Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe

Overview

General Information

Sample name:SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe
Analysis ID:1521525
MD5:e3a6a985899b7b14de0e539045fa8856
SHA1:1fdfc2ea75c2f52526dfa96834ec2f383d0c02f8
SHA256:30ab8dea3f9af09e931fe9c72cc52c5a1a69ab6de752f20d13e465c7a4bda6d4
Tags:exeQuasarRAT
Infos:

Detection

Quasar
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Quasar RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for sample
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Quasar RAT, QuasarRATQuasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware Configuration

Threatname: Quasar

{"Version": "1.4.1", "Host:Port": "117.18.7.76:3782;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "d908c8ed-ea88-484e-a3d2-dcbe66ac7cfc", "StartupKey": "Windows Client Startup", "Tag": "newoffice", "LogDirectoryName": "Logs", "ServerSignature": "J/Kxz34WM5GUKyNgIA5ql6LgrD+Ocb5fWps/oTPRyypSRmsFgBRV+a3TC3d9wlKjkD1Ws+BaeiDV4/xS6SXSzcRdw0WyA3t3UGAM/1KZxI8IKZCV2jBAMOAdxnlvc+F70xCJWdZ5ex8tcD7+MabTbCOafs4xMNYFehFBvXMQauaU36iu13dn2zQ1P8QHdLhy0VW6YW7MKHrqHG546kxY4kdsAfI5ma1twc9lg+O/6ktuTINXaaGVr41VG7xykQ6Yk7882YqucL/w1AgX+dYVheYsv3SQL2UUHhFncvyM8H2I4LMqzUw/L8oQmzLGAo29N4oZUXMsX8ST5oJde8DJdWpEJgBrBng3hS66cwv2As7smtNPjqbgEO5Uif5g6YW3tk4XszyHvCoFdOEhzqvfWHgwiWlcwD6Yxj1Oqj8TRPG8P4McFpWRVCnksE3L74Vsb5sw+Gr8+1dLImvDceee5kFDjfu3qSaFMtZaCONmOBjyMXpc7FB2CRhFDT3wQ+v3Axw8MVYUpP3s9VSkbcxrvtkS78Vwqe8POR51TraYDhJooEfEiJEcOffcgsxI55su9rPiSYPBZrWjXIx2Y8Vokhw966vMO07KxIzjt5mgiQ/kMcDPPNofPOz5ZiKN0ST1e44lZqQ5NuUw+OlW8Xlsc4RbfVRO8PP/Xg40t9ZRl0A=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQALVx+qYXgHoHDGbKYTcTVTANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MDYwMjE0MjU0OFoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAn3GZGZ2jxIWfTUi6wnwv63y9rbljZYYS59QRa5OMShzHUUfSQN6os6azIwN9UQvhG1DY00pAtFtvCY8AJpGf6PxK2s6G8F07DI8dY9tWOPZdZ5d/QxOpuApD9HhEov3YCLjVxWsGKVGEcyALvO9CdZC+Bi89w69lrjjiiTetE6gdD6i9UFgH3ij/1NIGVyAe+DDGumIhk893NB+IC/rm5rjehLkVaR1kK0uUBmRhWJ1xCl85iaXL5ny9MRcTcQnPnVE1wUS7uDPo57TWY0atCksljwuuc8TQw6lerbPKbMeeO3ezQI1VI0TDFPJw6Qznvpy/jqKb8Yx3Cmi7c37V8jS1aVliY2VOrB1+mMhYFenOQoFGWtoCAYAuFCRnHPq3jEGxgeQohCTGjmavV5JCZyr7UkrlD6b5cABS4bhfPW0vtg8qRSoZzuaD113e4a1hbu3CQMjr2vkbI3gS326Nzzvgflgdy5yLzeLyIfuWEVjD/fO+YSEVewbEGNDy+XcWWkGSLnGXWuRakpz5/j0pGSANDd1vVKpvWuJU/Oq47KD0J25i/b241kS4XFBeBQmqJfp4u27l3hpY9VGZtljB0gFA1BveGwwNqTfN6IxUQhem/rq1IcpQL9QvEgL/3ap6Pfikxt/rWsTONbMryerO7L9vRiKFfa3CuQtun2J6+SkCAwEAAaMyMDAwHQYDVR0OBBYEFGMZAMiA3iPoj4mQzypgmcpbxzRVMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAGhU2C47bC+lIeLM2F5y6KqmFWfgJRiiVJxnMsZ7vkIPW8hVXqqm+tN7bjWydE8DxXMnBhYOqvsFdeTWWe4Gj2tt2JQ40HCleAU5AXXKhM1ZfeKeZZdFnFuhn6CF60c0wbTfz5cEbuLX1doHs5RQZg4b6nehlF7OFvAEqIrtoy7o2/PYMrhife2C6uqEqxqsvFJRqTWYFNtgMFG5pLCPxT9ekOTTmZNmsnoYmo79xHWnMVw59Sd9KriJ7IX8W2PFDhBKA+jHY9SOD6gYmsuR5KjsH0B47PiezBK/FLfGieQ/NgGdvgv6m8sB0MfnFP4CqpNIftsyfsfE7Mo+I+aZ5JLLm152dWtfhenA+sR+r3RC/97XIXg+5grgYa7dk1ywJkv+ZXwFlzsExyB6E0GPH+rRMVefXn3z06QCNO5CYVjw/8ASsAL+92dAljZDGEwqr1axQMCxrIDxDOs0Ydx5JoiLS+c/tqUp6cXJC5hEd4FwjVe0C+7PRWRzIlJytO3Es1V1ngTsn0HyaUJfls8vqawe5H2nMDP/8V3eGw29OO2gpGAPdlMpOVDso8zGKuy+o6U1+vmgH1iBIMnNBF8+AK+wGM75ZZCaW/n377UutOzwd1TWWBCwBrl+hykgxaVsAhaOg1IQRbj7OWmO8b6hyCfoaOoBI8YrTvt72RtwGusP"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.4109420847.0000000003BA4000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_QuasarYara detected Quasar RATJoe Security
    00000000.00000002.4107808945.0000000001510000.00000040.00001000.00020000.00000000.sdmpWindows_Trojan_Donutloader_f40e3759unknownunknown
    • 0x31ede3:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
    00000000.00000002.4110939314.00000000061B0000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_QuasarYara detected Quasar RATJoe Security
      00000000.00000002.4110939314.00000000061B0000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
        00000000.00000002.4110939314.00000000061B0000.00000004.08000000.00040000.00000000.sdmpMAL_QuasarRAT_May19_1Detects QuasarRAT malwareFlorian Roth
        • 0x28eee1:$x1: Quasar.Common.Messages
        • 0x29f20a:$x1: Quasar.Common.Messages
        • 0x2ab7ee:$x4: Uninstalling... good bye :-(
        • 0x2acf51:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
        Click to see the 4 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.61b0000.2.raw.unpackJoeSecurity_QuasarYara detected Quasar RATJoe Security
          0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.61b0000.2.raw.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
            0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.61b0000.2.raw.unpackMAL_QuasarRAT_May19_1Detects QuasarRAT malwareFlorian Roth
            • 0x28eee1:$x1: Quasar.Common.Messages
            • 0x29f20a:$x1: Quasar.Common.Messages
            • 0x2ab7ee:$x4: Uninstalling... good bye :-(
            • 0x2acf51:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
            0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.61b0000.2.raw.unpackINDICATOR_SUSPICIOUS_GENInfoStealerDetects executables containing common artifcats observed in infostealersditekSHen
            • 0x2aada0:$f1: FileZilla\recentservers.xml
            • 0x2aade0:$f2: FileZilla\sitemanager.xml
            • 0x2aae22:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
            • 0x2ab06e:$b1: Chrome\User Data\
            • 0x2ab0c4:$b1: Chrome\User Data\
            • 0x2ab39c:$b2: Mozilla\Firefox\Profiles
            • 0x2ab498:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
            • 0x2fd388:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
            • 0x2ab5f0:$b4: Opera Software\Opera Stable\Login Data
            • 0x2ab6aa:$b5: YandexBrowser\User Data\
            • 0x2ab718:$b5: YandexBrowser\User Data\
            • 0x2ab3ec:$s4: logins.json
            • 0x2ab122:$a1: username_value
            • 0x2ab140:$a2: password_value
            • 0x2ab42c:$a3: encryptedUsername
            • 0x2fd2cc:$a3: encryptedUsername
            • 0x2ab450:$a4: encryptedPassword
            • 0x2fd2ea:$a4: encryptedPassword
            • 0x2fd268:$a5: httpRealm
            0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.61b0000.2.raw.unpackMALWARE_Win_QuasarStealerDetects Quasar infostealerditekshen
            • 0x164ef2:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
            • 0x2ab8d8:$s3: Process already elevated.
            • 0x28ebe0:$s4: get_PotentiallyVulnerablePasswords
            • 0x278c9c:$s5: GetKeyloggerLogsDirectory
            • 0x29e969:$s5: GetKeyloggerLogsDirectory
            • 0x28ec03:$s6: set_PotentiallyVulnerablePasswords
            • 0x2fe9b6:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
            Click to see the 13 entries

            Sigma Signatures

            No Sigma rule has matched

            Suricata Signatures

            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2024-09-28T21:30:00.539942+020020355951Domain Observed Used for C2 Detected117.18.7.763782192.168.2.449737TCP
            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2024-09-28T21:30:00.539942+020020276191Domain Observed Used for C2 Detected117.18.7.763782192.168.2.449737TCP

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Antivirus / Scanner detection for submitted sample
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeAvira: detected
            Found malware configuration
            Source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.4898888.1.raw.unpackMalware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "117.18.7.76:3782;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "d908c8ed-ea88-484e-a3d2-dcbe66ac7cfc", "StartupKey": "Windows Client Startup", "Tag": "newoffice", "LogDirectoryName": "Logs", "ServerSignature": "J/Kxz34WM5GUKyNgIA5ql6LgrD+Ocb5fWps/oTPRyypSRmsFgBRV+a3TC3d9wlKjkD1Ws+BaeiDV4/xS6SXSzcRdw0WyA3t3UGAM/1KZxI8IKZCV2jBAMOAdxnlvc+F70xCJWdZ5ex8tcD7+MabTbCOafs4xMNYFehFBvXMQauaU36iu13dn2zQ1P8QHdLhy0VW6YW7MKHrqHG546kxY4kdsAfI5ma1twc9lg+O/6ktuTINXaaGVr41VG7xykQ6Yk7882YqucL/w1AgX+dYVheYsv3SQL2UUHhFncvyM8H2I4LMqzUw/L8oQmzLGAo29N4oZUXMsX8ST5oJde8DJdWpEJgBrBng3hS66cwv2As7smtNPjqbgEO5Uif5g6YW3tk4XszyHvCoFdOEhzqvfWHgwiWlcwD6Yxj1Oqj8TRPG8P4McFpWRVCnksE3L74Vsb5sw+Gr8+1dLImvDceee5kFDjfu3qSaFMtZaCONmOBjyMXpc7FB2CRhFDT3wQ+v3Axw8MVYUpP3s9VSkbcxrvtkS78Vwqe8POR51TraYDhJooEfEiJEcOffcgsxI55su9rPiSYPBZrWjXIx2Y8Vokhw966vMO07KxIzjt5mgiQ/kMcDPPNofPOz5ZiKN0ST1e44lZqQ5NuUw+OlW8Xlsc4RbfVRO8PP/Xg40t9ZRl0A=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQALVx+qYXgHoHDGbKYTcTVTANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MDYwMjE0MjU0OFoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAn3GZGZ2jxIWfTUi6wnwv63y9rbljZYYS59QRa5OMShzHUUfSQN6os6azIwN9UQvhG1DY00pAtFtvCY8AJpGf6PxK2s6G8F07DI8dY9tWOPZdZ5d/QxOpuApD9HhEov3YCLjVxWsGKVGEcyALvO9CdZC+Bi89w69lrjjiiTetE6gdD6i9UFgH3ij/1NIGVyAe+DDGumIhk893NB+IC/rm5rjehLkVaR1kK0uUBmRhWJ1xCl85iaXL5ny9MRcTcQnPnVE1wUS7uDPo57TWY0atCksljwuuc8TQw6lerbPKbMeeO3ezQI1VI0TDFPJw6Qznvpy/jqKb8Yx3Cmi7c37V8jS1aVliY2VOrB1+mMhYFenOQoFGWtoCAYAuFCRnHPq3jEGxgeQohCTGjmavV5JCZyr7UkrlD6b5cABS4bhfPW0vtg8qRSoZzuaD113e4a1hbu3CQMjr2vkbI3gS326Nzzvgflgdy5yLzeLyIfuWEVjD/fO+YSEVewbEGNDy+XcWWkGSLnGXWuRakpz5/j0pGSANDd1vVKpvWuJU/Oq47KD0J25i/b241kS4XFBeBQmqJfp4u27l3hpY9VGZtljB0gFA1BveGwwNqTfN6IxUQhem/rq1IcpQL9QvEgL/3ap6Pfikxt/rWsTONbMryerO7L9vRiKFfa3CuQtun2J6+SkCAwEAAaMyMDAwHQYDVR0OBBYEFGMZAMiA3iPoj4mQzypgmcpbxzRVMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAGhU2C47bC+lIeLM2F5y6KqmFWfgJRiiVJxnMsZ7vkIPW8hVXqqm+tN7bjWydE8DxXMnBhYOqvsFdeTWWe4Gj2tt2JQ40HCleAU5AXXKhM1ZfeKeZZdFnFuhn6CF60c0wbTfz5cEbuLX1doHs5RQZg4b6nehlF7OFvAEqIrtoy7o2/PYMrhife2C6uqEqxqsvFJRqTWYFNtgMFG5pLCPxT9ekOTTmZNmsnoYmo79xHWnMVw59Sd9KriJ7IX8W2PFDhBKA+jHY9SOD6gYmsuR5KjsH0B47PiezBK/FLfGieQ/NgGdvgv6m8sB0MfnFP4CqpNIftsyfsfE7Mo+I+aZ5JLLm152dWtfhenA+sR+r3RC/97XIXg+5grgYa7dk1ywJkv+ZXwFlzsExyB6E0GPH+rRMVefXn3z06QCNO5CYVjw/8ASsAL+92dAljZDGEwqr1axQMCxrIDxDOs0Ydx5JoiLS+c/tqUp6cXJC5hEd4FwjVe0C+7PRWRzIlJytO3Es1V1ngTsn0HyaUJfls8vqawe5H2nMDP/8V3eGw29OO2gpGAPdlMpOVDso8zGKuy+o6U1+vmgH1iBIMnNBF8+AK+wGM75ZZCaW/n377UutOzwd1TWWBCwBrl+hykgxaVsAhaOg1IQRbj7OWmO8b6hyCfoaOoBI8YrTvt72RtwGusP"}
            Multi AV Scanner detection for submitted file
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeReversingLabs: Detection: 63%
            Yara detected Quasar RAT
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.61b0000.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.4898888.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.61b0000.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.4898888.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000002.4109420847.0000000003BA4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.4110939314.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.4110026356.0000000004895000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe PID: 6976, type: MEMORYSTR
            AI detected suspicious sample
            Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.7% probability
            Machine Learning detection for sample
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeJoe Sandbox ML: detected
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: unknownHTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.4:49739 version: TLS 1.2
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: Binary string: D:\ccode\623\Release\623.pdb source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeCode function: 0_2_00A83059 FindFirstFileExW,0_2_00A83059
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeCode function: 0_2_00A8310A FindFirstFileExW,RevokeDragDrop,FindNextFileW,FindClose,FindClose,0_2_00A8310A

            Networking

            barindex
            Suricata IDS alerts for network traffic
            Source: Network trafficSuricata IDS: 2027619 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (Quasar CnC) : 117.18.7.76:3782 -> 192.168.2.4:49737
            Source: Network trafficSuricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 117.18.7.76:3782 -> 192.168.2.4:49737
            C2 URLs / IPs found in malware configuration
            Source: Malware configuration extractorURLs: 117.18.7.76
            Yara detected Generic Downloader
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.61b0000.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.4898888.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000002.4110939314.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: global trafficTCP traffic: 192.168.2.4:49737 -> 117.18.7.76:3782
            Source: Joe Sandbox ViewIP Address: 195.201.57.90 195.201.57.90
            Source: Joe Sandbox ViewIP Address: 195.201.57.90 195.201.57.90
            Source: Joe Sandbox ViewASN Name: SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong
            Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: unknownDNS query: name: ipwho.is
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive
            Source: unknownTCP traffic detected without corresponding DNS query: 117.18.7.76
            Source: unknownTCP traffic detected without corresponding DNS query: 117.18.7.76
            Source: unknownTCP traffic detected without corresponding DNS query: 117.18.7.76
            Source: unknownTCP traffic detected without corresponding DNS query: 117.18.7.76
            Source: unknownTCP traffic detected without corresponding DNS query: 117.18.7.76
            Source: unknownTCP traffic detected without corresponding DNS query: 117.18.7.76
            Source: unknownTCP traffic detected without corresponding DNS query: 117.18.7.76
            Source: unknownTCP traffic detected without corresponding DNS query: 117.18.7.76
            Source: unknownTCP traffic detected without corresponding DNS query: 117.18.7.76
            Source: unknownTCP traffic detected without corresponding DNS query: 117.18.7.76
            Source: unknownTCP traffic detected without corresponding DNS query: 117.18.7.76
            Source: unknownTCP traffic detected without corresponding DNS query: 117.18.7.76
            Source: unknownTCP traffic detected without corresponding DNS query: 117.18.7.76
            Source: unknownTCP traffic detected without corresponding DNS query: 117.18.7.76
            Source: unknownTCP traffic detected without corresponding DNS query: 117.18.7.76
            Source: unknownTCP traffic detected without corresponding DNS query: 117.18.7.76
            Source: unknownTCP traffic detected without corresponding DNS query: 117.18.7.76
            Source: unknownTCP traffic detected without corresponding DNS query: 117.18.7.76
            Source: unknownTCP traffic detected without corresponding DNS query: 117.18.7.76
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive
            Source: global trafficDNS traffic detected: DNS query: ipwho.is
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeString found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeString found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeString found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeString found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeString found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeString found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, 00000000.00000002.4106853255.000000000138B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, 00000000.00000002.4106853255.000000000138B000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, 00000000.00000002.4109420847.0000000003B57000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ipwho.is
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeString found in binary or memory: http://ocsps.ssl.com0
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeString found in binary or memory: http://ocsps.ssl.com0?
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeString found in binary or memory: http://ocsps.ssl.com0_
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, 00000000.00000002.4109420847.0000000003BA4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, 00000000.00000002.4109420847.0000000003891000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeString found in binary or memory: http://sslcom.crl.certum.pl/ctnca.crl0s
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeString found in binary or memory: http://sslcom.ocsp-certum.com08
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeString found in binary or memory: http://sslcom.repository.certum.pl/ctnca.cer0:
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeString found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeString found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, 00000000.00000002.4110939314.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, 00000000.00000002.4110026356.0000000004895000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, 00000000.00000002.4109420847.0000000003B45000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ipwho.is
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, 00000000.00000002.4110939314.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, 00000000.00000002.4109420847.0000000003B45000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, 00000000.00000002.4110026356.0000000004895000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ipwho.is/
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, 00000000.00000002.4110939314.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, 00000000.00000002.4110026356.0000000004895000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, 00000000.00000002.4110939314.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, 00000000.00000002.4109420847.00000000038C5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, 00000000.00000002.4110026356.0000000004895000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, 00000000.00000002.4110939314.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, 00000000.00000002.4110026356.0000000004895000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeString found in binary or memory: https://www.certum.pl/CPS0
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeString found in binary or memory: https://www.ssl.com/repository0
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
            Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
            Source: unknownHTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.4:49739 version: TLS 1.2

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            barindex
            Installs a global keyboard hook
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeWindows user hook set: 0 keyboard low level C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeJump to behavior

            E-Banking Fraud

            barindex
            Yara detected Quasar RAT
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.61b0000.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.4898888.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.61b0000.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.4898888.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000002.4109420847.0000000003BA4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.4110939314.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.4110026356.0000000004895000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe PID: 6976, type: MEMORYSTR

            System Summary

            barindex
            Malicious sample detected (through community Yara rule)
            Source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.61b0000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
            Source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.61b0000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.61b0000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Quasar infostealer Author: ditekshen
            Source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.4898888.1.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
            Source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.4898888.1.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.4898888.1.unpack, type: UNPACKEDPEMatched rule: Detects Quasar infostealer Author: ditekshen
            Source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.61b0000.2.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
            Source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.61b0000.2.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.61b0000.2.unpack, type: UNPACKEDPEMatched rule: Detects Quasar infostealer Author: ditekshen
            Source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.4898888.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
            Source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.4898888.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.4898888.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Quasar infostealer Author: ditekshen
            Source: 00000000.00000002.4107808945.0000000001510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
            Source: 00000000.00000002.4110939314.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects QuasarRAT malware Author: Florian Roth
            Source: 00000000.00000002.4110939314.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
            Source: 00000000.00000002.4110939314.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Quasar infostealer Author: ditekshen
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeCode function: 0_2_00A492F00_2_00A492F0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeCode function: 0_2_00A897720_2_00A89772
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeCode function: 0_2_018305F90_2_018305F9
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeCode function: 0_2_05E4E82C0_2_05E4E82C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeCode function: 0_2_06108B680_2_06108B68
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeCode function: 0_2_061000070_2_06100007
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeCode function: 0_2_061000400_2_06100040
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeCode function: 0_2_06109A010_2_06109A01
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeCode function: 0_2_08E4A8A80_2_08E4A8A8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeCode function: 0_2_08E46D880_2_08E46D88
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeCode function: String function: 00A7D750 appears 31 times
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeStatic PE information: invalid certificate
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, 00000000.00000002.4110939314.00000000061B0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameClient.exe. vs SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, 00000000.00000002.4110026356.0000000004895000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameClient.exe. vs SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.61b0000.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
            Source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.61b0000.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
            Source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.61b0000.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
            Source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.4898888.1.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
            Source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.4898888.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
            Source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.4898888.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
            Source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.61b0000.2.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
            Source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.61b0000.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
            Source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.61b0000.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
            Source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.4898888.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
            Source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.4898888.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
            Source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.4898888.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
            Source: 00000000.00000002.4107808945.0000000001510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
            Source: 00000000.00000002.4110939314.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
            Source: 00000000.00000002.4110939314.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
            Source: 00000000.00000002.4110939314.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@1/2@1/2
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeMutant created: NULL
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeMutant created: \Sessions\1\BaseNamedObjects\Local\d908c8ed-ea88-484e-a3d2-dcbe66ac7cfc
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeReversingLabs: Detection: 63%
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: cryptnet.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: webio.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: cabinet.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: rtutils.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeStatic file information: File size 3958016 > 1048576
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeStatic PE information: Raw size of .data is bigger than: 0x100000 < 0x322400
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: D:\ccode\623\Release\623.pdb source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeStatic PE information: real checksum: 0x3ca38e should be: 0x3c8d45
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeStatic PE information: section name: .00cfg
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeCode function: 0_2_00A83AC9 push ecx; ret 0_2_00A83ADC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeCode function: 0_2_0151000A push es; ret 0_2_0151004B
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeCode function: 0_2_05E4D372 pushfd ; ret 0_2_05E4D379
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeCode function: 0_2_08E410E4 pushad ; ret 0_2_08E410EA
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeCode function: 0_2_08E420A0 push 67C008C3h; ret 0_2_08E420A6
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeCode function: 0_2_08E40006 push ebp; ret 0_2_08E40026
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeCode function: 0_2_08E41FE0 push eax; ret 0_2_08E41FE1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeCode function: 0_2_08E41FD8 pushad ; ret 0_2_08E41FD9
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeStatic PE information: section name: .text entropy: 7.006278611145333

            Hooking and other Techniques for Hiding and Protection

            barindex
            Hides that the sample has been downloaded from the Internet (zone.identifier)
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeFile opened: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe:Zone.Identifier read attributes | deleteJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeMemory allocated: 3690000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeMemory allocated: 3890000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeMemory allocated: 5890000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeWindow / User API: threadDelayed 2770Jump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeWindow / User API: threadDelayed 6973Jump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe TID: 6196Thread sleep time: -24903104499507879s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe TID: 6332Thread sleep time: -30000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeCode function: 0_2_00A83059 FindFirstFileExW,0_2_00A83059
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeCode function: 0_2_00A8310A FindFirstFileExW,RevokeDragDrop,FindNextFileW,FindClose,FindClose,0_2_00A8310A
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, 00000000.00000002.4111310178.00000000066D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW`:l
            Source: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, 00000000.00000003.1718393063.00000000066C1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, 00000000.00000003.1717789909.00000000066C1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, 00000000.00000003.1718136470.0000000006723000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, 00000000.00000003.2318462269.00000000066BC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, 00000000.00000003.1728444906.00000000066C0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, 00000000.00000002.4111365435.0000000006717000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, 00000000.00000002.4111238792.00000000066BC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, 00000000.00000003.1728379875.0000000006774000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeCode function: 0_2_00A7D585 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00A7D585
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeCode function: 0_2_00A8013D GetProcessHeap,0_2_00A8013D
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeCode function: 0_2_00A7D585 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00A7D585
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeCode function: 0_2_00A7D579 SetUnhandledExceptionFilter,0_2_00A7D579
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeCode function: 0_2_00A81369 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00A81369
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeCode function: 0_2_00A7CF46 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00A7CF46
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeMemory allocated: page read and write | page guardJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeCode function: 0_2_00A7D795 cpuid 0_2_00A7D795
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeCode function: 0_2_00A7D45B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00A7D45B
            Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information

            barindex
            Yara detected Quasar RAT
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.61b0000.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.4898888.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.61b0000.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.4898888.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000002.4109420847.0000000003BA4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.4110939314.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.4110026356.0000000004895000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe PID: 6976, type: MEMORYSTR

            Remote Access Functionality

            barindex
            Yara detected Quasar RAT
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.61b0000.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.4898888.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.61b0000.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe.4898888.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000002.4109420847.0000000003BA4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.4110939314.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.4110026356.0000000004895000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe PID: 6976, type: MEMORYSTR

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity InformationAcquire InfrastructureValid Accounts21
            Windows Management Instrumentation            		1
            DLL Side-Loading            		1
            DLL Side-Loading            		1
            Disable or Modify Tools            		11
            Input Capture            		1
            System Time Discovery            		Remote Services11
            Input Capture            		11
            Encrypted Channel            		Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts41
            Virtualization/Sandbox Evasion            		LSASS Memory1
            Query Registry            		Remote Desktop Protocol1
            Archive Collected Data            		1
            Non-Standard Port            		Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
            Deobfuscate/Decode Files or Information            		Security Account Manager31
            Security Software Discovery            		SMB/Windows Admin SharesData from Network Shared Drive1
            Ingress Tool Transfer            		Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
            Hidden Files and Directories            		NTDS41
            Virtualization/Sandbox Evasion            		Distributed Component Object ModelInput Capture2
            Non-Application Layer Protocol            		Traffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script3
            Obfuscated Files or Information            		LSA Secrets1
            Application Window Discovery            		SSHKeylogging113
            Application Layer Protocol            		Scheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
            Software Packing            		Cached Domain Credentials1
            System Network Configuration Discovery            		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
            DLL Side-Loading            		DCSync1
            File and Directory Discovery            		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem34
            System Information Discovery            		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe63%ReversingLabsWin32.Trojan.QuasarRat
            SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe100%AviraTR/AD.Nekark.sbdrl
            SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe100%Joe Sandbox ML

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            SourceDetectionScannerLabelLink
            https://api.ipify.org/0%URL Reputationsafe
            https://stackoverflow.com/q/14436606/233540%URL Reputationsafe
            https://www.certum.pl/CPS00%URL Reputationsafe
            https://stackoverflow.com/q/11564914/23354;0%URL Reputationsafe
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            ipwho.is
            		195.201.57.90
            		truefalse
              		unknown
              default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
              		217.20.57.18
              		truefalse
                		unknown

                Contacted URLs

                NameMaliciousAntivirus DetectionReputation
                117.18.7.76true
                  		unknown
                  https://ipwho.is/false
                    		unknown

                    URLs from Memory and Binaries

                    NameSourceMaliciousAntivirus DetectionReputation
                    https://api.ipify.org/SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, 00000000.00000002.4110939314.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, 00000000.00000002.4110026356.0000000004895000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    https://stackoverflow.com/q/14436606/23354SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, 00000000.00000002.4110939314.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, 00000000.00000002.4109420847.00000000038C5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, 00000000.00000002.4110026356.0000000004895000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://schemas.datacontract.org/2004/07/SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, 00000000.00000002.4109420847.0000000003BA4000.00000004.00000800.00020000.00000000.sdmpfalse
                      		unknown
                      http://ocsps.ssl.com0?SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exefalse
                        		unknown
                        http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exefalse
                          		unknown
                          http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0QSecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exefalse
                            		unknown
                            http://ocsps.ssl.com0SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exefalse
                              		unknown
                              http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exefalse
                                		unknown
                                http://sslcom.crl.certum.pl/ctnca.crl0sSecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exefalse
                                  		unknown
                                  http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exefalse
                                    		unknown
                                    https://www.certum.pl/CPS0SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exefalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://sslcom.repository.certum.pl/ctnca.cer0:SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exefalse
                                      		unknown
                                      http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exefalse
                                        		unknown
                                        http://crls.ssl.com/ssl.com-rsa-RootCA.crl0SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exefalse
                                          		unknown
                                          http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exefalse
                                            		unknown
                                            https://stackoverflow.com/q/11564914/23354;SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, 00000000.00000002.4110939314.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, 00000000.00000002.4110026356.0000000004895000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            https://ipwho.isSecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, 00000000.00000002.4109420847.0000000003B45000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		unknown
                                              https://www.ssl.com/repository0SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exefalse
                                                		unknown
                                                http://ocsps.ssl.com0_SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exefalse
                                                  		unknown
                                                  http://sslcom.ocsp-certum.com08SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exefalse
                                                    		unknown
                                                    https://stackoverflow.com/q/2152978/23354sCannotSecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, 00000000.00000002.4110939314.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, 00000000.00000002.4110026356.0000000004895000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		unknown
                                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameSecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, 00000000.00000002.4109420847.0000000003891000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      		unknown
                                                      http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exefalse
                                                        		unknown
                                                        http://ipwho.isSecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, 00000000.00000002.4109420847.0000000003B57000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		unknown

                                                          World Map of Contacted IPs

                                                          • No. of IPs < 25%
                                                          • 25% < No. of IPs < 50%
                                                          • 50% < No. of IPs < 75%
                                                          • 75% < No. of IPs

                                                          Public IPs

                                                          IPDomainCountryFlagASNASN NameMalicious
                                                          117.18.7.76
                                                          		unknownHong Kong
                                                          		38197SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKongtrue
                                                          195.201.57.90
                                                          		ipwho.isGermany
                                                          		24940HETZNER-ASDEfalse

                                                          General Information

                                                          Joe Sandbox version:41.0.0 Charoite
                                                          Analysis ID:1521525
                                                          Start date and time:2024-09-28 21:29:06 +02:00
                                                          Joe Sandbox product:CloudBasic
                                                          Overall analysis duration:0h 8m 16s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:full
                                                          Cookbook file name:default.jbs
                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                          Number of analysed new started processes analysed:5
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:0
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Sample name:SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe
                                                          Detection:MAL
                                                          Classification:mal100.troj.spyw.evad.winEXE@1/2@1/2
                                                          EGA Information:
                                                          • Successful, ratio: 100%
                                                          HCA Information:
                                                          • Successful, ratio: 99%
                                                          • Number of executed functions: 105
                                                          • Number of non-executed functions: 32
                                                          Cookbook Comments:
                                                          • Found application associated with file extension: .exe
                                                          • Override analysis time to 240000 for current running targets taking high CPU consumption

                                                          Warnings

                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                          • Excluded IPs from analysis (whitelisted): 217.20.57.18
                                                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                                                          • Not all processes where analyzed, report is missing behavior information
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                          • VT rate limit hit for: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe

                                                          Simulations

                                                          Behavior and APIs

                                                          TimeTypeDescription
                                                          15:29:59API Interceptor12041369x Sleep call for process: SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe modified

                                                          Joe Sandbox View / Context

                                                          IPs

                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                          117.18.7.76B2kZ0dgxNn.exeGet hashmaliciousQuasarBrowse
                                                            0Z0CbhhLet.exeGet hashmaliciousQuasarBrowse
                                                              195.201.57.90SPt4FUjZMt.exeGet hashmaliciousAsyncRAT, Luca Stealer, MicroClip, PythonCryptoHijacker, RedLineBrowse
                                                              • /?output=json
                                                              765iYbgWn9.exeGet hashmaliciousLuca StealerBrowse
                                                              • /?output=json
                                                              765iYbgWn9.exeGet hashmaliciousLuca StealerBrowse
                                                              • /?output=json
                                                              WfKynArKjH.exeGet hashmaliciousAsyncRAT, Luca Stealer, MicroClip, RedLineBrowse
                                                              • /?output=json
                                                              ubes6SC7Vd.exeGet hashmaliciousUnknownBrowse
                                                              • ipwhois.app/xml/
                                                              cOQD62FceM.exeGet hashmaliciousLuca Stealer, Rusty StealerBrowse
                                                              • /?output=json
                                                              Clipper.exeGet hashmaliciousUnknownBrowse
                                                              • /?output=json
                                                              cOQD62FceM.exeGet hashmaliciousLuca StealerBrowse
                                                              • /?output=json
                                                              Cryptor.exeGet hashmaliciousLuca StealerBrowse
                                                              • /?output=json
                                                              Cryptor.exeGet hashmaliciousLuca Stealer, Rusty StealerBrowse
                                                              • /?output=json

                                                              Domains

                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.comhttps://att-109355.weeblysite.com/Get hashmaliciousHTMLPhisherBrowse
                                                              • 217.20.57.18
                                                              http://home-hub-trezur.github.io/Get hashmaliciousHTMLPhisherBrowse
                                                              • 217.20.57.18
                                                              https://meettamask-logiinii.gitbook.io/Get hashmaliciousHTMLPhisherBrowse
                                                              • 217.20.57.18
                                                              https://mmmetamsk-logg.godaddysites.com/Get hashmaliciousHTMLPhisherBrowse
                                                              • 217.20.57.34
                                                              http://facturationrecepti.wixsite.com/my-site-4/Get hashmaliciousUnknownBrowse
                                                              • 217.20.57.34
                                                              https://cbltool.com/Get hashmaliciousUnknownBrowse
                                                              • 217.20.57.18
                                                              http://serviceappinfms12.pages.dev/Get hashmaliciousTechSupportScamBrowse
                                                              • 217.20.57.34
                                                              https://claim.eventsmidasbuys.com/Get hashmaliciousHTMLPhisherBrowse
                                                              • 217.20.57.34
                                                              https://rbhionhodlogxcn.godaddysites.com/Get hashmaliciousUnknownBrowse
                                                              • 217.20.57.34
                                                              http://ssmdnrudjenn.weebly.com/Get hashmaliciousHTMLPhisherBrowse
                                                              • 217.20.57.34
                                                              ipwho.ishttp://ufvskbzrquea.pages.dev/Get hashmaliciousTechSupportScamBrowse
                                                              • 195.201.57.90
                                                              http://serviceappinfms12.pages.dev/Get hashmaliciousTechSupportScamBrowse
                                                              • 195.201.57.90
                                                              http://1d807473.flca.pages.dev/Get hashmaliciousTechSupportScamBrowse
                                                              • 195.201.57.90
                                                              https://f0mlxe0jneh1.pages.dev/Get hashmaliciousUnknownBrowse
                                                              • 195.201.57.90
                                                              https://bmrnyehuivryuaq.pages.dev/Get hashmaliciousUnknownBrowse
                                                              • 195.201.57.90
                                                              https://jltnm7ux9ko.pages.dev/Get hashmaliciousUnknownBrowse
                                                              • 195.201.57.90
                                                              http://irxpolrqchi.pages.dev/Get hashmaliciousUnknownBrowse
                                                              • 195.201.57.90
                                                              http://v1bwdoexd1lj9stgmwip.pages.dev/Get hashmaliciousUnknownBrowse
                                                              • 195.201.57.90
                                                              http://yzkgxjyz0y4417anol.pages.dev/Get hashmaliciousUnknownBrowse
                                                              • 108.181.98.179

                                                              ASNs

                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              HETZNER-ASDESecuriteInfo.com.Win64.Evo-gen.19321.5552.exeGet hashmaliciousUnknownBrowse
                                                              • 138.201.163.183
                                                              http://ufvskbzrquea.pages.dev/Get hashmaliciousTechSupportScamBrowse
                                                              • 195.201.57.90
                                                              http://glamorous-productive-baboon.glitch.me/Get hashmaliciousUnknownBrowse
                                                              • 195.201.168.243
                                                              http://serviceappinfms12.pages.dev/Get hashmaliciousTechSupportScamBrowse
                                                              • 195.201.57.90
                                                              https://teams-autobahn.de/?rid=OnGvwHuGet hashmaliciousUnknownBrowse
                                                              • 94.130.149.138
                                                              https://aquaanalytics.uz/wp-includes/vbkdj.phpGet hashmaliciousUnknownBrowse
                                                              • 88.198.26.190
                                                              http://en-alldappfix.pages.dev/Get hashmaliciousHTMLPhisherBrowse
                                                              • 168.119.72.236
                                                              https://claim.eventsmidasbuys.com/Get hashmaliciousHTMLPhisherBrowse
                                                              • 135.181.63.70
                                                              http://activa1dina.w3spaces.com/Get hashmaliciousUnknownBrowse
                                                              • 116.202.167.133
                                                              bind.aspx.exeGet hashmaliciousVidarBrowse
                                                              • 135.181.31.18
                                                              SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKonghttps://tkshang.xyz/Get hashmaliciousUnknownBrowse
                                                              • 45.64.52.53
                                                              https://83153.cc/Get hashmaliciousUnknownBrowse
                                                              • 43.243.73.240
                                                              https://tiktok8.biz/Get hashmaliciousUnknownBrowse
                                                              • 112.213.117.168
                                                              http://bet938r.com/Get hashmaliciousUnknownBrowse
                                                              • 43.243.73.202
                                                              http://qian.12315hp.cn/Get hashmaliciousUnknownBrowse
                                                              • 43.226.127.141
                                                              https://bet958v.com/Get hashmaliciousUnknownBrowse
                                                              • 223.26.57.26
                                                              http://tiktoksc.xyz/Get hashmaliciousUnknownBrowse
                                                              • 202.146.220.117
                                                              http://tiktok1688.cc/Get hashmaliciousUnknownBrowse
                                                              • 121.127.233.161
                                                              http://www.telegrramm.help/Get hashmaliciousUnknownBrowse
                                                              • 210.56.49.133
                                                              http://telegrracm.help/Get hashmaliciousUnknownBrowse
                                                              • 210.56.49.133

                                                              JA3 Fingerprints

                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              3b5074b1b5d032e5620f69f9f700ff0eSecuriteInfo.com.Trojan.PackedNET.3066.19627.4428.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                              • 195.201.57.90
                                                              Potential Phish.msgGet hashmaliciousUnknownBrowse
                                                              • 195.201.57.90
                                                              update.ps1Get hashmaliciousHTMLPhisherBrowse
                                                              • 195.201.57.90
                                                              http://telesexprivatexx.vercel.app/Get hashmaliciousPorn ScamBrowse
                                                              • 195.201.57.90
                                                              http://btservice231.weebly.com/Get hashmaliciousHTMLPhisherBrowse
                                                              • 195.201.57.90
                                                              Balance payment.exeGet hashmaliciousAgentTeslaBrowse
                                                              • 195.201.57.90
                                                              https://31g323452vg34v5g5ufg6tfgfgg45hj4jjh4j5h4jh545hh4jh65.weebly.com/Get hashmaliciousUnknownBrowse
                                                              • 195.201.57.90
                                                              http://asdfggg.bonkcat.vip/Get hashmaliciousHTMLPhisherBrowse
                                                              • 195.201.57.90
                                                              https://metamisk-login-1.gitbook.io/Get hashmaliciousHTMLPhisherBrowse
                                                              • 195.201.57.90
                                                              https://conebaesignin.gitbook.io/Get hashmaliciousHTMLPhisherBrowse
                                                              • 195.201.57.90

                                                              Dropped Files

                                                              No context

                                                              Created / dropped Files

                                                              C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

                                                              Download File
                                                              Process:C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe
                                                              File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                              Category:dropped
                                                              Size (bytes):71954
                                                              Entropy (8bit):7.996617769952133
                                                              Encrypted:true
                                                              SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                              MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                              SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                              SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                              SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                              Malicious:false
                                                              Reputation:high, very likely benign file
                                                              Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

                                                              C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

                                                              Download File
                                                              Process:C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):328
                                                              Entropy (8bit):3.1356875516282012
                                                              Encrypted:false
                                                              SSDEEP:6:kKnTkNtL9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:fwiDnLNkPlE99SNxAhUe/3
                                                              MD5:D0368086331353994DD015F61BDE0145
                                                              SHA1:00277DD244498DEE98C9DB0F3DAC3AB116F715E6
                                                              SHA-256:808398C984E480CF24A77EA1A5A8F71AB3DED50FCEAF199FF9424BBC05B73BEF
                                                              SHA-512:ADA1688664083A708E1D24DF3800512DB1DA7CC25D1DA539879B9AC97AC3B3A52F3101FAEAEA77C28BBFBE0D70776E180350B026C8396075420512E9BF56DD2E
                                                              Malicious:false
                                                              Reputation:low
                                                              Preview:p...... ..........h-....(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

                                                              Static File Info

                                                              General

                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                              Entropy (8bit):7.953660677295274
                                                              TrID:
                                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                              • DOS Executable Generic (2002/1) 0.02%
                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                              File name:SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe
                                                              File size:3'958'016 bytes
                                                              MD5:e3a6a985899b7b14de0e539045fa8856
                                                              SHA1:1fdfc2ea75c2f52526dfa96834ec2f383d0c02f8
                                                              SHA256:30ab8dea3f9af09e931fe9c72cc52c5a1a69ab6de752f20d13e465c7a4bda6d4
                                                              SHA512:7e5f43999a1c4e46134446a259604fe9ea8d3c5688751baa83c33fa3d104e8ef2a35e2ac3c437d6ab98bf8f74696508ab643ac6030ba63c9aec7c219441ce451
                                                              SSDEEP:98304:DSK7ExFF5Be4Q9EsPsEmj8+FFy9c6W7gv2/VQz:DSKQqJPsxHFEc6W7Ez
                                                              TLSH:E10623AAFCB300A3FAE35D74E53AD3B1C4167DB5BE2C389F00104298D5BA6ED9664117
                                                              File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...]..f......................2...................@..........................p<.......<...@.................................4...(..

                                                              File Icon

                                                              Icon Hash:c988224b43cb6200

                                                              Static PE Info

                                                              General

                                                              Entrypoint:0x48d1b5
                                                              Entrypoint Section:.text
                                                              Digitally signed:true
                                                              Imagebase:0x400000
                                                              Subsystem:windows gui
                                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                              Time Stamp:0x66A3055D [Fri Jul 26 02:09:33 2024 UTC]
                                                              TLS Callbacks:
                                                              CLR (.Net) Version:
                                                              OS Version Major:6
                                                              OS Version Minor:0
                                                              File Version Major:6
                                                              File Version Minor:0
                                                              Subsystem Version Major:6
                                                              Subsystem Version Minor:0
                                                              Import Hash:a315d669637908703a5fcff864ade1ea

                                                              Authenticode Signature

                                                              Signature Valid:false
                                                              Signature Issuer:CN=SSL.com EV Code Signing Intermediate CA RSA R3, O=SSL Corp, L=Houston, S=Texas, C=US
                                                              Signature Validation Error:The digital signature of the object did not verify
                                                              Error Number:-2146869232
                                                              Not Before, Not After
                                                              • 19/08/2021 20:03:08 18/08/2024 20:03:08
                                                              Subject Chain
                                                              • OID.1.3.6.1.4.1.311.60.2.1.3=CZ, OID.1.3.6.1.4.1.311.60.2.1.2=Prague, OID.2.5.4.15=Private Organization, CN=JetBrains s.r.o., SERIALNUMBER=C 86211, O=JetBrains s.r.o., L=Prague, C=CZ
                                                              Version:3
                                                              Thumbprint MD5:F2793E9F216BAD3BF79D10957FA8E34A
                                                              Thumbprint SHA-1:24CD3C779BF9A0E4BB01C5173F5DDB119751E5B6
                                                              Thumbprint SHA-256:0C4E13120DC1FF2BB73BFF1E1502D628E069B0D457D60C4FC5833FCA38510C2C
                                                              Serial:78559D9A1E2FC1A479D627684D113A59

                                                              Entrypoint Preview

                                                              Instruction
                                                              call 00007F0164DE836Bh
                                                              jmp 00007F0164DE7F89h
                                                              push ebp
                                                              mov ebp, esp
                                                              push dword ptr [ebp+08h]
                                                              call 00007F0164DE811Fh
                                                              neg eax
                                                              pop ecx
                                                              sbb eax, eax
                                                              neg eax
                                                              dec eax
                                                              pop ebp
                                                              ret
                                                              push ebp
                                                              mov ebp, esp
                                                              cmp dword ptr [007C2670h], FFFFFFFFh
                                                              push dword ptr [ebp+08h]
                                                              jne 00007F0164DE8119h
                                                              call 00007F0164DE9D8Dh
                                                              jmp 00007F0164DE811Dh
                                                              push 007C2670h
                                                              call 00007F0164DE9D10h
                                                              pop ecx
                                                              neg eax
                                                              pop ecx
                                                              sbb eax, eax
                                                              not eax
                                                              and eax, dword ptr [ebp+08h]
                                                              pop ebp
                                                              ret
                                                              push 00000008h
                                                              push 0049F580h
                                                              call 00007F0164DE8658h
                                                              and dword ptr [ebp-04h], 00000000h
                                                              mov eax, 00005A4Dh
                                                              cmp word ptr [00400000h], ax
                                                              jne 00007F0164DE816Fh
                                                              mov eax, dword ptr [0040003Ch]
                                                              cmp dword ptr [eax+00400000h], 00004550h
                                                              jne 00007F0164DE815Eh
                                                              mov ecx, 0000010Bh
                                                              cmp word ptr [eax+00400018h], cx
                                                              jne 00007F0164DE8150h
                                                              mov eax, dword ptr [ebp+08h]
                                                              mov ecx, 00400000h
                                                              sub eax, ecx
                                                              push eax
                                                              push ecx
                                                              call 00007F0164DE8292h
                                                              pop ecx
                                                              pop ecx
                                                              test eax, eax
                                                              je 00007F0164DE8139h
                                                              cmp dword ptr [eax+24h], 00000000h
                                                              jl 00007F0164DE8133h
                                                              mov dword ptr [ebp-04h], FFFFFFFEh
                                                              mov al, 01h
                                                              jmp 00007F0164DE8131h
                                                              mov eax, dword ptr [ebp-14h]
                                                              mov eax, dword ptr [eax]
                                                              xor ecx, ecx
                                                              cmp dword ptr [eax], C0000005h
                                                              sete cl
                                                              mov eax, ecx
                                                              ret
                                                              mov esp, dword ptr [ebp-18h]

                                                              Data Directories

                                                              NameVirtual AddressVirtual Size Is in Section
                                                              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_IMPORT0x9ee340x28.rdata
                                                              IMAGE_DIRECTORY_ENTRY_RESOURCE0x3c40000xce4.rsrc
                                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_SECURITY0x3c38000x2d00
                                                              IMAGE_DIRECTORY_ENTRY_BASERELOC0x3c50000x14f4.reloc
                                                              IMAGE_DIRECTORY_ENTRY_DEBUG0x9ed700x1c.rdata
                                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x9a0480xc0.rdata
                                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_IAT0x9ef680x10c.rdata
                                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                              Sections

                                                              NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                              .text0x10000x98d9c0x98e00fede7adc7a945fbfa2c9751e872f4c51False0.6874744480784954data7.006278611145333IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                              .rdata0x9a0000x5afc0x5c00d1a702d1b174fd2156a52d1dedc1f7d4False0.413765285326087data4.785684090567534IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                              .data0xa00000x322d840x322400b57c20d619195e154d9d9cdd1035ebf7unknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                              .00cfg0x3c30000x80x200803b7fc6494dbf564ccaa7a3db18b394False0.03125data0.06116285224115448IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                              .rsrc0x3c40000xce40xe00f13ef9d04e287a3b6e0bac4b04a1291dFalse0.7424665178571429data6.779970979357804IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                              .reloc0x3c50000x14f40x160039a0370dded832dabc988f5cee9de78fFalse0.728515625GLS_BINARY_LSB_FIRST6.078421813674174IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                              Resources

                                                              NameRVASizeTypeLanguageCountryZLIB Complexity
                                                              RT_ICON0x3c41740x46PNG image data, 1 x 1, 8-bit/color RGBA, non-interlaced0.9428571428571428
                                                              RT_ICON0x3c41bc0x74dPNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced1.0058855002675227
                                                              RT_GROUP_ICON0x3c490c0x22data0.9705882352941176
                                                              RT_VERSION0x3c49300x270dataEnglishUnited States0.4807692307692308
                                                              RT_MANIFEST0x3c4ba00x143XML 1.0 document, ASCII textEnglishUnited States0.628482972136223

                                                              Imports

                                                              DLLImport
                                                              KERNEL32.dllCloseHandle, CompareStringW, CreateFileW, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileType, GetLastError, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WideCharToMultiByte, WriteConsoleW, WriteFile

                                                              Possible Origin

                                                              Language of compilation systemCountry where language is spokenMap
                                                              EnglishUnited States

                                                              Network Behavior

                                                              Suricata IDS Alerts

                                                              TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                              2024-09-28T21:30:00.539942+02002027619ET MALWARE Observed Malicious SSL Cert (Quasar CnC)1117.18.7.763782192.168.2.449737TCP
                                                              2024-09-28T21:30:00.539942+02002035595ET MALWARE Generic AsyncRAT Style SSL Cert1117.18.7.763782192.168.2.449737TCP

                                                              Network Port Distribution

                                                              TCP Packets

                                                              TimestampSource PortDest PortSource IPDest IP
                                                              Sep 28, 2024 21:29:59.613176107 CEST497373782192.168.2.4117.18.7.76
                                                              Sep 28, 2024 21:29:59.618443012 CEST378249737117.18.7.76192.168.2.4
                                                              Sep 28, 2024 21:29:59.618544102 CEST497373782192.168.2.4117.18.7.76
                                                              Sep 28, 2024 21:29:59.630131960 CEST497373782192.168.2.4117.18.7.76
                                                              Sep 28, 2024 21:29:59.635284901 CEST378249737117.18.7.76192.168.2.4
                                                              Sep 28, 2024 21:30:00.528548002 CEST378249737117.18.7.76192.168.2.4
                                                              Sep 28, 2024 21:30:00.528568983 CEST378249737117.18.7.76192.168.2.4
                                                              Sep 28, 2024 21:30:00.528654099 CEST497373782192.168.2.4117.18.7.76
                                                              Sep 28, 2024 21:30:00.535007954 CEST497373782192.168.2.4117.18.7.76
                                                              Sep 28, 2024 21:30:00.539942026 CEST378249737117.18.7.76192.168.2.4
                                                              Sep 28, 2024 21:30:00.840895891 CEST378249737117.18.7.76192.168.2.4
                                                              Sep 28, 2024 21:30:00.892282009 CEST497373782192.168.2.4117.18.7.76
                                                              Sep 28, 2024 21:30:02.120951891 CEST49739443192.168.2.4195.201.57.90
                                                              Sep 28, 2024 21:30:02.120984077 CEST44349739195.201.57.90192.168.2.4
                                                              Sep 28, 2024 21:30:02.121047020 CEST49739443192.168.2.4195.201.57.90
                                                              Sep 28, 2024 21:30:02.122071981 CEST49739443192.168.2.4195.201.57.90
                                                              Sep 28, 2024 21:30:02.122087002 CEST44349739195.201.57.90192.168.2.4
                                                              Sep 28, 2024 21:30:03.002929926 CEST44349739195.201.57.90192.168.2.4
                                                              Sep 28, 2024 21:30:03.003016949 CEST49739443192.168.2.4195.201.57.90
                                                              Sep 28, 2024 21:30:03.007673025 CEST49739443192.168.2.4195.201.57.90
                                                              Sep 28, 2024 21:30:03.007693052 CEST44349739195.201.57.90192.168.2.4
                                                              Sep 28, 2024 21:30:03.007946968 CEST44349739195.201.57.90192.168.2.4
                                                              Sep 28, 2024 21:30:03.048496008 CEST49739443192.168.2.4195.201.57.90
                                                              Sep 28, 2024 21:30:03.064564943 CEST49739443192.168.2.4195.201.57.90
                                                              Sep 28, 2024 21:30:03.111403942 CEST44349739195.201.57.90192.168.2.4
                                                              Sep 28, 2024 21:30:03.256226063 CEST44349739195.201.57.90192.168.2.4
                                                              Sep 28, 2024 21:30:03.256292105 CEST44349739195.201.57.90192.168.2.4
                                                              Sep 28, 2024 21:30:03.256335020 CEST49739443192.168.2.4195.201.57.90
                                                              Sep 28, 2024 21:30:03.324791908 CEST49739443192.168.2.4195.201.57.90
                                                              Sep 28, 2024 21:30:03.597027063 CEST497373782192.168.2.4117.18.7.76
                                                              Sep 28, 2024 21:30:03.602415085 CEST378249737117.18.7.76192.168.2.4
                                                              Sep 28, 2024 21:30:03.602509022 CEST497373782192.168.2.4117.18.7.76
                                                              Sep 28, 2024 21:30:03.607362032 CEST378249737117.18.7.76192.168.2.4
                                                              Sep 28, 2024 21:30:04.167566061 CEST378249737117.18.7.76192.168.2.4
                                                              Sep 28, 2024 21:30:04.220395088 CEST497373782192.168.2.4117.18.7.76
                                                              Sep 28, 2024 21:30:04.428736925 CEST378249737117.18.7.76192.168.2.4
                                                              Sep 28, 2024 21:30:04.470413923 CEST497373782192.168.2.4117.18.7.76
                                                              Sep 28, 2024 21:30:29.439205885 CEST497373782192.168.2.4117.18.7.76
                                                              Sep 28, 2024 21:30:29.444369078 CEST378249737117.18.7.76192.168.2.4
                                                              Sep 28, 2024 21:30:54.454863071 CEST497373782192.168.2.4117.18.7.76
                                                              Sep 28, 2024 21:30:54.460489988 CEST378249737117.18.7.76192.168.2.4
                                                              Sep 28, 2024 21:31:19.470477104 CEST497373782192.168.2.4117.18.7.76
                                                              Sep 28, 2024 21:31:19.489253044 CEST378249737117.18.7.76192.168.2.4
                                                              Sep 28, 2024 21:31:44.548639059 CEST497373782192.168.2.4117.18.7.76
                                                              Sep 28, 2024 21:31:44.691724062 CEST378249737117.18.7.76192.168.2.4
                                                              Sep 28, 2024 21:32:09.821619034 CEST497373782192.168.2.4117.18.7.76
                                                              Sep 28, 2024 21:32:10.026746988 CEST378249737117.18.7.76192.168.2.4
                                                              Sep 28, 2024 21:32:35.142436981 CEST497373782192.168.2.4117.18.7.76
                                                              Sep 28, 2024 21:32:35.147706985 CEST378249737117.18.7.76192.168.2.4
                                                              Sep 28, 2024 21:33:00.236188889 CEST497373782192.168.2.4117.18.7.76
                                                              Sep 28, 2024 21:33:00.257474899 CEST378249737117.18.7.76192.168.2.4
                                                              Sep 28, 2024 21:33:25.348948002 CEST497373782192.168.2.4117.18.7.76
                                                              Sep 28, 2024 21:33:25.354074001 CEST378249737117.18.7.76192.168.2.4
                                                              Sep 28, 2024 21:33:50.548717976 CEST497373782192.168.2.4117.18.7.76
                                                              Sep 28, 2024 21:33:50.553666115 CEST378249737117.18.7.76192.168.2.4

                                                              UDP Packets

                                                              TimestampSource PortDest PortSource IPDest IP
                                                              Sep 28, 2024 21:30:02.108798981 CEST5737853192.168.2.41.1.1.1
                                                              Sep 28, 2024 21:30:02.117058992 CEST53573781.1.1.1192.168.2.4

                                                              DNS Queries

                                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                              Sep 28, 2024 21:30:02.108798981 CEST192.168.2.41.1.1.10xdedaStandard query (0)ipwho.isA (IP address)IN (0x0001)false

                                                              DNS Answers

                                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                              Sep 28, 2024 21:30:01.051382065 CEST1.1.1.1192.168.2.40x2b67No error (0)edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.comdefault.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.comCNAME (Canonical name)IN (0x0001)false
                                                              Sep 28, 2024 21:30:01.051382065 CEST1.1.1.1192.168.2.40x2b67No error (0)default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com217.20.57.18A (IP address)IN (0x0001)false
                                                              Sep 28, 2024 21:30:01.051382065 CEST1.1.1.1192.168.2.40x2b67No error (0)default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com217.20.57.34A (IP address)IN (0x0001)false
                                                              Sep 28, 2024 21:30:02.117058992 CEST1.1.1.1192.168.2.40xdedaNo error (0)ipwho.is195.201.57.90A (IP address)IN (0x0001)false

                                                              HTTP Request Dependency Graph

                                                              • ipwho.is

                                                              HTTPS Proxied Packets

                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              0192.168.2.449739195.201.57.904436976C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe
                                                              TimestampBytes transferredDirectionData
                                                              2024-09-28 19:30:03 UTC150OUTGET / HTTP/1.1
                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
                                                              Host: ipwho.is
                                                              Connection: Keep-Alive
                                                              2024-09-28 19:30:03 UTC223INHTTP/1.1 200 OK
                                                              Date: Sat, 28 Sep 2024 19:30:03 GMT
                                                              Content-Type: application/json; charset=utf-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              Server: ipwhois
                                                              Access-Control-Allow-Headers: *
                                                              X-Robots-Tag: noindex
                                                              2024-09-28 19:30:03 UTC1019INData Raw: 33 65 66 0d 0a 7b 0a 20 20 20 20 22 41 62 6f 75 74 20 55 73 22 3a 20 22 68 74 74 70 73 3a 5c 2f 5c 2f 69 70 77 68 6f 69 73 2e 69 6f 22 2c 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 74 79 70 65 22 3a 20 22 49 50 76 34 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 20 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 20 22 4e 41 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72
                                                              Data Ascii: 3ef{ "About Us": "https:\/\/ipwhois.io", "ip": "8.46.123.33", "success": true, "type": "IPv4", "continent": "North America", "continent_code": "NA", "country": "United States", "country_code": "US", "region": "New Yor


                                                              Statistics

                                                              CPU Usage

                                                              Click to jump to process

                                                              Memory Usage

                                                              Click to jump to process

                                                              High Level Behavior Distribution

                                                              Click to dive into process behavior distribution

                                                              System Behavior

                                                              General

                                                              Target ID:0
                                                              Start time:15:29:55
                                                              Start date:28/09/2024
                                                              Path:C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe"
                                                              Imagebase:0x9f0000
                                                              File size:3'958'016 bytes
                                                              MD5 hash:E3A6A985899B7B14DE0E539045FA8856
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.4109420847.0000000003BA4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.4107808945.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                              • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.4110939314.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.4110939314.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                              • Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: 00000000.00000002.4110939314.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                              • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000000.00000002.4110939314.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                              • Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: 00000000.00000002.4110939314.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekshen
                                                              • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.4110026356.0000000004895000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              Reputation:low
                                                              Has exited:false

                                                              Disassembly

                                                              Reset < >

                                                                Execution Graph

                                                                Execution Coverage:6.7%
                                                                Dynamic/Decrypted Code Coverage:79.5%
                                                                Signature Coverage:0.8%
                                                                Total number of Nodes:902
                                                                Total number of Limit Nodes:58
                                                                execution_graph 59730 61a17f8 59731 61a183e DeleteFileW 59730->59731 59733 61a1877 59731->59733 59039 61059d3 59040 61059dc 59039->59040 59042 61059fa 59039->59042 59040->59042 59045 6104150 59040->59045 59043 6104150 10 API calls 59042->59043 59044 6105b33 59042->59044 59043->59044 59046 6104160 59045->59046 59047 610419d 59046->59047 59050 61077d0 59046->59050 59079 61077e0 59046->59079 59047->59042 59051 6107819 59050->59051 59056 61078b7 59051->59056 59108 5e4f7a0 59051->59108 59114 5e4f788 59051->59114 59053 6107923 59125 6106b30 59053->59125 59055 610792d 59139 6106b90 59055->59139 59119 6106b80 59056->59119 59060 610795c 59061 6104150 10 API calls 59060->59061 59072 6107a3f 59060->59072 59062 61079e5 59061->59062 59150 610741c 59062->59150 59063 6107aa0 59170 610cab0 59063->59170 59174 610caa0 59063->59174 59065 6107ab4 59066 61079f4 59067 610741c 2 API calls 59066->59067 59066->59072 59068 6107a1f 59067->59068 59069 610741c 2 API calls 59068->59069 59068->59072 59070 6107a30 59069->59070 59155 610556c 59070->59155 59162 5e4e80c 59072->59162 59166 5e4f050 59072->59166 59081 6107819 59079->59081 59080 6106b80 10 API calls 59082 6107923 59080->59082 59083 61078b7 59081->59083 59106 5e4f7a0 2 API calls 59081->59106 59107 5e4f788 2 API calls 59081->59107 59084 6106b30 10 API calls 59082->59084 59083->59080 59085 610792d 59084->59085 59086 6106b90 10 API calls 59085->59086 59087 6107935 59086->59087 59088 61073cc 10 API calls 59087->59088 59089 610795c 59087->59089 59088->59089 59090 6104150 10 API calls 59089->59090 59091 6107a3f 59089->59091 59092 61079e5 59090->59092 59104 5e4f050 10 API calls 59091->59104 59105 5e4e80c 10 API calls 59091->59105 59094 610741c 2 API calls 59092->59094 59093 6107aa0 59102 610cab0 10 API calls 59093->59102 59103 610caa0 10 API calls 59093->59103 59096 61079f4 59094->59096 59095 6107ab4 59096->59091 59097 610741c 2 API calls 59096->59097 59098 6107a1f 59097->59098 59098->59091 59099 610741c 2 API calls 59098->59099 59100 6107a30 59099->59100 59101 610556c 10 API calls 59100->59101 59101->59091 59102->59095 59103->59095 59104->59093 59105->59093 59106->59083 59107->59083 59110 5e4f7d1 59108->59110 59111 5e4f8d1 59108->59111 59109 5e4f7dd 59109->59056 59110->59109 59178 61009c0 59110->59178 59183 61009af 59110->59183 59111->59056 59116 5e4f7a0 59114->59116 59115 5e4f7dd 59115->59056 59116->59115 59117 61009c0 2 API calls 59116->59117 59118 61009af 2 API calls 59116->59118 59117->59115 59118->59115 59122 6106b8b 59119->59122 59120 61091d8 59120->59053 59121 61091a8 59123 6104150 10 API calls 59121->59123 59122->59120 59122->59121 59124 610741c 2 API calls 59122->59124 59123->59120 59124->59121 59132 6106b3b 59125->59132 59126 6109388 59126->59055 59127 6109301 59128 610933a 59127->59128 59129 610556c 10 API calls 59127->59129 59131 610556c 10 API calls 59128->59131 59133 610932c 59129->59133 59130 6109354 59130->59126 59135 6104150 10 API calls 59130->59135 59134 6109346 59131->59134 59132->59126 59132->59127 59132->59130 59210 6108ae4 10 API calls 59132->59210 59204 6108af4 59133->59204 59137 6108af4 10 API calls 59134->59137 59135->59126 59137->59130 59141 6106b9b 59139->59141 59140 6107935 59140->59060 59145 61073cc 59140->59145 59141->59140 59142 6104150 10 API calls 59141->59142 59143 610b10c 59142->59143 59214 61098e8 59143->59214 59147 61073d7 59145->59147 59146 610b7d6 59146->59060 59147->59146 59148 6104150 10 API calls 59147->59148 59149 610b8a6 59148->59149 59149->59060 59151 6107427 59150->59151 59152 610ffa3 59151->59152 59153 61009c0 2 API calls 59151->59153 59154 61009af 2 API calls 59151->59154 59152->59066 59153->59152 59154->59152 59157 6105577 59155->59157 59156 610afce 59156->59072 59157->59156 59158 610b028 59157->59158 59159 6104150 10 API calls 59157->59159 59160 61098c0 SendMessageW 59158->59160 59159->59158 59161 610b039 59160->59161 59161->59072 59163 5e4e817 59162->59163 59165 5e4f0f5 59163->59165 59224 5e4bca8 59163->59224 59165->59063 59168 5e4f060 59166->59168 59167 5e4f0f5 59167->59063 59168->59167 59169 5e4bca8 10 API calls 59168->59169 59169->59167 59171 610cabd 59170->59171 59172 6106b90 10 API calls 59171->59172 59173 610cac4 59172->59173 59173->59065 59175 610cabd 59174->59175 59176 6106b90 10 API calls 59175->59176 59177 610cac4 59176->59177 59177->59065 59179 61009eb 59178->59179 59180 6100a9a 59179->59180 59188 6101870 59179->59188 59196 61018a0 59179->59196 59184 61009c0 59183->59184 59185 6100a9a 59184->59185 59186 6101870 2 API calls 59184->59186 59187 61018a0 2 API calls 59184->59187 59186->59185 59187->59185 59189 61018a6 59188->59189 59190 61018de CreateWindowExW 59188->59190 59194 6101870 CreateWindowExW 59189->59194 59200 61018f0 59189->59200 59193 6101a14 59190->59193 59191 61018d5 59191->59180 59194->59191 59197 61018d5 59196->59197 59198 6101870 2 API calls 59196->59198 59199 61018f0 CreateWindowExW 59196->59199 59197->59180 59198->59197 59199->59197 59201 6101958 CreateWindowExW 59200->59201 59203 6101a14 59201->59203 59205 6108aff 59204->59205 59206 6104150 10 API calls 59205->59206 59207 610b028 59206->59207 59211 61098c0 59207->59211 59210->59127 59212 610b050 SendMessageW 59211->59212 59213 610b039 59212->59213 59213->59128 59215 61098f3 59214->59215 59218 61075e8 59215->59218 59217 610b1f4 59217->59140 59220 61075f3 59218->59220 59219 610b5d7 59219->59217 59220->59219 59221 6104150 10 API calls 59220->59221 59222 610b3f4 59221->59222 59222->59219 59223 6106b90 10 API calls 59222->59223 59223->59219 59225 5e4bcb3 59224->59225 59228 5e4e8f4 59225->59228 59227 5e4f5cf 59227->59165 59231 5e4e8ff 59228->59231 59229 5e4f778 59229->59227 59230 5e4f741 59235 610cd70 59230->59235 59240 610cd80 59230->59240 59231->59229 59231->59230 59232 5e4e8f4 10 API calls 59231->59232 59232->59231 59237 610cd73 59235->59237 59236 610cdcf 59236->59229 59237->59236 59245 610d0d8 59237->59245 59251 610d0c8 59237->59251 59242 610cd84 59240->59242 59241 610cdcf 59241->59229 59242->59241 59243 610d0d8 10 API calls 59242->59243 59244 610d0c8 10 API calls 59242->59244 59243->59241 59244->59241 59257 6107027 59245->59257 59271 6107038 59245->59271 59246 610d0f0 59285 610c234 59246->59285 59248 610d0f9 59248->59236 59252 610d0f0 59251->59252 59255 6107027 10 API calls 59251->59255 59256 6107038 10 API calls 59251->59256 59253 610c234 10 API calls 59252->59253 59254 610d0f9 59253->59254 59254->59236 59255->59252 59256->59252 59260 6107038 59257->59260 59258 6107072 59258->59246 59259 610714f 59290 5e4dcc4 59259->59290 59295 5e4dac0 59259->59295 59307 5e4dab0 59259->59307 59260->59258 59260->59259 59264 61071b2 59260->59264 59263 6107185 59263->59246 59264->59263 59265 6104150 10 API calls 59264->59265 59266 6107257 59265->59266 59266->59263 59267 6106b30 10 API calls 59266->59267 59267->59263 59273 610705e 59271->59273 59272 6107072 59272->59246 59273->59272 59274 610714f 59273->59274 59278 61071b2 59273->59278 59282 5e4dcc4 10 API calls 59274->59282 59283 5e4dac0 10 API calls 59274->59283 59284 5e4dab0 10 API calls 59274->59284 59275 610715d 59276 6104150 10 API calls 59275->59276 59277 6107185 59275->59277 59276->59277 59277->59246 59278->59277 59279 6104150 10 API calls 59278->59279 59280 6107257 59279->59280 59280->59277 59281 6106b30 10 API calls 59280->59281 59281->59277 59282->59275 59283->59275 59284->59275 59286 610c23f 59285->59286 59287 610d594 59286->59287 59333 610d618 59286->59333 59351 610d608 59286->59351 59287->59248 59292 5e4dce1 59290->59292 59291 5e4ddca 59292->59291 59319 610d1b0 59292->59319 59323 610d1a2 59292->59323 59296 5e4daee 59295->59296 59297 5e4dbbf 59296->59297 59298 5e4dc2b 59296->59298 59301 5e4ddca 59296->59301 59305 6104150 9 API calls 59296->59305 59328 6104140 59296->59328 59297->59298 59299 5e4bca8 9 API calls 59297->59299 59298->59301 59303 610d1b0 9 API calls 59298->59303 59304 610d1a2 9 API calls 59298->59304 59299->59298 59300 5e4db66 59302 5e4dbba KiUserCallbackDispatcher 59300->59302 59302->59297 59303->59301 59304->59301 59305->59300 59308 5e4dac0 59307->59308 59309 5e4dbbf 59308->59309 59311 5e4ddca 59308->59311 59314 5e4dc2b 59308->59314 59317 6104150 9 API calls 59308->59317 59318 6104140 9 API calls 59308->59318 59310 5e4bca8 9 API calls 59309->59310 59309->59314 59310->59314 59312 5e4db66 59313 5e4dbba KiUserCallbackDispatcher 59312->59313 59313->59309 59314->59311 59315 610d1b0 9 API calls 59314->59315 59316 610d1a2 9 API calls 59314->59316 59315->59311 59316->59311 59317->59312 59318->59312 59320 610d1da 59319->59320 59321 6104150 10 API calls 59320->59321 59322 610d2c0 59320->59322 59321->59322 59322->59291 59324 610d1a6 59323->59324 59325 610d128 59323->59325 59326 6104150 10 API calls 59324->59326 59327 610d2c0 59324->59327 59325->59291 59326->59327 59327->59291 59329 6104160 59328->59329 59330 610419d 59329->59330 59331 61077d0 10 API calls 59329->59331 59332 61077e0 10 API calls 59329->59332 59330->59300 59331->59330 59332->59330 59335 610d673 59333->59335 59334 610d6ad 59338 610d6dc 59334->59338 59383 610c4c4 EnumThreadWindows 59334->59383 59335->59334 59339 6104150 10 API calls 59335->59339 59346 6104150 10 API calls 59338->59346 59349 610d7a9 59338->59349 59339->59334 59347 610d798 59346->59347 59369 610c4d4 59347->59369 59373 610dfa2 59349->59373 59354 610d618 59351->59354 59352 610d6ad 59356 610d6dc 59352->59356 59384 610c4c4 EnumThreadWindows 59352->59384 59354->59352 59357 6104150 10 API calls 59354->59357 59355 610d7bb 59358 610d7c9 59355->59358 59359 6104150 10 API calls 59355->59359 59364 6104150 10 API calls 59356->59364 59367 610d7a9 59356->59367 59357->59352 59360 610d7e7 59358->59360 59385 610c4c4 EnumThreadWindows 59358->59385 59359->59358 59362 610d7f5 59360->59362 59363 6104150 10 API calls 59360->59363 59362->59287 59363->59362 59365 610d798 59364->59365 59366 610c4d4 EnumThreadWindows 59365->59366 59366->59367 59368 610dfa2 10 API calls 59367->59368 59368->59355 59371 610d900 EnumThreadWindows 59369->59371 59372 610d980 59371->59372 59372->59349 59376 610dfdd 59373->59376 59374 610e156 59375 6104150 10 API calls 59377 610e051 59375->59377 59376->59374 59376->59375 59377->59374 59380 610e290 10 API calls 59377->59380 59381 610e27b 10 API calls 59377->59381 59382 610e14b 59377->59382 59378 61077d0 10 API calls 59378->59374 59379 61077e0 10 API calls 59379->59374 59380->59382 59381->59382 59382->59378 59382->59379 59383->59338 59384->59356 59385->59360 59734 5e45d40 59735 5e45d86 59734->59735 59739 5e45f20 59735->59739 59742 5e45f10 59735->59742 59736 5e45e73 59747 5e45a94 59739->59747 59743 5e45f00 59742->59743 59744 5e45f13 59742->59744 59743->59736 59745 5e45a94 DuplicateHandle 59744->59745 59746 5e45f4e 59745->59746 59746->59736 59748 5e45f88 DuplicateHandle 59747->59748 59749 5e45f4e 59748->59749 59749->59736 59386 6103fd8 59387 6103fe8 59386->59387 59391 6108928 59387->59391 59397 6108919 59387->59397 59388 6104011 59392 610895d 59391->59392 59403 6105728 59392->59403 59394 61089b2 59415 6107750 59394->59415 59396 61089b9 59396->59388 59398 6108929 59397->59398 59399 6105728 10 API calls 59398->59399 59400 61089b2 59399->59400 59401 6107750 10 API calls 59400->59401 59402 61089b9 59401->59402 59402->59388 59407 6105754 59403->59407 59405 6104150 10 API calls 59406 6105b33 59405->59406 59406->59394 59414 610598c 59407->59414 59425 6105354 59407->59425 59408 610580d 59409 6104150 10 API calls 59408->59409 59413 61058b5 59408->59413 59410 610587f 59409->59410 59411 6104150 10 API calls 59410->59411 59411->59413 59412 6104150 10 API calls 59412->59414 59413->59412 59414->59405 59414->59406 59416 610775b 59415->59416 59417 6108f55 59416->59417 59418 6108f1d 59416->59418 59424 6108f24 59416->59424 59420 6108fa6 59417->59420 59421 6108f7a 59417->59421 59419 6104150 10 API calls 59418->59419 59419->59424 59423 6104150 10 API calls 59420->59423 59422 6104150 10 API calls 59421->59422 59422->59424 59423->59424 59424->59396 59427 610535f 59425->59427 59426 6104150 10 API calls 59429 6105c89 59426->59429 59428 6104150 10 API calls 59427->59428 59427->59429 59430 6105cc7 59427->59430 59428->59429 59429->59426 59429->59430 59430->59408 59750 6101b38 SetWindowLongW 59751 6101ba4 59750->59751 59431 5e4f76d 59432 5e4f778 59431->59432 59433 610cd70 10 API calls 59431->59433 59434 610cd80 10 API calls 59431->59434 59433->59432 59434->59432 59435 61a00d0 SendMessageW 59436 61a013c 59435->59436 59437 61a1bd0 59438 61a1be1 59437->59438 59442 61055d8 59438->59442 59446 6106729 59438->59446 59444 61055e3 59442->59444 59450 6105614 59444->59450 59445 6106774 59445->59445 59447 6106760 59446->59447 59448 6105614 13 API calls 59447->59448 59449 6106774 59448->59449 59453 610561f 59450->59453 59451 6106dc8 59454 6106900 10 API calls 59451->59454 59455 6106de9 59451->59455 59452 6106c8e 59452->59451 59464 5e4d766 59452->59464 59469 5e4d770 59452->59469 59453->59452 59453->59455 59459 6106900 59453->59459 59454->59455 59455->59445 59460 610690b 59459->59460 59462 6107027 10 API calls 59460->59462 59463 6107038 10 API calls 59460->59463 59461 6107024 59461->59452 59462->59461 59463->59461 59465 5e4d791 59464->59465 59466 5e4d7b5 59465->59466 59474 5e4d920 59465->59474 59478 5e4d912 59465->59478 59466->59451 59470 5e4d791 59469->59470 59471 5e4d7b5 59470->59471 59472 5e4d920 13 API calls 59470->59472 59473 5e4d912 13 API calls 59470->59473 59471->59451 59472->59471 59473->59471 59475 5e4d92d 59474->59475 59477 5e4d966 59475->59477 59482 5e4bc54 59475->59482 59477->59466 59479 5e4d920 59478->59479 59480 5e4d966 59479->59480 59481 5e4bc54 13 API calls 59479->59481 59480->59466 59481->59480 59483 5e4bc5f 59482->59483 59485 5e4d9d8 59483->59485 59486 5e4bc88 59483->59486 59485->59485 59487 5e4bc93 59486->59487 59500 5e47de0 59487->59500 59490 5e4da56 59509 5e4bc98 59490->59509 59492 5e4da70 59493 5e4bca8 10 API calls 59492->59493 59494 5e4da77 59493->59494 59498 5e4f7a0 2 API calls 59494->59498 59499 5e4f788 2 API calls 59494->59499 59495 5e4da81 59495->59485 59496 5e4dac0 10 API calls 59496->59490 59497 5e4dab0 10 API calls 59497->59490 59498->59495 59499->59495 59501 5e47deb 59500->59501 59514 5e48f94 59501->59514 59503 5e494a0 59505 5e4968b 59503->59505 59519 5e4b6d0 59503->59519 59504 5e496c9 59504->59496 59504->59497 59505->59504 59506 5e4d766 13 API calls 59505->59506 59507 5e4d770 13 API calls 59505->59507 59506->59504 59507->59504 59512 5e4bca3 59509->59512 59510 5e4e80c 10 API calls 59511 5e4efc4 59510->59511 59511->59492 59512->59510 59513 5e4efc9 59512->59513 59513->59492 59515 5e48f9f 59514->59515 59516 5e4a2aa 59515->59516 59523 5e4a308 59515->59523 59527 5e4a2f9 59515->59527 59516->59503 59531 5e4b708 59519->59531 59534 5e4b6f8 59519->59534 59520 5e4b6e6 59520->59505 59524 5e4a34b 59523->59524 59525 5e4a356 KiUserCallbackDispatcher 59524->59525 59526 5e4a380 59524->59526 59525->59526 59526->59516 59528 5e4a34b 59527->59528 59529 5e4a356 KiUserCallbackDispatcher 59528->59529 59530 5e4a380 59528->59530 59529->59530 59530->59516 59538 5e4b800 59531->59538 59532 5e4b717 59532->59520 59535 5e4b708 59534->59535 59537 5e4b800 GetModuleHandleW 59535->59537 59536 5e4b717 59536->59520 59537->59536 59539 5e4b834 59538->59539 59540 5e4b811 59538->59540 59539->59532 59540->59539 59541 5e4ba38 GetModuleHandleW 59540->59541 59542 5e4ba65 59541->59542 59542->59532 59752 377d01c 59753 377d034 59752->59753 59754 377d08e 59753->59754 59759 6102a38 59753->59759 59768 6101aa8 59753->59768 59773 6101a98 59753->59773 59778 6102a48 59753->59778 59760 6102a48 59759->59760 59761 6102aa9 59760->59761 59763 6102a99 59760->59763 59764 6102aa7 59761->59764 59803 61026cc 59761->59803 59787 6102bd0 59763->59787 59792 6102c9c 59763->59792 59798 6102bc0 59763->59798 59769 6101ace 59768->59769 59771 6102a38 11 API calls 59769->59771 59772 6102a48 11 API calls 59769->59772 59770 6101aef 59770->59754 59771->59770 59772->59770 59774 6101aa8 59773->59774 59776 6102a38 11 API calls 59774->59776 59777 6102a48 11 API calls 59774->59777 59775 6101aef 59775->59754 59776->59775 59777->59775 59781 6102a75 59778->59781 59779 6102aa9 59780 61026cc CallWindowProcW 59779->59780 59783 6102aa7 59779->59783 59780->59783 59781->59779 59782 6102a99 59781->59782 59784 6102bd0 11 API calls 59782->59784 59785 6102bc0 11 API calls 59782->59785 59786 6102c9c 11 API calls 59782->59786 59784->59783 59785->59783 59786->59783 59789 6102be4 59787->59789 59788 6102c70 59788->59764 59807 6102c88 59789->59807 59812 6102c79 59789->59812 59793 6102caa 59792->59793 59794 6102c5a 59792->59794 59796 6102c88 11 API calls 59794->59796 59797 6102c79 11 API calls 59794->59797 59795 6102c70 59795->59764 59796->59795 59797->59795 59800 6102bd0 59798->59800 59799 6102c70 59799->59764 59801 6102c88 11 API calls 59800->59801 59802 6102c79 11 API calls 59800->59802 59801->59799 59802->59799 59804 61026d7 59803->59804 59805 6103f0a CallWindowProcW 59804->59805 59806 6103eb9 59804->59806 59805->59806 59806->59764 59808 6102c99 59807->59808 59818 6107d90 59807->59818 59838 6103e40 59807->59838 59841 6107d80 59807->59841 59808->59788 59813 6102c88 59812->59813 59814 6102c99 59813->59814 59815 6107d90 11 API calls 59813->59815 59816 6107d80 11 API calls 59813->59816 59817 6103e40 CallWindowProcW 59813->59817 59814->59788 59815->59814 59816->59814 59817->59814 59819 6107da9 59818->59819 59825 6107dbc 59818->59825 59820 6107df0 59819->59820 59821 6107dae 59819->59821 59820->59825 59826 6107e01 59820->59826 59827 610807c 59820->59827 59822 6107db3 59821->59822 59823 6107dca 59821->59823 59824 6107fda 59822->59824 59822->59825 59823->59825 59830 6108044 59823->59830 59831 6107fe8 59823->59831 59832 6108028 59823->59832 59836 6107ef6 59823->59836 59861 61075d8 59824->59861 59825->59836 59875 6108520 59825->59875 59826->59825 59826->59832 59826->59836 59869 6107688 59827->59869 59865 6107648 59830->59865 59833 61075e8 10 API calls 59831->59833 59880 6107628 11 API calls 59832->59880 59833->59836 59836->59808 59839 61026cc CallWindowProcW 59838->59839 59840 6103e5a 59839->59840 59840->59808 59842 6107da9 59841->59842 59848 6107dbc 59841->59848 59843 6107df0 59842->59843 59844 6107dae 59842->59844 59843->59848 59849 6107e01 59843->59849 59850 610807c 59843->59850 59845 6107db3 59844->59845 59846 6107dca 59844->59846 59847 6107fda 59845->59847 59845->59848 59846->59848 59853 6108044 59846->59853 59854 6107fe8 59846->59854 59855 6108028 59846->59855 59859 6107ef6 59846->59859 59851 61075d8 11 API calls 59847->59851 59848->59859 59860 6108520 11 API calls 59848->59860 59849->59848 59849->59855 59849->59859 59852 6107688 11 API calls 59850->59852 59851->59859 59852->59859 59858 6107648 11 API calls 59853->59858 59856 61075e8 10 API calls 59854->59856 59914 6107628 11 API calls 59855->59914 59856->59859 59858->59859 59859->59808 59860->59859 59862 61075e3 59861->59862 59863 6108520 11 API calls 59862->59863 59864 6108736 59862->59864 59863->59864 59864->59836 59866 6107653 59865->59866 59867 6108520 11 API calls 59866->59867 59868 610cc1c 59867->59868 59868->59836 59870 6107693 59869->59870 59871 610c0a0 59870->59871 59872 61075e8 10 API calls 59870->59872 59873 6108520 11 API calls 59871->59873 59872->59871 59874 610c0a9 59873->59874 59874->59836 59876 6108532 59875->59876 59877 610852b 59875->59877 59881 6108540 59876->59881 59877->59836 59878 6108538 59878->59836 59880->59836 59882 6108580 59881->59882 59883 610855e 59881->59883 59884 6103240 11 API calls 59882->59884 59886 610856c 59883->59886 59889 6103240 59883->59889 59888 6108587 59884->59888 59886->59878 59887 61085a8 59887->59878 59888->59878 59890 610328c 59889->59890 59891 61032d0 59890->59891 59892 61039fc 59890->59892 59894 610352c 59891->59894 59902 61085c0 59891->59902 59906 61085b0 59891->59906 59897 610302c 59892->59897 59894->59887 59898 6103037 59897->59898 59899 610ccb8 59898->59899 59901 5e4bca8 10 API calls 59898->59901 59910 5e4f597 59898->59910 59899->59894 59901->59899 59903 6108606 59902->59903 59904 61026cc CallWindowProcW 59903->59904 59905 6108629 59903->59905 59904->59905 59905->59894 59908 61085ba 59906->59908 59907 6108629 59907->59894 59908->59907 59909 61026cc CallWindowProcW 59908->59909 59909->59907 59911 5e4f5a8 59910->59911 59912 5e4e8f4 10 API calls 59911->59912 59913 5e4f5cf 59912->59913 59913->59899 59914->59859 59543 5e44268 59544 5e44276 59543->59544 59552 5e465e2 59544->59552 59547 5e44304 59561 6106630 59547->59561 59565 6106621 59547->59565 59548 5e4430c 59553 5e46605 59552->59553 59569 5e466f0 59553->59569 59573 5e466df 59553->59573 59554 5e442e9 59557 5e43e1c 59554->59557 59558 5e43e27 59557->59558 59581 5e47d60 59558->59581 59560 5e48006 59560->59547 59562 6106642 59561->59562 59563 61055d8 13 API calls 59562->59563 59564 6106662 59563->59564 59564->59548 59566 6106630 59565->59566 59567 61055d8 13 API calls 59566->59567 59568 6106662 59567->59568 59568->59548 59571 5e46717 59569->59571 59570 5e467f4 59570->59570 59571->59570 59577 5e45c1c 59571->59577 59574 5e46717 59573->59574 59575 5e45c1c CreateActCtxA 59574->59575 59576 5e467f4 59574->59576 59575->59576 59578 5e46b70 CreateActCtxA 59577->59578 59580 5e46c33 59578->59580 59582 5e47d6b 59581->59582 59585 5e47d80 59582->59585 59584 5e480dd 59584->59560 59586 5e47d8b 59585->59586 59588 5e481ba 59586->59588 59589 5e47db0 59586->59589 59588->59584 59590 5e47dbb 59589->59590 59591 5e47de0 13 API calls 59590->59591 59592 5e482ad 59591->59592 59592->59588 59915 a80a07 59916 a80a10 59915->59916 59920 a80a42 59915->59920 59921 a80259 59916->59921 59922 a8026a 59921->59922 59923 a80264 59921->59923 59927 a80270 59922->59927 59972 a7fd8a 6 API calls _unexpected 59922->59972 59971 a7fd4b 6 API calls _unexpected 59923->59971 59926 a80284 59926->59927 59928 a80288 59926->59928 59930 a80275 59927->59930 59980 a7f6b7 39 API calls CallUnexpected 59927->59980 59973 a82517 14 API calls 2 library calls 59928->59973 59949 a80e4a 59930->59949 59933 a80294 59934 a8029c 59933->59934 59935 a802b1 59933->59935 59974 a7fd8a 6 API calls _unexpected 59934->59974 59976 a7fd8a 6 API calls _unexpected 59935->59976 59938 a802a8 59975 a81252 14 API calls 2 library calls 59938->59975 59939 a802bd 59940 a802d0 59939->59940 59941 a802c1 59939->59941 59978 a804af 14 API calls _unexpected 59940->59978 59977 a7fd8a 6 API calls _unexpected 59941->59977 59945 a802ae 59945->59927 59946 a802db 59979 a81252 14 API calls 2 library calls 59946->59979 59948 a802e2 59948->59930 59950 a80e74 59949->59950 59981 a80cd6 59950->59981 59953 a80e8d 59953->59920 59956 a80eb4 59997 a80ad1 59956->59997 59957 a80ea6 60008 a81252 14 API calls 2 library calls 59957->60008 59961 a80eec 60009 a81dfc 14 API calls __dosmaperr 59961->60009 59963 a80ef1 60010 a81252 14 API calls 2 library calls 59963->60010 59964 a80f33 59965 a80f7c 59964->59965 60012 a81205 39 API calls 2 library calls 59964->60012 60013 a81252 14 API calls 2 library calls 59965->60013 59967 a80f07 59967->59964 60011 a81252 14 API calls 2 library calls 59967->60011 59971->59922 59972->59926 59973->59933 59974->59938 59975->59945 59976->59939 59977->59938 59978->59946 59979->59948 60014 a80a4f 59981->60014 59984 a80d09 59986 a80d20 59984->59986 59987 a80d0e GetACP 59984->59987 59985 a80cf7 GetOEMCP 59985->59986 59986->59953 59988 a82574 59986->59988 59987->59986 59989 a825b2 59988->59989 59990 a82582 59988->59990 60026 a81dfc 14 API calls __dosmaperr 59989->60026 59992 a8259d HeapAlloc 59990->59992 59996 a82586 _unexpected 59990->59996 59993 a825b0 59992->59993 59992->59996 59994 a80e9e 59993->59994 59994->59956 59994->59957 59996->59989 59996->59992 60025 a81675 EnterCriticalSection LeaveCriticalSection _unexpected 59996->60025 59998 a80cd6 41 API calls 59997->59998 59999 a80af1 59998->59999 60000 a80bf6 59999->60000 60002 a80b2e IsValidCodePage 59999->60002 60007 a80b49 CallUnexpected 59999->60007 60038 a7ce3e 60000->60038 60002->60000 60004 a80b40 60002->60004 60003 a80cd4 60003->59961 60003->59967 60005 a80b69 GetCPInfo 60004->60005 60004->60007 60005->60000 60005->60007 60027 a81060 60007->60027 60008->59953 60009->59963 60010->59953 60011->59964 60012->59965 60013->59953 60015 a80a6d 60014->60015 60021 a80a66 60014->60021 60015->60021 60022 a8019e 39 API calls 3 library calls 60015->60022 60017 a80a8e 60023 a848e7 39 API calls __strnicoll 60017->60023 60019 a80aa4 60024 a84914 39 API calls __strnicoll 60019->60024 60021->59984 60021->59985 60022->60017 60023->60019 60024->60021 60025->59996 60026->59994 60028 a81088 GetCPInfo 60027->60028 60037 a81151 60027->60037 60033 a810a0 60028->60033 60028->60037 60029 a7ce3e _ValidateLocalCookies 5 API calls 60031 a81203 60029->60031 60031->60000 60045 a8261c 60033->60045 60036 a846af 44 API calls 60036->60037 60037->60029 60039 a7ce47 IsProcessorFeaturePresent 60038->60039 60040 a7ce46 60038->60040 60042 a7ce61 60039->60042 60040->60003 60124 a7cf46 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 60042->60124 60044 a7cf44 60044->60003 60046 a80a4f __strnicoll 39 API calls 60045->60046 60047 a8263c 60046->60047 60065 a8271d 60047->60065 60049 a826f8 60052 a7ce3e _ValidateLocalCookies 5 API calls 60049->60052 60050 a826f0 60068 a825fc 14 API calls ___free_lconv_mon 60050->60068 60051 a82669 60051->60049 60051->60050 60054 a82574 15 API calls 60051->60054 60056 a8268e CallUnexpected __alloca_probe_16 60051->60056 60055 a81108 60052->60055 60054->60056 60060 a846af 60055->60060 60056->60050 60057 a8271d ___scrt_uninitialize_crt MultiByteToWideChar 60056->60057 60058 a826d7 60057->60058 60058->60050 60059 a826de GetStringTypeW 60058->60059 60059->60050 60061 a80a4f __strnicoll 39 API calls 60060->60061 60062 a846c2 60061->60062 60071 a846f8 60062->60071 60069 a82747 60065->60069 60068->60049 60070 a82739 MultiByteToWideChar 60069->60070 60070->60051 60072 a84713 60071->60072 60073 a8271d ___scrt_uninitialize_crt MultiByteToWideChar 60072->60073 60075 a84757 60073->60075 60074 a7ce3e _ValidateLocalCookies 5 API calls 60076 a81129 60074->60076 60077 a82574 15 API calls 60075->60077 60079 a848d2 60075->60079 60080 a8477d __alloca_probe_16 60075->60080 60091 a84825 60075->60091 60076->60036 60077->60080 60079->60074 60081 a8271d ___scrt_uninitialize_crt MultiByteToWideChar 60080->60081 60080->60091 60082 a847c6 60081->60082 60082->60091 60099 a7fe17 60082->60099 60085 a847fc 60090 a7fe17 7 API calls 60085->60090 60085->60091 60086 a84834 60087 a848bd 60086->60087 60088 a82574 15 API calls 60086->60088 60092 a84846 __alloca_probe_16 60086->60092 60110 a825fc 14 API calls ___free_lconv_mon 60087->60110 60088->60092 60090->60091 60111 a825fc 14 API calls ___free_lconv_mon 60091->60111 60092->60087 60093 a7fe17 7 API calls 60092->60093 60094 a84889 60093->60094 60094->60087 60108 a83add WideCharToMultiByte ___scrt_uninitialize_crt 60094->60108 60096 a848a3 60096->60087 60097 a848ac 60096->60097 60109 a825fc 14 API calls ___free_lconv_mon 60097->60109 60112 a80069 60099->60112 60102 a7fe4f 60115 a7fe74 LoadLibraryExW GetLastError LoadLibraryExW FreeLibrary GetProcAddress 60102->60115 60103 a7fe28 LCMapStringEx 60107 a7fe6f 60103->60107 60105 a7fe68 LCMapStringW 60105->60107 60107->60085 60107->60086 60107->60091 60108->60096 60109->60091 60110->60091 60111->60079 60116 a7ffb0 60112->60116 60115->60105 60117 a7ffe0 60116->60117 60121 a7fe22 60116->60121 60117->60121 60123 a7fee5 LoadLibraryExW GetLastError LoadLibraryExW FreeLibrary 60117->60123 60119 a7fff4 60120 a7fffa GetProcAddress 60119->60120 60119->60121 60120->60121 60122 a8000a _unexpected 60120->60122 60121->60102 60121->60103 60122->60121 60123->60119 60124->60044 59593 1510000 59594 1510005 59593->59594 59596 151000a 59594->59596 59597 1510012 59596->59597 59597->59597 59600 182ebee 59597->59600 59601 182ec13 59600->59601 59602 182ecfd 59600->59602 59636 1831470 59601->59636 59612 182fec9 59602->59612 59605 182ec2b 59606 1831470 LoadLibraryA 59605->59606 59611 151002e 59605->59611 59607 182ec6d 59606->59607 59608 1831470 LoadLibraryA 59607->59608 59609 182ec89 59608->59609 59610 1831470 LoadLibraryA 59609->59610 59610->59611 59611->59594 59613 1831470 LoadLibraryA 59612->59613 59614 182feec 59613->59614 59615 1831470 LoadLibraryA 59614->59615 59616 182ff04 59615->59616 59617 1831470 LoadLibraryA 59616->59617 59618 182ff22 59617->59618 59619 182ff37 VirtualAlloc 59618->59619 59628 182ff4b 59618->59628 59621 182ff65 59619->59621 59619->59628 59620 1831470 LoadLibraryA 59622 182ffe3 59620->59622 59621->59620 59621->59628 59626 1830039 59622->59626 59622->59628 59640 1831277 59622->59640 59623 1831470 LoadLibraryA 59623->59626 59625 183009b 59625->59628 59635 18300fd 59625->59635 59644 182f059 59625->59644 59626->59623 59626->59625 59626->59628 59628->59611 59630 1830209 59675 18305f9 LoadLibraryA 59630->59675 59632 18301be 59632->59628 59667 182fcba 59632->59667 59635->59628 59635->59630 59635->59632 59638 1831487 59636->59638 59637 18314ae 59637->59605 59638->59637 59681 182f575 LoadLibraryA 59638->59681 59642 183128c 59640->59642 59641 1831302 LoadLibraryA 59643 183130c 59641->59643 59642->59641 59642->59643 59643->59622 59645 1831277 LoadLibraryA 59644->59645 59646 182f06d 59645->59646 59647 182f075 59646->59647 59676 1831315 59646->59676 59647->59628 59658 182f154 59647->59658 59650 182f0ab VirtualProtect 59650->59647 59651 182f0bf 59650->59651 59652 182f0d9 VirtualProtect 59651->59652 59653 1831315 LoadLibraryA 59652->59653 59654 182f0fa 59653->59654 59654->59647 59655 182f111 VirtualProtect 59654->59655 59655->59647 59656 182f121 59655->59656 59657 182f136 VirtualProtect 59656->59657 59657->59647 59659 1831277 LoadLibraryA 59658->59659 59660 182f16a 59659->59660 59661 1831315 LoadLibraryA 59660->59661 59662 182f17a 59661->59662 59663 182f183 VirtualProtect 59662->59663 59664 182f1b7 59662->59664 59663->59664 59665 182f193 59663->59665 59664->59635 59666 182f1a2 VirtualProtect 59665->59666 59666->59664 59669 182fced 59667->59669 59668 182fd98 59668->59628 59669->59668 59670 182fddf SysAllocString 59669->59670 59671 182fdc7 59669->59671 59670->59671 59671->59668 59672 182fe33 SafeArrayCreate 59671->59672 59672->59668 59674 182fe57 59672->59674 59673 182feb3 SafeArrayDestroy 59673->59668 59674->59673 59675->59628 59678 1831330 59676->59678 59679 182f08d 59676->59679 59678->59679 59680 182f71a LoadLibraryA 59678->59680 59679->59647 59679->59650 59680->59679 59681->59638 59682 a7d033 59683 a7d03f ___scrt_is_nonwritable_in_current_image 59682->59683 59707 a7d2e4 59683->59707 59685 a7d046 59686 a7d19f 59685->59686 59692 a7d070 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock CallUnexpected 59685->59692 59723 a7d585 IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter CallUnexpected 59686->59723 59688 a7d1a6 59724 a7e628 21 API calls CallUnexpected 59688->59724 59690 a7d1ac 59725 a7e63e 21 API calls CallUnexpected 59690->59725 59694 a7d08f 59692->59694 59695 a7d110 59692->59695 59719 a7e672 39 API calls 3 library calls 59692->59719 59693 a7d1b4 59715 a7f10d 59695->59715 59698 a7d116 59699 a7d12d 59698->59699 59720 a7d532 GetModuleHandleW 59699->59720 59701 a7d137 59701->59688 59702 a7d13b 59701->59702 59703 a7d144 59702->59703 59721 a7e654 21 API calls CallUnexpected 59702->59721 59722 a7d31d 75 API calls ___scrt_uninitialize_crt 59703->59722 59706 a7d14d 59706->59694 59708 a7d2ed 59707->59708 59726 a7d795 IsProcessorFeaturePresent 59708->59726 59710 a7d2f9 59727 a7db6f 10 API calls 2 library calls 59710->59727 59712 a7d2fe 59713 a7d302 59712->59713 59728 a7db8e 7 API calls 2 library calls 59712->59728 59713->59685 59716 a7f116 59715->59716 59717 a7f11b 59715->59717 59729 a7f236 58 API calls 59716->59729 59717->59698 59719->59695 59720->59701 59721->59703 59722->59706 59723->59688 59724->59690 59725->59693 59726->59710 59727->59712 59728->59713 59729->59717 60125 5e44310 60126 5e442ce 60125->60126 60127 5e4431e 60125->60127 60132 5e465e2 CreateActCtxA 60126->60132 60128 5e442e9 60129 5e43e1c 13 API calls 60128->60129 60130 5e44304 60129->60130 60133 6106630 13 API calls 60130->60133 60134 6106621 13 API calls 60130->60134 60131 5e4430c 60132->60128 60133->60131 60134->60131 60135 610bea8 60136 6104150 10 API calls 60135->60136 60137 610beb8 60136->60137 60138 61094e8 60139 61094f9 60138->60139 60142 6109563 60139->60142 60143 6108b68 60139->60143 60144 6108b73 60143->60144 60145 610955c 60144->60145 60148 610ac88 60144->60148 60154 610ac7a 60144->60154 60150 610ac9a 60148->60150 60151 610acaf 60150->60151 60152 610acd6 CreateIconFromResourceEx 60150->60152 60160 610987c 60150->60160 60151->60145 60153 610ad56 60152->60153 60153->60145 60156 610ac83 60154->60156 60155 610987c CreateIconFromResourceEx 60155->60156 60156->60155 60157 610acaf 60156->60157 60158 610acd6 CreateIconFromResourceEx 60156->60158 60157->60145 60159 610ad56 60158->60159 60159->60145 60161 610acd8 CreateIconFromResourceEx 60160->60161 60162 610ad56 60161->60162 60162->60150

                                                                Executed Functions

                                                                Function 06108B68 Relevance: 6.9, Strings: 5, Instructions: 644COMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 721 6108b68-6109a38 724 6109efe-6109f64 721->724 725 6109a3e-6109a43 721->725 732 6109f6b-6109ff3 724->732 725->724 726 6109a49-6109a66 725->726 726->732 733 6109a6c-6109a70 726->733 777 6109ffe-610a080 732->777 734 6109a72-6109a7c call 610976c 733->734 735 6109a7f-6109a83 733->735 734->735 739 6109a92-6109a99 735->739 740 6109a85-6109a8f call 610976c 735->740 741 6109b91-6109b96 739->741 742 6109a9f-6109ab9 739->742 740->739 747 6109b98-6109b9c 741->747 748 6109b9e-6109ba3 741->748 759 6109ac1-6109b85 call 6109778 * 2 742->759 747->748 751 6109ba5-6109ba9 747->751 752 6109bb5-6109be5 call 6109784 * 3 748->752 753 610a291-610a30a 751->753 754 6109baf-6109bb2 751->754 776 6109beb-6109bee 752->776 752->777 774 610a313-610a330 753->774 775 610a30c-610a312 753->775 754->752 759->741 785 6109b87 759->785 775->774 776->777 779 6109bf4-6109bf6 776->779 794 610a088-610a10a 777->794 779->777 784 6109bfc-6109c31 779->784 793 6109c37-6109c40 784->793 784->794 785->741 795 6109da3-6109da7 793->795 796 6109c46-6109ca0 call 6109784 * 2 call 6109794 * 2 793->796 800 610a112-610a194 794->800 795->800 801 6109dad-6109db1 795->801 842 6109cb2 796->842 843 6109ca2-6109cab 796->843 805 610a19c-610a1c9 800->805 804 6109db7-6109dbd 801->804 801->805 806 6109dc1-6109df6 804->806 807 6109dbf 804->807 817 610a1d0-610a252 805->817 812 6109dfd-6109e03 806->812 807->812 812->817 818 6109e09-6109e11 812->818 876 610a25a-610a289 817->876 824 6109e13-6109e17 818->824 825 6109e18-6109e1a 818->825 824->825 831 6109e7c-6109e82 825->831 832 6109e1c-6109e40 825->832 836 6109ea1-6109ed6 831->836 837 6109e84-6109e9f 831->837 859 6109e42-6109e47 832->859 860 6109e49-6109e4d 832->860 857 6109edd-6109ee9 836->857 837->857 847 6109cb6-6109cb8 842->847 843->847 848 6109cad-6109cb0 843->848 855 6109cba 847->855 856 6109cbf-6109cc3 847->856 848->847 855->856 861 6109cd1-6109cd7 856->861 862 6109cc5-6109ccc 856->862 857->876 877 6109eef-6109efb 857->877 867 6109e59-6109e6a 859->867 860->753 868 6109e53-6109e56 860->868 864 6109ce1-6109ce6 861->864 865 6109cd9-6109cdf 861->865 863 6109d6e-6109d72 862->863 874 6109d91-6109d9d 863->874 875 6109d74-6109d8e 863->875 872 6109cec-6109cf2 864->872 865->872 912 6109e6c call 610ac88 867->912 913 6109e6c call 610ac7a 867->913 868->867 880 6109cf4-6109cf6 872->880 881 6109cf8-6109cfd 872->881 874->795 874->796 875->874 876->753 886 6109cff-6109d11 880->886 881->886 884 6109e72-6109e7a 884->857 892 6109d13-6109d19 886->892 893 6109d1b-6109d20 886->893 894 6109d26-6109d2d 892->894 893->894 896 6109d33 894->896 897 6109d2f-6109d31 894->897 902 6109d38-6109d43 896->902 897->902 903 6109d45-6109d48 902->903 904 6109d67 902->904 903->863 907 6109d4a-6109d50 903->907 904->863 908 6109d52-6109d55 907->908 909 6109d57-6109d60 907->909 908->904 908->909 909->863 911 6109d62-6109d65 909->911 911->863 911->904 912->884 913->884
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4110812553.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6100000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: Hbq$Hbq$Hbq$Hbq$Hbq
                                                                • API String ID: 0-1677660839
                                                                • Opcode ID: 466f7979ba6d77f6c09fbd0080807c963174d10ad9bb2e40dd0b487aeab86e27
                                                                • Instruction ID: 07ad38c9c97ecca7d26828d37f02dd764837e5e7665793436466555169f18db3
                                                                • Opcode Fuzzy Hash: 466f7979ba6d77f6c09fbd0080807c963174d10ad9bb2e40dd0b487aeab86e27
                                                                • Instruction Fuzzy Hash: 80427E74E002188FEB54DF69C89179EBBF2AF88300F1484A9D449AB396DF749D41CF95
                                                                Function 06109A01 Relevance: .3, Instructions: 274COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4110812553.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6100000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d443041436bcf0aff56e898a089a510a2faa3abe5539f960e43a2cffbe42c1e7
                                                                • Instruction ID: f0a5a55163ce82adfe9e4829cb4256ed73b011b7edb2ee0bf0f820b74bba6f98
                                                                • Opcode Fuzzy Hash: d443041436bcf0aff56e898a089a510a2faa3abe5539f960e43a2cffbe42c1e7
                                                                • Instruction Fuzzy Hash: 4FB17D31E002198FEF54CF65C990B9EBBF2BF88310F149969D449AB296DBB4D944CF90
                                                                Function 08E00048 Relevance: 20.4, Strings: 16, Instructions: 391COMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 536 8e00048-8e0005e 538 8e00060-8e00066 536->538 539 8e00076-8e000a3 536->539 540 8e00068 538->540 541 8e0006a-8e0006c 538->541 546 8e000a6-8e000aa 539->546 540->539 541->539 547 8e000b3-8e000b8 546->547 548 8e000ac-8e000b1 546->548 549 8e000be-8e000c1 547->549 548->549 550 8e000c7-8e000db 549->550 551 8e005ce-8e005d8 549->551 550->546 553 8e000dd 550->553 554 8e00331-8e00340 553->554 555 8e00413-8e00422 553->555 556 8e000e4-8e000f1 553->556 557 8e0016d-8e0017c 553->557 558 8e0024f-8e0025e 553->558 560 8e0057c-8e005a0 554->560 561 8e00346-8e0036c 554->561 559 8e00428-8e0044e 555->559 555->560 556->560 564 8e000f7-8e00118 556->564 557->560 563 8e00182-8e001a8 557->563 558->560 562 8e00264-8e0028a 558->562 596 8e00450-8e00455 559->596 597 8e00457-8e0045e 559->597 579 8e005a2-8e005ba 560->579 580 8e005db-8e005ee 560->580 587 8e00375-8e0037c 561->587 588 8e0036e-8e00373 561->588 590 8e00293-8e0029a 562->590 591 8e0028c-8e00291 562->591 592 8e001b1-8e001b8 563->592 593 8e001aa-8e001af 563->593 573 8e0011e-8e00120 564->573 577 8e00122-8e00128 573->577 578 8e00138-8e00168 573->578 584 8e0012a 577->584 585 8e0012c-8e0012e 577->585 578->546 579->580 610 8e005bc-8e005c5 579->610 584->578 585->578 602 8e003a2-8e003c6 587->602 603 8e0037e-8e003a0 587->603 601 8e003e1-8e0040e 588->601 605 8e002c0-8e002e4 590->605 606 8e0029c-8e002be 590->606 604 8e002ff-8e0032c 591->604 608 8e001ba-8e001dc 592->608 609 8e001de-8e00202 592->609 607 8e0021d-8e0024a 593->607 598 8e004c3-8e004f0 596->598 599 8e00460-8e00482 597->599 600 8e00484-8e004a8 597->600 598->546 599->598 638 8e004c0 600->638 639 8e004aa-8e004b0 600->639 601->546 640 8e003c8-8e003ce 602->640 641 8e003de 602->641 603->601 604->546 642 8e002e6-8e002ec 605->642 643 8e002fc 605->643 606->604 607->546 608->607 636 8e00204-8e0020a 609->636 637 8e0021a 609->637 610->551 646 8e0020c 636->646 647 8e0020e-8e00210 636->647 637->607 638->598 648 8e004b2 639->648 649 8e004b4-8e004b6 639->649 650 8e003d0 640->650 651 8e003d2-8e003d4 640->651 641->601 644 8e002f0-8e002f2 642->644 645 8e002ee 642->645 643->604 644->643 645->643 646->637 647->637 648->638 649->638 650->641 651->641
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113165261.0000000008E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e00000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                                • API String ID: 0-2449488485
                                                                • Opcode ID: 38a7e1b009999a79f89882181534530058a46cb12a266cf54af14f50f169fed9
                                                                • Instruction ID: a69bc29748ab29a8c6e150ea69d0f4bf894922d5a795db8d72351a0f620d62e6
                                                                • Opcode Fuzzy Hash: 38a7e1b009999a79f89882181534530058a46cb12a266cf54af14f50f169fed9
                                                                • Instruction Fuzzy Hash: 67E1B071B406099FDB18DB69C844BAE7BF2BF89306F148859E5069B3A1CB35DC818F61
                                                                Function 00A846F8 Relevance: 7.7, APIs: 5, Instructions: 197COMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 652 a846f8-a84711 653 a84713-a84723 call a871f0 652->653 654 a84727-a8472c 652->654 653->654 661 a84725 653->661 655 a84739-a8475f call a8271d 654->655 656 a8472e-a84736 654->656 662 a848d5-a848e6 call a7ce3e 655->662 663 a84765-a84770 655->663 656->655 661->654 664 a848c8 663->664 665 a84776-a8477b 663->665 669 a848ca 664->669 667 a8477d-a84786 call a86520 665->667 668 a84794-a8479f call a82574 665->668 667->669 677 a8478c-a84792 667->677 668->669 679 a847a5 668->679 672 a848cc-a848d3 call a825fc 669->672 672->662 680 a847ab-a847b0 677->680 679->680 680->669 681 a847b6-a847cb call a8271d 680->681 681->669 684 a847d1-a847e3 call a7fe17 681->684 686 a847e8-a847ec 684->686 686->669 687 a847f2-a847fa 686->687 688 a847fc-a84801 687->688 689 a84834-a84840 687->689 688->672 690 a84807-a84809 688->690 691 a848bd 689->691 692 a84842-a84844 689->692 690->669 694 a8480f-a84829 call a7fe17 690->694 693 a848bf-a848c6 call a825fc 691->693 695 a84859-a84864 call a82574 692->695 696 a84846-a8484f call a86520 692->696 693->669 694->672 707 a8482f 694->707 695->693 706 a84866 695->706 696->693 705 a84851-a84857 696->705 708 a8486c-a84871 705->708 706->708 707->669 708->693 709 a84873-a8488b call a7fe17 708->709 709->693 712 a8488d-a84894 709->712 713 a848b5-a848bb 712->713 714 a84896-a84897 712->714 715 a84898-a848aa call a83add 713->715 714->715 715->693 718 a848ac-a848b3 call a825fc 715->718 718->672
                                                                APIs
                                                                • __alloca_probe_16.LIBCMT ref: 00A8477D
                                                                • __alloca_probe_16.LIBCMT ref: 00A84846
                                                                • __freea.LIBCMT ref: 00A848AD
                                                                  • Part of subcall function 00A82574: HeapAlloc.KERNEL32(00000000,00000000,00A7EE20,?,00A86DA0,?,00000000,?,00A83A3C,00000000,00A7EE20,00000000,?,?,?,00A7EEFA), ref: 00A825A6
                                                                • __freea.LIBCMT ref: 00A848C0
                                                                • __freea.LIBCMT ref: 00A848CD
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4105262069.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                                                                • Associated: 00000000.00000002.4105245354.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105350705.0000000000A8A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105368092.0000000000A90000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105652475.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105670401.0000000000DB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_9f0000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: __freea$__alloca_probe_16$AllocHeap
                                                                • String ID:
                                                                • API String ID: 1096550386-0
                                                                • Opcode ID: 28222d7566fccf335cd45a6b01d8f5a50953bc56ad71a94c3a4b0417d56e22aa
                                                                • Instruction ID: bdaf2f814e62fc40a1d707021657177e3aecf7365296b4bc46c7780fd2ab7fba
                                                                • Opcode Fuzzy Hash: 28222d7566fccf335cd45a6b01d8f5a50953bc56ad71a94c3a4b0417d56e22aa
                                                                • Instruction Fuzzy Hash: 7F51AE72600287AFEB24BFA5CD81EBB7BA9EF48750B254129FD04D6251EB34DD10DB60
                                                                Function 08E00908 Relevance: 6.3, Strings: 4, Instructions: 1277COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113165261.0000000008E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e00000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: $^q$$^q$$^q$$^q
                                                                • API String ID: 0-2125118731
                                                                • Opcode ID: 45a1f7ba0374c1edbfda3edad44b83192da1247342ec8ba7621b082ce1a783f9
                                                                • Instruction ID: 9b89819f168b596e53388d4907f5b7c41f316fd806c34a1d9b53ae2dfeb6fdd1
                                                                • Opcode Fuzzy Hash: 45a1f7ba0374c1edbfda3edad44b83192da1247342ec8ba7621b082ce1a783f9
                                                                • Instruction Fuzzy Hash: 83A26D71A00205DBD718DBADC8587AAB7BBEFC5306F10486D9606DB695DF708D808FB2
                                                                Function 0182F059 Relevance: 6.1, APIs: 4, Instructions: 99memoryCOMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 1319 182f059-182f073 call 1831277 1322 182f075-182f076 1319->1322 1323 182f07b-182f094 call 1831315 1319->1323 1324 182f150-182f153 1322->1324 1327 182f09a-182f0a5 1323->1327 1328 182f14c 1323->1328 1327->1328 1329 182f0ab-182f0b9 VirtualProtect 1327->1329 1330 182f14e-182f14f 1328->1330 1329->1328 1331 182f0bf-182f101 call 183126d call 18318e5 VirtualProtect call 1831315 1329->1331 1330->1324 1331->1328 1338 182f103-182f10f 1331->1338 1338->1328 1339 182f111-182f11f VirtualProtect 1338->1339 1339->1328 1340 182f121-182f14a call 183126d call 18318e5 VirtualProtect 1339->1340 1340->1330
                                                                APIs
                                                                  • Part of subcall function 01831277: LoadLibraryA.KERNEL32(00000000,?,?), ref: 01831309
                                                                • VirtualProtect.KERNEL32(00000000,0000000C,00000040,?), ref: 0182F0B4
                                                                • VirtualProtect.KERNEL32(00000000,0000000C,?,?), ref: 0182F0E7
                                                                • VirtualProtect.KERNEL32(00000000,0040145E,00000040,?), ref: 0182F11A
                                                                • VirtualProtect.KERNEL32(00000000,0040145E,?,?), ref: 0182F144
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4107808945.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_1510000_SecuriteInfo.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ProtectVirtual$LibraryLoad
                                                                • String ID:
                                                                • API String ID: 895956442-0
                                                                • Opcode ID: 2e97600cb857c96b3e27a7ca78dc6b50189988e4741ea1636e9ebab3cfc04358
                                                                • Instruction ID: 87436551c87bbf1012498d5e161384ff366a0303b8d8ffe8ec9e4ad78dc6f264
                                                                • Opcode Fuzzy Hash: 2e97600cb857c96b3e27a7ca78dc6b50189988e4741ea1636e9ebab3cfc04358
                                                                • Instruction Fuzzy Hash: 2821D8B220461A7FE311AAA5CC48F777BACDBD6700F44083EFB46D1151EB69AB4483B5
                                                                Function 08E01D80 Relevance: 5.7, Strings: 2, Instructions: 3213COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113165261.0000000008E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e00000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4'^q$4'^q
                                                                • API String ID: 0-2697143702
                                                                • Opcode ID: 4d3e421ee909cad5339b198b15f2c853f7164def7ab72c972f7d306a7fd1c185
                                                                • Instruction ID: 617c569f7a2c8d37de454ea7aae2b9a194a103ee250990a0630044c4f3a5b1af
                                                                • Opcode Fuzzy Hash: 4d3e421ee909cad5339b198b15f2c853f7164def7ab72c972f7d306a7fd1c185
                                                                • Instruction Fuzzy Hash: DC33A8B2F002259BCB65966CC51426F65E79FC8746F105D6ECA4ADB3C4DE308CC28FA6
                                                                Function 08E00003 Relevance: 5.3, Strings: 4, Instructions: 256COMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 2628 8e00003-8e0000c 2629 8e00082-8e0009c 2628->2629 2630 8e0000e 2628->2630 2640 8e000a3 2629->2640 2631 8e00010-8e00012 2630->2631 2632 8e00016 2630->2632 2634 8e00014 2631->2634 2635 8e0001c-8e0001f 2631->2635 2636 8e00020-8e00029 2632->2636 2637 8e00018-8e0001a 2632->2637 2634->2632 2635->2636 2636->2640 2641 8e0002a 2636->2641 2637->2635 2642 8e000a6-8e000aa 2640->2642 2643 8e00032-8e00036 2641->2643 2644 8e0002b-8e0002c 2641->2644 2645 8e000b3-8e000b8 2642->2645 2646 8e000ac-8e000b1 2642->2646 2647 8e00040-8e00047 2643->2647 2648 8e00038-8e0003e 2643->2648 2644->2643 2649 8e000be-8e000c1 2645->2649 2646->2649 2650 8e00048-8e00055 2647->2650 2648->2647 2651 8e000c7-8e000db 2649->2651 2652 8e005ce-8e005d8 2649->2652 2653 8e0005c-8e0005e 2650->2653 2651->2642 2659 8e000dd 2651->2659 2654 8e00060-8e00066 2653->2654 2655 8e00076-8e0007f 2653->2655 2657 8e00068 2654->2657 2658 8e0006a-8e0006c 2654->2658 2655->2629 2657->2655 2658->2655 2660 8e00331-8e00340 2659->2660 2661 8e00413-8e00422 2659->2661 2662 8e000e4-8e000f1 2659->2662 2663 8e0016d-8e0017c 2659->2663 2664 8e0024f-8e0025e 2659->2664 2666 8e0057c-8e005a0 2660->2666 2667 8e00346-8e0036c 2660->2667 2665 8e00428-8e0044e 2661->2665 2661->2666 2662->2666 2670 8e000f7 2662->2670 2663->2666 2669 8e00182-8e001a8 2663->2669 2664->2666 2668 8e00264-8e0028a 2664->2668 2702 8e00450-8e00455 2665->2702 2703 8e00457-8e0045e 2665->2703 2685 8e005a2-8e005ba 2666->2685 2686 8e005db-8e005ee 2666->2686 2693 8e00375-8e0037c 2667->2693 2694 8e0036e-8e00373 2667->2694 2696 8e00293-8e0029a 2668->2696 2697 8e0028c-8e00291 2668->2697 2698 8e001b1-8e001b8 2669->2698 2699 8e001aa-8e001af 2669->2699 2672 8e00101-8e00118 2670->2672 2679 8e0011e-8e00120 2672->2679 2683 8e00122-8e00128 2679->2683 2684 8e00138-8e00168 2679->2684 2690 8e0012a 2683->2690 2691 8e0012c-8e0012e 2683->2691 2684->2642 2685->2686 2716 8e005bc-8e005c5 2685->2716 2690->2684 2691->2684 2708 8e003a2-8e003c6 2693->2708 2709 8e0037e-8e003a0 2693->2709 2707 8e003e1-8e0040e 2694->2707 2711 8e002c0-8e002e4 2696->2711 2712 8e0029c-8e002be 2696->2712 2710 8e002ff-8e0032c 2697->2710 2714 8e001ba-8e001dc 2698->2714 2715 8e001de-8e00202 2698->2715 2713 8e0021d-8e0024a 2699->2713 2704 8e004c3-8e004f0 2702->2704 2705 8e00460-8e00482 2703->2705 2706 8e00484-8e004a8 2703->2706 2704->2642 2705->2704 2744 8e004c0 2706->2744 2745 8e004aa-8e004b0 2706->2745 2707->2642 2746 8e003c8-8e003ce 2708->2746 2747 8e003de 2708->2747 2709->2707 2710->2642 2748 8e002e6-8e002ec 2711->2748 2749 8e002fc 2711->2749 2712->2710 2713->2642 2714->2713 2742 8e00204-8e0020a 2715->2742 2743 8e0021a 2715->2743 2716->2652 2752 8e0020c 2742->2752 2753 8e0020e-8e00210 2742->2753 2743->2713 2744->2704 2754 8e004b2 2745->2754 2755 8e004b4-8e004b6 2745->2755 2756 8e003d0 2746->2756 2757 8e003d2-8e003d4 2746->2757 2747->2707 2750 8e002f0-8e002f2 2748->2750 2751 8e002ee 2748->2751 2749->2710 2750->2749 2751->2749 2752->2743 2753->2743 2754->2744 2755->2744 2756->2747 2757->2747
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113165261.0000000008E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e00000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: $^q$$^q$$^q$$^q
                                                                • API String ID: 0-2125118731
                                                                • Opcode ID: 0d72d3957a628764d859eddebc3582a8582f5ed539991b6d28ddedd702d4be3d
                                                                • Instruction ID: 1841b146ecca435301dcee2c8b4a207ab819cdb0f307aa6d89c2e00e18691d7e
                                                                • Opcode Fuzzy Hash: 0d72d3957a628764d859eddebc3582a8582f5ed539991b6d28ddedd702d4be3d
                                                                • Instruction Fuzzy Hash: 72910671B40B059FDB158B2DC840BAE7BB6EF86305F248D5AD101DB2E2CB75DC858BA1
                                                                Function 0182FCBA Relevance: 4.7, APIs: 3, Instructions: 183memoryCOMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 2813 182fcba-182fce7 2814 182fd6f-182fd76 2813->2814 2815 182fced-182fd00 2813->2815 2816 182fd94-182fd96 2814->2816 2817 182fd78-182fd8c 2814->2817 2821 182fda3-182fda6 2815->2821 2822 182fd06-182fd32 call 1831252 2815->2822 2819 182fda8-182fdb3 2816->2819 2820 182fd98-182fd9e 2816->2820 2817->2816 2827 182feba 2819->2827 2828 182fdb9-182fdc5 2819->2828 2823 182febe-182fec8 2820->2823 2821->2817 2834 182fd34-182fd43 2822->2834 2835 182fd68 2822->2835 2827->2823 2829 182fdd3-182fdfb call 1831252 SysAllocString 2828->2829 2830 182fdc7-182fdd1 2828->2830 2839 182fdff-182fe0e 2829->2839 2837 182fe11-182fe13 2830->2837 2834->2817 2842 182fd45-182fd4a 2834->2842 2838 182fd6b-182fd6d 2835->2838 2837->2827 2840 182fe19-182fe2d 2837->2840 2838->2814 2838->2817 2839->2837 2840->2827 2846 182fe33-182fe55 SafeArrayCreate 2840->2846 2842->2838 2845 182fd4c-182fd62 2842->2845 2847 182fd66 2845->2847 2846->2827 2848 182fe57-182fe62 2846->2848 2847->2838 2849 182fe77-182fe80 2848->2849 2850 182fe64-182fe75 2848->2850 2854 182fe82 call 362d006 2849->2854 2855 182fe82 call 362d01d 2849->2855 2850->2849 2850->2850 2851 182fe88-182fe9e 2852 182feb3-182feb4 SafeArrayDestroy 2851->2852 2853 182fea0-182feb1 2851->2853 2852->2827 2853->2852 2853->2853 2854->2851 2855->2851
                                                                APIs
                                                                • SysAllocString.OLEAUT32(?), ref: 0182FDE7
                                                                • SafeArrayCreate.OLEAUT32(00000011,00000001,?), ref: 0182FE4B
                                                                • SafeArrayDestroy.OLEAUT32(00000000), ref: 0182FEB4
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4107808945.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_1510000_SecuriteInfo.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ArraySafe$AllocCreateDestroyString
                                                                • String ID:
                                                                • API String ID: 2997030761-0
                                                                • Opcode ID: 3a71c02433a8139c968cc3f30c4dd14e73a6b67554079fc4c70d085402dfb9e4
                                                                • Instruction ID: 38b17fc07cc8f156b2c3b4fef0f52bd596c61aa8e36d3a5d96160b439bfe6e4d
                                                                • Opcode Fuzzy Hash: 3a71c02433a8139c968cc3f30c4dd14e73a6b67554079fc4c70d085402dfb9e4
                                                                • Instruction Fuzzy Hash: 41616A71200216AFD726DF64C884FA7B7F8BF49705F048669EA59CB106DB30EA45CFA1
                                                                Function 08E417E0 Relevance: 4.1, Strings: 3, Instructions: 326COMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 2856 8e417e0-8e417f0 2857 8e417f6-8e417fa 2856->2857 2858 8e41909-8e4192e 2856->2858 2859 8e41935-8e4195a 2857->2859 2860 8e41800-8e41809 2857->2860 2858->2859 2861 8e41961-8e41997 2859->2861 2860->2861 2862 8e4180f-8e41836 2860->2862 2879 8e4199e-8e419a8 2861->2879 2873 8e4183c-8e4183e 2862->2873 2874 8e418fe-8e41908 2862->2874 2876 8e41840-8e41843 2873->2876 2877 8e4185f-8e41861 2873->2877 2876->2879 2880 8e41849-8e41853 2876->2880 2878 8e41864-8e41868 2877->2878 2881 8e418c9-8e418d5 2878->2881 2882 8e4186a-8e41879 2878->2882 2888 8e41a0e 2879->2888 2889 8e419aa 2879->2889 2880->2879 2884 8e41859-8e4185d 2880->2884 2881->2879 2885 8e418db-8e418f8 2881->2885 2882->2879 2891 8e4187f-8e418c6 2882->2891 2884->2877 2884->2878 2885->2873 2885->2874 2892 8e41a10-8e41a13 2888->2892 2893 8e41a2c-8e41a38 2888->2893 2891->2881 2894 8e41a1c 2892->2894 2951 8e41a16 call 8e41fe3 2892->2951 2952 8e41a16 call 8e41fe8 2892->2952 2899 8e41a3e-8e41b23 call 8e40910 2893->2899 2900 8e41b28-8e41b38 2893->2900 2897 8e41c4a-8e41c55 2894->2897 2907 8e41c84-8e41ca5 2897->2907 2908 8e41c57-8e41c67 2897->2908 2899->2900 2905 8e41c25-8e41c41 2900->2905 2906 8e41b3e-8e41c17 call 8e40910 2900->2906 2905->2897 2948 8e41c22 2906->2948 2949 8e41c19 2906->2949 2918 8e41c77-8e41c7d 2908->2918 2919 8e41c69-8e41c6f 2908->2919 2918->2907 2919->2918 2948->2897 2949->2948 2951->2894 2952->2894
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: (bq$(bq$Hbq
                                                                • API String ID: 0-2835675688
                                                                • Opcode ID: 72809be551cf0c0747b368e8b899901ae485c48cbdc8098446157bb90bc7aafc
                                                                • Instruction ID: 5337945b3f44d0950ed89d824be8778a94fa55df5676cb2fa87d8675018d7815
                                                                • Opcode Fuzzy Hash: 72809be551cf0c0747b368e8b899901ae485c48cbdc8098446157bb90bc7aafc
                                                                • Instruction Fuzzy Hash: 31D16474B00209DFDB14EF64E4949ADBBB2FF88301F519569E5096B364DB34EC82CB91
                                                                Function 01831277 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66libraryCOMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 3029 1831277-183128a 3030 18312a2-18312ac 3029->3030 3031 183128c-183128f 3029->3031 3033 18312bb-18312c7 3030->3033 3034 18312ae-18312b6 3030->3034 3032 1831291-1831294 3031->3032 3032->3030 3035 1831296-18312a0 3032->3035 3036 18312ca-18312cf 3033->3036 3034->3033 3035->3030 3035->3032 3037 1831302-1831309 LoadLibraryA 3036->3037 3038 18312d1-18312dc 3036->3038 3039 183130c-1831310 3037->3039 3040 18312f8-18312fc 3038->3040 3041 18312de-18312f6 call 1831945 3038->3041 3040->3036 3042 18312fe-1831300 3040->3042 3041->3040 3045 1831311-1831313 3041->3045 3042->3037 3042->3039 3045->3039
                                                                APIs
                                                                • LoadLibraryA.KERNEL32(00000000,?,?), ref: 01831309
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4107808945.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_1510000_SecuriteInfo.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: LibraryLoad
                                                                • String ID: .dll
                                                                • API String ID: 1029625771-2738580789
                                                                • Opcode ID: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
                                                                • Instruction ID: af3aa31074615858cc2ce59467fefab65bc229d727088c89f9a05bf2271afcb6
                                                                • Opcode Fuzzy Hash: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
                                                                • Instruction Fuzzy Hash: 0521B4756042859FE722DFADC888A6DBBE4AF85B20F1C41ADD942DBA41DB30E94587C0
                                                                Function 00A80AD1 Relevance: 3.2, APIs: 2, Instructions: 177COMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 3046 a80ad1-a80af9 call a80cd6 3049 a80cbe-a80cbf call a80d47 3046->3049 3050 a80aff-a80b05 3046->3050 3055 a80cc4-a80cc6 3049->3055 3051 a80b08-a80b0e 3050->3051 3053 a80c0a-a80c29 call a7e2d0 3051->3053 3054 a80b14-a80b20 3051->3054 3065 a80c2c-a80c31 3053->3065 3054->3051 3056 a80b22-a80b28 3054->3056 3058 a80cc7-a80cd5 call a7ce3e 3055->3058 3060 a80b2e-a80b3a IsValidCodePage 3056->3060 3061 a80c02-a80c05 3056->3061 3060->3061 3064 a80b40-a80b47 3060->3064 3061->3058 3066 a80b69-a80b76 GetCPInfo 3064->3066 3067 a80b49-a80b55 3064->3067 3068 a80c6e-a80c78 3065->3068 3069 a80c33-a80c38 3065->3069 3072 a80b78-a80b97 call a7e2d0 3066->3072 3073 a80bf6-a80bfc 3066->3073 3071 a80b59-a80b64 3067->3071 3068->3065 3070 a80c7a-a80ca4 call a81022 3068->3070 3074 a80c3a-a80c42 3069->3074 3075 a80c6b 3069->3075 3086 a80ca5-a80cb4 3070->3086 3077 a80cb6-a80cb7 call a81060 3071->3077 3072->3071 3088 a80b99-a80ba0 3072->3088 3073->3049 3073->3061 3079 a80c63-a80c69 3074->3079 3080 a80c44-a80c47 3074->3080 3075->3068 3087 a80cbc 3077->3087 3079->3069 3079->3075 3081 a80c49-a80c4f 3080->3081 3081->3079 3085 a80c51-a80c61 3081->3085 3085->3079 3085->3081 3086->3077 3086->3086 3087->3055 3089 a80bcc-a80bcf 3088->3089 3090 a80ba2-a80ba7 3088->3090 3091 a80bd4-a80bdb 3089->3091 3090->3089 3092 a80ba9-a80bb1 3090->3092 3091->3091 3093 a80bdd-a80bf1 call a81022 3091->3093 3094 a80bb3-a80bba 3092->3094 3095 a80bc4-a80bca 3092->3095 3093->3071 3096 a80bbb-a80bc2 3094->3096 3095->3089 3095->3090 3096->3095 3096->3096
                                                                APIs
                                                                  • Part of subcall function 00A80CD6: GetOEMCP.KERNEL32(00000000,?,?,00000000,?), ref: 00A80D01
                                                                • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,00A80EE1,?,00000000,?,00000000,?), ref: 00A80B32
                                                                • GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,00A80EE1,?,00000000,?,00000000,?), ref: 00A80B6E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4105262069.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                                                                • Associated: 00000000.00000002.4105245354.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105350705.0000000000A8A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105368092.0000000000A90000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105652475.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105670401.0000000000DB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_9f0000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: CodeInfoPageValid
                                                                • String ID:
                                                                • API String ID: 546120528-0
                                                                • Opcode ID: 9be94e39a5f7c2b1a3d4ba28a52671c040c9894a487de99d540c5bf47c312ba8
                                                                • Instruction ID: af81c45581feb49a1541ae937d608c002e3ff3625f8f4d6d0dfe08fb45be7a0a
                                                                • Opcode Fuzzy Hash: 9be94e39a5f7c2b1a3d4ba28a52671c040c9894a487de99d540c5bf47c312ba8
                                                                • Instruction Fuzzy Hash: F95156B0E003459EDB60EF75C895EABBBF4EF41304F18866ED096CB252D774994ACB50
                                                                Function 0182F154 Relevance: 3.0, APIs: 2, Instructions: 48memoryCOMMON
                                                                Download Yara Rule
                                                                APIs
                                                                  • Part of subcall function 01831277: LoadLibraryA.KERNEL32(00000000,?,?), ref: 01831309
                                                                • VirtualProtect.KERNEL32(00000000,00000004,00000040,?), ref: 0182F18C
                                                                • VirtualProtect.KERNEL32(00000000,00000004,?,?), ref: 0182F1AF
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4107808945.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_1510000_SecuriteInfo.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ProtectVirtual$LibraryLoad
                                                                • String ID:
                                                                • API String ID: 895956442-0
                                                                • Opcode ID: 31a2c6fb5a155253d75781cd9ceba9c7cc267d2f06376007566f6440306b8afe
                                                                • Instruction ID: f06a60099da3df4b8481acff6c11eed9dbb0e192973fdf6391040f723196f933
                                                                • Opcode Fuzzy Hash: 31a2c6fb5a155253d75781cd9ceba9c7cc267d2f06376007566f6440306b8afe
                                                                • Instruction Fuzzy Hash: 2EF086B6100614BAE612A6A4CC45FFB77ACDF85A50F440418FB45D6080E765A74186A5
                                                                Function 00A7FE17 Relevance: 3.0, APIs: 2, Instructions: 34COMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • LCMapStringEx.KERNEL32(?,00A847E8,?,?,-00000008,?,00000000,00000000,00000000,00000000,00000000), ref: 00A7FE4B
                                                                • LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,-00000008,-00000008,?,00A847E8,?,?,-00000008,?,00000000), ref: 00A7FE69
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4105262069.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                                                                • Associated: 00000000.00000002.4105245354.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105350705.0000000000A8A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105368092.0000000000A90000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105652475.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105670401.0000000000DB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_9f0000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: String
                                                                • String ID:
                                                                • API String ID: 2568140703-0
                                                                • Opcode ID: 3e81a2bc42aed2e71a6d58d4fe57d6c831f3315033b8646b44246d4dddb00f0c
                                                                • Instruction ID: a0ee4a7ea85ae855dcba793dd0b7bf5a34f03303057c79681e297562268c2be1
                                                                • Opcode Fuzzy Hash: 3e81a2bc42aed2e71a6d58d4fe57d6c831f3315033b8646b44246d4dddb00f0c
                                                                • Instruction Fuzzy Hash: 8DF0683200025AFFCF126F90DC05DDE3F26AF48760F058124BA2865131C732C972ABA0
                                                                Function 08E46860 Relevance: 2.8, Strings: 2, Instructions: 295COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4'^q$4'^q
                                                                • API String ID: 0-2697143702
                                                                • Opcode ID: c2e6b46a1637d20c86c3bee9d3942ca47c147e2dcbc5b73f8ca0d241203161e7
                                                                • Instruction ID: 7879ee6ccdebfb2af79ff74dd4df75ac1fd25990d4c93bd338e45627f69d58d6
                                                                • Opcode Fuzzy Hash: c2e6b46a1637d20c86c3bee9d3942ca47c147e2dcbc5b73f8ca0d241203161e7
                                                                • Instruction Fuzzy Hash: FFC1C974B00218DFDB14EFA8C994A9DB7B6FF89300F114169E50AAB3A5DB31EC42CB51
                                                                Function 08E46855 Relevance: 2.8, Strings: 2, Instructions: 278COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4'^q$4'^q
                                                                • API String ID: 0-2697143702
                                                                • Opcode ID: d002afeca864584e38ab9fe20cb7d6d0c8e3c5ed3ba2162ee765963ebeda49b4
                                                                • Instruction ID: 87a7e171cba888d0c3ea6a5b142522995f3e9ab6a60a4867845cccee46f741fa
                                                                • Opcode Fuzzy Hash: d002afeca864584e38ab9fe20cb7d6d0c8e3c5ed3ba2162ee765963ebeda49b4
                                                                • Instruction Fuzzy Hash: 29C1D974B00219DFDB14EFA8C994A9DB7B6FF89301F104168E50AAB3A5DB30EC02CB51
                                                                Function 08E049A8 Relevance: 2.6, Strings: 2, Instructions: 66COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113165261.0000000008E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e00000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4'^q$4'^q
                                                                • API String ID: 0-2697143702
                                                                • Opcode ID: 7e2c85bf8d402020f6975859e33da367b0bb1958687681e76f88881e5cb2d767
                                                                • Instruction ID: dbd085d41e4d6df55eb9e37de6d60460a9b45450ae104aec09d5de306aed8ba0
                                                                • Opcode Fuzzy Hash: 7e2c85bf8d402020f6975859e33da367b0bb1958687681e76f88881e5cb2d767
                                                                • Instruction Fuzzy Hash: F811BF7A7446119B4B19926DD21412A65E79FC912E3345C2CCA4EDB3C8EE24CC824F7E
                                                                Function 05E4B800 Relevance: 1.7, APIs: 1, Instructions: 196COMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 05E4BA56
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4110531243.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_5e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: HandleModule
                                                                • String ID:
                                                                • API String ID: 4139908857-0
                                                                • Opcode ID: dafac270854082f759dcd812ba4af81156a011908987a2ee358519c4cd501025
                                                                • Instruction ID: 312ec4c5ce06235c019c226cc7fbdb04149c7ff02cd6a0ef9cd2fe8c10b9c374
                                                                • Opcode Fuzzy Hash: dafac270854082f759dcd812ba4af81156a011908987a2ee358519c4cd501025
                                                                • Instruction Fuzzy Hash: 297136B0A00B058FEB24DF69D44575ABBF6FF88204F00992ED58AD7A40DB74E945CF91
                                                                Function 06101870 Relevance: 1.7, APIs: 1, Instructions: 155COMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06101A02
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4110812553.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6100000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: CreateWindow
                                                                • String ID:
                                                                • API String ID: 716092398-0
                                                                • Opcode ID: 551bd55a2b1a42087dddf65f4fb9fe7e11138008c5e68e6ce45e6f7e2c65fd46
                                                                • Instruction ID: 48016c0ccdffe01e636b9902b126b0748f826d8f82c196d1fec36ca385e3c99d
                                                                • Opcode Fuzzy Hash: 551bd55a2b1a42087dddf65f4fb9fe7e11138008c5e68e6ce45e6f7e2c65fd46
                                                                • Instruction Fuzzy Hash: 3551F0B1C04289EFDF05CFA9C980ADDBFB2BF49300F24816AE818AB261D7759955CF51
                                                                Function 00A81060 Relevance: 1.6, APIs: 1, Instructions: 142COMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • GetCPInfo.KERNEL32(00000083,?,00000005,00A80EE1,?), ref: 00A81092
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4105262069.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                                                                • Associated: 00000000.00000002.4105245354.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105350705.0000000000A8A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105368092.0000000000A90000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105652475.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105670401.0000000000DB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_9f0000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: Info
                                                                • String ID:
                                                                • API String ID: 1807457897-0
                                                                • Opcode ID: 6056d84f6b0e79a9d48bfde0ae79c8e5bb1c8c3500fb833dbd47c51738e29390
                                                                • Instruction ID: 3ea4e1697d3f884ed7e6f8b448408f45d16f6f3dda3d93dd82267adf4e80c01e
                                                                • Opcode Fuzzy Hash: 6056d84f6b0e79a9d48bfde0ae79c8e5bb1c8c3500fb833dbd47c51738e29390
                                                                • Instruction Fuzzy Hash: B85169B0904198AADB11AF69CD88BE9BBBDEF15304F1442EDE599C7142D3319D86CB60
                                                                Function 0610C4C4 Relevance: 1.6, APIs: 1, Instructions: 118threadCOMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • EnumThreadWindows.USER32(?,00000000,?), ref: 0610D971
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4110812553.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6100000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: EnumThreadWindows
                                                                • String ID:
                                                                • API String ID: 2941952884-0
                                                                • Opcode ID: 5f391ddf125930def8fe56145109f0af694a8c1b0aff013eb2888c26d108392c
                                                                • Instruction ID: 91efdbaf14b56168c69b2002c9d3da053f40e6103cb680bd4e0d7cfac406cc4e
                                                                • Opcode Fuzzy Hash: 5f391ddf125930def8fe56145109f0af694a8c1b0aff013eb2888c26d108392c
                                                                • Instruction Fuzzy Hash: B341E271E002188FDB04CF9DD8457AEBBF5EF88310F14842AE419E7380DB789941CBA5
                                                                Function 061018F0 Relevance: 1.6, APIs: 1, Instructions: 113COMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06101A02
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4110812553.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6100000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: CreateWindow
                                                                • String ID:
                                                                • API String ID: 716092398-0
                                                                • Opcode ID: 666037c054c0cf0772abaa94bc98befac5fa6d7a64b67b0fdb45ab68d31ee35b
                                                                • Instruction ID: 91c69516c10ddf0c926dcee4420ae090a72bb8c2b0e0a9f3925f34aebe6b9b32
                                                                • Opcode Fuzzy Hash: 666037c054c0cf0772abaa94bc98befac5fa6d7a64b67b0fdb45ab68d31ee35b
                                                                • Instruction Fuzzy Hash: 0941B0B1D10349EFDF14CF99C984ADEBBB5BF88310F24852AE819AB250D7749985CF90
                                                                Function 061026CC Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 06103F31
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4110812553.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6100000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: CallProcWindow
                                                                • String ID:
                                                                • API String ID: 2714655100-0
                                                                • Opcode ID: 7e6d449af5c182c037d9807c0a71bab3e7f4b70edb6ffd8b8960a01b0fe1b5b5
                                                                • Instruction ID: 31663d1a73ce583fde7a52394ccf81f6f7890be356fe30c441358a9b8093b3d6
                                                                • Opcode Fuzzy Hash: 7e6d449af5c182c037d9807c0a71bab3e7f4b70edb6ffd8b8960a01b0fe1b5b5
                                                                • Instruction Fuzzy Hash: ED4158B4910306CFDB54CF99C888AAAFBF5FF88314F24C459E519AB361D770A941CBA1
                                                                Function 05E45C1C Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • CreateActCtxA.KERNEL32(?), ref: 05E46C21
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4110531243.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_5e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: Create
                                                                • String ID:
                                                                • API String ID: 2289755597-0
                                                                • Opcode ID: 61433de40ddc6a7918bc2bb57c123ace47cd4ae4c2bd01fcea7aeb4eee055dfb
                                                                • Instruction ID: cb4da5a677975cc88c235f97b36790e766f057b2d9564a87cfc0c0c097bac4ad
                                                                • Opcode Fuzzy Hash: 61433de40ddc6a7918bc2bb57c123ace47cd4ae4c2bd01fcea7aeb4eee055dfb
                                                                • Instruction Fuzzy Hash: 2E41DEB0C00719CBDB24DFA9D884B9EBBB5FF49304F20806AD449AB251DBB56945CF90
                                                                Function 05E46B65 Relevance: 1.6, APIs: 1, Instructions: 95COMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • CreateActCtxA.KERNEL32(?), ref: 05E46C21
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4110531243.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_5e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: Create
                                                                • String ID:
                                                                • API String ID: 2289755597-0
                                                                • Opcode ID: 7f5e69eda6ea090ef795d2508d4cca44c1b18c19740ef8666abdba108bfa571f
                                                                • Instruction ID: 72256f6161c550a7831243f329044f62b1bb0411a5d224d0720274942ce5c51c
                                                                • Opcode Fuzzy Hash: 7f5e69eda6ea090ef795d2508d4cca44c1b18c19740ef8666abdba108bfa571f
                                                                • Instruction Fuzzy Hash: C2410EB0C00719CBDB24CFA9D984BDDBBB5FF49304F24806AD409AB255DB75698ACF90
                                                                Function 0610AC88 Relevance: 1.6, APIs: 1, Instructions: 83COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4110812553.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6100000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: CreateFromIconResource
                                                                • String ID:
                                                                • API String ID: 3668623891-0
                                                                • Opcode ID: 9705c1a3a9cbdae20808e5db8d4632e4a74aae4786dc88add5367240d55f4860
                                                                • Instruction ID: b6e02d601f2460439ca6e601d8b7f6689b6ae75ca75eac1fcfad53240e2eee2a
                                                                • Opcode Fuzzy Hash: 9705c1a3a9cbdae20808e5db8d4632e4a74aae4786dc88add5367240d55f4860
                                                                • Instruction Fuzzy Hash: FF317A719003489FDB02CFA9C944ADEBFF4EF09310F14845AEA54AB262C3759954DBA0
                                                                Function 0182FEC9 Relevance: 1.6, APIs: 1, Instructions: 325memoryCOMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0182FF43
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4107808945.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_1510000_SecuriteInfo.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: 913584bddb567b179a3f9b4e0e6654d789e61ea3d5744fe4b2293047c08ef92d
                                                                • Instruction ID: 1d95d8ea5e8ffa8c61a6be9739c1486517f03277b56c7c3eeafe2f51dc15f9c0
                                                                • Opcode Fuzzy Hash: 913584bddb567b179a3f9b4e0e6654d789e61ea3d5744fe4b2293047c08ef92d
                                                                • Instruction Fuzzy Hash: F1B1F731500B0AEBDB269E68CC80BABFBE8FF85701F180519F699D2151E731E650DBD2
                                                                Function 05E45A94 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,05E45F4E,?,?,?,?,?), ref: 05E4600F
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4110531243.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_5e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: DuplicateHandle
                                                                • String ID:
                                                                • API String ID: 3793708945-0
                                                                • Opcode ID: 0ce2cbebf2810b3b8ec4e91278b25d0d8f83a36f169a5302a3647fa4f093d7e5
                                                                • Instruction ID: d248ae8d81763bde915d4f46d552107504c224f13c7b82b0c8a27c2dc3afa224
                                                                • Opcode Fuzzy Hash: 0ce2cbebf2810b3b8ec4e91278b25d0d8f83a36f169a5302a3647fa4f093d7e5
                                                                • Instruction Fuzzy Hash: DC2114B59002089FDB10CF9AD984AEEFFF4EB48310F14841AE958A7350D374A950CFA0
                                                                Function 05E45F82 Relevance: 1.6, APIs: 1, Instructions: 64COMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,05E45F4E,?,?,?,?,?), ref: 05E4600F
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4110531243.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_5e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: DuplicateHandle
                                                                • String ID:
                                                                • API String ID: 3793708945-0
                                                                • Opcode ID: b8a06152c2a761b39e87ae88d91e5acdc8b8cf880cbff10a388c4e6777d994f0
                                                                • Instruction ID: fc2250a0d596897cf3d5c8c997946e52d2c09deb0276dfffbb89099f96a338c4
                                                                • Opcode Fuzzy Hash: b8a06152c2a761b39e87ae88d91e5acdc8b8cf880cbff10a388c4e6777d994f0
                                                                • Instruction Fuzzy Hash: 2221E4B59002089FDB10CF9AD985ADEFFF4EB48320F14801AE958A3351D378A954DF64
                                                                Function 0610C4D4 Relevance: 1.6, APIs: 1, Instructions: 62threadCOMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • EnumThreadWindows.USER32(?,00000000,?), ref: 0610D971
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4110812553.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6100000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: EnumThreadWindows
                                                                • String ID:
                                                                • API String ID: 2941952884-0
                                                                • Opcode ID: 9ca522443baed64bce50e5e6285f591de7942bec9c0eab3288c4b024fff52091
                                                                • Instruction ID: f391ca57b87e08d7eb806cc6a4d852ae018c1c11bccefcc74b1f34b9a79596da
                                                                • Opcode Fuzzy Hash: 9ca522443baed64bce50e5e6285f591de7942bec9c0eab3288c4b024fff52091
                                                                • Instruction Fuzzy Hash: EC2129B1D002098FDB54CF9AD845BEEFBF4EF88320F14842AD459A7290D7B4A945CFA5
                                                                Function 08E455C0 Relevance: 1.6, Strings: 1, Instructions: 309COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: Pl^q
                                                                • API String ID: 0-2831078282
                                                                • Opcode ID: a1c96ecddf1a5b97c10d1ba86f482770425a378be9a60a8b28dcb69374b62934
                                                                • Instruction ID: 275af59f1cdaf1bbd69b214d35f5f042573917dc2f04566992b4040121d476c7
                                                                • Opcode Fuzzy Hash: a1c96ecddf1a5b97c10d1ba86f482770425a378be9a60a8b28dcb69374b62934
                                                                • Instruction Fuzzy Hash: 74D1EC74B11218DFDB14EFA8D894E9EBBB2FF88700F115159E509AB3A5CB74AC02CB51
                                                                Function 061A17F0 Relevance: 1.6, APIs: 1, Instructions: 59fileCOMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • DeleteFileW.KERNEL32(00000000), ref: 061A1868
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4110920381.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_61a0000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: DeleteFile
                                                                • String ID:
                                                                • API String ID: 4033686569-0
                                                                • Opcode ID: 618c5fa29f8149a148578c2662f76528acef8ee4dd4e02cdc176084dfe064119
                                                                • Instruction ID: 924423f15290dad815ab545e0bc7273c512008f1d83781a63d042255373eb57f
                                                                • Opcode Fuzzy Hash: 618c5fa29f8149a148578c2662f76528acef8ee4dd4e02cdc176084dfe064119
                                                                • Instruction Fuzzy Hash: 6C2156B5C0061A9FCB10CFAAC545AAEFBF4EF48720F15812AD859B7240D738A945CFA1
                                                                Function 0610987C Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,0610ACA2,?,?,?,?,?), ref: 0610AD47
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4110812553.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6100000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: CreateFromIconResource
                                                                • String ID:
                                                                • API String ID: 3668623891-0
                                                                • Opcode ID: 4795458409ec34a2c8f9f87fe469c9286a0672805ca51c4d633cfd07e66cadb3
                                                                • Instruction ID: 4e295d1fbc8c79921d03590067fa527630fb0c5f23a98787f3262af527a72d7a
                                                                • Opcode Fuzzy Hash: 4795458409ec34a2c8f9f87fe469c9286a0672805ca51c4d633cfd07e66cadb3
                                                                • Instruction Fuzzy Hash: DF1156B5800349DFDB10CFAAC944ADEBFF8EF48320F14841AE955A7250C374A950DFA4
                                                                Function 061A17F8 Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • DeleteFileW.KERNEL32(00000000), ref: 061A1868
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4110920381.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_61a0000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: DeleteFile
                                                                • String ID:
                                                                • API String ID: 4033686569-0
                                                                • Opcode ID: 35c5ce6c6905e87b7e0d6cca4a83f3575acdde0ebd0b0b57d1e5bc782925a816
                                                                • Instruction ID: 753b880451ae99d7f166b9ab0ecbca64daafb69c4f533822855feee75a858874
                                                                • Opcode Fuzzy Hash: 35c5ce6c6905e87b7e0d6cca4a83f3575acdde0ebd0b0b57d1e5bc782925a816
                                                                • Instruction Fuzzy Hash: B41144B5C0061A9BCB14CF9AC545B9EFBF4EF48320F15812AD818B7240D738A944CFA1
                                                                Function 05E4A2F9 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 05E4A36D
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4110531243.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_5e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: CallbackDispatcherUser
                                                                • String ID:
                                                                • API String ID: 2492992576-0
                                                                • Opcode ID: c76443f6e3110fa169f8a6ff641228d01786a8f9c7c6a1b4e06181e325a12ace
                                                                • Instruction ID: 256eab1876d760f5a4dc113dfc65c7d9d779841210e8d25f66ccddcf9513c74e
                                                                • Opcode Fuzzy Hash: c76443f6e3110fa169f8a6ff641228d01786a8f9c7c6a1b4e06181e325a12ace
                                                                • Instruction Fuzzy Hash: 1211DCB5800399CEDB10CF9AD5463EEBFF0AB15358F5480AAD4C8B7682D3389604CF61
                                                                Function 05E4A308 Relevance: 1.5, APIs: 1, Instructions: 49COMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 05E4A36D
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4110531243.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_5e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: CallbackDispatcherUser
                                                                • String ID:
                                                                • API String ID: 2492992576-0
                                                                • Opcode ID: 7fa8e1f1aecc20856ea29228a99c00445e5229cdddb3e9a24a3add962c11bc71
                                                                • Instruction ID: 60467f43a6c4b606fa3ce7d6f2d4e421252f21da7a0b8f224365d28bca701146
                                                                • Opcode Fuzzy Hash: 7fa8e1f1aecc20856ea29228a99c00445e5229cdddb3e9a24a3add962c11bc71
                                                                • Instruction Fuzzy Hash: BB11EFB090039ACEDB10CF9AD1057EEBFF4EB05358F10809AE489B7282C7389604CFA5
                                                                Function 06101B30 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • SetWindowLongW.USER32(?,?,?), ref: 06101B95
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4110812553.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6100000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: LongWindow
                                                                • String ID:
                                                                • API String ID: 1378638983-0
                                                                • Opcode ID: ffa6da193caf5bdf2de29d2c18530cdcde5f44c7f51de5d1d9832a5231be5f13
                                                                • Instruction ID: a35c5ae66b53abe0dc417f150c9d47e13b406c1c409d97eb99c03251bc9076f6
                                                                • Opcode Fuzzy Hash: ffa6da193caf5bdf2de29d2c18530cdcde5f44c7f51de5d1d9832a5231be5f13
                                                                • Instruction Fuzzy Hash: AE11F5B58002499FDB10CF99D985B9EFBF8EB48320F10841AD919B7740D378A944CFA5
                                                                Function 061098C0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • SendMessageW.USER32(?,?,?,?), ref: 0610B0AD
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4110812553.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6100000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: MessageSend
                                                                • String ID:
                                                                • API String ID: 3850602802-0
                                                                • Opcode ID: 7943ea8fa893eb14f822b7a2a60f89731ca702db893656c483b1612787a0bf5d
                                                                • Instruction ID: 0e76b7866db9ca049fe45f43de12a1b66def8f190f61767b58995c0c6ccfb55f
                                                                • Opcode Fuzzy Hash: 7943ea8fa893eb14f822b7a2a60f89731ca702db893656c483b1612787a0bf5d
                                                                • Instruction Fuzzy Hash: 221125B580430C9FDB10DF89C985BDEBBF4EB48310F108419E518B7240C3B5A944CFA0
                                                                Function 05E4B9F0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 05E4BA56
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4110531243.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_5e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: HandleModule
                                                                • String ID:
                                                                • API String ID: 4139908857-0
                                                                • Opcode ID: 89d65937be2eb6dcb0ed48db0c3e422a116245e821e236ea5ef4a77cf0ed386e
                                                                • Instruction ID: 7b520a93cbb6ff506c67950adf03513dbe8c5bd93084a6cbcb82dbb72c75dc94
                                                                • Opcode Fuzzy Hash: 89d65937be2eb6dcb0ed48db0c3e422a116245e821e236ea5ef4a77cf0ed386e
                                                                • Instruction Fuzzy Hash: B51110B5C003498FDB10CF9AD444ADEFBF8EB88324F10841AD869B7210D374A645CFA1
                                                                Function 061A00CA Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • SendMessageW.USER32(?,?,?,?), ref: 061A012D
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4110920381.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_61a0000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: MessageSend
                                                                • String ID:
                                                                • API String ID: 3850602802-0
                                                                • Opcode ID: 3541a42c2d7e148e876c2a20b0ac0417b703728e2cf6629c11246f9cd1bd2c55
                                                                • Instruction ID: 505159c9035c77d8ba10e69da26b7f8d3d97cd25679303adec24e69b3e55eb01
                                                                • Opcode Fuzzy Hash: 3541a42c2d7e148e876c2a20b0ac0417b703728e2cf6629c11246f9cd1bd2c55
                                                                • Instruction Fuzzy Hash: 961106B5800349DFDB10DF99D985BDEFBF8EB48314F208419D958A7210D375A644CFA1
                                                                Function 0610B04A Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • SendMessageW.USER32(?,?,?,?), ref: 0610B0AD
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4110812553.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6100000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: MessageSend
                                                                • String ID:
                                                                • API String ID: 3850602802-0
                                                                • Opcode ID: 28dcedcf3208dc6928a08393587da4edb0275c19763ba8fb05346be452f5c827
                                                                • Instruction ID: 1627ce98e7c25317cdd10f939cbb2df8bdb1eadf4aaf4995c2dea004c0ad1331
                                                                • Opcode Fuzzy Hash: 28dcedcf3208dc6928a08393587da4edb0275c19763ba8fb05346be452f5c827
                                                                • Instruction Fuzzy Hash: 8C11FEB5810309CFDB10CF99CA89BDEBBF4EB48320F20881AD558B7640C375A684CFA0
                                                                Function 06101B38 Relevance: 1.5, APIs: 1, Instructions: 44COMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • SetWindowLongW.USER32(?,?,?), ref: 06101B95
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4110812553.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6100000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: LongWindow
                                                                • String ID:
                                                                • API String ID: 1378638983-0
                                                                • Opcode ID: e399be65edbe43c1ecb74b284a6338063cfa2be5e08a1d645e07c0252a8b264b
                                                                • Instruction ID: 775bd4081881bba1af3d87b0b3a05e63d0ec1cb04d322b5f0f29a8e11ad5b8de
                                                                • Opcode Fuzzy Hash: e399be65edbe43c1ecb74b284a6338063cfa2be5e08a1d645e07c0252a8b264b
                                                                • Instruction Fuzzy Hash: 3211D3B58002499FDB10DF9AD585BDEFBF8EB48320F20841AD919B7340D374A944CFA5
                                                                Function 061A00D0 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • SendMessageW.USER32(?,?,?,?), ref: 061A012D
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4110920381.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_61a0000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: MessageSend
                                                                • String ID:
                                                                • API String ID: 3850602802-0
                                                                • Opcode ID: 166639b3fdecb9880ba882a0bf620ac7fbf2e69a09c7ca51be3c43601c9124e7
                                                                • Instruction ID: 70db7dfefac09a52212ac315583ea6ab76f1b387c85ea8bf7ad9a232aea45df2
                                                                • Opcode Fuzzy Hash: 166639b3fdecb9880ba882a0bf620ac7fbf2e69a09c7ca51be3c43601c9124e7
                                                                • Instruction Fuzzy Hash: 891103B58003489FCB10DF9AD985BDEFBF8EB48324F10841AD518A7200C375A544CFA1
                                                                Function 08E455B3 Relevance: 1.5, Strings: 1, Instructions: 259COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: Pl^q
                                                                • API String ID: 0-2831078282
                                                                • Opcode ID: dc32c1569cc5d9d8f0c8122a90e95b0dc3a22df174ffa3aa60507d26dd1e3cc5
                                                                • Instruction ID: 3f69f876bd95483cda9543df7929437b05ba2e6683da8d0ad0b76b3f390072f2
                                                                • Opcode Fuzzy Hash: dc32c1569cc5d9d8f0c8122a90e95b0dc3a22df174ffa3aa60507d26dd1e3cc5
                                                                • Instruction Fuzzy Hash: 5EA11E74B11218DFDB14DFA8D894E9EBBB2FF88700F105159E509AB3A5CB74AC42CB91
                                                                Function 08E4A620 Relevance: 1.4, Strings: 1, Instructions: 180COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: (bq
                                                                • API String ID: 0-149360118
                                                                • Opcode ID: bf6186de8216ecd8af746eefac363d49c2edeb4e92d12bf0f522aac8503d230d
                                                                • Instruction ID: f47a4854155987f7566c2e5fb2ceb552ea9b030ac2f0ec40435bb53528cda210
                                                                • Opcode Fuzzy Hash: bf6186de8216ecd8af746eefac363d49c2edeb4e92d12bf0f522aac8503d230d
                                                                • Instruction Fuzzy Hash: 2A51CD39B406159FCB24DF78D8046AEBBF2EF88711F10856DE51ADB780DB34A906CB91
                                                                Function 08E40EB0 Relevance: 1.4, Strings: 1, Instructions: 134COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4'^q
                                                                • API String ID: 0-1614139903
                                                                • Opcode ID: 3af5a375f149f611e907f8506e2e1c160b224a0c392d0c0f9be2b1079ee3fdf3
                                                                • Instruction ID: 2c06912a487bb1f6332d1c6ccf45e7f733ec027c84a126e2b0abce6eecc68a67
                                                                • Opcode Fuzzy Hash: 3af5a375f149f611e907f8506e2e1c160b224a0c392d0c0f9be2b1079ee3fdf3
                                                                • Instruction Fuzzy Hash: A041C974B10614CFEB24EB64C4549AEBBB7EFC9700F50542ED50A9B794CF749C0687A1
                                                                Function 08E42C28 Relevance: 1.4, Strings: 1, Instructions: 109COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4'^q
                                                                • API String ID: 0-1614139903
                                                                • Opcode ID: b9b5aa3fd3238d9ebbf26a411a9d9139960ec64a7e266eccdf877e16f608bcc0
                                                                • Instruction ID: ae282efa9359a4149d1d7b403b68e4c71ca6792e653a6b91942a4ab5c0aebc6f
                                                                • Opcode Fuzzy Hash: b9b5aa3fd3238d9ebbf26a411a9d9139960ec64a7e266eccdf877e16f608bcc0
                                                                • Instruction Fuzzy Hash: FB315C757406109FE318EB28D855F2A77EAAFCC705F114568E60A8F3A1CF75EC4287A1
                                                                Function 08E42C25 Relevance: 1.4, Strings: 1, Instructions: 108COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4'^q
                                                                • API String ID: 0-1614139903
                                                                • Opcode ID: 2ab1167e1246debc70662646bbd67d74f63fc6240c873cf0695f81ba5c0d28e4
                                                                • Instruction ID: a48205dc6e20267e208ccb4ef803d39d5b952b117f9d847dac63959831a99172
                                                                • Opcode Fuzzy Hash: 2ab1167e1246debc70662646bbd67d74f63fc6240c873cf0695f81ba5c0d28e4
                                                                • Instruction Fuzzy Hash: EE318A717406109FE318EB28C854B2B77EAAFC8705F214568E20E8F7A1CF75EC428B91
                                                                Function 08E40EAC Relevance: 1.3, Strings: 1, Instructions: 81COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4'^q
                                                                • API String ID: 0-1614139903
                                                                • Opcode ID: e7f3d3d75a66ea64248073d3ce3694702f012710088b8ca193b47542438a132e
                                                                • Instruction ID: ec1dc5370dace062e284f824bed818918b7960b709f088fad576ff0100574dea
                                                                • Opcode Fuzzy Hash: e7f3d3d75a66ea64248073d3ce3694702f012710088b8ca193b47542438a132e
                                                                • Instruction Fuzzy Hash: 7721B770B10255CBDB14AB69D4586BEBBABAFC9700F10502EE50AEB395CF745C028795
                                                                Function 08E481E8 Relevance: 1.3, Strings: 1, Instructions: 69COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: (bq
                                                                • API String ID: 0-149360118
                                                                • Opcode ID: 8c4e5cbed4f88847e30abdf250fca5095de80f93b088eebfbde2874558ab1803
                                                                • Instruction ID: b25967c366e59185ff0b5f3ff8e606cf4cca99419822950add6e18089dd79432
                                                                • Opcode Fuzzy Hash: 8c4e5cbed4f88847e30abdf250fca5095de80f93b088eebfbde2874558ab1803
                                                                • Instruction Fuzzy Hash: 5F11DF35B005289FDB58DB69D414A6F7BA6EFC8701F20812CD609AB380DF359D02CBE5
                                                                Function 08E01D63 Relevance: 1.3, Strings: 1, Instructions: 64COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113165261.0000000008E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e00000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4'^q
                                                                • API String ID: 0-1614139903
                                                                • Opcode ID: e514b3f0bf7fc33021bb5414b611cb1ff90b06a964f4a726054d67afe9fc842f
                                                                • Instruction ID: 20df5d65316cdd82fbf4fd09d8d49d578b360fe17fbed87fb1f031dd511f9616
                                                                • Opcode Fuzzy Hash: e514b3f0bf7fc33021bb5414b611cb1ff90b06a964f4a726054d67afe9fc842f
                                                                • Instruction Fuzzy Hash: 6C11A832F052518FCB214B6C851416D7BF69F4560AB0519AFC546DB2D1D7308D82CFA2
                                                                Function 08E41FE8 Relevance: 1.3, Strings: 1, Instructions: 64COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: (bq
                                                                • API String ID: 0-149360118
                                                                • Opcode ID: 7bb2c570e2f6b3ace8c9ef192ca5736e47f323595bd76a1d02267d9493680877
                                                                • Instruction ID: f8a4c05fd40b474cd9cc659c5e31bcb4fe7d6b2948d81822dcc2c291219d2888
                                                                • Opcode Fuzzy Hash: 7bb2c570e2f6b3ace8c9ef192ca5736e47f323595bd76a1d02267d9493680877
                                                                • Instruction Fuzzy Hash: 6D219336604254AFD7068F69D814C597FB6FF8A22031AC0EAE509CB372CB35DC16DB51
                                                                Function 08E01D7B Relevance: 1.3, Strings: 1, Instructions: 44COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113165261.0000000008E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e00000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4'^q
                                                                • API String ID: 0-1614139903
                                                                • Opcode ID: 516b4fe3eeadb388cd2b8a46645b089f9fa750a7459812ff4f892f7002faa083
                                                                • Instruction ID: 990883cfdaacf91ec4ea075936a631afb6d195de481b243992b116a6de2e74e2
                                                                • Opcode Fuzzy Hash: 516b4fe3eeadb388cd2b8a46645b089f9fa750a7459812ff4f892f7002faa083
                                                                • Instruction Fuzzy Hash: A401A733B0012597CB2916AC95040BBB7E9EBC475AB41497EDA47B73C0DB3149824BD4
                                                                Function 08E49491 Relevance: 1.3, Strings: 1, Instructions: 27COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: xbq
                                                                • API String ID: 0-73991425
                                                                • Opcode ID: 7f0b1e692a2d65969942b352799ca190b12190193f1c9dc27f91717eadd6edcd
                                                                • Instruction ID: 95f0c0e4a87d1525ef39a855da7bc21cf6c978b93fc8fca10f6773aebe76a352
                                                                • Opcode Fuzzy Hash: 7f0b1e692a2d65969942b352799ca190b12190193f1c9dc27f91717eadd6edcd
                                                                • Instruction Fuzzy Hash: C2F065797001149FDB04DB58D941A6ABBE5FF88315F158599E50DAF362C771FC028FA0
                                                                Function 08E410F0 Relevance: .4, Instructions: 437COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: af02655cbddcb2e0ebcf1ed98dfd111928625d6acbe98e157e32c3941acae492
                                                                • Instruction ID: 384f6e164357fbc4901d22ae7277fc322488f989eff3c04ac3213f406c2ddf5c
                                                                • Opcode Fuzzy Hash: af02655cbddcb2e0ebcf1ed98dfd111928625d6acbe98e157e32c3941acae492
                                                                • Instruction Fuzzy Hash: 5D123975A00219CFDB24EF64C894A9DBBB2BF89301F5195A8D50EAB351DF30ED86CB50
                                                                Function 08E45A88 Relevance: .3, Instructions: 256COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 68938d621c9e07110edfd7c9fa1bc62126581d7e6a7ab19671892a7497b59d8f
                                                                • Instruction ID: 1eb4e17c9aa97dd9ee3edc0ac444fc048fd7060fd5707b228420b2d2099d106f
                                                                • Opcode Fuzzy Hash: 68938d621c9e07110edfd7c9fa1bc62126581d7e6a7ab19671892a7497b59d8f
                                                                • Instruction Fuzzy Hash: D5A18074B00619CFDB14EF68C4549AE77F2AF88700F105568D50A9B3A4DF74EC42CB92
                                                                Function 08E45A78 Relevance: .3, Instructions: 255COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: aa11c9cab890830a73985752585f982b4084a392fc44bf9272a903c2fcea4055
                                                                • Instruction ID: 896f2723acc389c7974bdceb1e49b6c6eb41b95ae6241d6ffb8f12988ee0fa3b
                                                                • Opcode Fuzzy Hash: aa11c9cab890830a73985752585f982b4084a392fc44bf9272a903c2fcea4055
                                                                • Instruction Fuzzy Hash: 8DA16E74B00619CFEB14EF68C454AAE7BB2AF89700F105568D50A9B7A4DF74EC42CB92
                                                                Function 08E419B8 Relevance: .2, Instructions: 215COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7a82e77ed7c45fc078201b3af1578dddc59b61fab118bbe009acda5269efba01
                                                                • Instruction ID: aaac502b402d66e3c0a0d23f14f97932740b1e4084e6c22fc56c89f4945f9cc5
                                                                • Opcode Fuzzy Hash: 7a82e77ed7c45fc078201b3af1578dddc59b61fab118bbe009acda5269efba01
                                                                • Instruction Fuzzy Hash: 8991FE74A00209DFDB14EFA4E4949DDBBB2FF89311F509569E9066B360DB30EC82CB91
                                                                Function 08E44A08 Relevance: .2, Instructions: 204COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 43ab1971dc46f713a1675105f189e83298c00580710efe5beea448b2a32e3b4c
                                                                • Instruction ID: dc807fa0a77e8cfa1f4a42fc24b3e2ae55dd8ffabb72ba7a5ab23d57993e5e52
                                                                • Opcode Fuzzy Hash: 43ab1971dc46f713a1675105f189e83298c00580710efe5beea448b2a32e3b4c
                                                                • Instruction Fuzzy Hash: 02818170B00619DFEB18EF68D454BAEB7B2AF88704F105129D50AAB7D0CF749C42CB95
                                                                Function 08E420B0 Relevance: .2, Instructions: 199COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 84d974bea455c2d4837951c996a31250d295bf303c98b53f938ecff0dd286afd
                                                                • Instruction ID: 63aaca06fc2d88604c70330df708d8083e4abbd8b6b0a3a2a1e2e63a264f220a
                                                                • Opcode Fuzzy Hash: 84d974bea455c2d4837951c996a31250d295bf303c98b53f938ecff0dd286afd
                                                                • Instruction Fuzzy Hash: B0716075B50215DFDB14DF68D494AADBBB5BF88701F109069E60A9F3A1CB34EC02CB91
                                                                Function 08E4960B Relevance: .2, Instructions: 199COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0a1822f38eeb8a4fa135e330a1a87b9d81efd12770d4ba9e2af6a7d2a5c894dc
                                                                • Instruction ID: e5a4e6b5e3284a4f1c430f6e5b497e155535bf6eeb1810d708a0b1457905397b
                                                                • Opcode Fuzzy Hash: 0a1822f38eeb8a4fa135e330a1a87b9d81efd12770d4ba9e2af6a7d2a5c894dc
                                                                • Instruction Fuzzy Hash: 2D81F875A21228EFCB14DF58E984E9EBBB2FF48314F115159E909AB362D731EC42CB40
                                                                Function 08E4A200 Relevance: .2, Instructions: 198COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ad9c528bda7e67fe9581bb0219a3949d104d18e6e9903187dbe4d446ea3c339e
                                                                • Instruction ID: d864284e212f86120f10497c779917ceb8d3a1a8d41a81108e8c6ce84b9c838d
                                                                • Opcode Fuzzy Hash: ad9c528bda7e67fe9581bb0219a3949d104d18e6e9903187dbe4d446ea3c339e
                                                                • Instruction Fuzzy Hash: 2971B9367846708FCB258F24D05862D7BA2AFC5325B19A57DD49ECB692CB34D843CB44
                                                                Function 08E420AB Relevance: .2, Instructions: 162COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3e47a81de5af2eed2345d094b06ac73f19a63fde1d153fd3dfaf8a8a254e1782
                                                                • Instruction ID: f5aa12f0cddc70f744036a0843b92557fd396aa74fcf4b921bce86b8f324ce3e
                                                                • Opcode Fuzzy Hash: 3e47a81de5af2eed2345d094b06ac73f19a63fde1d153fd3dfaf8a8a254e1782
                                                                • Instruction Fuzzy Hash: C0515F75B10115DFDB14DF68D894AADB7B6FF88701F1091A9E90A9B3A1CB30EC42CB90
                                                                Function 08E4AEE0 Relevance: .2, Instructions: 151COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: db59290423ef1da93157155b474a263ddeaebc6b71ff33df5f29bbea866342cc
                                                                • Instruction ID: e123e55ae9f95aa4b9b3f0672fbb9aaac5dbad852f883717a6db3aa2fd58bd37
                                                                • Opcode Fuzzy Hash: db59290423ef1da93157155b474a263ddeaebc6b71ff33df5f29bbea866342cc
                                                                • Instruction Fuzzy Hash: 8C51F6317446208FC724DB78E08025ABBE6EFC1325B149A6ED15ECB742DA36F843CB94
                                                                Function 08E44A05 Relevance: .2, Instructions: 151COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 22dd4326340e3bd4c695a4aaaf5fe41f15a09b286c02a3f5400513ed69bd4b52
                                                                • Instruction ID: fd98c26e744b0a89377c2557b2070bdf336b93b29e30bc0e8b5294c590804f19
                                                                • Opcode Fuzzy Hash: 22dd4326340e3bd4c695a4aaaf5fe41f15a09b286c02a3f5400513ed69bd4b52
                                                                • Instruction Fuzzy Hash: BD51C170B01605DFEB18EF68D4547AEB7B2AF88305F205128D40AAB7D0CB74DD42CB99
                                                                Function 08E41D78 Relevance: .1, Instructions: 134COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6464f9ff4a293d7c4e4a7dc90bdbd6d628906648f0ead9fca57dbe8ae199bf75
                                                                • Instruction ID: e9b719d17daa3c5eae70e624064f39c0d3ca5121acc6b3ae8905931cb13d6390
                                                                • Opcode Fuzzy Hash: 6464f9ff4a293d7c4e4a7dc90bdbd6d628906648f0ead9fca57dbe8ae199bf75
                                                                • Instruction Fuzzy Hash: CE4188753407019FEB299B24D494B2A77A3AFC8306F14966DD60A4B690CB76EC83CB81
                                                                Function 08E44D51 Relevance: .1, Instructions: 109COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 526ead8d52988a52145e7cc6acadcb53ffcf8864c592243a0491af49e41aee9c
                                                                • Instruction ID: 120084791880b7518c954b01e3702c4d1ac99692f93ab92aa2452ca401431441
                                                                • Opcode Fuzzy Hash: 526ead8d52988a52145e7cc6acadcb53ffcf8864c592243a0491af49e41aee9c
                                                                • Instruction Fuzzy Hash: DF41E635B10608CFDB14EF78D4546AE7BB6EFC9301B10815AD506DB3A1DF349906CBA2
                                                                Function 08E423E0 Relevance: .1, Instructions: 94COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8141f068f401c1ab56447d78c8aa4a7c350594a8aa95d94639c101278d6ae9c9
                                                                • Instruction ID: b223fc3df0693d7b7b9dabe0772daf64a49421767e19065d8150d32cd70f7e38
                                                                • Opcode Fuzzy Hash: 8141f068f401c1ab56447d78c8aa4a7c350594a8aa95d94639c101278d6ae9c9
                                                                • Instruction Fuzzy Hash: 55314135A10119DBDF14DF68D855AEDBBB6FF88311F109029E905B7350CB356D06CBA0
                                                                Function 08E44D68 Relevance: .1, Instructions: 93COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f30118b520b9161aade497fea46312b8373b1d78adee3fb14e27aaf71b97c61b
                                                                • Instruction ID: b9e36e60c5a99575777019ae4fa1da801223f1579b3b417ebda92c75b1282ea3
                                                                • Opcode Fuzzy Hash: f30118b520b9161aade497fea46312b8373b1d78adee3fb14e27aaf71b97c61b
                                                                • Instruction Fuzzy Hash: 9A318574B10618CFDB14EF68C4546AE77B6EFC9700F108159D90A9B364DF749D028BE1
                                                                Function 08E41F08 Relevance: .1, Instructions: 81COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f4371cb4215d681aff2d97fd6cbfcc0316f33ce5ff234d8195a82591785d0556
                                                                • Instruction ID: c1961921e01b6fbea44366fc31b0253b43bd32dce6c53c2afc27eab25a2b1c29
                                                                • Opcode Fuzzy Hash: f4371cb4215d681aff2d97fd6cbfcc0316f33ce5ff234d8195a82591785d0556
                                                                • Instruction Fuzzy Hash: 3D2141363442049FDB159F69D854E2A7BA6FFC9314B1580B9E209CF3B2CA35DC12DB51
                                                                Function 0377D1D4 Relevance: .1, Instructions: 72COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4109371374.000000000377D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0377D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_377d000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c04f25cac7fe72743167c98d40937eceb024b4e10e3569dc13b4d971661c1716
                                                                • Instruction ID: 744729e7827e597a04a96c8928fcbbf2deaf7043f1f1a7b8f02298464e604898
                                                                • Opcode Fuzzy Hash: c04f25cac7fe72743167c98d40937eceb024b4e10e3569dc13b4d971661c1716
                                                                • Instruction Fuzzy Hash: 4F21D0B1604200AFDF25DF14D9C4B26BBA5FF84324F24CAADD90A4B242C336D807CA61
                                                                Function 0377D01C Relevance: .1, Instructions: 72COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4109371374.000000000377D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0377D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_377d000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6f9428d5d8e4dcf7d4bf4628fad11d0ce39f0f154ac5d532bc4b1ca6817cd9d8
                                                                • Instruction ID: bed6872cad258339c44bf23095529122c053f34bbdda2aa000a7be52f8f6102b
                                                                • Opcode Fuzzy Hash: 6f9428d5d8e4dcf7d4bf4628fad11d0ce39f0f154ac5d532bc4b1ca6817cd9d8
                                                                • Instruction Fuzzy Hash: 0721D0B5604208DFCF24DF14D9C4B26BBA5EF84314F24C9ADD80A4B246C33AD817CA61
                                                                Function 08E004F5 Relevance: .1, Instructions: 68COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113165261.0000000008E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e00000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 34447fbd0ab5c6d06244e5c8dab80b2f1eec06d32a427ecb10703f60e4b2d668
                                                                • Instruction ID: 8099761f54f381809d8619f3e9a9e08fe634fbc8f296b33a0c7c3a40a67d337c
                                                                • Opcode Fuzzy Hash: 34447fbd0ab5c6d06244e5c8dab80b2f1eec06d32a427ecb10703f60e4b2d668
                                                                • Instruction Fuzzy Hash: 7721D671B005199FDB20CB68D880BAE7BF2EF89305F108919D4599B391CB35CC85CBA1
                                                                Function 08E419B4 Relevance: .1, Instructions: 68COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c0f170e200382d8f8a0df374d609e06da80a11d7fe921803e0066bb4fb7bc857
                                                                • Instruction ID: a2a51c3829253631ed6985b546edcdc93b0d4156127504dbf5e3444526a5df33
                                                                • Opcode Fuzzy Hash: c0f170e200382d8f8a0df374d609e06da80a11d7fe921803e0066bb4fb7bc857
                                                                • Instruction Fuzzy Hash: 9A210E35A10209EFCB18DF64E89899DBBB6FF89311F108169F81A97360DB35EC52CB50
                                                                Function 08E49B08 Relevance: .1, Instructions: 67COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 77386302859e726f4b07f42cf262ade4da817fc3997430ffad56e242e237e44c
                                                                • Instruction ID: 60dd348b73239346e9204611a1557b0072a820b5f51032f53f743c7cd2aff24b
                                                                • Opcode Fuzzy Hash: 77386302859e726f4b07f42cf262ade4da817fc3997430ffad56e242e237e44c
                                                                • Instruction Fuzzy Hash: 11217F31A002189FCB14DFA8C4449DE7FB6EF8C321F149129E515B7394CB759846CBA0
                                                                Function 08E41CB8 Relevance: .1, Instructions: 62COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 42f91e790468af298eda43d24150ba5a0535519d30d3a3df236b386b62ca97b9
                                                                • Instruction ID: 92438fe37e46b051a5502e50a2c090c8b198ca999193b590fe88ed60ee4c3cf0
                                                                • Opcode Fuzzy Hash: 42f91e790468af298eda43d24150ba5a0535519d30d3a3df236b386b62ca97b9
                                                                • Instruction Fuzzy Hash: 2421A175710604CFCB20DF24D984AAEBBF6BF85301F14456DE5069B361CB70AD05CB61
                                                                Function 08E49B05 Relevance: .1, Instructions: 62COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8d7a41697ff95456745349b9dc3e35087e778170e6add781be49520aae5e43ff
                                                                • Instruction ID: 07be9fff60f4e56747338f428036a3dbeb8af881a72d64e826db235629cd6c13
                                                                • Opcode Fuzzy Hash: 8d7a41697ff95456745349b9dc3e35087e778170e6add781be49520aae5e43ff
                                                                • Instruction Fuzzy Hash: 1A216A31A00219DFCB05DF98C4449DE7BB2EF8C321F149629E515A73A4CB759842CB64
                                                                Function 0377D007 Relevance: .1, Instructions: 61COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4109371374.000000000377D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0377D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_377d000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9b859e7b191fc0f7eca2e50c6c0296a35d7b48f6628e155275e4a764f748e3d1
                                                                • Instruction ID: c994d643c9f642fdd37b3dabd1f513a8b30b9ea4a8c03f6275a6e90cbc65e753
                                                                • Opcode Fuzzy Hash: 9b859e7b191fc0f7eca2e50c6c0296a35d7b48f6628e155275e4a764f748e3d1
                                                                • Instruction Fuzzy Hash: 40219A755093848FCB12CF24D994B15BF71EF46214F28C5EAD8498F2A7C33AD80ACB62
                                                                Function 08E41CC8 Relevance: .1, Instructions: 59COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c6226d6edc0c44e7c7ee2f78063e052014b9d53360bcae9ae8ac4feafc983afc
                                                                • Instruction ID: 9d3983c729f3461d4e27f136717cab923a1fd1abef17ff5cfc99220b93696490
                                                                • Opcode Fuzzy Hash: c6226d6edc0c44e7c7ee2f78063e052014b9d53360bcae9ae8ac4feafc983afc
                                                                • Instruction Fuzzy Hash: 1F117C75B10604CFDB24EF28D884AAEB7F6EF88301F144569E50A9B360DB70AD45CBA1
                                                                Function 0377D1CF Relevance: .1, Instructions: 53COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4109371374.000000000377D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0377D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_377d000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b66950d079d991cda5921e8734c74321dedf0bd797cc1a3d67d75959aa2e4a35
                                                                • Instruction ID: 71fc863c9d5dfd0f695a2bf21e049d6ac7506dfec45bdce463bc754d11fc3e28
                                                                • Opcode Fuzzy Hash: b66950d079d991cda5921e8734c74321dedf0bd797cc1a3d67d75959aa2e4a35
                                                                • Instruction Fuzzy Hash: 5E118B75904280DFDB16CF14D5C4B15FBA1FF84324F28C6ADD8494B656C33AD44ACB61
                                                                Function 0362D006 Relevance: .0, Instructions: 47COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4108936017.000000000362D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0362D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_362d000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d998bdffff58a327dc9ad8596072530fa13ac27855fc29ddaff332c3e9e23f36
                                                                • Instruction ID: aef25ac0a4fad36583d3beace83e3a78411d795f35dabf9867c91e9ead6774c0
                                                                • Opcode Fuzzy Hash: d998bdffff58a327dc9ad8596072530fa13ac27855fc29ddaff332c3e9e23f36
                                                                • Instruction Fuzzy Hash: 8401807100E3D09FD7128B25CD84752BFA8DF53224F1980CBE8988F2A7C2689C45CB72
                                                                Function 08E42519 Relevance: .0, Instructions: 47COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: fefc106b31298c29e778edd0af5da8449c0fe4d4a9b2adfddf46638b92995fe2
                                                                • Instruction ID: eaa3d9d762823c36582f68106dd0ded528c6fa2e52a652c4d1538d6d1b202e6a
                                                                • Opcode Fuzzy Hash: fefc106b31298c29e778edd0af5da8449c0fe4d4a9b2adfddf46638b92995fe2
                                                                • Instruction Fuzzy Hash: C90166303003418FD3298738D454A7A7FA2AFCA320F1496AEE15A8B6E1CB34DC03CB42
                                                                Function 08E49808 Relevance: .0, Instructions: 46COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0946e66d2fcf735e4815422dd578885d6f03c4a451ce464f321bfce929cc75d8
                                                                • Instruction ID: 64d3b9b0c687b385512d31305d543b1eee70bdd93d5409ecf09db527ab3b82fc
                                                                • Opcode Fuzzy Hash: 0946e66d2fcf735e4815422dd578885d6f03c4a451ce464f321bfce929cc75d8
                                                                • Instruction Fuzzy Hash: 7E113C71A11225DFCB15DFACD894EADBBB1FF88324F05105AE505AB3A2CB749C41CB40
                                                                Function 0362D01D Relevance: .0, Instructions: 45COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4108936017.000000000362D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0362D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_362d000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4e57063b151a9eb89d540cec65d2d71d01c7bf69e104acb70149ec58418658a1
                                                                • Instruction ID: 40a57e7245cb4a82993497b5e11d9f874c8777ad6eaced9be20e453efbd00acd
                                                                • Opcode Fuzzy Hash: 4e57063b151a9eb89d540cec65d2d71d01c7bf69e104acb70149ec58418658a1
                                                                • Instruction Fuzzy Hash: C001F271009B54AAE720CE29CDC4B66FFD8DF51365F1CC45AED684B292C2789842CBB1
                                                                Function 08E481E4 Relevance: .0, Instructions: 44COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 231f1ecfadb3c5ca8bb7d52a68bc64b5b0150d6cdd515cc796d6cf8941eea98a
                                                                • Instruction ID: 613b1400b8080e120adf3648fd9c72739c0afa8b427d4c9e9d08b5dba2261fa2
                                                                • Opcode Fuzzy Hash: 231f1ecfadb3c5ca8bb7d52a68bc64b5b0150d6cdd515cc796d6cf8941eea98a
                                                                • Instruction Fuzzy Hash: 7201A232A00215AFCB14CF69D844EABBBF9EF89715F14812DE608D3250D771AD06CBE2
                                                                Function 08E42528 Relevance: .0, Instructions: 44COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2ced65c6d683db9a222cb5d30017c56b79202c379cf5a3c0b247b62453625004
                                                                • Instruction ID: ff07f21a20b8716ce9b2d6d03bff4c850f51db140ab644a7e89a5b274ede46c2
                                                                • Opcode Fuzzy Hash: 2ced65c6d683db9a222cb5d30017c56b79202c379cf5a3c0b247b62453625004
                                                                • Instruction Fuzzy Hash: 13012431700200CFD3289B28D454B6A77A2EFC8325F10966DE61A4B790DB75EC03CB81
                                                                Function 08E4A61C Relevance: .0, Instructions: 41COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1c551fafa3b2f39e60a00264b01894721aa3bed42f91433dbcec7a95351a9318
                                                                • Instruction ID: d2931636e0a299ab67fb185896e6d08ae842f3470084716bf20f53f82b9cf7af
                                                                • Opcode Fuzzy Hash: 1c551fafa3b2f39e60a00264b01894721aa3bed42f91433dbcec7a95351a9318
                                                                • Instruction Fuzzy Hash: 1F014F36E00619DFCB00DFA9D5089DEB7F5EF89711F109169E559A3320EB30AA45CF61
                                                                Function 08E49A9C Relevance: .0, Instructions: 39COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 406e581f25e01d11e5009e0ffad8e513bef0b306b6d5b870d37bf1b97f5b4dca
                                                                • Instruction ID: a922a2c0ce6752c54aa7ccdef81cb294a73e9d3712f9190dd0af8fa5068c533e
                                                                • Opcode Fuzzy Hash: 406e581f25e01d11e5009e0ffad8e513bef0b306b6d5b870d37bf1b97f5b4dca
                                                                • Instruction Fuzzy Hash: 9CF02432B042112FE3149618A804B6BFBEDDBC8721F08442AE409AB351CAA2EC4183D0
                                                                Function 0362D713 Relevance: .0, Instructions: 37COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4108936017.000000000362D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0362D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_362d000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f6ecc209026733edbfce66ba78f63b18c2d31a9def080957e007bf74fc2d9fd3
                                                                • Instruction ID: 0b36bd7c5f220b4b7c679bb6655cde298b586dfed79b6690da745e00bef638f6
                                                                • Opcode Fuzzy Hash: f6ecc209026733edbfce66ba78f63b18c2d31a9def080957e007bf74fc2d9fd3
                                                                • Instruction Fuzzy Hash: 82F0F976201A10AF9720CF0AD984C67FBA9EBD4770319C56AED4A5B712C671FC42CFA0
                                                                Function 08E49AA0 Relevance: .0, Instructions: 37COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d0a1a6076a0960d1cecb0713aefb84f03e942c2e2520c3c576936d1d20280330
                                                                • Instruction ID: c5fd1c2556d97efbd9b340211c368d3336df9df7756d9e72b1ec015e4430077b
                                                                • Opcode Fuzzy Hash: d0a1a6076a0960d1cecb0713aefb84f03e942c2e2520c3c576936d1d20280330
                                                                • Instruction Fuzzy Hash: A2F05932B042111FE3149608A804B2BFBEDDFC8720F084429D40DAF391CAB6EC0283C4
                                                                Function 0362D704 Relevance: .0, Instructions: 35COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4108936017.000000000362D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0362D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_362d000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9ca03c8f820a5735ecbfe17072819830f0c4de134301338b34003a07d63c18a2
                                                                • Instruction ID: f9490aa9aa4da8cbd69a5cb5b23f2d95bc9935aa6313fc16551606cf3e38ae3c
                                                                • Opcode Fuzzy Hash: 9ca03c8f820a5735ecbfe17072819830f0c4de134301338b34003a07d63c18a2
                                                                • Instruction Fuzzy Hash: A5F03775105A80AFD325CF06CD84C62BFB9EF8676071A8489EC5A9B362C634FC42CF60
                                                                Function 08E4A1FB Relevance: .0, Instructions: 30COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 68a8419e1621c308d5229de89f5f090d13fb2d02646a527cd303f8c0c6c49e45
                                                                • Instruction ID: f932c78aa91fbda7c5e44a7d5969fd75b7a395522549107e7f5a7b3504371835
                                                                • Opcode Fuzzy Hash: 68a8419e1621c308d5229de89f5f090d13fb2d02646a527cd303f8c0c6c49e45
                                                                • Instruction Fuzzy Hash: 45E02B32380220EBD3208529F844F537BE9EBC5736F045036F609C7100D672584682B4
                                                                Function 08E4A1AC Relevance: .0, Instructions: 30COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7fa0d610f8dded10372571fc57cc5d499867378d8614520aec530be93d6ca97c
                                                                • Instruction ID: 5652d793a1af138e358ee44fe9a19f1318ce877f0b3bc26a6679d4da95cdac4d
                                                                • Opcode Fuzzy Hash: 7fa0d610f8dded10372571fc57cc5d499867378d8614520aec530be93d6ca97c
                                                                • Instruction Fuzzy Hash: 9BF06576700B114BC764CA2EE454557B3E2EFC4721318C93EE59AC3B44EA70EC418B40
                                                                Function 08E48EB8 Relevance: .0, Instructions: 28COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 09683c4bf12a4d7b624bd20de5d828229883342d0933f81f88e9372a387a8a0e
                                                                • Instruction ID: cb02d24a7072e1ca0f3023e5d2dc2eeeff34b8208da03e3344c35567ff4d42c7
                                                                • Opcode Fuzzy Hash: 09683c4bf12a4d7b624bd20de5d828229883342d0933f81f88e9372a387a8a0e
                                                                • Instruction Fuzzy Hash: 82F0A024A0828CDFD711DB74D82421D7FB5EF42205F6520FEC1498B282CB355D5BC722
                                                                Function 08E4AECF Relevance: .0, Instructions: 20COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 50c2cb313dea74a88a86ef248634a8d109c1831b0cbaa8978a1801afb3c7badb
                                                                • Instruction ID: 7fc8b7ca81b0c5d674e911abb4a694aa8c38aec3985607dc2640a09201e927fa
                                                                • Opcode Fuzzy Hash: 50c2cb313dea74a88a86ef248634a8d109c1831b0cbaa8978a1801afb3c7badb
                                                                • Instruction Fuzzy Hash: 04D0C23224E2A02FD6255668B854A963F8CDB02239F0400EEF449C6142C802E48283B6
                                                                Function 08E48F18 Relevance: .0, Instructions: 18COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d6511addc2bde59a5b10ea399113b208ee76c411a718f6f64ae8bd19b184c6c0
                                                                • Instruction ID: a41751acf79dce5cae41ae027f600622baac18ea10513612ef9743b4df6f1825
                                                                • Opcode Fuzzy Hash: d6511addc2bde59a5b10ea399113b208ee76c411a718f6f64ae8bd19b184c6c0
                                                                • Instruction Fuzzy Hash: 8FD01231640B248BD32CDF66A40455AB7D7DF88621B05C53DD50A46640DB7958428FD1
                                                                Function 08E4996B Relevance: .0, Instructions: 16COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3b33a1f676667372b85f25872b29180ee1197b1c7d919e3008110efd53737655
                                                                • Instruction ID: 62620143a56c7651d4d40c2f415539c12c099d645f4f34974f3845d43b4be19c
                                                                • Opcode Fuzzy Hash: 3b33a1f676667372b85f25872b29180ee1197b1c7d919e3008110efd53737655
                                                                • Instruction Fuzzy Hash: 80D0A7F530005487F315A6B864145EE768F9FCE200B04802BD50EC7ED0CD714C024B96
                                                                Function 08E49970 Relevance: .0, Instructions: 16COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c83ac58b2fc9f635495fc918b5f732fdecbdccf2b330fac75aa9ec7f293fdfd5
                                                                • Instruction ID: 95c40fe2101aaec172d26404c73126a30a81264def621951d4002e1194c83747
                                                                • Opcode Fuzzy Hash: c83ac58b2fc9f635495fc918b5f732fdecbdccf2b330fac75aa9ec7f293fdfd5
                                                                • Instruction Fuzzy Hash: 65D0C7F530011957E61566B9541459FB2CFDFCD650B048026D50D87B94CD759C014696
                                                                Function 08E49F40 Relevance: .0, Instructions: 13COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0517a0be6a414d4e8f5e70e243f5ed2176308ab4ae07ce465eec3fda36e79a12
                                                                • Instruction ID: c12b2347baa4506d4b9b0775252a941ea42cb00b0745f27be9e95f8055e2471b
                                                                • Opcode Fuzzy Hash: 0517a0be6a414d4e8f5e70e243f5ed2176308ab4ae07ce465eec3fda36e79a12
                                                                • Instruction Fuzzy Hash: F0C0023B3500149F87009B6DF884C99B7B9EBD9675320816BF209CB230C67298159B50
                                                                Function 08E48EB4 Relevance: .0, Instructions: 12COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e9477837b8c408c08f5b2d9aa751bf29c2964e18237c05607c70aab0e356f026
                                                                • Instruction ID: ba7e1fc9f93a73dcc108f6235b8d1a22612bbc81db72d2c9964f084cbcd8556d
                                                                • Opcode Fuzzy Hash: e9477837b8c408c08f5b2d9aa751bf29c2964e18237c05607c70aab0e356f026
                                                                • Instruction Fuzzy Hash: 0FC01271440118CEDA209AA4E8483253394AB0423EF2037ACD81C852C1D73654E7D522
                                                                Function 08E4A05F Relevance: .0, Instructions: 11COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 97a047cbe360d0875854f4c4dc3c80da8a58cb40d1873e506deded956b2f757d
                                                                • Instruction ID: 2d41d242378cb7ace11825cff53cb5faeff420ac4bc51e0970ecd4a30a4e1435
                                                                • Opcode Fuzzy Hash: 97a047cbe360d0875854f4c4dc3c80da8a58cb40d1873e506deded956b2f757d
                                                                • Instruction Fuzzy Hash: 0BD09E3510D2D45FC703CB68C994858BF659E47124F0DC4DE94989B5A3C62A8805D71A
                                                                Function 08E42800 Relevance: .0, Instructions: 7COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: eece44da6bef52f4268bd25119df589fa5eb857a804cd68a9a961b9af1ad0cd5
                                                                • Instruction ID: b4f97f8f8d02c7912962d4a8126fa115faec404c0f2ccaa7387d47c89aaeabe5
                                                                • Opcode Fuzzy Hash: eece44da6bef52f4268bd25119df589fa5eb857a804cd68a9a961b9af1ad0cd5
                                                                • Instruction Fuzzy Hash: CCB0923201420AEB86009A88E909859BF69AB586007008026B60A062118B32B822DA94
                                                                Function 08E47E50 Relevance: .0, Instructions: 7COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8509c7fabb75ad5467e333014397e59fccd8fbdd18a3fd05b77660a425e28625
                                                                • Instruction ID: f582d84cfe865d3f3510331875e45996a879b868a60f64bb4baa01e4bac88490
                                                                • Opcode Fuzzy Hash: 8509c7fabb75ad5467e333014397e59fccd8fbdd18a3fd05b77660a425e28625
                                                                • Instruction Fuzzy Hash: 56C04C751011149BC600DF54CA95C15FBA1EFA5305B28C46AA48557216C737DD17DA54
                                                                Function 08E4A5FC Relevance: .0, Instructions: 6COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c52f88e2e10d54fe0d0234b6b03e1289a6c421465a685e3853db596f90b77762
                                                                • Instruction ID: 7fb7e5cf32c74022d36f6683077f22bb8b3fabebf33f1b960e3f2a795c1684dc
                                                                • Opcode Fuzzy Hash: c52f88e2e10d54fe0d0234b6b03e1289a6c421465a685e3853db596f90b77762
                                                                • Instruction Fuzzy Hash: DCB09236004200AAD6408F70C504B1AB6A1EF60B01F204818F2844115082310951DB22
                                                                Function 08E427FE Relevance: .0, Instructions: 6COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 793de482fb8c74c67ae35e086860451afe935539758c94db620e3b807b841b17
                                                                • Instruction ID: fc8ed34ddfff7b5a6bbe968eb265f2e024721afa215b16b460c42e5bcfb445f1
                                                                • Opcode Fuzzy Hash: 793de482fb8c74c67ae35e086860451afe935539758c94db620e3b807b841b17
                                                                • Instruction Fuzzy Hash: E9B09236010006EB86008B80EB09858BF26AB54209308801AF10A49A20CB32E422DB40

                                                                Non-executed Functions

                                                                Function 00A492F0 Relevance: 48.0, APIs: 1, Strings: 15, Instructions: 20001COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4105262069.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                                                                • Associated: 00000000.00000002.4105245354.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105350705.0000000000A8A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105368092.0000000000A90000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105652475.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105670401.0000000000DB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_9f0000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: YRT.$ay}Y$j*$k*$k*$k*$m|,U$m|,U$wE`q$wE`q$wE`q$wE`q$wE`q$1$N~Z
                                                                • API String ID: 0-3019274034
                                                                • Opcode ID: 85bb91506c2c165f40e6c290a4cac225e01eb3c2012700ffe62de9d43c5a88df
                                                                • Instruction ID: f2c8a70aa142266ebdeba6a8fb3133857f79c97379929cdd75dfc59b66fb3294
                                                                • Opcode Fuzzy Hash: 85bb91506c2c165f40e6c290a4cac225e01eb3c2012700ffe62de9d43c5a88df
                                                                • Instruction Fuzzy Hash: 3B54F97BF719210BAB4CC9BA8CA23EB56D357D8314B1FE03E495AE7245DCBD8C060694
                                                                Function 00A8310A Relevance: 6.2, APIs: 4, Instructions: 205COMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A831FA
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4105262069.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                                                                • Associated: 00000000.00000002.4105245354.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105350705.0000000000A8A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105368092.0000000000A90000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105652475.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105670401.0000000000DB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_9f0000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: FileFindFirst
                                                                • String ID:
                                                                • API String ID: 1974802433-0
                                                                • Opcode ID: f2d76e7cdddf14d82fc164d5ea3061ca895dc442441eb87939772bd5741b7366
                                                                • Instruction ID: c64d4c418d80a43ea4911e8bfb89ce96abbccfa9add9c00c14b9d48e684b924d
                                                                • Opcode Fuzzy Hash: f2d76e7cdddf14d82fc164d5ea3061ca895dc442441eb87939772bd5741b7366
                                                                • Instruction Fuzzy Hash: 4671B172905158AFDF21FF688C8DAFABBB8EB05700F5441E9E00DA7251EA304E859F10
                                                                Function 00A7D585 Relevance: 6.1, APIs: 4, Instructions: 70COMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00A7D591
                                                                • IsDebuggerPresent.KERNEL32 ref: 00A7D65D
                                                                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00A7D676
                                                                • UnhandledExceptionFilter.KERNEL32(?), ref: 00A7D680
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4105262069.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                                                                • Associated: 00000000.00000002.4105245354.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105350705.0000000000A8A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105368092.0000000000A90000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105652475.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105670401.0000000000DB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_9f0000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                • String ID:
                                                                • API String ID: 254469556-0
                                                                • Opcode ID: e6fd3a968ee4d8a2d18dd1967a9697d68afeab45a450075275c69809ce3220ed
                                                                • Instruction ID: 2350e9493e390f351ac6a449eeb2317a6ef747e0ddb6c09e8fec3bd33ccd9f87
                                                                • Opcode Fuzzy Hash: e6fd3a968ee4d8a2d18dd1967a9697d68afeab45a450075275c69809ce3220ed
                                                                • Instruction Fuzzy Hash: 3531F6B5D013199BDF20DFA4DD49BCDBBB8BF08304F1081AAE50CAB251EB759A858F45
                                                                Function 00A81369 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE
                                                                Download Yara Rule
                                                                APIs
                                                                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00A81461
                                                                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00A8146B
                                                                • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00A81478
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4105262069.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                                                                • Associated: 00000000.00000002.4105245354.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105350705.0000000000A8A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105368092.0000000000A90000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105652475.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105670401.0000000000DB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_9f0000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                • String ID:
                                                                • API String ID: 3906539128-0
                                                                • Opcode ID: 095d4f439c25050ece32936cf1c46bbfa3e0d81649dbd9e166e8c9f4c73f4b01
                                                                • Instruction ID: b97962191d6f2a092190632d3d2adab220c04c9fafa36a962454fa04b18e95c7
                                                                • Opcode Fuzzy Hash: 095d4f439c25050ece32936cf1c46bbfa3e0d81649dbd9e166e8c9f4c73f4b01
                                                                • Instruction Fuzzy Hash: 8A31B5749012199BCB21DF64DD89B9CB7B8BF08310F5081EAE41CA7261E7709F858F45
                                                                Function 00A89772 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE
                                                                Download Yara Rule
                                                                APIs
                                                                • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00A896CD,?,?,00000008,?,?,00A8929F,00000000), ref: 00A8999F
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4105262069.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                                                                • Associated: 00000000.00000002.4105245354.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105350705.0000000000A8A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105368092.0000000000A90000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105652475.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105670401.0000000000DB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_9f0000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: ExceptionRaise
                                                                • String ID:
                                                                • API String ID: 3997070919-0
                                                                • Opcode ID: e68343c086a7cd8386ff44b6650a59a318595511bbf70ed94823206d494f4d03
                                                                • Instruction ID: 68347a1b2316fc18fdd44c048a426cfa3f8e5afc36edaae868cf116cf2a996fa
                                                                • Opcode Fuzzy Hash: e68343c086a7cd8386ff44b6650a59a318595511bbf70ed94823206d494f4d03
                                                                • Instruction Fuzzy Hash: ADB11C356106099FD719DF28C48AB667BE0FF45364F298658E8DACF2A2C335D992CB40
                                                                Function 00A83059 Relevance: 1.7, APIs: 1, Instructions: 199fileCOMMON
                                                                Download Yara Rule
                                                                APIs
                                                                  • Part of subcall function 00A82517: HeapAlloc.KERNEL32(00000008,?,?,?,00A8033C,00000001,00000364,?,00000002,000000FF,?,00A83A3C,00000000,00A7EE20,00000000), ref: 00A82558
                                                                • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A831FA
                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 00A832EE
                                                                • FindClose.KERNEL32(00000000), ref: 00A8332D
                                                                • FindClose.KERNEL32(00000000), ref: 00A83360
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4105262069.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                                                                • Associated: 00000000.00000002.4105245354.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105350705.0000000000A8A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105368092.0000000000A90000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105652475.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105670401.0000000000DB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_9f0000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: Find$CloseFile$AllocFirstHeapNext
                                                                • String ID:
                                                                • API String ID: 2701053895-0
                                                                • Opcode ID: eb092e4001248eda19438e707cde540d69f0008e4263a278e779939945c9fa3e
                                                                • Instruction ID: 80081ec3d57596b25c5d3373a86b253b91c2b141d4dbd5fb6144325f57435954
                                                                • Opcode Fuzzy Hash: eb092e4001248eda19438e707cde540d69f0008e4263a278e779939945c9fa3e
                                                                • Instruction Fuzzy Hash: 48512976901118AFDF24FF289C89AFEB7B9DF85B14F1441ADF40997241EA308E429B60
                                                                Function 00A7D795 Relevance: 1.6, APIs: 1, Instructions: 147COMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00A7D7AB
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4105262069.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                                                                • Associated: 00000000.00000002.4105245354.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105350705.0000000000A8A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105368092.0000000000A90000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105652475.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105670401.0000000000DB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_9f0000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: FeaturePresentProcessor
                                                                • String ID:
                                                                • API String ID: 2325560087-0
                                                                • Opcode ID: a0475d897fccc2fa0b30298e4ea3d2044bfab1d30fc464efbcd882ba2112b6ac
                                                                • Instruction ID: 139c8dd65f5fae464b0b6056257c64f58211adcfde85854617f7f7f01874b53b
                                                                • Opcode Fuzzy Hash: a0475d897fccc2fa0b30298e4ea3d2044bfab1d30fc464efbcd882ba2112b6ac
                                                                • Instruction Fuzzy Hash: 03513BB2A05205CBDB18CF59DD966AABBF0FB44310F24C66AD419EB750D374E904CB61
                                                                Function 00A7D579 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • SetUnhandledExceptionFilter.KERNEL32(Function_0008D69A,00A7D026), ref: 00A7D57E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4105262069.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                                                                • Associated: 00000000.00000002.4105245354.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105350705.0000000000A8A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105368092.0000000000A90000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105652475.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105670401.0000000000DB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_9f0000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: ExceptionFilterUnhandled
                                                                • String ID:
                                                                • API String ID: 3192549508-0
                                                                • Opcode ID: 94d1721c879f61a56e7a698c9bd11c7108827a894e6b188e6b85d5f2ec4a6587
                                                                • Instruction ID: 90eb80991b5b6432b2da558ce1c0972d4cd7ec4f6e7cbfe511aa6ea317a0b5a7
                                                                • Opcode Fuzzy Hash: 94d1721c879f61a56e7a698c9bd11c7108827a894e6b188e6b85d5f2ec4a6587
                                                                • Instruction Fuzzy Hash:
                                                                Function 00A8013D Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
                                                                Download Yara Rule
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4105262069.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                                                                • Associated: 00000000.00000002.4105245354.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105350705.0000000000A8A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105368092.0000000000A90000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105652475.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105670401.0000000000DB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_9f0000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: HeapProcess
                                                                • String ID:
                                                                • API String ID: 54951025-0
                                                                • Opcode ID: 9ce40bcc99cb698d009e35c1cb257389d690316a6d7009454f2bfb48b7fc9ff4
                                                                • Instruction ID: d97b68a815bf8d4f12138cf248128e7e8c54981df7f35af479bd0f42661d9602
                                                                • Opcode Fuzzy Hash: 9ce40bcc99cb698d009e35c1cb257389d690316a6d7009454f2bfb48b7fc9ff4
                                                                • Instruction Fuzzy Hash: 66A02431300301CF4310DF355F0431D35DD57043D0300411D7004C4130D73044014F01
                                                                Function 018305F9 Relevance: .7, Instructions: 730COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4107808945.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_1510000_SecuriteInfo.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ff471fed8362e1f6680916959444b0539dd2ef4160a15e649cb06b76fd5f0269
                                                                • Instruction ID: 5d350bb91bd656ddb8630aaffa3a7dcec6316dcd7ce0be6e3d9b285781d2f666
                                                                • Opcode Fuzzy Hash: ff471fed8362e1f6680916959444b0539dd2ef4160a15e649cb06b76fd5f0269
                                                                • Instruction Fuzzy Hash: 88426A71608305AFEB25DF18C844B6BBBE8AFC8714F08492DF985DB251D770EA45CB92
                                                                Function 08E4A8A8 Relevance: .4, Instructions: 397COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 534eb715334d3ec2a7450d7bd06bd4f4fa69607a9ffcc1a252d5f0045ded56bd
                                                                • Instruction ID: 740ee9c34e0ff2423d3cb2a133d7a67ba40d4984b11a692346aa3e89952d5dd8
                                                                • Opcode Fuzzy Hash: 534eb715334d3ec2a7450d7bd06bd4f4fa69607a9ffcc1a252d5f0045ded56bd
                                                                • Instruction Fuzzy Hash: F2F16975B406268FCB48CF69C49463EFBF2BF88315F24962DD55A97381CB34A842CB94
                                                                Function 06100040 Relevance: .3, Instructions: 315COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4110812553.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6100000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3f972815e2d5155211d96f0d7df75b22f00fa60bc465e8c7eadefa1a50fcf91c
                                                                • Instruction ID: 7fafaab35aa7af4d1d58f8f5d958ffe6d4325fcfaaef6dbfd65450e538aebe02
                                                                • Opcode Fuzzy Hash: 3f972815e2d5155211d96f0d7df75b22f00fa60bc465e8c7eadefa1a50fcf91c
                                                                • Instruction Fuzzy Hash: 5E1275F06217468AD710CF66E95E18B3EB1BB453ECBD0460AE2E52B2E1DFB4154ACF44
                                                                Function 05E4E82C Relevance: .3, Instructions: 264COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4110531243.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_5e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 88d087984d574000dc7609378c84129245017bcac5fa1082837ef1be120c7d49
                                                                • Instruction ID: 24707f9f01194f77e7c79e6d3b1b0f37dbd956d020c48848df68ecb4aa1ba20b
                                                                • Opcode Fuzzy Hash: 88d087984d574000dc7609378c84129245017bcac5fa1082837ef1be120c7d49
                                                                • Instruction Fuzzy Hash: 2CA18032E00209CFCF05DFB5E8444AEBBB6FF89704B1555AAE856AB211DB31E955CF40
                                                                Function 08E46D88 Relevance: .3, Instructions: 260COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: db73b11524c3dc33b22956e6d7b15b17244e3849bc999830a81cc6ab3e711ee4
                                                                • Instruction ID: f161e0909e6a0c93e9c688560676085ae51e0c944e9df4ff0bfb415018a4c35e
                                                                • Opcode Fuzzy Hash: db73b11524c3dc33b22956e6d7b15b17244e3849bc999830a81cc6ab3e711ee4
                                                                • Instruction Fuzzy Hash: 3E913A75700205DFEB04EF39D894A6A77A2EF89745B108169EA058F3B5EA71EC02CB90
                                                                Function 06100007 Relevance: .2, Instructions: 242COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4110812553.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6100000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4c146a6ecd05cd5eed1edeb0378ecf90cdb69e6da7452d0cabe5cc1cb635db17
                                                                • Instruction ID: 7c0784ebb57becd0d00c2e881ada571ef1d57285a7460fe3fd3cf13e2c62bedf
                                                                • Opcode Fuzzy Hash: 4c146a6ecd05cd5eed1edeb0378ecf90cdb69e6da7452d0cabe5cc1cb635db17
                                                                • Instruction Fuzzy Hash: 63C10AF06217468AD710CF26E85A18B7FB1BB453ECB95420BE1E16B2D1DFB41446CF44
                                                                Function 00A85F67 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE
                                                                Download Yara Rule
                                                                APIs
                                                                • type_info::operator==.LIBVCRUNTIME ref: 00A86086
                                                                • CatchIt.LIBVCRUNTIME ref: 00A861E5
                                                                • _UnwindNestedFrames.LIBCMT ref: 00A862E6
                                                                • CallUnexpected.LIBVCRUNTIME ref: 00A86301
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4105262069.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                                                                • Associated: 00000000.00000002.4105245354.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105350705.0000000000A8A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105368092.0000000000A90000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105652475.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105670401.0000000000DB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_9f0000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: CallCatchFramesNestedUnexpectedUnwindtype_info::operator==
                                                                • String ID: csm$csm$csm
                                                                • API String ID: 2332921423-393685449
                                                                • Opcode ID: 89e42ddbea56aea83fc6b201300296fb890396dc210b8fb21eba3b3faef8b0e0
                                                                • Instruction ID: 744c4f854a9bccdd19bd744c5bfff5388b6b8d8aaf82e0ee6df9d33a65de5509
                                                                • Opcode Fuzzy Hash: 89e42ddbea56aea83fc6b201300296fb890396dc210b8fb21eba3b3faef8b0e0
                                                                • Instruction Fuzzy Hash: 80B19E71C00209EFDF19EFA4CA819AEBBB5FF14310F1481AAE8156B212D731EA51CF91
                                                                Function 00A87894 Relevance: 12.2, APIs: 8, Instructions: 248COMMON
                                                                Download Yara Rule
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4105262069.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                                                                • Associated: 00000000.00000002.4105245354.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105350705.0000000000A8A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105368092.0000000000A90000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105652475.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105670401.0000000000DB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_9f0000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: __freea$__alloca_probe_16$Info
                                                                • String ID:
                                                                • API String ID: 127012223-0
                                                                • Opcode ID: 701f149890b7d34250785026c92203f1e767040c1b245cba0c834dc0433eb6e8
                                                                • Instruction ID: e7cfdbca0b05ed1ce843e0d516e9209f2f457c22f0aa323410d0c4dc2f4d505a
                                                                • Opcode Fuzzy Hash: 701f149890b7d34250785026c92203f1e767040c1b245cba0c834dc0433eb6e8
                                                                • Instruction Fuzzy Hash: 9771D332908209ABDF25FF648D85BBEBBBA9F49350F380459E945A7291EB35DD00C760
                                                                Function 00A7DBF0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • _ValidateLocalCookies.LIBCMT ref: 00A7DC27
                                                                • ___except_validate_context_record.LIBVCRUNTIME ref: 00A7DC2F
                                                                • _ValidateLocalCookies.LIBCMT ref: 00A7DCB8
                                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 00A7DCE3
                                                                • _ValidateLocalCookies.LIBCMT ref: 00A7DD38
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4105262069.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                                                                • Associated: 00000000.00000002.4105245354.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105350705.0000000000A8A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105368092.0000000000A90000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105652475.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105670401.0000000000DB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_9f0000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                • String ID: csm
                                                                • API String ID: 1170836740-1018135373
                                                                • Opcode ID: 9e4387da925ee727eb6b0e6a7ce09cd2bcd54d34d89b8d64545705b27f9216a6
                                                                • Instruction ID: 96e16f0926e1aa9733d41a40872fdb416bd8928e1932f8e11964ef448182c172
                                                                • Opcode Fuzzy Hash: 9e4387da925ee727eb6b0e6a7ce09cd2bcd54d34d89b8d64545705b27f9216a6
                                                                • Instruction Fuzzy Hash: BF41C234A00208EFCF11DF68CC94A9EBBB5AF85324F14C165E91DAB392D771EA01CB91
                                                                Function 00A7FEE5 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
                                                                Download Yara Rule
                                                                APIs
                                                                • FreeLibrary.KERNEL32(00000000,?,00A7FFF4,00A7EE20,0000000C,00000000,?,00000000,?,00A7FDA6,00000022,FlsSetValue,00A8A658,00A8A660,?), ref: 00A7FFA6
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4105262069.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                                                                • Associated: 00000000.00000002.4105245354.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105350705.0000000000A8A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105368092.0000000000A90000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105652475.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105670401.0000000000DB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_9f0000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: FreeLibrary
                                                                • String ID: api-ms-$ext-ms-
                                                                • API String ID: 3664257935-537541572
                                                                • Opcode ID: 198af507087366ec7747da071b03fa42e8372fc3fe852c2d233641fe2ce0c12a
                                                                • Instruction ID: 093e08c585246da9f1e7f6431777cd01dd1fc3c268bb34b24fa827cbe04ef643
                                                                • Opcode Fuzzy Hash: 198af507087366ec7747da071b03fa42e8372fc3fe852c2d233641fe2ce0c12a
                                                                • Instruction Fuzzy Hash: 5F21EB35A00211EFD721DB64DC44A6A77A89B52770B24C131E90AE7291EB31EE01C7F0
                                                                Function 00A7F757 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE
                                                                Download Yara Rule
                                                                APIs
                                                                • GetLastError.KERNEL32(?,?,00A7F74E,00A7DA53,00A7D6DE), ref: 00A7F765
                                                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00A7F773
                                                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00A7F78C
                                                                • SetLastError.KERNEL32(00000000,00A7F74E,00A7DA53,00A7D6DE), ref: 00A7F7DE
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4105262069.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                                                                • Associated: 00000000.00000002.4105245354.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105350705.0000000000A8A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105368092.0000000000A90000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105652475.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105670401.0000000000DB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_9f0000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: ErrorLastValue___vcrt_
                                                                • String ID:
                                                                • API String ID: 3852720340-0
                                                                • Opcode ID: 3bae75a20a0ff0a21775fce8211f34d8ffba2cec72c78d27f3109f67f42097f2
                                                                • Instruction ID: cbcf27cf0a0a2794aba7ba986f3d0b37ed0d98b1d10993e24d906b72d2562b9a
                                                                • Opcode Fuzzy Hash: 3bae75a20a0ff0a21775fce8211f34d8ffba2cec72c78d27f3109f67f42097f2
                                                                • Instruction Fuzzy Hash: 7B01F73610A313EEA7183FB47DC699A2B98EB16B75B708339F114945E0EF115E029350
                                                                Function 00A83483 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                • C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe, xrefs: 00A8349F
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4105262069.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                                                                • Associated: 00000000.00000002.4105245354.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105350705.0000000000A8A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105368092.0000000000A90000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105652475.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105670401.0000000000DB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_9f0000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe
                                                                • API String ID: 0-4240107385
                                                                • Opcode ID: 1574e9f048a63c5fbc1b75722f0d81944034627d173ef10b099a79f02cb8a9fe
                                                                • Instruction ID: c31c88aba11980867e6e8c376b81d8c0aedb3299126fb9622b2b96f293f2fa25
                                                                • Opcode Fuzzy Hash: 1574e9f048a63c5fbc1b75722f0d81944034627d173ef10b099a79f02cb8a9fe
                                                                • Instruction Fuzzy Hash: 48219D72200216BFDF29BF65CD81A6BB7ADFF00B657108928F92997151E731EF1187A0
                                                                Function 00A7E6A7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
                                                                Download Yara Rule
                                                                APIs
                                                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,9B7275EC,?,?,00000000,00A89CFE,000000FF,?,00A7E768,?,?,00A7E804,?), ref: 00A7E6DC
                                                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00A7E6EE
                                                                • FreeLibrary.KERNEL32(00000000,?,00000000,00A89CFE,000000FF,?,00A7E768,?,?,00A7E804,?), ref: 00A7E710
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4105262069.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                                                                • Associated: 00000000.00000002.4105245354.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105350705.0000000000A8A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105368092.0000000000A90000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105652475.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105670401.0000000000DB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_9f0000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                                • String ID: CorExitProcess$mscoree.dll
                                                                • API String ID: 4061214504-1276376045
                                                                • Opcode ID: c15fdfe43defb776df784b6770007fdfda613ca64f1581e5a3e906bbb54ae8b9
                                                                • Instruction ID: 4a0e4da35ccaae665d9bdb4c4e78d1bc02adc62feed5a6e4560dbc876bbb2ce8
                                                                • Opcode Fuzzy Hash: c15fdfe43defb776df784b6770007fdfda613ca64f1581e5a3e906bbb54ae8b9
                                                                • Instruction Fuzzy Hash: 27018F31A04659EFDB11EF94CC09BBEBBB8FB08B55F008629E811A2290DB749900CB50
                                                                Function 00A8638C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 126COMMONLIBRARYCODE
                                                                Download Yara Rule
                                                                APIs
                                                                • EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,00A86292,?,?,00000000,00000000,00000000,?), ref: 00A863B1
                                                                • CatchIt.LIBVCRUNTIME ref: 00A86497
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4105262069.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                                                                • Associated: 00000000.00000002.4105245354.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105350705.0000000000A8A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105368092.0000000000A90000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105652475.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105670401.0000000000DB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_9f0000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: CatchEncodePointer
                                                                • String ID: MOC$RCC
                                                                • API String ID: 1435073870-2084237596
                                                                • Opcode ID: d9f92c85ddd0b65c333f176185d7c29e36e8caa41ac00c16bb8ad009db088571
                                                                • Instruction ID: 60f58095c2dc994ddd5fa2c699e1305f8dd4f7323f04baffd2d3d74737c49d8d
                                                                • Opcode Fuzzy Hash: d9f92c85ddd0b65c333f176185d7c29e36e8caa41ac00c16bb8ad009db088571
                                                                • Instruction Fuzzy Hash: 8B413872900209AFDF15EF98CE81EEEBBB5FF48304F188169FA0466221D3359A50DB50
                                                                Function 00A84420 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
                                                                Download Yara Rule
                                                                APIs
                                                                • LoadLibraryExW.KERNEL32(?,00000000,00000800,?,00A844BC,?,00000000,?,?,?,?,00A84304,00000000,FlsAlloc,00A8AF50,00A8AF58), ref: 00A8442D
                                                                • GetLastError.KERNEL32(?,00A844BC,?,00000000,?,?,?,?,00A84304,00000000,FlsAlloc,00A8AF50,00A8AF58,?,?,00A7F705), ref: 00A84437
                                                                • LoadLibraryExW.KERNEL32(?,00000000,00000000,00000000,?,00A81673,?,?,?,?,?,00000000,?,?,?,00A7F079), ref: 00A8445F
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4105262069.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                                                                • Associated: 00000000.00000002.4105245354.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105350705.0000000000A8A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105368092.0000000000A90000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105652475.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105670401.0000000000DB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_9f0000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: LibraryLoad$ErrorLast
                                                                • String ID: api-ms-
                                                                • API String ID: 3177248105-2084034818
                                                                • Opcode ID: b12bacbd1df1caf5fa82a5b8052b1992be28d4e7e62b1ca68d636bdbd300f03a
                                                                • Instruction ID: d049653a5f16c24a3d49c2f73e4e8fedb77387acd448cef2d32142a3f7e5e95d
                                                                • Opcode Fuzzy Hash: b12bacbd1df1caf5fa82a5b8052b1992be28d4e7e62b1ca68d636bdbd300f03a
                                                                • Instruction Fuzzy Hash: 90E04830780206BBFB116F90EC06B283A54AB54B41F204430FA0CE80E1E771D8218754
                                                                Function 00A84EA2 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE
                                                                Download Yara Rule
                                                                APIs
                                                                • GetConsoleOutputCP.KERNEL32(9B7275EC,00000000,00000000,?), ref: 00A84F05
                                                                  • Part of subcall function 00A83ADD: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00A848A3,?,00000000,-00000008), ref: 00A83B3E
                                                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00A85157
                                                                • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00A8519D
                                                                • GetLastError.KERNEL32 ref: 00A85240
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4105262069.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                                                                • Associated: 00000000.00000002.4105245354.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105350705.0000000000A8A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105368092.0000000000A90000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105652475.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105670401.0000000000DB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_9f0000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                • String ID:
                                                                • API String ID: 2112829910-0
                                                                • Opcode ID: a6e2134f032a89ab1174ac90afb99c38ce1d64476b217c12ad6e0ae4d242a8bb
                                                                • Instruction ID: 982f76b1ecb6f79441913088bab16eae62b301743c7e7a65d6c33306d14ec8e5
                                                                • Opcode Fuzzy Hash: a6e2134f032a89ab1174ac90afb99c38ce1d64476b217c12ad6e0ae4d242a8bb
                                                                • Instruction Fuzzy Hash: 61D15A75D04649DFCB15DFE8C884AEDBBB5FF09310F24422AE956EB351E630A942CB50
                                                                Function 00A85C8E Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE
                                                                Download Yara Rule
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4105262069.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                                                                • Associated: 00000000.00000002.4105245354.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105350705.0000000000A8A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105368092.0000000000A90000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105652475.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105670401.0000000000DB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_9f0000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: AdjustPointer
                                                                • String ID:
                                                                • API String ID: 1740715915-0
                                                                • Opcode ID: 35a097cbbf0c1a7bc116c53a317ec5f7b120f532f900be202ccb81de8290f9f5
                                                                • Instruction ID: e2c4b1a0915efbdc22f49c1bcf0d5753ba5d6bc2cccaaf51689886b10d8551bc
                                                                • Opcode Fuzzy Hash: 35a097cbbf0c1a7bc116c53a317ec5f7b120f532f900be202ccb81de8290f9f5
                                                                • Instruction Fuzzy Hash: B851C072E01B069FDB29EF64D945BAAB7B5FF05310F148529EC0697291E731ED80CB90
                                                                Function 00A82EE7 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
                                                                Download Yara Rule
                                                                APIs
                                                                  • Part of subcall function 00A83ADD: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00A848A3,?,00000000,-00000008), ref: 00A83B3E
                                                                • GetLastError.KERNEL32(?,?,?,00000000,00000000,?,00A8328D,?,?,?,00000000), ref: 00A82F4B
                                                                • __dosmaperr.LIBCMT ref: 00A82F52
                                                                • GetLastError.KERNEL32(00000000,00A8328D,?,?,00000000,?,?,?,00000000,00000000,?,00A8328D,?,?,?,00000000), ref: 00A82F8C
                                                                • __dosmaperr.LIBCMT ref: 00A82F93
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4105262069.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                                                                • Associated: 00000000.00000002.4105245354.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105350705.0000000000A8A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105368092.0000000000A90000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105652475.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105670401.0000000000DB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_9f0000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                                                • String ID:
                                                                • API String ID: 1913693674-0
                                                                • Opcode ID: 9ae42a5769cef7b31f1accc49585ac2d79dcfd2a6f5ca31f676789cc7cde4414
                                                                • Instruction ID: 6b83c6d1c8a966aa18468c8347d13d10ca08dd2cbf3ad78b76d9595465ae585b
                                                                • Opcode Fuzzy Hash: 9ae42a5769cef7b31f1accc49585ac2d79dcfd2a6f5ca31f676789cc7cde4414
                                                                • Instruction Fuzzy Hash: A221AE71604205AF9B20BFA6C980E7BB7BCFF443647108529FA2A97250D770EC61DBA0
                                                                Function 00A83BD9 Relevance: 6.1, APIs: 4, Instructions: 74COMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • GetEnvironmentStringsW.KERNEL32 ref: 00A83BE1
                                                                  • Part of subcall function 00A83ADD: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00A848A3,?,00000000,-00000008), ref: 00A83B3E
                                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00A83C19
                                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00A83C39
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4105262069.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                                                                • Associated: 00000000.00000002.4105245354.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105350705.0000000000A8A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105368092.0000000000A90000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105652475.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105670401.0000000000DB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_9f0000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                                                • String ID:
                                                                • API String ID: 158306478-0
                                                                • Opcode ID: c39daf3a52fba83c3ac0a19c2ffbf88e2fc787086232ca4b136586b6a06354b3
                                                                • Instruction ID: 77fcae0762f220d7412227e9104809ddb7e29ca560427d3d618e316985b268c7
                                                                • Opcode Fuzzy Hash: c39daf3a52fba83c3ac0a19c2ffbf88e2fc787086232ca4b136586b6a06354b3
                                                                • Instruction Fuzzy Hash: 84116DF3901515BE6E1577BA9ECACBF79ACDE85BA87100024F946E1141FA648F0683B1
                                                                Function 00A87D20 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE
                                                                Download Yara Rule
                                                                APIs
                                                                • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00A87442,00000000,00000001,00000000,?,?,00A85294,?,00000000,00000000), ref: 00A87D37
                                                                • GetLastError.KERNEL32(?,00A87442,00000000,00000001,00000000,?,?,00A85294,?,00000000,00000000,?,?,?,00A84BDA,00000000), ref: 00A87D43
                                                                  • Part of subcall function 00A87D94: CloseHandle.KERNEL32(FFFFFFFE,00A87D53,?,00A87442,00000000,00000001,00000000,?,?,00A85294,?,00000000,00000000,?,?), ref: 00A87DA4
                                                                • ___initconout.LIBCMT ref: 00A87D53
                                                                  • Part of subcall function 00A87D75: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00A87D11,00A8742F,?,?,00A85294,?,00000000,00000000,?), ref: 00A87D88
                                                                • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,00A87442,00000000,00000001,00000000,?,?,00A85294,?,00000000,00000000,?), ref: 00A87D68
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4105262069.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                                                                • Associated: 00000000.00000002.4105245354.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105350705.0000000000A8A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105368092.0000000000A90000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105652475.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105670401.0000000000DB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_9f0000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                • String ID:
                                                                • API String ID: 2744216297-0
                                                                • Opcode ID: ba37299483d3ea541ac5f7ffdef8f468bd146248e31d369240c4e9beb336e727
                                                                • Instruction ID: 5b03031e548da8ebf53562571aef162c5b52fce5f6d778b24c46f0bdb7df5529
                                                                • Opcode Fuzzy Hash: ba37299483d3ea541ac5f7ffdef8f468bd146248e31d369240c4e9beb336e727
                                                                • Instruction Fuzzy Hash: 66F0AC36545615FFCF22AFD5DC08AAE3F66EF093A1B244120FA1995121E632C960EF91
                                                                Function 00A85BF7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE
                                                                Download Yara Rule
                                                                APIs
                                                                • ___except_validate_context_record.LIBVCRUNTIME ref: 00A85E6E
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4105262069.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                                                                • Associated: 00000000.00000002.4105245354.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105350705.0000000000A8A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105368092.0000000000A90000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105652475.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.4105670401.0000000000DB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_9f0000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: ___except_validate_context_record
                                                                • String ID: csm$csm
                                                                • API String ID: 3493665558-3733052814
                                                                • Opcode ID: 8ca69e52d99c8c20a495dd5552962036cfa682e4eb06f6d852063fda179404aa
                                                                • Instruction ID: fe73ff180c8f7eb27c7b676592a085eaf87d101f1c65785928b60b2cd2014eef
                                                                • Opcode Fuzzy Hash: 8ca69e52d99c8c20a495dd5552962036cfa682e4eb06f6d852063fda179404aa
                                                                • Instruction Fuzzy Hash: 8A31C772D00618EFCF26AF71CD4496A7B66FF08315B18869AFE5849121C332DDA1DBD1
                                                                Function 08E40040 Relevance: 5.2, Strings: 4, Instructions: 179COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: (_^q$(_^q$(_^q$(_^q
                                                                • API String ID: 0-2697572114
                                                                • Opcode ID: 95a1a21cc8f923aa616d8341605fddacf656a86889a1096f08610ab9c61e936a
                                                                • Instruction ID: c04c4720eae5656f11b3f705d1d011a33695258558b1cae291ad80285cd51738
                                                                • Opcode Fuzzy Hash: 95a1a21cc8f923aa616d8341605fddacf656a86889a1096f08610ab9c61e936a
                                                                • Instruction Fuzzy Hash: 3551F175B006048FCB44EF78D4584AE7BF2EF89205B2095BDD90A9B361EB35DC42CB91
                                                                Function 08E489C5 Relevance: 5.1, Strings: 4, Instructions: 143COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.4113182843.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e40000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: (bq$(bq$Hbq$Hbq
                                                                • API String ID: 0-2599935029
                                                                • Opcode ID: 6d0f2a3d7a9d92d275f02f598a7541d35f2bc4946292a161efcb51cd9bf3823a
                                                                • Instruction ID: e3abf7b72dc945ccecf49703ce1d8f179301178a519dbfd6d65b5a1f46227d19
                                                                • Opcode Fuzzy Hash: 6d0f2a3d7a9d92d275f02f598a7541d35f2bc4946292a161efcb51cd9bf3823a
                                                                • Instruction Fuzzy Hash: 4241F13AB04A648FCB549B29E45042EBBE2EFD4621B14952ED44ACB780CF34EC038B95