ecb58a59f0d7b99db9b1a2c8efcbc52f
Opcode Fuzzy Hash: c4b76bb0acb1ddca6269719ceab832cbaf5c71adf2e87d08146ae788836dc514
Instruction Fuzzy Hash: 94819E30E0865D8FDB58DF68C8457BDBBE1FB99350F14416EE49AD3292CE34A846CB42

Function 00007FF888014808 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47f9bdd95c7724021cc2ff21a77d5db8acaa5aad18d6e68270ca723c125baed4
Instruction ID: b132921799af20d1b699a19c9e8efa80634e77ef466552bb7dbe21b872f4ab94
Opcode Fuzzy Hash: 47f9bdd95c7724021cc2ff21a77d5db8acaa5aad18d6e68270ca723c125baed4
Instruction Fuzzy Hash: F771A220B1DA458FEB89DB2C9455A6477E2FF9A350F1501BAE04ECB2E3DE289C46C741

Function 00007FF888009FC8 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a9c62ac66fda885279dc5ce1797975e265256e817f5b4d72a841d5600436865
Instruction ID: a3d13a945a1f9bb349e69dc13dccee739a0dc36b93ccb73472360422599772da
Opcode Fuzzy Hash: 7a9c62ac66fda885279dc5ce1797975e265256e817f5b4d72a841d5600436865
Instruction Fuzzy Hash: 2A710522F0CE4B1FEB96966C54952B977E1FF99390B5401BAD009C72D6EF3CAC428385

Function 00007FF888001B28 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbfa86db1ad2a717349d848a9d36496761a4ad84493ba19b0b189f8b6e0d4b0f
Instruction ID: 23fa7c572475419cadac8d6aeeacb45aad7afb9b36fee1fe2e78ae2a8bf7fd6b
Opcode Fuzzy Hash: bbfa86db1ad2a717349d848a9d36496761a4ad84493ba19b0b189f8b6e0d4b0f
Instruction Fuzzy Hash: 4E812663D0D6C64BE711A6B8E8522F87B90EF463A5B0841BAC09DCB1D3DE1C6847C757

Function 00007FF8880B2194 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2647129402.00007FF8880B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8880b0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 755e865791e1601f217a9b27b958e433025a3441930bb2095b5e71711922e9ea
Instruction ID: 77caaad43a222f73e5c64d60739302e6750fb7f6ed8525441f11ac0c1043da9c
Opcode Fuzzy Hash: 755e865791e1601f217a9b27b958e433025a3441930bb2095b5e71711922e9ea
Instruction Fuzzy Hash: 17717211B28E1B4FEB85A75D8496779A2D2FFA8780F844179D10DC32CBDE2DEC018796

Function 00007FF888004BE0 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c8657c8e15a27d62fcd1d8042be6863d9cf2546e8105571225feffc130703dc
Instruction ID: 0cfe6a23fcbca018b21aed453eea89702d76d12c8f7a3ff57bf092a5d250b349
Opcode Fuzzy Hash: 0c8657c8e15a27d62fcd1d8042be6863d9cf2546e8105571225feffc130703dc
Instruction Fuzzy Hash: 01518F31908A5C8FDB94EB58D845BE9BBF1FF59310F0081ABD44DD3292DE34A984CB82

Function 00007FF888000007 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f49322814eec0c1668d2b9450a38f311964d3e2c62f340ec7778a0028771a79b
Instruction ID: 9664da0ee4203b5b89bd8d0d1d4b4f174f048fcb0f9c5c16fc1c0d31ccfac2ea
Opcode Fuzzy Hash: f49322814eec0c1668d2b9450a38f311964d3e2c62f340ec7778a0028771a79b
Instruction Fuzzy Hash: 79714F24A1C9478FEBA9D719C4907B5A2A2FF94385F748276C00EC65DADF38E881C785

Function 00007FF887FFD5B4 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8e774034b0d421a71cf08763df897f48d8c0cdd0fe761d0502b739e40e0a68e
Instruction ID: 180aed75120fbac8c98ae22aed6b082cb68b2511d78c0744facaa0cc7445e0bf
Opcode Fuzzy Hash: b8e774034b0d421a71cf08763df897f48d8c0cdd0fe761d0502b739e40e0a68e
Instruction Fuzzy Hash: 17518E71A1C9498FDB88EF6CD458BA977E2FF98354B0442B9E04EC7296CE24EC41C781

Function 00007FF887FF3751 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88b51263f0922d1baf474619ec911106446db91afa4db6156885074709b6cc7c
Instruction ID: 557f96f6be82290097329fdada1494811e15d4beba35340dd25dce4c3b72f9cd
Opcode Fuzzy Hash: 88b51263f0922d1baf474619ec911106446db91afa4db6156885074709b6cc7c
Instruction Fuzzy Hash: 9C51457255C68A0FE756A67898052B97BE0FF473A4F1405BED8CEC7092DE1DA802C341

Function 00007FF887FF91FD Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bdf58c5c6984cab56d0e054bd3b49aed978f5aadf0ac23dd580ac2fd6cc7894
Instruction ID: aa9cd5f33f8e029827bff6d12253d29d66060c8aad2b9f83ccc4bea8700a3679
Opcode Fuzzy Hash: 2bdf58c5c6984cab56d0e054bd3b49aed978f5aadf0ac23dd580ac2fd6cc7894
Instruction Fuzzy Hash: F451E9206086464FE79CE62980593BDB7E2FFA8390F5441BDD88FCB6D7CD2CAC468255

Function 00007FF88800CE60 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f08bbe43284f8f3172360fb452121deaf3075a3b26964e5ba83adbfa65e570b
Instruction ID: c8754b243c216988b53997922ea6755aba8bd5b5632d8724a40bcaa8e1d1b57b
Opcode Fuzzy Hash: 4f08bbe43284f8f3172360fb452121deaf3075a3b26964e5ba83adbfa65e570b
Instruction Fuzzy Hash: D1415131B08D1C5FDB94EB6C94596ADB7F1FF58750F0402AAE00ED7296CE24AC41C785

Function 00007FF887FF4775 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14bf54543e1f77b9491e18f0e83a17b59670d55469c8d804c08b6f3d0027f958
Instruction ID: 379d582a2addd4d7db22e8e7052d5119f34454562bc319ea59b9aa9b18503935
Opcode Fuzzy Hash: 14bf54543e1f77b9491e18f0e83a17b59670d55469c8d804c08b6f3d0027f958
Instruction Fuzzy Hash: BE41143120D94A4FEBA0FE6CA455AB977E0FF09360B0500FAD489CB2A2DE19EC42C740

Function 00007FF888008C6B Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97715a71d09d58f5f105c08d3b68865b9e8b6e1c5974b4c8c1c6ef422445a698
Instruction ID: cc59c03edb953d3475eab1ce34e0ebcdae0c8105d219f1b1ed4b0e10042c7d77
Opcode Fuzzy Hash: 97715a71d09d58f5f105c08d3b68865b9e8b6e1c5974b4c8c1c6ef422445a698
Instruction Fuzzy Hash: 9451C370919A4E9FEB91EB7898196E87BE0FF19350F4401BAD40ADB2E2DF3C5841C705

Function 00007FF887FF9142 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b73c2252dd3042a2fa776adcf28ae1584c327c0f74644a052bc4f2a32fd41a8
Instruction ID: 51786a9c866740c57fc152ea824984348ff299487c3bf97a00f518b2fb43c005
Opcode Fuzzy Hash: 8b73c2252dd3042a2fa776adcf28ae1584c327c0f74644a052bc4f2a32fd41a8
Instruction Fuzzy Hash: 4A516220A086094FF758EA2A80557BD72E2FF98384F5481BCD88FC66D7CD2CA8858650

Function 00007FF888010061 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d3e34f5b4de8f00fff9e741e9e911c9d547e84680266f0431f127f66df722bc
Instruction ID: 1a70225be5607da28a5668cf0f9b6845ef949fd9079334c6888df6949da79706
Opcode Fuzzy Hash: 9d3e34f5b4de8f00fff9e741e9e911c9d547e84680266f0431f127f66df722bc
Instruction Fuzzy Hash: C251F83991DB85CFDB65DB2888065657BE0FF56350F2405B9D4CDC71E2DB38A80AC386

Function 00007FF887FFE3A9 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba50b423e46acd8650bd01d11b42ece3934933dbe8b0db46ba30ae70f59fcba3
Instruction ID: 63ff76e1c0f8980d79ac732fa22ac1627a4559f9244be1b906024d4ae1a2dd94
Opcode Fuzzy Hash: ba50b423e46acd8650bd01d11b42ece3934933dbe8b0db46ba30ae70f59fcba3
Instruction Fuzzy Hash: B74124A196DACA4FEF85EB7484461EA7BF0FF15254B0441BAE44AC719BDD2CA803C342

Function 00007FF888009441 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dfcc770f8a3944f92a285b9c3b7cb541490e35e7f100359c4b860113df194f3
Instruction ID: a023c466f199eb56b9c3ddee3432fcf3cac11c861b7015633579a4950f1bf7c0
Opcode Fuzzy Hash: 8dfcc770f8a3944f92a285b9c3b7cb541490e35e7f100359c4b860113df194f3
Instruction Fuzzy Hash: CE41733294D6864FEB56877894156E57BE0FF42361F4901FAD08ACB0E3CA2DAC83C341

Function 00007FF8880120A8 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03929d7506628ca19558f33edb5e8cf75e19609e87263a7697ff02c07d970f78
Instruction ID: 07bc56f7635d8632821e4f69008663bb91ff45e1da50fd3b21603a200914a266
Opcode Fuzzy Hash: 03929d7506628ca19558f33edb5e8cf75e19609e87263a7697ff02c07d970f78
Instruction Fuzzy Hash: F0510830A099198FDFA4EB288851BA8B3A1FF59350F4041E8D04DD72D6DF34AD86CB45

Function 00007FF8880089CB Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 591ad6a937c39a05fd0f653b7156c4aded6e4ab576b8d3cbf6e3209aac45b843
Instruction ID: 6f8d71c287bede3d5175532858c759f16554060b6b0651cd925b48ba7224bd6f
Opcode Fuzzy Hash: 591ad6a937c39a05fd0f653b7156c4aded6e4ab576b8d3cbf6e3209aac45b843
Instruction Fuzzy Hash: 4B417F70A19A4E8FEB94EBB8881A6B9B7E1FF45344F4444B9D40AD72E2DF3C9841C741

Function 00007FF888010501 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86d887eec5a95b0463c2904efed00bb8f9a65da97f4dfd61e1a3ab0bc6470b27
Instruction ID: 308cf019aba7a21c5ff0e49da36aabce897791ff8ef1758872acf1892d57d800
Opcode Fuzzy Hash: 86d887eec5a95b0463c2904efed00bb8f9a65da97f4dfd61e1a3ab0bc6470b27
Instruction Fuzzy Hash: 1D413871A0DA458FDB78DB2C8846AA97BE0FF59350F1402BDD48DC71D2DB38A906C785

Function 00007FF887FF7A72 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c3e29318d170b181a46f625eb71a79f362a1c34d16cda11f4539699957f3fae
Instruction ID: 0c916d313469ecef731b05329fcd134ac13ccfd3c00ad1030c8597625cd23f4f
Opcode Fuzzy Hash: 0c3e29318d170b181a46f625eb71a79f362a1c34d16cda11f4539699957f3fae
Instruction Fuzzy Hash: 7441F43050CB884FEB699F2D98156B9BBF0FF56350F59006EE48AC32A2CE24E842C751

Function 00007FF88800991A Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 231debcc74ff20ed10ef9af17b428250e806ab89bca0cc1cea5acbdefc9e3d7f
Instruction ID: 96c22651527df5964854fa8883fb63093b9391c5a2b108f78e06375091d1e4ed
Opcode Fuzzy Hash: 231debcc74ff20ed10ef9af17b428250e806ab89bca0cc1cea5acbdefc9e3d7f
Instruction Fuzzy Hash: 9641F431B19A498FDB85EB7CC859AA977F1FF99341B0401BAD04EC72A2CE34AC41CB40

Function 00007FF887FFD1F9 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0a2ce5ba0e0825ae34e7f6435ed22a953531aa27c53f5d0d24de0e35afb858f
Instruction ID: 6f080c7894c74acb94503963806c71b8a4c30f6d69b2cb6ead6d3b12c0d78056
Opcode Fuzzy Hash: d0a2ce5ba0e0825ae34e7f6435ed22a953531aa27c53f5d0d24de0e35afb858f
Instruction Fuzzy Hash: 56414A30A5DA8A8FDB99DF28C861BA937A1FF45344F4400B9E40ECB192DE29E845C741

Function 00007FF888012185 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d94c993bc709497f87b1e82e7df56c980698e5c4c6989c501d8c31d389b024ae
Instruction ID: d4bd54bbd494fc4edc1b6525747bb06db0e423442db3b3b0d201f4af8677209b
Opcode Fuzzy Hash: d94c993bc709497f87b1e82e7df56c980698e5c4c6989c501d8c31d389b024ae
Instruction Fuzzy Hash: C541E534A0991D8FDF98EB28C891BA8B3A1FF99350F1441A8D04DD7292DF34AD86CB45

Function 00007FF888013670 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25b7d7857c925da59130ca9eaa0599ef458ea29738100e3f8ed80701054fcf34
Instruction ID: 4ba959f3d1fbe8183e9cbb6a5a04b9235acd836050771163a8ace8538fadb9bb
Opcode Fuzzy Hash: 25b7d7857c925da59130ca9eaa0599ef458ea29738100e3f8ed80701054fcf34
Instruction Fuzzy Hash: 52310376B189068BEBA8E62C98496B573D1FF987A5F16017AD00DC76D1DF2CEC02C385

Function 00007FF888000C78 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e87fb94e413cd05f2f9896034e79234e291b7981b8e9c224025f3474b81643ba
Instruction ID: 48620d50b3ec27e2648ed3727a22f452e70b27ea1ddeb99afd6a8266cd2150a3
Opcode Fuzzy Hash: e87fb94e413cd05f2f9896034e79234e291b7981b8e9c224025f3474b81643ba
Instruction Fuzzy Hash: 4E31F332D0C6854FDB49EBA8E4152F9BBE0EF55354F08417FE0AEC6183CE289441875A

Function 00007FF887FF3780 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcc7323d0dc791e5297db00f0c85b652d13b50dbdd3c7215ac05fbb858ca460f
Instruction ID: 4c48c97011860c6ee20cf50274499fba77236113a49f072e353491ad53f7c59d
Opcode Fuzzy Hash: dcc7323d0dc791e5297db00f0c85b652d13b50dbdd3c7215ac05fbb858ca460f
Instruction Fuzzy Hash: A931F87155CA4A1FF785E678940967977E1FF46264B0105BDD88EC7152EE2DAC02C341

Function 00007FF887FF9000 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d7cb48380731e93e74483b22ab9d4c7afa7f8afcffddfeff25ddfeb4979b874
Instruction ID: da9cbe64a859f88990dc95e2182d5f31bcc279b580ddeec5bf61ef4e08ba5ff5
Opcode Fuzzy Hash: 5d7cb48380731e93e74483b22ab9d4c7afa7f8afcffddfeff25ddfeb4979b874
Instruction Fuzzy Hash: 80419D70A58B498FDB60DF2CC885A69BBF1FF69710F1401AAD489D7291CF34A845CB42

Function 00007FF887C5EA10 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2643462300.00007FF887C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887c5d000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33f4c5104798bcf5296ae6929c4aef02e5b17c88d31683d27cad42d284a37d98
Instruction ID: fbc205feb7df58474c223c9d258b8eef7c129b96dd8f19199d29b40ce1229cc6
Opcode Fuzzy Hash: 33f4c5104798bcf5296ae6929c4aef02e5b17c88d31683d27cad42d284a37d98
Instruction Fuzzy Hash: DA41BE7040DBC48FD75ADB38D8869563FF1FB56220B1506DFD088CB1A7D629A84AC792

Function 00007FF888008F1D Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5dbb4c8965eecd82e892a5743b5e3c72299309fd51e0f24b87d362eb8cdad14
Instruction ID: 118a8d8f05ef41a5f0119f191660d7aab8dc78ae463ab26242b70504dbd048bb
Opcode Fuzzy Hash: f5dbb4c8965eecd82e892a5743b5e3c72299309fd51e0f24b87d362eb8cdad14
Instruction Fuzzy Hash: DD417170A19A4A8FDB95EBB888596B977F1FF05340F4404BAD00AD72E2DB7C9841C745

Function 00007FF88801332D Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6af846f83efabe822588e99a73715f6bda7e6d26b9557fabd5ada65311dd891
Instruction ID: 38e27084985433983e17386886d6042df5e27e620b6a41a4c5ab7a8a86bc8540
Opcode Fuzzy Hash: a6af846f83efabe822588e99a73715f6bda7e6d26b9557fabd5ada65311dd891
Instruction Fuzzy Hash: 0431D53070CA499FDB85EB2C9495AA57BD1FF99351F0502BEE04DC72A6CE38D882C785

Function 00007FF88800AF99 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb107694e0c7239ed491dda190f8a1a8ab204295816a726707ce86d8e8751c61
Instruction ID: 6ebc1ac10d47c641057823ad4efb2d46c1000221420dc883fa2d920b13c40cec
Opcode Fuzzy Hash: eb107694e0c7239ed491dda190f8a1a8ab204295816a726707ce86d8e8751c61
Instruction Fuzzy Hash: 1B318E30A08A49DFDF95EF68C855AA87BF1FF59394F4501A9E409CB292DB39E842C740

Function 00007FF887FF2DBA Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0aa2f3328b33704b1f83f1e3adb13294a36482a43e1593897fec87a9608ee7d
Instruction ID: 6439d7b4d426baac83069d952cd7403a8d570e10f9e7397f8a414066c749e842
Opcode Fuzzy Hash: f0aa2f3328b33704b1f83f1e3adb13294a36482a43e1593897fec87a9608ee7d
Instruction Fuzzy Hash: 613128B2B4958A8FE3A0EA2DE4556ADB7F0FF5435075541B4E088CF662DD289C87C701

Function 00007FF8880B57AE Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2647129402.00007FF8880B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8880b0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0fea9b7939255aecd50ecaa12b88d4eea8baa72e0293c8202835a17141566b1
Instruction ID: 22248a9631114b0d8d96732d160576d403b63a4d8221ae0565e7f812f7cbe32a
Opcode Fuzzy Hash: a0fea9b7939255aecd50ecaa12b88d4eea8baa72e0293c8202835a17141566b1
Instruction Fuzzy Hash: 5C210A62F19E4B0FFAE9962C145523916C2FFD9590B5901FAD04EC33DBED28DC428344

Function 00007FF8880B5098 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2647129402.00007FF8880B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8880b0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 799ff2de8cd72ec797a0e0c476735b64679b78e64c59fe6609e8a8f45bb7fe1f
Instruction ID: c74166fb289d126769db7419f040887ba8724b8806f003a729cc402107b3d2f5
Opcode Fuzzy Hash: 799ff2de8cd72ec797a0e0c476735b64679b78e64c59fe6609e8a8f45bb7fe1f
Instruction Fuzzy Hash: 22310931F18E4B5FFBA5A63C045123966D2FF89690F5801B9D44EC32DAEE39EC428745

Function 00007FF8880B5160 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2647129402.00007FF8880B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8880b0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0b452b13889f77e630273c8b2134d7b72a2b54250fdac0e134d8b7e1434fb06
Instruction ID: f69e3853d99d6a631494895c3527c6007b4a2c3d53aef15ad9693ba7a38c449e
Opcode Fuzzy Hash: f0b452b13889f77e630273c8b2134d7b72a2b54250fdac0e134d8b7e1434fb06
Instruction Fuzzy Hash: B621F721F0DE4B4FFAA5A62C149527956D2FFD96C0B5805FAD04EC73DAEE28DC028345

Function 00007FF8880B522F Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2647129402.00007FF8880B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8880b0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1effc910a41197e49213ecf892488e63bd2fa0c975f8d31e5c2042b18840e775
Instruction ID: e87309ac557f0a8752ad473523e6071936ff59c460f5f7b02529d964f888f964
Opcode Fuzzy Hash: 1effc910a41197e49213ecf892488e63bd2fa0c975f8d31e5c2042b18840e775
Instruction Fuzzy Hash: A921E721F09D4A0FFAD5A62C145523966D2FF99680F5805FAD04EC32DBEE28DC428705

Function 00007FF887FF7390 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 466cf3ec9c2e3ac819cd9c4c5da1c95e688bfbacc8f2c90b7c7a1b3993f83786
Instruction ID: 3a591152090827515bfecb1cb2f60a5fdeb073b6e547cda0a2787dbf86919349
Opcode Fuzzy Hash: 466cf3ec9c2e3ac819cd9c4c5da1c95e688bfbacc8f2c90b7c7a1b3993f83786
Instruction Fuzzy Hash: BA310521A5CE494FE781EB2C9494279B7E1FF98394F4806BAD84DC32E6DE2DE941C311

Function 00007FF887FFD475 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f902043826a59f53d6e6c5c629ef214a36ad111b8bd4cf629bc6ed77e7db59ec
Instruction ID: 3ea90307582b2b03209eafa156bac75825a9a914c5ff4c9b585fb381db7815bc
Opcode Fuzzy Hash: f902043826a59f53d6e6c5c629ef214a36ad111b8bd4cf629bc6ed77e7db59ec
Instruction Fuzzy Hash: 5F31FF3199C9875FE769A22A98B567877F0FF86290F1801B9C44EC75A2DD18BC81C742

Function 00007FF887FF3FB4 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f143f1d33fe7bae88147ee91883a94ef0d953da73420b21148df2ffbec001c9
Instruction ID: fa8f11dea915c8d60141d7c571f09d6f487cc46a50146b75d4a7f2dc8216a302
Opcode Fuzzy Hash: 2f143f1d33fe7bae88147ee91883a94ef0d953da73420b21148df2ffbec001c9
Instruction Fuzzy Hash: 05210D61B4CB450FF398961D684A6B937E1EF962A0F08017ED48EC3297DD196C43C382

Function 00007FF8880B5958 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2647129402.00007FF8880B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8880b0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01c3cf0de64359000145a953f5679cd6345dfa7b06eeb60d406f39c0c0224b78
Instruction ID: 8f2a87d2e97c5765c327353bfd8a45cf9dbb385f2f208201472e03f69aae8398
Opcode Fuzzy Hash: 01c3cf0de64359000145a953f5679cd6345dfa7b06eeb60d406f39c0c0224b78
Instruction Fuzzy Hash: 6921DA21F0DD4A0FFAA5A22C146523956D2FFD9690B5901BAD04FC33DBEE28DC428345

Function 00007FF8880B39C8 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2647129402.00007FF8880B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8880b0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c264d0511cbd2e5c4b090606288098cc0e95a71ef551bcf37e19a392e8d79bb6
Instruction ID: 285a2e0ce28fd745a57467b39d1595f4fa5443df10c9c012783073bbb5a2b778
Opcode Fuzzy Hash: c264d0511cbd2e5c4b090606288098cc0e95a71ef551bcf37e19a392e8d79bb6
Instruction Fuzzy Hash: 1321B321F0DD4A0FFBE9A62C145527956D2FF99690BA901BAD00EC33DBEE38DC428345

Function 00007FF8880B286A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2647129402.00007FF8880B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8880b0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b2131f4e6cdf2939cc7cdf07b1eb1b1de914af5e24dfd8fd40e50c83337ec81
Instruction ID: 4272234601ebcdde1edb9de75664b62fdaa4f0d4035ae2119e48ec4f819e4a56
Opcode Fuzzy Hash: 9b2131f4e6cdf2939cc7cdf07b1eb1b1de914af5e24dfd8fd40e50c83337ec81
Instruction Fuzzy Hash: 67210A21F19E4A0FFB95A63C045527966D2FFD8680B9801BAD00EC33DBEE38DC428341

Function 00007FF8880B4668 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2647129402.00007FF8880B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8880b0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 805c7b16b0f783e90e343bc258f5c348c382c5662dacca081ee555d051edf549
Instruction ID: 816280f490900deedd59c90a0ee2f64383e769bf078404493f5596a2e4a2a241
Opcode Fuzzy Hash: 805c7b16b0f783e90e343bc258f5c348c382c5662dacca081ee555d051edf549
Instruction Fuzzy Hash: 2B21D711F48D4A0FFAA9A62C146523955D2FFD9680B5805BAD44FC73EBEE28DC428345

Function 00007FF8880B5566 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2647129402.00007FF8880B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8880b0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5954746d947747673a335ecf89dd84833fe7786fcc03c0280cdc58d815192c0
Instruction ID: b12e40717c3a5ab2a107e767b3ecb6c921098c28b38bf0df5c59789d45ee14d9
Opcode Fuzzy Hash: a5954746d947747673a335ecf89dd84833fe7786fcc03c0280cdc58d815192c0
Instruction Fuzzy Hash: AD219521F18E4A0FFBA5A22C146523D55D2FFD9691B5801BAD04FC37DBEE28DC028345

Function 00007FF8880B369E Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2647129402.00007FF8880B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8880b0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b3af4f586f72f3fde3e410b26e0fdfab00eeff0ce0d3b093a12a32ae1db8bc8
Instruction ID: 273ac18b71894de545f2f587a8c765f4e843d82ca015237b451cf6477beb2600
Opcode Fuzzy Hash: 5b3af4f586f72f3fde3e410b26e0fdfab00eeff0ce0d3b093a12a32ae1db8bc8
Instruction Fuzzy Hash: D721D661F18E4B0FFBE5A62C045527966D2FF99680BA541B9D00EC32DBEE28DC028745

Function 00007FF888010F98 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d450624557fabf4258bc5ad2888135e2d43552dbe26a7745869f6001f8f5d21
Instruction ID: ec651f4664265432ba4b81be6f73bb3d21d4e0cfce92d5d053cdc72d679eb9d5
Opcode Fuzzy Hash: 4d450624557fabf4258bc5ad2888135e2d43552dbe26a7745869f6001f8f5d21
Instruction Fuzzy Hash: 9C214C30A18A489FDB84EB2C8484A6977D1FF9C351F54057EE44EC32A6CF34E841CB46

Function 00007FF88800EEA9 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d04c2314b1fa299e913fb92b5e9c0693e69205b1f09ddbc0403e7f11648f6ef8
Instruction ID: 53fef6d4c4c224098cb92c4635196108692b515004b5f55a6e888aa84181ab85
Opcode Fuzzy Hash: d04c2314b1fa299e913fb92b5e9c0693e69205b1f09ddbc0403e7f11648f6ef8
Instruction Fuzzy Hash: C1217D2191DAC60FDB06A72888506BA7FE0EF56264F0842BFD08AC71D7CE5CA406C352

Function 00007FF8880B3A97 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2647129402.00007FF8880B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8880b0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19b60109c631af2fe1856445ea452ae020285d7835e031b7143a968115771d32
Instruction ID: 135ffc60e27331047a40157c3867258c119a63a3af87c3edc816a658ada0a685
Opcode Fuzzy Hash: 19b60109c631af2fe1856445ea452ae020285d7835e031b7143a968115771d32
Instruction Fuzzy Hash: 4021F921F08E4B0FFBA9A63C045523966D2FFC9690B6901BAD00EC32DBEE38DC418305

Function 00007FF8880B48CD Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2647129402.00007FF8880B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8880b0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37894680ae0c41bf8a7ea609cd0754c1637563f24cc01c5474b6d6321af800c3
Instruction ID: f3dbf61d3dd6dbfb438b7cd3b39a446463abeab9cd91baabf4933a5673869058
Opcode Fuzzy Hash: 37894680ae0c41bf8a7ea609cd0754c1637563f24cc01c5474b6d6321af800c3
Instruction Fuzzy Hash: 6D21FC21F59D4A0FFAA5A63C145523956D2FF88690B6501B9D00FC73DBEE38DC428345

Function 00007FF8880B26EA Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2647129402.00007FF8880B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8880b0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fc5bd3514dc192f412cf1a540c44bdba55449854bcd92e3213e6ab538a804a5
Instruction ID: e63027fb4512a862a572b40b43e0828e6281c6dacf1580b14cdf8e563d5675fa
Opcode Fuzzy Hash: 5fc5bd3514dc192f412cf1a540c44bdba55449854bcd92e3213e6ab538a804a5
Instruction Fuzzy Hash: 1B21C622F59E4A1FF6E9A62C145523955D3FFC8690B9841BAD40EC33DBDD38DC428249

Function 00007FF8880B2566 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2647129402.00007FF8880B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8880b0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0564334886d2f989a2d12babc12f0ef5366e46081b860fdf774850797fdaa998
Instruction ID: 8e7f4713f776e5795e47020024d50c2434978ed8af34d0f1c777f4e5e94d8043
Opcode Fuzzy Hash: 0564334886d2f989a2d12babc12f0ef5366e46081b860fdf774850797fdaa998
Instruction Fuzzy Hash: 1B21F321F19E4A1FF6A9A62C142523921D3FFD8690B9841BAD00EC33DBEE38DC428745

Function 00007FF8880B32B5 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2647129402.00007FF8880B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8880b0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfceebc0e408b3ed4d12c32a30439b3e99bf23f8b3aab67eb5cf13a3aeac5e24
Instruction ID: 41a5fde80f707ed3bc07e8bb380339a4420689201fd2213f71ec75c73eeffa06
Opcode Fuzzy Hash: dfceebc0e408b3ed4d12c32a30439b3e99bf23f8b3aab67eb5cf13a3aeac5e24
Instruction Fuzzy Hash: DC21A721F0CD4B1FFAA5A22C145623966D2FF89690F6901B9D04EC33DAEE39EC018745

Function 00007FF8880B3CF7 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2647129402.00007FF8880B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8880b0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e8f16deaf7f2475c2ae968b45fa9179be9cd50f6275f96d9c53e6a878b7ab8d
Instruction ID: 308165302ec1f939bb92438b7d48e0229aa55690e2686ee52ae3a88c4f965428
Opcode Fuzzy Hash: 9e8f16deaf7f2475c2ae968b45fa9179be9cd50f6275f96d9c53e6a878b7ab8d
Instruction Fuzzy Hash: 5021D721F08E8B4FFAA5A63C145523966D2FF89680B6941B9D00EC32DBEE38DC428345

Function 00007FF887FFA6D0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74817f636da7639398b3893f35da4666ebf5d0331c290c45d87620bfc1e8dbb1
Instruction ID: 21ade037e42bbc166f0d08f0711499ed5cdf0b32cbce9d99b8c589e589862595
Opcode Fuzzy Hash: 74817f636da7639398b3893f35da4666ebf5d0331c290c45d87620bfc1e8dbb1
Instruction Fuzzy Hash: 4C215371908A1C4FDB68EA58DC4A9F9B7F4FBA5321F00413FD44ED3211DA31A5458B82

Function 00007FF887FFC776 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2d773199640190426183bf0e55ac8c51a1132e148fce744074151387ae9257b
Instruction ID: 231fb3fea0f21c891b126bb3d936313141b128828b472858508d3c36eabdace3
Opcode Fuzzy Hash: a2d773199640190426183bf0e55ac8c51a1132e148fce744074151387ae9257b
Instruction Fuzzy Hash: 59212552E6CECA0BE799E67884553B9A7E1FF99744B0441BAC04FC71C3DD0CA805C302

Function 00007FF887FF3FD0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b61e2a8bb401b8de123c2b8b414a2d2b8d4587b985e6c2beadc7d3f33508604
Instruction ID: 491a14e4ada8cc797bbfd82b09a0fe446bef15f2344e02f89e43d6c8d93b6ca4
Opcode Fuzzy Hash: 3b61e2a8bb401b8de123c2b8b414a2d2b8d4587b985e6c2beadc7d3f33508604
Instruction Fuzzy Hash: 4311CF7175CA091FE698A51D684A7B933E5EFD52A0F04017EE48ED3296DD157C42C282

Function 00007FF8880B39B2 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2647129402.00007FF8880B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8880b0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f43e0c0c0aaa73c83af2b1d56f7aa0cf1d78e091f1e5cd4ec234be6e8f718a2
Instruction ID: c914e10c0d5ab3c8b706b88fb86de9cc49d0274316ba8517da31b7b7be61cbb8
Opcode Fuzzy Hash: 7f43e0c0c0aaa73c83af2b1d56f7aa0cf1d78e091f1e5cd4ec234be6e8f718a2
Instruction Fuzzy Hash: C221F561F0DD4B4EFBA5962C185123966D1FF85680FA901B9C00FC32DAEE39EC42C705

Function 00007FF887FF2952 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f45463b32b3c4b1bcfea7496f6cc8a761e1dff5a97c446b1de8ac80e9720b205
Instruction ID: a8cd3f359a1ac6d1dbfed3ab715fb38534e4d219496cf3e844227f185819f8d2
Opcode Fuzzy Hash: f45463b32b3c4b1bcfea7496f6cc8a761e1dff5a97c446b1de8ac80e9720b205
Instruction Fuzzy Hash: 88210A51A78A8A4FEB54A76884527FD73E1FF99380F54817AC14FC75C7CC6CA8068342

Function 00007FF887FF7750 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4205f71780d20099cca19aeb22629b07ec3952ce977eaec078dc0c9adb87d9d1
Instruction ID: 7b3ed4acd5bee10274626885246faf8e1b35568b3dccbe14f03b63438c639b23
Opcode Fuzzy Hash: 4205f71780d20099cca19aeb22629b07ec3952ce977eaec078dc0c9adb87d9d1
Instruction Fuzzy Hash: 3D113623E7DD0A0BE2A8955E984697AB3E1FF847A039841B9D41EC3297DC18BC028291

Function 00007FF888009745 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 623b83f1c85c0c60e073b858f8f763554c1ae5302882a631db646f12ba186a04
Instruction ID: 3acf189902d5a96b152dae1838e067b5b9137e7f9f37b0f2e19d6dfe414de110
Opcode Fuzzy Hash: 623b83f1c85c0c60e073b858f8f763554c1ae5302882a631db646f12ba186a04
Instruction Fuzzy Hash: C021B031A4CA898FDB84EF2C94516A97BA1FF99350F5501BAD10DC7297DB39AC01C781

Function 00007FF88801351E Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e6ca3b62ae229ef1e92ebb9497dad682ccb4850b3b0a6340ba1b4502fe55fd8
Instruction ID: 7769077851156d96aa96da2c5a2a4011111ecf5bbf36c6c9f2ab895f19f9af29
Opcode Fuzzy Hash: 6e6ca3b62ae229ef1e92ebb9497dad682ccb4850b3b0a6340ba1b4502fe55fd8
Instruction Fuzzy Hash: DD218034618A4A8FEB94EB28809567873E1FF84364F6544BDD04EC72E2CF39E882C704

Function 00007FF88800F610 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d207aab7767e63f64c5b91a02a9d47f5f6620c1f13dd4c308f062e348afbcd55
Instruction ID: 433b6646cfed94b8d33eadd6868e6ebc9b1832621fd34f86dca114d3b3bbd452
Opcode Fuzzy Hash: d207aab7767e63f64c5b91a02a9d47f5f6620c1f13dd4c308f062e348afbcd55
Instruction Fuzzy Hash: D2218125B1DA5A4FDA45A26864221BDB7E1FF86260F5440BAD08AC75E7CE2D6C028385

Function 00007FF88800AEA0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a4ab434d4f8bea738c690286101210cd31f24d50e94773c96cba7587af6e86c
Instruction ID: fa45a080cf26db36c72b4acf0ba7bce9180060f7bdc2773659a5b2cac5feca3d
Opcode Fuzzy Hash: 4a4ab434d4f8bea738c690286101210cd31f24d50e94773c96cba7587af6e86c
Instruction Fuzzy Hash: D0211734A18A4E8FDF88EF28C4947AA77A1FF58344F504969E41EC7296DF39E851CB40

Function 00007FF887FF7065 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f68ab9724c7d4f9cb1ed618e3ccf19eaffc8c2080c7e2448844b95d739118058
Instruction ID: 3c6fa6ca8e410d08bd78cb575b32e5e5927e62d5cbe19de4ece6a90ac3f5994d
Opcode Fuzzy Hash: f68ab9724c7d4f9cb1ed618e3ccf19eaffc8c2080c7e2448844b95d739118058
Instruction Fuzzy Hash: A8214920A1CE850FE7419B2C98486B4BFE1EFA5260F4C09BAD4CCC72B2ED59D9C6C301

Function 00007FF888002EDC Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdb60d76bbfa4fe14abc5a5c1c1edd188f99a84760edc589177b0a2c03de7852
Instruction ID: 04c03519853b7357d34f0363442c7f88dc256ec225b413e2c5f93b7329a4176f
Opcode Fuzzy Hash: bdb60d76bbfa4fe14abc5a5c1c1edd188f99a84760edc589177b0a2c03de7852
Instruction Fuzzy Hash: B321A53190CA8C4FCF95DB5C9840999BBE1EB9A360F18029BE04DD3292CA25E806C791

Function 00007FF887FFCFC5 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81e54244fdac8983d07b4c4c6c7feefa3aec4ebc1b0581a30aee7e8cdadbde7b
Instruction ID: 562d4717ccbf965d02b41e1d09bd568cb67a9b1fbed3c19e951fa9af9947cb91
Opcode Fuzzy Hash: 81e54244fdac8983d07b4c4c6c7feefa3aec4ebc1b0581a30aee7e8cdadbde7b
Instruction Fuzzy Hash: 1D11A01158EAC61FE34657B54C396E63FE5EF8B56030D42EBE086CB4A7C84C498BC362

Function 00007FF8880B5A50 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2647129402.00007FF8880B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8880b0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4857ebbc3e9ff5b3419df7ae70c6157006f6285bff6670043f6d054fe2a9788f
Instruction ID: eb39d0a2fb40871b88fd2d18cd809ae62cfb32e42327d8b4f5289dcfa5e7dd65
Opcode Fuzzy Hash: 4857ebbc3e9ff5b3419df7ae70c6157006f6285bff6670043f6d054fe2a9788f
Instruction Fuzzy Hash: 1F11C461B08E4B0FFBA6A22C045123956D2FFC9290B5901BAD04ED36DBEE2DDC028305

Function 00007FF8880B4A88 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2647129402.00007FF8880B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8880b0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f82315861903d0ca6e8fa641a411445ed2f718d81c795f599a3cbaf415832f10
Instruction ID: fe2daca25b0c2a96f1851ca8c3dc800f6d21f50d7796662872a7dff1d58b807f
Opcode Fuzzy Hash: f82315861903d0ca6e8fa641a411445ed2f718d81c795f599a3cbaf415832f10
Instruction Fuzzy Hash: 3D11E721F0CD4B0FFBA9A62C145127996D2FF89290BA901B9D00EC72DBEE28DC418309

Function 00007FF888010D42 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b09711098ff48d081ba03f4f03c446117713f7901557bbd26467aaba9eac9ab
Instruction ID: 4349aeae1054c6566cf29c955b68e1124354997043f8df9c4dd449b38bc92fc8
Opcode Fuzzy Hash: 7b09711098ff48d081ba03f4f03c446117713f7901557bbd26467aaba9eac9ab
Instruction Fuzzy Hash: CA11E92490DA964FDB4A533814292787FE1BF86260F1840FBC089C71E7DE2C6C46C345

Function 00007FF8880B2963 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2647129402.00007FF8880B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8880b0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eb7d55c15f0c3eee6a71c7d4d9710faefcc132bba463957acfa21d3095d5a99
Instruction ID: c198e55027fd28b4fad0ce260b1ff3657c056dd7a59296ee79e0bd0c2ccf87b8
Opcode Fuzzy Hash: 3eb7d55c15f0c3eee6a71c7d4d9710faefcc132bba463957acfa21d3095d5a99
Instruction Fuzzy Hash: FA11B621B19D4A0FFA95922C045523996D2FF89290B9941B9D04EC32D7EE39DC418305

Function 00007FF8880B2C8B Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2647129402.00007FF8880B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8880b0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 937e268bae9bb474ef440a0ea7f6c9892ad4d6f0d468b6a8cba475087038c1de
Instruction ID: 960cd4207365a382004de3c749df2e147d9b7fe5049d335b311a32b37a43c7fc
Opcode Fuzzy Hash: 937e268bae9bb474ef440a0ea7f6c9892ad4d6f0d468b6a8cba475087038c1de
Instruction Fuzzy Hash: 0D11AB22B1DD8A0FFBA5A23C145523966D2FFC9690F9901B9D44EC36DBEE39DC418305

Function 00007FF888003805 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9809dd540cf4196aff267a47e44460bedaa2e777469cf551d799c0389e40487
Instruction ID: 0b605d1ac669bf78868d0d5c2dc27dd6394a1c5ea928a835fc7030d18d75284a
Opcode Fuzzy Hash: d9809dd540cf4196aff267a47e44460bedaa2e777469cf551d799c0389e40487
Instruction Fuzzy Hash: 83213D30A19A1ADFEB96EB6488557BDB7A1FF05341F5500BDD40ED72D2CB38A842DB10

Function 00007FF887FFD3F5 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cae4d91e85ebdb3fc7a587c35419a91eb7b1eeae8954980a3bf5c3a4acc6963b
Instruction ID: 4bd61b56cbd0bba150dc41e52b5909a6d13f8af675567d24bd2efde47a8b6fe9
Opcode Fuzzy Hash: cae4d91e85ebdb3fc7a587c35419a91eb7b1eeae8954980a3bf5c3a4acc6963b
Instruction Fuzzy Hash: D6119E2158E7C61FC34797B48C25AE53FE5EE8B16030942EAD08ACB5A7C91D9847C362

Function 00007FF887FF2468 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b093549ed21dd449cad43be0c5fe3db3d59c40a26b71e2acfe2f6c76c361cd9
Instruction ID: 379eecf722be2a446fd0c6937abfd5cea39026e7996f9ed848a63969b22c1b9c
Opcode Fuzzy Hash: 5b093549ed21dd449cad43be0c5fe3db3d59c40a26b71e2acfe2f6c76c361cd9
Instruction Fuzzy Hash: CA116F2285D5860BEB15673468056E977E1FF82391F5941FAE489CB1D3DE2CA882C385

Function 00007FF887FFE521 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dfdf01268dbe393c1ca3452a91b54b51eeebb801393c368a90313cc4b7253e7
Instruction ID: a1eda2cf4c49e4b3607383f2a625c2f2187448869533d1ac84a027b95ace4c15
Opcode Fuzzy Hash: 4dfdf01268dbe393c1ca3452a91b54b51eeebb801393c368a90313cc4b7253e7
Instruction Fuzzy Hash: 4521907080D7C99FD7499B7898256A9BFF0FF56340F4804AFE09AC71A3DA685549C702

Function 00007FF88800A495 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3dc71d8ae0e6e298924ddc3240c75331f7e7decb395ecdfb14c6a3b5fa50611
Instruction ID: 93fc8412cafe1f336773892ae27f832298031a2dcada16db91b27c3c39701b3e
Opcode Fuzzy Hash: f3dc71d8ae0e6e298924ddc3240c75331f7e7decb395ecdfb14c6a3b5fa50611
Instruction Fuzzy Hash: 0B11063285E5C20FE716532068165F57BA0FF823A1F4A01F6D088CF0D3CA2D6986C3A6

Function 00007FF8880B07AF Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2647129402.00007FF8880B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8880b0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fb036b3b4675c87352d06bbfcdef62dacbbd990d9430e49c4a535f9f158dad8
Instruction ID: b2093c10a5e5f5d1adea809e2bc40f8a80985592da46c5c7285371ad2a928879
Opcode Fuzzy Hash: 3fb036b3b4675c87352d06bbfcdef62dacbbd990d9430e49c4a535f9f158dad8
Instruction Fuzzy Hash: E8110C60F6E6464FE6A8D638545B674B7D1FF24350F5440B9C04AD71F1EA285C42CF49

Function 00007FF888014A60 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b417e155c07f9392c70e034a4f6664d143d272a2347b1790bc81f1922d275984
Instruction ID: 27be9f5cf4d2a5f77eaac16f0011adcb0ffaa8df1a7a43f2b2b6ae7658ba8a6f
Opcode Fuzzy Hash: b417e155c07f9392c70e034a4f6664d143d272a2347b1790bc81f1922d275984
Instruction Fuzzy Hash: 6FF0FC7260C61C5EB71CA52DAC4B5F673D5E796675B00013FF48AC3553ED21B81382D5

Function 00007FF88800C229 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0164f020f901ec8b52ce1ca32e7c1f3967fe2199be07ef08f18e7b9023c03ed0
Instruction ID: c5bdbc76ff707e43f1e0d32af82c309b8e4d1aa13203881a5703d9d13b607405
Opcode Fuzzy Hash: 0164f020f901ec8b52ce1ca32e7c1f3967fe2199be07ef08f18e7b9023c03ed0
Instruction Fuzzy Hash: 9A01D611A2CFCA0FDB95E2B850955F677E1EFA926070442BBD04BC71DBDD2C9846C382

Function 00007FF887FF4CF1 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d6ca20ae2e3efc7a99fd998a6ad806a169854fb8c096435116636260c693217
Instruction ID: 5d78058c618b2eafc2a2b6e96c5c66c26ec49c827f288cbf114d286c915d960c
Opcode Fuzzy Hash: 7d6ca20ae2e3efc7a99fd998a6ad806a169854fb8c096435116636260c693217
Instruction Fuzzy Hash: 8C01282180C6550FE796A62884852FD7FE1EFC52A0F08467AD08DD61B2DE5C49C6C386

Function 00007FF887FF223A Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88ab7429d98784e4aabbd9c166dc22dab1d1f7760934cdf0247a295b30532439
Instruction ID: ecd38a04c941d2d0fb16e67728bcea1c7b274dc77212a2f235da771325d9e819
Opcode Fuzzy Hash: 88ab7429d98784e4aabbd9c166dc22dab1d1f7760934cdf0247a295b30532439
Instruction Fuzzy Hash: 3301D16084D6C96FE7429778A8496AA7FF0EF46210F0580E7D859CB193DD281584C302

Function 00007FF888009ABB Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1702d1498fdc84a7e0074b2778f7091e2e93bd3df67f370fb76489b3237700fd
Instruction ID: 7df2af38ee6f8147fb2aca728b491776eeaea518bf1339ec7cf54dd9232cb680
Opcode Fuzzy Hash: 1702d1498fdc84a7e0074b2778f7091e2e93bd3df67f370fb76489b3237700fd
Instruction Fuzzy Hash: 0AF04431B2C9184B9F48A65CA8525EC73E2FBC9760B44027AE00AC328ADE25A81283C5

Function 00007FF887FFD551 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e93b0709ee6c006300432a0e0bfe0c19c9380b5da9490500ec0d2747b89094d
Instruction ID: ca67d400afa349f34731a7aa6c44d49b6f0807919ab110908b4702c32395a1bb
Opcode Fuzzy Hash: 5e93b0709ee6c006300432a0e0bfe0c19c9380b5da9490500ec0d2747b89094d
Instruction Fuzzy Hash: D0F0FF7188D68C6FD74ACF284C19AEA3BF4FF96280B0902AAE009C3282CE205804C350

Function 00007FF888009621 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d0e2b0c5acaf3bd53ee900ece6be227cb59b0b4308c8ab2610cd888252eb6b3
Instruction ID: bcfec4bd4b43c634834bf7b80b47ef30d0b81cf6afca98edaac41f983f7b85d8
Opcode Fuzzy Hash: 2d0e2b0c5acaf3bd53ee900ece6be227cb59b0b4308c8ab2610cd888252eb6b3
Instruction Fuzzy Hash: 00F0B425A5E7458FDB65872868551A83791BF91291F5812FBC00DCB1D6CA3BEC42C381

Function 00007FF887FF22AD Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e7c1eee30766386ec61e9a7dbd584a1b51b1e92f3cbc0e9641682d899a99473
Instruction ID: 2e4a04f8825612c71b71df87179660fd163c5034aeab63df4a0a935745f7fb56
Opcode Fuzzy Hash: 0e7c1eee30766386ec61e9a7dbd584a1b51b1e92f3cbc0e9641682d899a99473
Instruction Fuzzy Hash: 58F04FB1D482895FE304DBB8981A0ED7FF0FF88210F4440EAE409C7052EE2805828302

Function 00007FF887FF6620 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd5ed31f5a4416e5e246ee4fc7f5d3b9f14f10a08958868fffe641ced428cd3e
Instruction ID: 1c622de7462a62be935a214883de4f9c349ae31136a434cff04458bee2f2b72a
Opcode Fuzzy Hash: dd5ed31f5a4416e5e246ee4fc7f5d3b9f14f10a08958868fffe641ced428cd3e
Instruction Fuzzy Hash: 73F03770D04A1E8EDB94EBA8D8066EEB7F0FF09340F400A6AD01DE2191DF75A980CB81

Function 00007FF887FF21D3 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99f641a6f4f93c9f535311ac4021c611cbf69b8af32be0254dac9749e3fc74a6
Instruction ID: d2683dfcb5fd26f4d8f854a4f7a64930fc03105e8c95d26e9be3fdcbd8b900ed
Opcode Fuzzy Hash: 99f641a6f4f93c9f535311ac4021c611cbf69b8af32be0254dac9749e3fc74a6
Instruction Fuzzy Hash: F2F0E22668DD5E0BE344B89E7C815FD6390FB803B1B48023ACA19C2586DD89A8A68290

Function 00007FF88800DC9E Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a0ddeae32ce02bfc918dbb72fe4ed5944892ccadaa29e5a4ddfc5bfc9cf05bc
Instruction ID: 761a15225ee44b33dcfc5f9c1997871316520612950c55b7b4f36b75e7344b69
Opcode Fuzzy Hash: 5a0ddeae32ce02bfc918dbb72fe4ed5944892ccadaa29e5a4ddfc5bfc9cf05bc
Instruction Fuzzy Hash: 69F01911B78D8F0B9E85E79D50916FD5291FBA42547509276D01FC318BDD2CE5468382

Function 00007FF887FF3050 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56e81e43f8424709a4702df834b13c168bb93e97333fd23897ed5bdab90a54ea
Instruction ID: edc008e8b55eebd8af02172110ccaaca1eb3dfdf5892ec86e4df1f3e4162c29f
Opcode Fuzzy Hash: 56e81e43f8424709a4702df834b13c168bb93e97333fd23897ed5bdab90a54ea
Instruction Fuzzy Hash: 97F0E930E58A490BE3549E3C544527573E1FF44359F14497ED88EC7295DF25DC428241

Function 00007FF887FF345C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 616d6431ddb6218e7c04f87f23ef0078ad985a1db7db0bbaffc0483f62c14c1d
Instruction ID: 6f0f1a57096c54897a970d95e0a88744866b4c67046004ef66e5e9e2b138f2f5
Opcode Fuzzy Hash: 616d6431ddb6218e7c04f87f23ef0078ad985a1db7db0bbaffc0483f62c14c1d
Instruction Fuzzy Hash: ACF0A07194D60D5FDB18EE4AEC8A9EE77B8FF85264F00023AF44E82152DA35A862C750

Function 00007FF888008912 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0eebafa535cdc3adfb03392d97051662419fa7023825f5eb9934e565e8dcaef
Instruction ID: 832b2a64aa5b79ba11d59203d9217d9b5c3e1a0245b6c47105eb2eb0569bb5ae
Opcode Fuzzy Hash: e0eebafa535cdc3adfb03392d97051662419fa7023825f5eb9934e565e8dcaef
Instruction Fuzzy Hash: EDF0EC10B5DA5B0FE694B3BC541A1AC65E0EF491E0B4406F6E44BC71D7DD1C9C418342

Function 00007FF888009A4B Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce2b582e1e7f3a248e0ebcb811275bc99ab10c7e91e6c97903ed94245f12b34d
Instruction ID: 6c9145c457c553ab91b814db82d1eede2bee1cd1f6590448a9eeba65a9c2c31a
Opcode Fuzzy Hash: ce2b582e1e7f3a248e0ebcb811275bc99ab10c7e91e6c97903ed94245f12b34d
Instruction Fuzzy Hash: 03F0A762D8F2860FEB2569B918A5094BF80EF432B4F4941FEC59D8B4E3E96D48528345

Function 00007FF8880097FA Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2cb6130af15f326149894dfd3e285e5b31e76365a92985421ed008dd6608d50
Instruction ID: d8f1f9e2a2e7fd44d223cf204dd62f2ecb68512c018a06664adde2edf28e5389
Opcode Fuzzy Hash: d2cb6130af15f326149894dfd3e285e5b31e76365a92985421ed008dd6608d50
Instruction Fuzzy Hash: 15E0CD7594C94C9BDB44AA5DA8004D57BE4FF85718F00019EE55CC7185D6225951C745

Function 00007FF887FFC749 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c5e634f3504282012cbf220ad547a30404f2fc9de0a52ccebf7a2845454634e
Instruction ID: 1d3dc6b7ce85cd3d7bc8106e573c184598cb7ded7bab593d93e28c38c06fcc5b
Opcode Fuzzy Hash: 0c5e634f3504282012cbf220ad547a30404f2fc9de0a52ccebf7a2845454634e
Instruction Fuzzy Hash: AAD0A713EEDE8E46E650991878400F9B395FF915E5B504732C44FD314ADE1E9547C241

Function 00007FF887FF2D3B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02775e53c211234cec23d208cc44ec7a17ea23c227397c251b88c3fdb0603932
Instruction ID: ffb8df8dda171d53b0e2e6ca61e4adcfafb0574d08e55cde55b5667cd2cbf57e
Opcode Fuzzy Hash: 02775e53c211234cec23d208cc44ec7a17ea23c227397c251b88c3fdb0603932
Instruction Fuzzy Hash: E5E08C917299814BE280A6B8402337D66D39F88310F8540F8D00AC76C7C91C1C028253

Function 00007FF8880B0FB1 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2647129402.00007FF8880B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8880b0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7436ca66e0e884e30720814de0ea0ebbd4f6fc324da8fe61c3b6b271746bb163
Instruction ID: dd38a56308499625d1aca4d25724325e1aa6bb9545d381476e73e480b19e2cf0
Opcode Fuzzy Hash: 7436ca66e0e884e30720814de0ea0ebbd4f6fc324da8fe61c3b6b271746bb163
Instruction Fuzzy Hash: 85D0C9117694120BF658218D68823F97285EB89B94F640536E50EC23CADCDE6C9142D6

Function 00007FF8880093C6 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89e06c6c71e1468a845f695a88aadffc72005fa65f3956804005bb50a5c9ed27
Instruction ID: b75b13b7aea5438b705230be7d085b57f7ecb85cc1a4dc78bf03e6e8d69f2509
Opcode Fuzzy Hash: 89e06c6c71e1468a845f695a88aadffc72005fa65f3956804005bb50a5c9ed27
Instruction Fuzzy Hash: 3CC00222B9981E499E94A2A974136FDB351EF85295F811436E11DC61C2CEAA2C144686

Function 00007FF8880028A3 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 071698123b5b2659ea59642cb8cb1d0272abbb1dfe4a355042d41a86ae84202c
Instruction ID: d44bae6f46e15825a26a63bbaf26f4ab2391ecfab4d6ae41ca2c52eedb57cdde
Opcode Fuzzy Hash: 071698123b5b2659ea59642cb8cb1d0272abbb1dfe4a355042d41a86ae84202c
Instruction Fuzzy Hash: 95A00202ACA41E419A44209D79420D8B288D7851B2FC53A72E908C418AEEAE19D64285

Non-executed Functions

Function 00007FF887FF10D1 Relevance: .5, Instructions: 537COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8704fa8dd506e4807cafcb387138ab9e63447ca2a9243cda369be17d3b0ac280
Instruction ID: 2019d40ba1917274f43633de3034f5383d687a16e4dd8fadee627bdd4d3e3028
Opcode Fuzzy Hash: 8704fa8dd506e4807cafcb387138ab9e63447ca2a9243cda369be17d3b0ac280
Instruction Fuzzy Hash: ACF1552BE4D1E24AE21176FDF4A21FDBB60DF422B970841B7D1DD4A053DD0C268B86A7

Function 00007FF888000DD0 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646683145.00007FF887FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887ff0000_BJtvb5Vdhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b68a105cbb52358401bb4e17bc227b9add2eaf9e3e3f4a50320ca842004e968c
Instruction ID: f5b1f03ada02230df28e9e8782c792f3fb13738fe1df425d6fb525b220352fda
Opcode Fuzzy Hash: b68a105cbb52358401bb4e17bc227b9add2eaf9e3e3f4a50320ca842004e968c
Instruction Fuzzy Hash: 7D918177C481A64AE610B7FCF8522FDB7509F012ACB084636D0EE4E093ED1C758799AB

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report BJtvb5Vdhh.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Quasar

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
BJtvb5Vdhh.exe

Function 00007FF88800E4AE Relevance: 8.4, Strings: 6, Instructions: 950
COMMON

Function 00007FF88800B009 Relevance: 8.4, Strings: 6, Instructions: 892
COMMON

Function 00007FF88800651D Relevance: 7.0, Strings: 5, Instructions: 703
COMMON

Function 00007FF887FF9621 Relevance: 5.0, Strings: 3, Instructions: 1212
COMMON

Function 00007FF88800F6F0 Relevance: 6.0, Strings: 4, Instructions: 979
COMMON

Function 00007FF88800BA79 Relevance: 5.9, Strings: 4, Instructions: 935
COMMON

Function 00007FF8880B01BA Relevance: 3.9, Strings: 3, Instructions: 132
COMMON

Function 00007FF887FF2440 Relevance: 3.5, Strings: 2, Instructions: 1035
COMMON

Function 00007FF888001898 Relevance: 3.1, Strings: 2, Instructions: 588
COMMON

Function 00007FF8880066ED Relevance: 2.8, Strings: 2, Instructions: 341
COMMON

Function 00007FF888009B59 Relevance: 2.8, Strings: 2, Instructions: 326
COMMON

Function 00007FF8880B0718 Relevance: 2.6, Strings: 2, Instructions: 121
COMMON