Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
V9fubyadY6.exe

Overview

General Information

Sample name:V9fubyadY6.exe
renamed because original name is a hash value
Original sample name:4e3692a35a3a1ae4e4b1613f9042e4d3.exe
Analysis ID:1544043
MD5:4e3692a35a3a1ae4e4b1613f9042e4d3
SHA1:81e4b2203e11bd642bca309a76e43c8d8fbdcaac
SHA256:3d64999908580361b2426500404c1198256cd6852c630f724525a3ea6a0afa56
Tags:exeQuasarRATRATuser-abuse_ch
Infos:

Detection

Quasar
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Quasar RAT
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Yara signature match

Classification

Process Tree

  • System is w10x64
  • V9fubyadY6.exe (PID: 7468 cmdline: "C:\Users\user\Desktop\V9fubyadY6.exe" MD5: 4E3692A35A3A1AE4E4B1613F9042E4D3)
    • RegAsm.exe (PID: 7492 cmdline: #system32 MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • RegAsm.exe (PID: 7500 cmdline: #system32 MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • RegAsm.exe (PID: 7508 cmdline: #system32 MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Quasar RAT, QuasarRATQuasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware Configuration

Threatname: Quasar

{"Version": "1.4.1", "Host:Port": "164.90.236.65:5520;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "e21de365-4ad7-41b0-9c44-b9d3fb6bfbb5", "StartupKey": "Quasar Client Startup", "LogDirectoryName": "Logs", "ServerSignature": "jkRRaxEjvO/G3m5gf0k7kZzJ+OMxC6L4YeaPk8C6K3/fKd0xuDxTj1XCXHSsSPDWwyz+EHHFpgKGQsiHQX8OvuPmn5cKBl29SfbHOoUdpBr8rVOYQGz1qOag+agT1ZQsmrKdntSJAURjNsUm8v7tIVJ2cl/Zj5kLCYu4rBoqjVNwVcQRm6GzCoei6ecXybNv6KVRpEBDFFtTHesSx674P7bRLsUJMWAe7im/w9ua5+2FMkpUChG+q39f1Z+3Y13qplXhv9Dx2zXQtk6qzmHIeV4rm0cQkhi2Cqk8/mM4Nf/mLHxBOYPSHZc2/7dTig+YnE0CffA7g33v96uay9jLiqcD5SZJ3bQtjqNgIktQ5xtw9XtSVJ6L0zD0a3XUMm8lICx11xeltwYL3QAz6SvFEkFH9Iv8Lj4DiHB03m8NFBMMqurpjXHR0mxZ03ZhOw9KWQDTwJrgcLadogxP/yssMSNuw2qleTfnezYnR55AblxwiW6GCXSbYmIQO8WXDRcW4da3NVdkFQmS8xQZ7I6mBvuhjEXhWl8ua9wjbFfP11ClgYGnnCBwATsUW+8RbA4naJyh9KkCbiEJ3OKSl2mgYnIVgZVCSs9JYrE5kr9BKsp4wiNPd2L9+NZS7Xd12fZR3OJh873Yj07eLVWHFLv7u9O85vwaVdKSAGKjjRrtBbY=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAOJ4i3L+Xa3VFJAV9yUR1zANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MTAyMjEwMTAzNloYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArpsI1q3Y/PESXfGxc3W236INlH9c2toyyIQHTLWW9Bbq4pC84hvcSCbXtNJstTaw8p97db66PAC9LT1u6dK2sNGcY/qtqU38YyWHUhptG/jntOIyDzYx8LG3tZh5DXyvt3OQtnG5DaEqMgZuRGXwG9a6w59hURPqyvKaXwU44XXMPfbhjuTDLr/YYk4Cm478ddlid78V60UGGxTIIeeI+dU3F8HhnyrCdXhQHrWKIbyhoVHcP2Vwn9MxGAXL4uYYNAKUmDXZpCgA3Q9dTVyi/47dZkdfeimolplSL6cmMyKLFJ01PkGN5gw8frcfJ13mDhTFZBAttJnD6u7bv0N+o+3dLJKdo1EAvNjmkEFDV18eZX+z6TnxioPINRviplDxSqFHzDXA2i528iYHJjb5My4Ke6fLer2T0ykvSnnMcFUMVd0E4yVSwVPI0ayoe2O2fT+cT5ggGI2r45DOTJzDifyZOPbb1eKqcDsjr+GJuidMTUwspEWdQtXcDdvgJ7SNPrTALX3ZhgkaQqgeZbj3lKywEVN17JTYSWmi5XCDahxawiQPQyKPtvxHtDmXUUOR+jARErzJB+HZiH2wcjJPrDbNCrG8AbAZaVbw4OFj4Pbcn1BhTceAO5hBSqm4eEiQ0FowmW6n8gYlj6JsyvjULTEXNJpfFMQEW1XGWzN1rJ8CAwEAAaMyMDAwHQYDVR0OBBYEFEA3S95dqb97X5uKfJeS4vQfZI8DMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAKU495vDoFRi7CSOxdp/CaBVGWi40G1XHHUmdJ5hlur0y1rQRZ9Pzz4NpOPSHVZlxdIg5dODCc5Ldj1LP0tcMCugOux6p3QLZZe2+g1U18EUFJoiljdIGPmjao7GoejfR5y+cTHuVH7s9mWk3QNygk5rXcOXmrPDqdsvQYjOF/KJw+FArrYpU8IQhS9/t88g6NVIcM2pMhUeb/fMY/lJ3/sS8SecYVVYnJQIKzen2xMKiWPIl87EKMjL5IUGy6tg1sM5dr2dE2QMuMNKdX+3x1fAwp5Kr2+c3c8b14aFzAnpw6tmQC1zh+Bb/Zy38zmZfbAA1mZmqUiYrkI6rECcNJI+5w681OYUcbDMsMM8szHWFUf2c6dWWxXM5cBDO4qFxrY6HPfa3HD7xA8JKueRf8/EKcTXNu2Kqt21SXPGdPeHHj/wdQh9StCY/X5P0x9tTjZhvC5C/ARYvgA+ySqt30UP2vwymB1F8aGG16296f1Q3ZexPROzANLh5QvfQ7Jpc9zLlo/FmfiHNXtZDa/XYUIxjjJE8o1YPGdrR3NFoH+6sszi27i590/PRkWDuU3hlLs1SCIYdRP7CiwOdUMGqP/oT+SSdL5DP3THHcXYm/NJUAKWZGkHaJfCc7swlulQ3vyzIlG5GzBmlxq2iwbPskfYBC5MK5zPf44Ht7rrT6V3"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000003.00000002.2931138812.0000000000720000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_QuasarYara detected Quasar RATJoe Security
    00000003.00000002.2935399171.0000000002F36000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_QuasarYara detected Quasar RATJoe Security
      00000000.00000002.1685423043.0000000002751000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_QuasarYara detected Quasar RATJoe Security
        00000003.00000002.2935399171.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_QuasarYara detected Quasar RATJoe Security
          00000003.00000002.2931138812.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_QuasarYara detected Quasar RATJoe Security
            Click to see the 4 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.V9fubyadY6.exe.3d901d0.0.unpackJoeSecurity_QuasarYara detected Quasar RATJoe Security
              0.2.V9fubyadY6.exe.3d901d0.0.unpackMAL_QuasarRAT_May19_1Detects QuasarRAT malwareFlorian Roth
              • 0x28d0d7:$x1: Quasar.Common.Messages
              • 0x29d400:$x1: Quasar.Common.Messages
              • 0x2a9a1a:$x4: Uninstalling... good bye :-(
              • 0x2ab20f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
              0.2.V9fubyadY6.exe.3d901d0.0.unpackINDICATOR_SUSPICIOUS_GENInfoStealerDetects executables containing common artifcats observed in infostealersditekSHen
              • 0x2a8fcc:$f1: FileZilla\recentservers.xml
              • 0x2a900c:$f2: FileZilla\sitemanager.xml
              • 0x2a904e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
              • 0x2a929a:$b1: Chrome\User Data\
              • 0x2a92f0:$b1: Chrome\User Data\
              • 0x2a95c8:$b2: Mozilla\Firefox\Profiles
              • 0x2a96c4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
              • 0x2fb648:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
              • 0x2a981c:$b4: Opera Software\Opera Stable\Login Data
              • 0x2a98d6:$b5: YandexBrowser\User Data\
              • 0x2a9944:$b5: YandexBrowser\User Data\
              • 0x2a9618:$s4: logins.json
              • 0x2a934e:$a1: username_value
              • 0x2a936c:$a2: password_value
              • 0x2a9658:$a3: encryptedUsername
              • 0x2fb58c:$a3: encryptedUsername
              • 0x2a967c:$a4: encryptedPassword
              • 0x2fb5aa:$a4: encryptedPassword
              • 0x2fb528:$a5: httpRealm
              0.2.V9fubyadY6.exe.3d901d0.0.unpackMALWARE_Win_QuasarStealerDetects Quasar infostealerditekshen
              • 0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
              • 0x2a9b04:$s3: Process already elevated.
              • 0x28cdd6:$s4: get_PotentiallyVulnerablePasswords
              • 0x276e92:$s5: GetKeyloggerLogsDirectory
              • 0x29cb5f:$s5: GetKeyloggerLogsDirectory
              • 0x28cdf9:$s6: set_PotentiallyVulnerablePasswords
              • 0x2fcc76:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
              3.2.RegAsm.exe.400000.0.unpackJoeSecurity_QuasarYara detected Quasar RATJoe Security
                Click to see the 18 entries

                Sigma Signatures

                No Sigma rule has matched

                Suricata Signatures

                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-10-28T18:42:01.173948+010020355951Domain Observed Used for C2 Detected164.90.236.655520192.168.2.449730TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-10-28T18:42:01.173948+010020276191Domain Observed Used for C2 Detected164.90.236.655520192.168.2.449730TCP

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Antivirus / Scanner detection for submitted sample
                Source: V9fubyadY6.exeAvira: detected
                Found malware configuration
                Source: 0.2.V9fubyadY6.exe.3a72ba0.1.raw.unpackMalware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "164.90.236.65:5520;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "e21de365-4ad7-41b0-9c44-b9d3fb6bfbb5", "StartupKey": "Quasar Client Startup", "LogDirectoryName": "Logs", "ServerSignature": "jkRRaxEjvO/G3m5gf0k7kZzJ+OMxC6L4YeaPk8C6K3/fKd0xuDxTj1XCXHSsSPDWwyz+EHHFpgKGQsiHQX8OvuPmn5cKBl29SfbHOoUdpBr8rVOYQGz1qOag+agT1ZQsmrKdntSJAURjNsUm8v7tIVJ2cl/Zj5kLCYu4rBoqjVNwVcQRm6GzCoei6ecXybNv6KVRpEBDFFtTHesSx674P7bRLsUJMWAe7im/w9ua5+2FMkpUChG+q39f1Z+3Y13qplXhv9Dx2zXQtk6qzmHIeV4rm0cQkhi2Cqk8/mM4Nf/mLHxBOYPSHZc2/7dTig+YnE0CffA7g33v96uay9jLiqcD5SZJ3bQtjqNgIktQ5xtw9XtSVJ6L0zD0a3XUMm8lICx11xeltwYL3QAz6SvFEkFH9Iv8Lj4DiHB03m8NFBMMqurpjXHR0mxZ03ZhOw9KWQDTwJrgcLadogxP/yssMSNuw2qleTfnezYnR55AblxwiW6GCXSbYmIQO8WXDRcW4da3NVdkFQmS8xQZ7I6mBvuhjEXhWl8ua9wjbFfP11ClgYGnnCBwATsUW+8RbA4naJyh9KkCbiEJ3OKSl2mgYnIVgZVCSs9JYrE5kr9BKsp4wiNPd2L9+NZS7Xd12fZR3OJh873Yj07eLVWHFLv7u9O85vwaVdKSAGKjjRrtBbY=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAOJ4i3L+Xa3VFJAV9yUR1zANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MTAyMjEwMTAzNloYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArpsI1q3Y/PESXfGxc3W236INlH9c2toyyIQHTLWW9Bbq4pC84hvcSCbXtNJstTaw8p97db66PAC9LT1u6dK2sNGcY/qtqU38YyWHUhptG/jntOIyDzYx8LG3tZh5DXyvt3OQtnG5DaEqMgZuRGXwG9a6w59hURPqyvKaXwU44XXMPfbhjuTDLr/YYk4Cm478ddlid78V60UGGxTIIeeI+dU3F8HhnyrCdXhQHrWKIbyhoVHcP2Vwn9MxGAXL4uYYNAKUmDXZpCgA3Q9dTVyi/47dZkdfeimolplSL6cmMyKLFJ01PkGN5gw8frcfJ13mDhTFZBAttJnD6u7bv0N+o+3dLJKdo1EAvNjmkEFDV18eZX+z6TnxioPINRviplDxSqFHzDXA2i528iYHJjb5My4Ke6fLer2T0ykvSnnMcFUMVd0E4yVSwVPI0ayoe2O2fT+cT5ggGI2r45DOTJzDifyZOPbb1eKqcDsjr+GJuidMTUwspEWdQtXcDdvgJ7SNPrTALX3ZhgkaQqgeZbj3lKywEVN17JTYSWmi5XCDahxawiQPQyKPtvxHtDmXUUOR+jARErzJB+HZiH2wcjJPrDbNCrG8AbAZaVbw4OFj4Pbcn1BhTceAO5hBSqm4eEiQ0FowmW6n8gYlj6JsyvjULTEXNJpfFMQEW1XGWzN1rJ8CAwEAAaMyMDAwHQYDVR0OBBYEFEA3S95dqb97X5uKfJeS4vQfZI8DMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAKU495vDoFRi7CSOxdp/CaBVGWi40G1XHHUmdJ5hlur0y1rQRZ9Pzz4NpOPSHVZlxdIg5dODCc5Ldj1LP0tcMCugOux6p3QLZZe2+g1U18EUFJoiljdIGPmjao7GoejfR5y+cTHuVH7s9mWk3QNygk5rXcOXmrPDqdsvQYjOF/KJw+FArrYpU8IQhS9/t88g6NVIcM2pMhUeb/fMY/lJ3/sS8SecYVVYnJQIKzen2xMKiWPIl87EKMjL5IUGy6tg1sM5dr2dE2QMuMNKdX+3x1fAwp5Kr2+c3c8b14aFzAnpw6tmQC1zh+Bb/Zy38zmZfbAA1mZmqUiYrkI6rECcNJI+5w681OYUcbDMsMM8szHWFUf2c6dWWxXM5cBDO4qFxrY6HPfa3HD7xA8JKueRf8/EKcTXNu2Kqt21SXPGdPeHHj/wdQh9StCY/X5P0x9tTjZhvC5C/ARYvgA+ySqt30UP2vwymB1F8aGG16296f1Q3ZexPROzANLh5QvfQ7Jpc9zLlo/FmfiHNXtZDa/XYUIxjjJE8o1YPGdrR3NFoH+6sszi27i590/PRkWDuU3hlLs1SCIYdRP7CiwOdUMGqP/oT+SSdL5DP3THHcXYm/NJUAKWZGkHaJfCc7swlulQ3vyzIlG5GzBmlxq2iwbPskfYBC5MK5zPf44Ht7rrT6V3"}
                Multi AV Scanner detection for submitted file
                Source: V9fubyadY6.exeReversingLabs: Detection: 65%
                Yara detected Quasar RAT
                Source: Yara matchFile source: 0.2.V9fubyadY6.exe.3d901d0.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.V9fubyadY6.exe.3a72ba0.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.V9fubyadY6.exe.3d901d0.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.V9fubyadY6.exe.3a72ba0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000003.00000002.2931138812.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.2935399171.0000000002F36000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1685423043.0000000002751000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.2935399171.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.2931138812.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1685559780.0000000003754000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1685559780.0000000004154000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: V9fubyadY6.exe PID: 7468, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 7508, type: MEMORYSTR
                AI detected suspicious sample
                Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                Machine Learning detection for sample
                Source: V9fubyadY6.exeJoe Sandbox ML: detected
                Source: V9fubyadY6.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: unknownHTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.4:49732 version: TLS 1.2
                Source: V9fubyadY6.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Networking

                barindex
                Suricata IDS alerts for network traffic
                Source: Network trafficSuricata IDS: 2027619 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (Quasar CnC) : 164.90.236.65:5520 -> 192.168.2.4:49730
                Source: Network trafficSuricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 164.90.236.65:5520 -> 192.168.2.4:49730
                C2 URLs / IPs found in malware configuration
                Source: Malware configuration extractorURLs: 164.90.236.65
                Yara detected Generic Downloader
                Source: Yara matchFile source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.V9fubyadY6.exe.3d901d0.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.V9fubyadY6.exe.3a72ba0.1.raw.unpack, type: UNPACKEDPE
                Source: global trafficTCP traffic: 192.168.2.4:49730 -> 164.90.236.65:5520
                Source: Joe Sandbox ViewIP Address: 195.201.57.90 195.201.57.90
                Source: Joe Sandbox ViewIP Address: 195.201.57.90 195.201.57.90
                Source: Joe Sandbox ViewASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
                Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                Source: unknownDNS query: name: ipwho.is
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive
                Source: unknownTCP traffic detected without corresponding DNS query: 164.90.236.65
                Source: unknownTCP traffic detected without corresponding DNS query: 164.90.236.65
                Source: unknownTCP traffic detected without corresponding DNS query: 164.90.236.65
                Source: unknownTCP traffic detected without corresponding DNS query: 164.90.236.65
                Source: unknownTCP traffic detected without corresponding DNS query: 164.90.236.65
                Source: unknownTCP traffic detected without corresponding DNS query: 164.90.236.65
                Source: unknownTCP traffic detected without corresponding DNS query: 164.90.236.65
                Source: unknownTCP traffic detected without corresponding DNS query: 164.90.236.65
                Source: unknownTCP traffic detected without corresponding DNS query: 164.90.236.65
                Source: unknownTCP traffic detected without corresponding DNS query: 164.90.236.65
                Source: unknownTCP traffic detected without corresponding DNS query: 164.90.236.65
                Source: unknownTCP traffic detected without corresponding DNS query: 164.90.236.65
                Source: unknownTCP traffic detected without corresponding DNS query: 164.90.236.65
                Source: unknownTCP traffic detected without corresponding DNS query: 164.90.236.65
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive
                Source: global trafficDNS traffic detected: DNS query: ipwho.is
                Source: RegAsm.exe, 00000003.00000002.2934021204.0000000000F81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en&c
                Source: RegAsm.exe, 00000003.00000002.2934675940.0000000001012000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.3.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                Source: RegAsm.exe, 00000003.00000002.2935399171.0000000002EEA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ipwho.is
                Source: RegAsm.exe, 00000003.00000002.2935399171.0000000002EEA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ipwho.isd
                Source: RegAsm.exe, 00000003.00000002.2935399171.0000000002F36000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/
                Source: RegAsm.exe, 00000003.00000002.2935399171.0000000002F36000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/d
                Source: RegAsm.exe, 00000003.00000002.2935399171.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: V9fubyadY6.exe, 00000000.00000002.1685559780.0000000003754000.00000004.00000800.00020000.00000000.sdmp, V9fubyadY6.exe, 00000000.00000002.1685559780.0000000004154000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2931138812.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                Source: RegAsm.exe, 00000003.00000002.2935399171.0000000002ED7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ipwho.is
                Source: V9fubyadY6.exe, 00000000.00000002.1685559780.0000000003754000.00000004.00000800.00020000.00000000.sdmp, V9fubyadY6.exe, 00000000.00000002.1685559780.0000000004154000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2935399171.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2931138812.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://ipwho.is/
                Source: V9fubyadY6.exe, 00000000.00000002.1685559780.0000000003754000.00000004.00000800.00020000.00000000.sdmp, V9fubyadY6.exe, 00000000.00000002.1685559780.0000000004154000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2931138812.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                Source: V9fubyadY6.exe, 00000000.00000002.1685559780.0000000003754000.00000004.00000800.00020000.00000000.sdmp, V9fubyadY6.exe, 00000000.00000002.1685559780.0000000004154000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2935399171.0000000002D27000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2931138812.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
                Source: V9fubyadY6.exe, 00000000.00000002.1685559780.0000000003754000.00000004.00000800.00020000.00000000.sdmp, V9fubyadY6.exe, 00000000.00000002.1685559780.0000000004154000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2931138812.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
                Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
                Source: unknownHTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.4:49732 version: TLS 1.2

                E-Banking Fraud

                barindex
                Yara detected Quasar RAT
                Source: Yara matchFile source: 0.2.V9fubyadY6.exe.3d901d0.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.V9fubyadY6.exe.3a72ba0.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.V9fubyadY6.exe.3d901d0.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.V9fubyadY6.exe.3a72ba0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000003.00000002.2931138812.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.2935399171.0000000002F36000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1685423043.0000000002751000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.2935399171.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.2931138812.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1685559780.0000000003754000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1685559780.0000000004154000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: V9fubyadY6.exe PID: 7468, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 7508, type: MEMORYSTR

                System Summary

                barindex
                Malicious sample detected (through community Yara rule)
                Source: 0.2.V9fubyadY6.exe.3d901d0.0.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
                Source: 0.2.V9fubyadY6.exe.3d901d0.0.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                Source: 0.2.V9fubyadY6.exe.3d901d0.0.unpack, type: UNPACKEDPEMatched rule: Detects Quasar infostealer Author: ditekshen
                Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
                Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Quasar infostealer Author: ditekshen
                Source: 0.2.V9fubyadY6.exe.3a72ba0.1.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
                Source: 0.2.V9fubyadY6.exe.3a72ba0.1.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                Source: 0.2.V9fubyadY6.exe.3a72ba0.1.unpack, type: UNPACKEDPEMatched rule: Detects Quasar infostealer Author: ditekshen
                Source: 0.2.V9fubyadY6.exe.3d901d0.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
                Source: 0.2.V9fubyadY6.exe.3d901d0.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                Source: 0.2.V9fubyadY6.exe.3d901d0.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Quasar infostealer Author: ditekshen
                Source: 0.2.V9fubyadY6.exe.3a72ba0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
                Source: 0.2.V9fubyadY6.exe.3a72ba0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                Source: 0.2.V9fubyadY6.exe.3a72ba0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Quasar infostealer Author: ditekshen
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_02C8F03C3_2_02C8F03C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0796A6203_2_0796A620
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_07966D883_2_07966D88
                Source: V9fubyadY6.exe, 00000000.00000002.1685559780.0000000003754000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameClient.exe. vs V9fubyadY6.exe
                Source: V9fubyadY6.exe, 00000000.00000002.1684271354.0000000000A3E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs V9fubyadY6.exe
                Source: V9fubyadY6.exe, 00000000.00000002.1685559780.0000000004154000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameClient.exe. vs V9fubyadY6.exe
                Source: V9fubyadY6.exe, 00000000.00000002.1685423043.0000000002751000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameClient.exe. vs V9fubyadY6.exe
                Source: V9fubyadY6.exeBinary or memory string: OriginalFilenamemagnify.exe4 vs V9fubyadY6.exe
                Source: V9fubyadY6.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 0.2.V9fubyadY6.exe.3d901d0.0.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                Source: 0.2.V9fubyadY6.exe.3d901d0.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 0.2.V9fubyadY6.exe.3d901d0.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                Source: 0.2.V9fubyadY6.exe.3a72ba0.1.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                Source: 0.2.V9fubyadY6.exe.3a72ba0.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 0.2.V9fubyadY6.exe.3a72ba0.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                Source: 0.2.V9fubyadY6.exe.3d901d0.0.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                Source: 0.2.V9fubyadY6.exe.3d901d0.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 0.2.V9fubyadY6.exe.3d901d0.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                Source: 0.2.V9fubyadY6.exe.3a72ba0.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                Source: 0.2.V9fubyadY6.exe.3a72ba0.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 0.2.V9fubyadY6.exe.3a72ba0.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                Source: V9fubyadY6.exe, by-unknown-------------------------.csBase64 encoded string: 'QzpcV2luZG93c1xNaWNyb3NvZnQuTkVUXEZyYW1ld29ya1x2NC4wLjMwMzE5XFJlZ0FzbS5leGU='
                Source: classification engineClassification label: mal100.troj.evad.winEXE@7/3@1/2
                Source: C:\Users\user\Desktop\V9fubyadY6.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\V9fubyadY6.exe.logJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMutant created: NULL
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMutant created: \Sessions\1\BaseNamedObjects\Local\e21de365-4ad7-41b0-9c44-b9d3fb6bfbb5
                Source: V9fubyadY6.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: V9fubyadY6.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\V9fubyadY6.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: V9fubyadY6.exeReversingLabs: Detection: 65%
                Source: unknownProcess created: C:\Users\user\Desktop\V9fubyadY6.exe "C:\Users\user\Desktop\V9fubyadY6.exe"
                Source: C:\Users\user\Desktop\V9fubyadY6.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe #system32
                Source: C:\Users\user\Desktop\V9fubyadY6.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe #system32
                Source: C:\Users\user\Desktop\V9fubyadY6.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe #system32
                Source: C:\Users\user\Desktop\V9fubyadY6.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe #system32Jump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe #system32Jump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe #system32Jump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptnet.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: webio.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cabinet.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                Source: V9fubyadY6.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: V9fubyadY6.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                Source: V9fubyadY6.exeStatic file information: File size 3310080 > 1048576
                Source: V9fubyadY6.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x327800
                Source: V9fubyadY6.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Hooking and other Techniques for Hiding and Protection

                barindex
                Hides that the sample has been downloaded from the Internet (zone.identifier)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe:Zone.Identifier read attributes | deleteJump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeMemory allocated: 2530000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeMemory allocated: 2750000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeMemory allocated: 25A0000 memory reserve | memory write watchJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 2B30000 memory reserve | memory write watchJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 2CA0000 memory reserve | memory write watchJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 4CA0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 691Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 406Jump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exe TID: 7488Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7592Thread sleep time: -30000s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\V9fubyadY6.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: RegAsm.exe, 00000003.00000002.2942848671.0000000005609000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942848671.00000000055C0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942848671.0000000005540000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: C:\Users\user\Desktop\V9fubyadY6.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                barindex
                .NET source code references suspicious native API functions
                Source: V9fubyadY6.exe, by-unknown-------------------------.csReference to suspicious API methods: ReadProcessMemory(by_002Dunknown_FFFD_D83E_DD70_D83E_DD29_D83D_DD29_D83D_DC98_FFFD_FE0F_FFFD_FFFD_D83E_DE1C_FFFD_FFFD_FFFD_FFFD_200D_FFFD_FFFD_FFFD_D83D_DE35.ProcessHandle, num3 + 4 + 4, ref by_002Dunknown_FE0F_FFFD_FFFD_FFFD_FFFD_D83D_DCAB_FFFD_200D_FE0F_FFFD_FFFD_FFFD_D83D_DD14_FFFD_D83D_DCAB_FFFD_D83E_DFF3_FFFD_FFFD_FFFD_FFFD, 4, ref by_002Dunknown_D83D_DE3F_FFFD_D83E_DDE8_FE0F_D83D_DD29_FFFD_FE0F_FFFD_FE0F_FFFD_FFFD_FFFD_FFFD_D83E_DE35_FFFD_D83C_DCA3_FFFD_200D_FFFD_FFFD)
                Source: V9fubyadY6.exe, by-unknown-------------------------.csReference to suspicious API methods: VirtualAllocEx(by_002Dunknown_FFFD_D83E_DD70_D83E_DD29_D83D_DD29_D83D_DC98_FFFD_FE0F_FFFD_FFFD_D83E_DE1C_FFFD_FFFD_FFFD_FFFD_200D_FFFD_FFFD_FFFD_D83D_DE35.ProcessHandle, num2, num4, 12288, 64)
                Source: V9fubyadY6.exe, by-unknown-------------------------.csReference to suspicious API methods: WriteProcessMemory(by_002Dunknown_FFFD_D83E_DD70_D83E_DD29_D83D_DD29_D83D_DC98_FFFD_FE0F_FFFD_FFFD_D83E_DE1C_FFFD_FFFD_FFFD_FFFD_200D_FFFD_FFFD_FFFD_D83D_DE35.ProcessHandle, num6, by_002Dunknown_FFFD_FE0F_FFFD_FFFD_FFFD_FE0F_FFFD_200D_FFFD_D83E_DD15_FFFD_26A7_FFFD_FFFD_FFFD_D83E_DE35_FFFD_FFFD_FE0F_FFFD_FFFD_FFFD_2642, num5, ref by_002Dunknown_D83D_DE3F_FFFD_D83E_DDE8_FE0F_D83D_DD29_FFFD_FE0F_FFFD_FE0F_FFFD_FFFD_FFFD_FFFD_D83E_DE35_FFFD_D83C_DCA3_FFFD_200D_FFFD_FFFD)
                Allocates memory in foreign processes
                Source: C:\Users\user\Desktop\V9fubyadY6.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and writeJump to behavior
                Injects a PE file into a foreign processes
                Source: C:\Users\user\Desktop\V9fubyadY6.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5AJump to behavior
                Writes to foreign memory regions
                Source: C:\Users\user\Desktop\V9fubyadY6.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000Jump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000Jump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 720000Jump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 722000Jump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: D46008Jump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe #system32Jump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe #system32Jump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe #system32Jump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeQueries volume information: C:\Users\user\Desktop\V9fubyadY6.exe VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\V9fubyadY6.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

                barindex
                Yara detected Quasar RAT
                Source: Yara matchFile source: 0.2.V9fubyadY6.exe.3d901d0.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.V9fubyadY6.exe.3a72ba0.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.V9fubyadY6.exe.3d901d0.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.V9fubyadY6.exe.3a72ba0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000003.00000002.2931138812.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.2935399171.0000000002F36000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1685423043.0000000002751000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.2935399171.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.2931138812.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1685559780.0000000003754000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1685559780.0000000004154000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: V9fubyadY6.exe PID: 7468, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 7508, type: MEMORYSTR

                Remote Access Functionality

                barindex
                Yara detected Quasar RAT
                Source: Yara matchFile source: 0.2.V9fubyadY6.exe.3d901d0.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.V9fubyadY6.exe.3a72ba0.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.V9fubyadY6.exe.3d901d0.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.V9fubyadY6.exe.3a72ba0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000003.00000002.2931138812.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.2935399171.0000000002F36000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1685423043.0000000002751000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.2935399171.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.2931138812.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1685559780.0000000003754000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1685559780.0000000004154000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: V9fubyadY6.exe PID: 7468, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 7508, type: MEMORYSTR

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire InfrastructureValid Accounts21
                Windows Management Instrumentation                		1
                DLL Side-Loading                		311
                Process Injection                		1
                Masquerading                		OS Credential Dumping11
                Security Software Discovery                		Remote Services1
                Archive Collected Data                		11
                Encrypted Channel                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault Accounts1
                Native API                		Boot or Logon Initialization Scripts1
                DLL Side-Loading                		1
                Disable or Modify Tools                		LSASS Memory1
                Process Discovery                		Remote Desktop ProtocolData from Removable Media1
                Non-Standard Port                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)41
                Virtualization/Sandbox Evasion                		Security Account Manager41
                Virtualization/Sandbox Evasion                		SMB/Windows Admin SharesData from Network Shared Drive1
                Ingress Tool Transfer                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook311
                Process Injection                		NTDS1
                Application Window Discovery                		Distributed Component Object ModelInput Capture2
                Non-Application Layer Protocol                		Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                Hidden Files and Directories                		LSA Secrets1
                System Network Configuration Discovery                		SSHKeylogging113
                Application Layer Protocol                		Scheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                Obfuscated Files or Information                		Cached Domain Credentials23
                System Information Discovery                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                DLL Side-Loading                		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                windows-stand

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                SourceDetectionScannerLabelLink
                V9fubyadY6.exe66%ReversingLabsByteCode-MSIL.Hacktool.ResInject
                V9fubyadY6.exe100%AviraTR/Dropper.Gen
                V9fubyadY6.exe100%Joe Sandbox ML

                Dropped Files

                No Antivirus matches

                Unpacked PE Files

                No Antivirus matches

                Domains

                No Antivirus matches

                URLs

                SourceDetectionScannerLabelLink
                https://api.ipify.org/0%URL Reputationsafe
                https://stackoverflow.com/q/14436606/233540%URL Reputationsafe
                http://schemas.datacontract.org/2004/07/0%URL Reputationsafe
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
                https://stackoverflow.com/q/11564914/23354;0%URL Reputationsafe

                Domains and IPs

                Contacted Domains

                NameIPActiveMaliciousAntivirus DetectionReputation
                ipwho.is
                		195.201.57.90
                		truefalse
                  		unknown

                  Contacted URLs

                  NameMaliciousAntivirus DetectionReputation
                  164.90.236.65true
                    		unknown
                    https://ipwho.is/false
                      		unknown

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      https://api.ipify.org/V9fubyadY6.exe, 00000000.00000002.1685559780.0000000003754000.00000004.00000800.00020000.00000000.sdmp, V9fubyadY6.exe, 00000000.00000002.1685559780.0000000004154000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2931138812.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://schemas.datacontract.org/2004/07/dRegAsm.exe, 00000003.00000002.2935399171.0000000002F36000.00000004.00000800.00020000.00000000.sdmpfalse
                        		unknown
                        https://stackoverflow.com/q/14436606/23354V9fubyadY6.exe, 00000000.00000002.1685559780.0000000003754000.00000004.00000800.00020000.00000000.sdmp, V9fubyadY6.exe, 00000000.00000002.1685559780.0000000004154000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2935399171.0000000002D27000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2931138812.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://stackoverflow.com/q/2152978/23354sCannotV9fubyadY6.exe, 00000000.00000002.1685559780.0000000003754000.00000004.00000800.00020000.00000000.sdmp, V9fubyadY6.exe, 00000000.00000002.1685559780.0000000004154000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2931138812.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                          		unknown
                          http://schemas.datacontract.org/2004/07/RegAsm.exe, 00000003.00000002.2935399171.0000000002F36000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameRegAsm.exe, 00000003.00000002.2935399171.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://ipwho.isRegAsm.exe, 00000003.00000002.2935399171.0000000002EEA000.00000004.00000800.00020000.00000000.sdmpfalse
                            		unknown
                            https://stackoverflow.com/q/11564914/23354;V9fubyadY6.exe, 00000000.00000002.1685559780.0000000003754000.00000004.00000800.00020000.00000000.sdmp, V9fubyadY6.exe, 00000000.00000002.1685559780.0000000004154000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2931138812.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://ipwho.isdRegAsm.exe, 00000003.00000002.2935399171.0000000002EEA000.00000004.00000800.00020000.00000000.sdmpfalse
                              		unknown
                              https://ipwho.isRegAsm.exe, 00000003.00000002.2935399171.0000000002ED7000.00000004.00000800.00020000.00000000.sdmpfalse
                                		unknown

                                World Map of Contacted IPs

                                • No. of IPs < 25%
                                • 25% < No. of IPs < 50%
                                • 50% < No. of IPs < 75%
                                • 75% < No. of IPs

                                Public IPs

                                IPDomainCountryFlagASNASN NameMalicious
                                164.90.236.65
                                		unknownUnited States
                                		14061DIGITALOCEAN-ASNUStrue
                                195.201.57.90
                                		ipwho.isGermany
                                		24940HETZNER-ASDEfalse

                                General Information

                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1544043
                                Start date and time:2024-10-28 18:41:05 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 5m 9s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                Number of analysed new started processes analysed:8
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:V9fubyadY6.exe
                                renamed because original name is a hash value
                                Original Sample Name:4e3692a35a3a1ae4e4b1613f9042e4d3.exe
                                Detection:MAL
                                Classification:mal100.troj.evad.winEXE@7/3@1/2
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 100%
                                • Number of executed functions: 74
                                • Number of non-executed functions: 3
                                Cookbook Comments:
                                • Found application associated with file extension: .exe

                                Warnings

                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                • Excluded IPs from analysis (whitelisted): 2.19.126.163, 2.19.126.137
                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
                                • Not all processes where analyzed, report is missing behavior information
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • Report size getting too big, too many NtReadVirtualMemory calls found.
                                • VT rate limit hit for: V9fubyadY6.exe

                                Simulations

                                Behavior and APIs

                                TimeTypeDescription
                                13:42:02API Interceptor1x Sleep call for process: RegAsm.exe modified

                                Joe Sandbox View / Context

                                IPs

                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                195.201.57.90SPt4FUjZMt.exeGet hashmaliciousAsyncRAT, Luca Stealer, MicroClip, PythonCryptoHijacker, RedLineBrowse
                                • /?output=json
                                765iYbgWn9.exeGet hashmaliciousLuca StealerBrowse
                                • /?output=json
                                765iYbgWn9.exeGet hashmaliciousLuca StealerBrowse
                                • /?output=json
                                WfKynArKjH.exeGet hashmaliciousAsyncRAT, Luca Stealer, MicroClip, RedLineBrowse
                                • /?output=json
                                ubes6SC7Vd.exeGet hashmaliciousUnknownBrowse
                                • ipwhois.app/xml/
                                cOQD62FceM.exeGet hashmaliciousLuca Stealer, Rusty StealerBrowse
                                • /?output=json
                                Clipper.exeGet hashmaliciousUnknownBrowse
                                • /?output=json
                                cOQD62FceM.exeGet hashmaliciousLuca StealerBrowse
                                • /?output=json
                                Cryptor.exeGet hashmaliciousLuca StealerBrowse
                                • /?output=json
                                Cryptor.exeGet hashmaliciousLuca Stealer, Rusty StealerBrowse
                                • /?output=json

                                Domains

                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                ipwho.ishttps://tronlkam8s2.z13.web.core.windows.netGet hashmaliciousTechSupportScamBrowse
                                • 195.201.57.90
                                http://tronlkam8s2.z13.web.core.windows.netGet hashmaliciousTechSupportScamBrowse
                                • 195.201.57.90
                                http://cint.securiguard.ccGet hashmaliciousTechSupportScamBrowse
                                • 108.181.98.179
                                https://8jkfw9cqp7ep.z13.web.core.windows.net/?zpbid=78432_55610c1d-9229-11ef-824f-03718b6de7bb#Get hashmaliciousHTMLPhisher, TechSupportScamBrowse
                                • 195.201.57.90
                                https://dca13.z4.web.core.windows.net/werrx01USAHTML/?bcda=1-877-883-8072#Get hashmaliciousTechSupportScamBrowse
                                • 195.201.57.90
                                d600758023374f78d58acafbcaf94af66ad203b28e22a.exeGet hashmaliciousQuasarBrowse
                                • 108.181.98.179
                                SCV.cmdGet hashmaliciousUnknownBrowse
                                • 15.204.213.5
                                SCV.cmdGet hashmaliciousUnknownBrowse
                                • 195.201.57.90
                                mbbkel3.cmdGet hashmaliciousUnknownBrowse
                                • 195.201.57.90
                                lcxMtt6sny.exeGet hashmaliciousQuasarBrowse
                                • 195.201.57.90

                                ASNs

                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                HETZNER-ASDEXS_Trade_AI-newest_release_.exeGet hashmaliciousLummaCBrowse
                                • 135.181.116.240
                                https://gofile.io/d/IAr464Get hashmaliciousUnknownBrowse
                                • 213.239.209.209
                                https://gofile.io/d/IAr464Get hashmaliciousPhisherBrowse
                                • 144.76.38.164
                                https://gofile.io/d/IAr464Get hashmaliciousUnknownBrowse
                                • 213.239.209.209
                                nabspc.elfGet hashmaliciousUnknownBrowse
                                • 176.9.43.60
                                la.bot.arm7.elfGet hashmaliciousUnknownBrowse
                                • 116.203.104.203
                                CQlUZ4KuAa.exeGet hashmaliciousVidarBrowse
                                • 116.202.182.67
                                9yJSTTEg68.exeGet hashmaliciousVidarBrowse
                                • 135.181.31.18
                                dZIZhRHDXv.exeGet hashmaliciousRHADAMANTHYSBrowse
                                • 138.201.226.224
                                nklmpsl.elfGet hashmaliciousUnknownBrowse
                                • 5.75.234.236
                                DIGITALOCEAN-ASNUSla.bot.m68k.elfGet hashmaliciousUnknownBrowse
                                • 167.71.77.78
                                splm68k.elfGet hashmaliciousUnknownBrowse
                                • 178.128.224.218
                                arm.elfGet hashmaliciousUnknownBrowse
                                • 107.170.128.150
                                http://delivery.aima.in/KUJABQ?id=12442=dkxVUwNRDAEFTQIMBlVXAlpcUABXUAlUW1BaUQMHCQQMB1RQBwAKAwMHUlMBVQsKAQ1KQ1IQSlQGdQtdWUFRG0VcGVIFUQENDgMABgcGBwdVAAUOTwpEQRIPTRxSUlxcQ1UXGhwCUVhWH15bGXhmeSN7ZwZaBkxDUQ==&fl=XUQRE0FZFxpUVFlBRFJfQw1LQlhfTFFHAV0HV0NUX1haXgwXQQtZG1hDUBtYVBxaDF1TQQBMWEEPWQ==Get hashmaliciousUnknownBrowse
                                • 139.59.79.179
                                debug.dbg.elfGet hashmaliciousMirai, MoobotBrowse
                                • 157.245.182.56
                                mpsl.elfGet hashmaliciousMirai, MoobotBrowse
                                • 157.245.75.207
                                x86.elfGet hashmaliciousMirai, MoobotBrowse
                                • 157.230.180.172
                                bot-armv7.elfGet hashmaliciousUnknownBrowse
                                • 167.172.21.155
                                bot-x86.elfGet hashmaliciousUnknownBrowse
                                • 167.172.21.155
                                splspc.elfGet hashmaliciousUnknownBrowse
                                • 134.209.44.102

                                JA3 Fingerprints

                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                3b5074b1b5d032e5620f69f9f700ff0e(No subject) (93).emlGet hashmaliciousHTMLPhisherBrowse
                                • 195.201.57.90
                                https://onedrive.live.com/view.aspx?resid=8656653D19C3C7C0!sb98dbf79ab614921877689e4912e2fae&migratedtospo=true&redeem=aHR0cHM6Ly8xZHJ2Lm1zL28vYy84NjU2NjUzZDE5YzNjN2MwL0VubV9qYmxocXlGSmgzYUo1SkV1TDY0QmtKQzA5SEFwTjV6cTh1YW5PSWxxNEE_ZT1pdGFpeGo&wd=target%28Sezione%20senza%20titolo.one%7Ccfe57f3b-5d7b-4d15-b045-f6fdb53b3776%2FRechnung%2039920898-43006843%20%5C%7C%20Ebner%20Media%20Group%7C205becae-dae9-4a36-907a-485bcab69387%2F%29&wdorigin=NavigationUrlGet hashmaliciousUnknownBrowse
                                • 195.201.57.90
                                file.exeGet hashmaliciousStealc, VidarBrowse
                                • 195.201.57.90
                                https://1drv.ms/o/c/dfbe417e0dc15e08/Esl_LBLy3yNEou5UFJ-QxnIBMGmncz8uv1GwgEHKevm1cw?e=C2cldFGet hashmaliciousUnknownBrowse
                                • 195.201.57.90
                                https://gofile.io/d/IAr464Get hashmaliciousPhisherBrowse
                                • 195.201.57.90
                                https://dl.dropboxusercontent.com/scl/fi/95is2w1ywjvorzayt88dp/DKM-0192PDF.zip?rlkey=svoej4s4tb5lwbnvthtgrmokl&st=d99zdn1k&dl=0Get hashmaliciousAbobus ObfuscatorBrowse
                                • 195.201.57.90
                                EwKKdCrEDu.exeGet hashmaliciousUnknownBrowse
                                • 195.201.57.90
                                EwKKdCrEDu.exeGet hashmaliciousUnknownBrowse
                                • 195.201.57.90
                                Fedex.exeGet hashmaliciousAgentTeslaBrowse
                                • 195.201.57.90
                                come.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                • 195.201.57.90

                                Dropped Files

                                No context

                                Created / dropped Files

                                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

                                Download File
                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                Category:dropped
                                Size (bytes):71954
                                Entropy (8bit):7.996617769952133
                                Encrypted:true
                                SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                Malicious:false
                                Reputation:high, very likely benign file
                                Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

                                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

                                Download File
                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):328
                                Entropy (8bit):3.1440865988908944
                                Encrypted:false
                                SSDEEP:6:kKyPL9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:qPiDnLNkPlE99SNxAhUe/3
                                MD5:5521A7C78B3EA60C2DC8BB8DC4D4E129
                                SHA1:D3EBDAACF74218414817503907386A4FAA4BF155
                                SHA-256:5A48A98FB1C0B54D1DAF1C6747174C23F4B6B67441DDE6E00B728AB90815E6F9
                                SHA-512:9D29982216DA502CBA0DE334A9A43515D14CF46E012F6B619E1B169353619CBDB5745562981DDA404F0161CDC1E1DA9A6D70F7C3611961CD38F0B50523865308
                                Malicious:false
                                Reputation:low
                                Preview:p...... ..........-.`)..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\V9fubyadY6.exe.log

                                Download File
                                Process:C:\Users\user\Desktop\V9fubyadY6.exe
                                File Type:CSV text
                                Category:dropped
                                Size (bytes):226
                                Entropy (8bit):5.360398796477698
                                Encrypted:false
                                SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
                                MD5:3A8957C6382192B71471BD14359D0B12
                                SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
                                SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
                                SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
                                Malicious:true
                                Reputation:high, very likely benign file
                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

                                Static File Info

                                General

                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Entropy (8bit):7.998403642472572
                                TrID:
                                • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                • Win32 Executable (generic) a (10002005/4) 49.97%
                                • Generic Win/DOS Executable (2004/3) 0.01%
                                • DOS Executable Generic (2002/1) 0.01%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:V9fubyadY6.exe
                                File size:3'310'080 bytes
                                MD5:4e3692a35a3a1ae4e4b1613f9042e4d3
                                SHA1:81e4b2203e11bd642bca309a76e43c8d8fbdcaac
                                SHA256:3d64999908580361b2426500404c1198256cd6852c630f724525a3ea6a0afa56
                                SHA512:b930007e5f4429385b9e6126b34e69b34d39220485f49c1fd7e6e241fc3f6b502bdb13fbf0d0316884d1e999175684ed6aaae95012db314742c23d3950306ec8
                                SSDEEP:98304:ADGR5laH31reYTr+VBcMWy7hQd4S5D6XF5:2ckr+sO9QdXKF
                                TLSH:B4E5234B4458BD6ECB63523F45261FC4BBF236A32E08CFA461529B9C55742CFE603A93
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.................x2...........2.. ....2...@.. ........................2...........@................................

                                File Icon

                                Icon Hash:90cececece8e8eb0

                                Static PE Info

                                General

                                Entrypoint:0x7296be
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                Time Stamp:0x671A1F13 [Thu Oct 24 10:18:59 2024 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                Entrypoint Preview

                                Instruction
                                jmp dword ptr [00402000h]
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al

                                Data Directories

                                NameVirtual AddressVirtual Size Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                IMAGE_DIRECTORY_ENTRY_IMPORT0x3296640x57.text
                                IMAGE_DIRECTORY_ENTRY_RESOURCE0x32a0000x54a.rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                IMAGE_DIRECTORY_ENTRY_BASERELOC0x32c0000xc.reloc
                                IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                Sections

                                NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                .text0x20000x3276c40x3278008ef529f29d5221871c073ad72dddd81bunknownunknownunknownunknownIMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                .rsrc0x32a0000x54a0x600afd00e047a23fa69e0d65414d610068eFalse0.40625data3.922575202625809IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .reloc0x32c0000xc0x200e8c7d3ef3488ddd8f42d7e67a70e97e8False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                Resources

                                NameRVASizeTypeLanguageCountryZLIB Complexity
                                RT_VERSION0x32a0a00x2c0data0.45454545454545453
                                RT_MANIFEST0x32a3600x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5469387755102041

                                Imports

                                DLLImport
                                mscoree.dll_CorExeMain

                                Network Behavior

                                Suricata IDS Alerts

                                TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                2024-10-28T18:42:01.173948+01002027619ET MALWARE Observed Malicious SSL Cert (Quasar CnC)1164.90.236.655520192.168.2.449730TCP
                                2024-10-28T18:42:01.173948+01002035595ET MALWARE Generic AsyncRAT Style SSL Cert1164.90.236.655520192.168.2.449730TCP

                                Network Port Distribution

                                TCP Packets

                                TimestampSource PortDest PortSource IPDest IP
                                Oct 28, 2024 18:42:00.304976940 CET497305520192.168.2.4164.90.236.65
                                Oct 28, 2024 18:42:00.310606956 CET552049730164.90.236.65192.168.2.4
                                Oct 28, 2024 18:42:00.310703993 CET497305520192.168.2.4164.90.236.65
                                Oct 28, 2024 18:42:00.339708090 CET497305520192.168.2.4164.90.236.65
                                Oct 28, 2024 18:42:00.345284939 CET552049730164.90.236.65192.168.2.4
                                Oct 28, 2024 18:42:01.162976027 CET552049730164.90.236.65192.168.2.4
                                Oct 28, 2024 18:42:01.163005114 CET552049730164.90.236.65192.168.2.4
                                Oct 28, 2024 18:42:01.163105011 CET497305520192.168.2.4164.90.236.65
                                Oct 28, 2024 18:42:01.168487072 CET497305520192.168.2.4164.90.236.65
                                Oct 28, 2024 18:42:01.173948050 CET552049730164.90.236.65192.168.2.4
                                Oct 28, 2024 18:42:01.417759895 CET552049730164.90.236.65192.168.2.4
                                Oct 28, 2024 18:42:01.468976974 CET497305520192.168.2.4164.90.236.65
                                Oct 28, 2024 18:42:02.996458054 CET49732443192.168.2.4195.201.57.90
                                Oct 28, 2024 18:42:02.996483088 CET44349732195.201.57.90192.168.2.4
                                Oct 28, 2024 18:42:02.996560097 CET49732443192.168.2.4195.201.57.90
                                Oct 28, 2024 18:42:02.998276949 CET49732443192.168.2.4195.201.57.90
                                Oct 28, 2024 18:42:02.998296976 CET44349732195.201.57.90192.168.2.4
                                Oct 28, 2024 18:42:04.131438017 CET44349732195.201.57.90192.168.2.4
                                Oct 28, 2024 18:42:04.131530046 CET49732443192.168.2.4195.201.57.90
                                Oct 28, 2024 18:42:04.136257887 CET49732443192.168.2.4195.201.57.90
                                Oct 28, 2024 18:42:04.136265039 CET44349732195.201.57.90192.168.2.4
                                Oct 28, 2024 18:42:04.136575937 CET44349732195.201.57.90192.168.2.4
                                Oct 28, 2024 18:42:04.167485952 CET49732443192.168.2.4195.201.57.90
                                Oct 28, 2024 18:42:04.215333939 CET44349732195.201.57.90192.168.2.4
                                Oct 28, 2024 18:42:04.426901102 CET44349732195.201.57.90192.168.2.4
                                Oct 28, 2024 18:42:04.426975012 CET44349732195.201.57.90192.168.2.4
                                Oct 28, 2024 18:42:04.427059889 CET49732443192.168.2.4195.201.57.90
                                Oct 28, 2024 18:42:04.496418953 CET49732443192.168.2.4195.201.57.90
                                Oct 28, 2024 18:42:04.624138117 CET497305520192.168.2.4164.90.236.65
                                Oct 28, 2024 18:42:04.629580975 CET552049730164.90.236.65192.168.2.4
                                Oct 28, 2024 18:42:04.629723072 CET497305520192.168.2.4164.90.236.65
                                Oct 28, 2024 18:42:04.635083914 CET552049730164.90.236.65192.168.2.4
                                Oct 28, 2024 18:42:04.877197027 CET552049730164.90.236.65192.168.2.4
                                Oct 28, 2024 18:42:04.922120094 CET497305520192.168.2.4164.90.236.65
                                Oct 28, 2024 18:42:05.000937939 CET552049730164.90.236.65192.168.2.4
                                Oct 28, 2024 18:42:05.047102928 CET497305520192.168.2.4164.90.236.65
                                Oct 28, 2024 18:42:30.016009092 CET497305520192.168.2.4164.90.236.65
                                Oct 28, 2024 18:42:30.021754980 CET552049730164.90.236.65192.168.2.4
                                Oct 28, 2024 18:42:55.031516075 CET497305520192.168.2.4164.90.236.65
                                Oct 28, 2024 18:42:55.036765099 CET552049730164.90.236.65192.168.2.4
                                Oct 28, 2024 18:43:20.047219038 CET497305520192.168.2.4164.90.236.65
                                Oct 28, 2024 18:43:20.052755117 CET552049730164.90.236.65192.168.2.4
                                Oct 28, 2024 18:43:45.062886953 CET497305520192.168.2.4164.90.236.65
                                Oct 28, 2024 18:43:45.069644928 CET552049730164.90.236.65192.168.2.4

                                UDP Packets

                                TimestampSource PortDest PortSource IPDest IP
                                Oct 28, 2024 18:42:02.982897997 CET6242853192.168.2.41.1.1.1
                                Oct 28, 2024 18:42:02.992485046 CET53624281.1.1.1192.168.2.4

                                DNS Queries

                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                Oct 28, 2024 18:42:02.982897997 CET192.168.2.41.1.1.10x5359Standard query (0)ipwho.isA (IP address)IN (0x0001)false

                                DNS Answers

                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                Oct 28, 2024 18:42:02.992485046 CET1.1.1.1192.168.2.40x5359No error (0)ipwho.is195.201.57.90A (IP address)IN (0x0001)false

                                HTTP Request Dependency Graph

                                • ipwho.is

                                HTTPS Proxied Packets

                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                0192.168.2.449732195.201.57.904437508C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                TimestampBytes transferredDirectionData
                                2024-10-28 17:42:04 UTC150OUTGET / HTTP/1.1
                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
                                Host: ipwho.is
                                Connection: Keep-Alive
                                2024-10-28 17:42:04 UTC223INHTTP/1.1 200 OK
                                Date: Mon, 28 Oct 2024 17:42:04 GMT
                                Content-Type: application/json; charset=utf-8
                                Transfer-Encoding: chunked
                                Connection: close
                                Server: ipwhois
                                Access-Control-Allow-Headers: *
                                X-Robots-Tag: noindex
                                2024-10-28 17:42:04 UTC1032INData Raw: 33 66 63 0d 0a 7b 0a 20 20 20 20 22 41 62 6f 75 74 20 55 73 22 3a 20 22 68 74 74 70 73 3a 5c 2f 5c 2f 69 70 77 68 6f 69 73 2e 69 6f 22 2c 0a 20 20 20 20 22 69 70 22 3a 20 22 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 74 79 70 65 22 3a 20 22 49 50 76 34 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 20 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 20 22 4e 41 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 54 65 78 61
                                Data Ascii: 3fc{ "About Us": "https:\/\/ipwhois.io", "ip": "155.94.241.188", "success": true, "type": "IPv4", "continent": "North America", "continent_code": "NA", "country": "United States", "country_code": "US", "region": "Texa


                                Statistics

                                CPU Usage

                                Click to jump to process

                                Memory Usage

                                Click to jump to process

                                High Level Behavior Distribution

                                Click to dive into process behavior distribution

                                Behavior

                                Click to jump to process

                                System Behavior

                                General

                                Target ID:0
                                Start time:13:41:56
                                Start date:28/10/2024
                                Path:C:\Users\user\Desktop\V9fubyadY6.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\V9fubyadY6.exe"
                                Imagebase:0xf0000
                                File size:3'310'080 bytes
                                MD5 hash:4E3692A35A3A1AE4E4B1613F9042E4D3
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.1685423043.0000000002751000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.1685559780.0000000003754000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.1685559780.0000000004154000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:true

                                General

                                Target ID:1
                                Start time:13:41:56
                                Start date:28/10/2024
                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                Wow64 process (32bit):false
                                Commandline:#system32
                                Imagebase:0x3a0000
                                File size:65'440 bytes
                                MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                General

                                Target ID:2
                                Start time:13:41:56
                                Start date:28/10/2024
                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                Wow64 process (32bit):false
                                Commandline:#system32
                                Imagebase:0x220000
                                File size:65'440 bytes
                                MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                General

                                Target ID:3
                                Start time:13:41:56
                                Start date:28/10/2024
                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                Wow64 process (32bit):true
                                Commandline:#system32
                                Imagebase:0x9f0000
                                File size:65'440 bytes
                                MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000003.00000002.2931138812.0000000000720000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000003.00000002.2935399171.0000000002F36000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000003.00000002.2935399171.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000003.00000002.2931138812.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:high
                                Has exited:false

                                Disassembly

                                Reset < >

                                  Execution Graph

                                  Execution Coverage:50%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:0%
                                  Total number of Nodes:64
                                  Total number of Limit Nodes:3
                                  execution_graph 623 2571442 624 2571494 Wow64SetThreadContext 623->624 625 257148a 623->625 626 25714c2 624->626 625->624 629 257120c 630 2571293 CreateProcessW 629->630 632 2571369 630->632 633 25715ba 634 2571610 WriteProcessMemory 633->634 635 2571608 633->635 636 257164b 634->636 635->634 555 2570848 556 2570852 555->556 559 2570c17 556->559 561 2570c39 559->561 560 25708c9 561->560 564 2570c78 561->564 584 2570c88 561->584 565 2570cf3 564->565 604 2570548 565->604 567 2570d74 568 2570554 Wow64SetThreadContext 567->568 571 2570ffa 567->571 569 2570dcc 568->569 570 2570560 ReadProcessMemory 569->570 569->571 572 2570e0a 570->572 574 257056c WriteProcessMemory 571->574 583 2571018 571->583 572->571 573 2570e9e VirtualAllocEx 572->573 575 2570ee5 573->575 574->571 575->571 576 257056c WriteProcessMemory 575->576 577 2570f1c 576->577 577->571 578 257056c WriteProcessMemory 577->578 579 2570f6e 578->579 579->571 580 2570578 Wow64SetThreadContext 579->580 581 2570fb8 580->581 581->571 582 2570fc0 ResumeThread 581->582 582->571 583->561 585 2570cf3 584->585 586 2570548 CreateProcessW 585->586 587 2570d74 586->587 598 2570ffa 587->598 608 2570554 587->608 592 2570e9e VirtualAllocEx 594 2570ee5 592->594 593 257056c WriteProcessMemory 593->598 594->598 615 257056c 594->615 597 257056c WriteProcessMemory 599 2570f6e 597->599 598->593 603 2571018 598->603 599->598 619 2570578 599->619 602 2570fc0 ResumeThread 602->598 603->561 605 2571218 CreateProcessW 604->605 607 2571369 605->607 609 2571448 Wow64SetThreadContext 608->609 611 2570dcc 609->611 611->598 612 2570560 611->612 613 2571500 ReadProcessMemory 612->613 614 2570e0a 613->614 614->592 614->598 616 25715c0 WriteProcessMemory 615->616 618 2570f1c 616->618 618->597 618->598 620 2571448 Wow64SetThreadContext 619->620 622 2570fb8 620->622 622->598 622->602 627 25714f8 ReadProcessMemory 628 2571580 627->628

                                  Callgraph

                                  • Executed
                                  • Not Executed
                                  • Opacity -> Relevance
                                  • Disassembly available
                                  callgraph 0 Function_02570554 1 Function_0257045C 2 Function_02570158 3 Function_02570258 4 Function_02571442 5 Function_0257004D 6 Function_02570148 7 Function_02570548 8 Function_02570848 22 Function_02570C17 8->22 60 Function_025709C2 8->60 9 Function_02570474 10 Function_02570070 11 Function_02570270 12 Function_0257027C 13 Function_02570178 14 Function_02570578 15 Function_02570C78 15->0 15->7 15->14 18 Function_02570560 15->18 19 Function_0257056C 15->19 16 Function_02570264 17 Function_02570060 20 Function_02570168 21 Function_02570468 22->15 92 Function_02570C88 22->92 96 Function_025711BE 22->96 23 Function_02570515 24 Function_02570511 25 Function_0257021D 26 Function_0257051D 27 Function_0257011C 28 Function_02570519 29 Function_02570505 30 Function_02570C02 31 Function_02570501 32 Function_02570600 33 Function_02570100 34 Function_0257050D 35 Function_0257120C 36 Function_0257060C 37 Function_0257010C 38 Function_02570509 39 Function_02570C09 40 Function_02570434 41 Function_02570533 42 Function_02570230 43 Function_02570138 44 Function_02570638 45 Function_02570525 46 Function_02570521 47 Function_0257052D 48 Function_0257012C 49 Function_0257062C 50 Function_02570529 51 Function_025700D4 52 Function_025701D4 53 Function_025704D4 54 Function_025705D0 55 Function_025713DF 56 Function_025705DC 57 Function_02570BDC 58 Function_025713D8 59 Function_025701C4 60->2 60->20 61 Function_025708CF 62 Function_025713CF 63 Function_025700C8 64 Function_025704C8 65 Function_025704F5 66 Function_025705F4 67 Function_025704F1 68 Function_025700F0 69 Function_025701F0 70 Function_02570BFF 71 Function_025704FD 72 Function_025701FC 73 Function_025704F9 74 Function_025714F8 75 Function_025701E4 76 Function_025700E4 77 Function_025704E0 78 Function_025704ED 79 Function_025705E8 80 Function_02570294 81 Function_02570090 82 Function_02570190 83 Function_0257019C 84 Function_02570498 85 Function_02570598 86 Function_02570184 87 Function_02570584 88 Function_02570B81 89 Function_02570480 90 Function_02570080 91 Function_0257048C 92->0 92->7 92->14 92->18 92->19 93 Function_02570288 94 Function_025704B5 95 Function_025700B0 96->87 97 Function_025700BC 98 Function_025704BC 99 Function_025715BA 100 Function_025701B8 101 Function_025702B8 102 Function_025709A7 103 Function_02570BA5 104 Function_025704A4 105 Function_025700A0 106 Function_025702A0 107 Function_025702AC 108 Function_02570BAC 109 Function_025701A8

                                  Executed Functions

                                  Function 02570C88 Relevance: 3.4, APIs: 2, Instructions: 378memorythreadCOMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 0 2570c88-2570d76 call 2570548 9 2571124-2571137 0->9 10 2570d7c-2570db5 0->10 15 257113e 9->15 10->15 17 2570dbb-2570dce call 2570554 10->17 19 2571143-2571176 15->19 21 2570dd4-2570dde 17->21 22 257110a-257111d 17->22 35 25711b5-25711b8 19->35 36 2571178-25711a8 call 257056c 19->36 21->15 24 2570de4-2570e0c call 2570560 21->24 22->9 29 2570e12-2570e20 24->29 30 25710f0-2571103 24->30 33 2570e22-2570e5d 29->33 34 2570e80-2570ee3 VirtualAllocEx 29->34 30->22 44 2570e66-2570e7a 33->44 45 2570e5f-2570e65 33->45 49 2570ee5-2570eeb 34->49 50 2570eec-2570f03 34->50 38 25711e0-25711ff 35->38 53 25711ad-25711af 36->53 44->34 48 25710d6-25710e9 44->48 45->44 48->30 49->50 54 25710bc-25710cf 50->54 55 2570f09-2570f1e call 257056c 50->55 53->35 58 257103a-257104d 53->58 54->48 63 2570f24-2570f4b 55->63 64 25710a2-25710b5 55->64 72 2571054-2571067 58->72 63->19 70 2570f51-2570f70 call 257056c 63->70 64->54 70->72 77 2570f76-2570f8d 70->77 80 257106e-2571081 72->80 81 2570f95-2570fa4 77->81 82 2570f8f-2570f92 77->82 91 2571088-257109b 80->91 81->15 83 2570faa-2570fba call 2570578 81->83 82->81 83->80 88 2570fc0-2570ff8 ResumeThread 83->88 89 2571001-2571016 88->89 90 2570ffa-2571000 88->90 89->91 92 2571018-2571026 89->92 90->89 91->64 92->38 93 257102c-2571035 92->93 93->38
                                  APIs
                                    • Part of subcall function 02570548: CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 02571354
                                    • Part of subcall function 02570554: Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,02570DCC), ref: 025714B3
                                    • Part of subcall function 02570560: ReadProcessMemory.KERNELBASE(?,?,?,?,00010002,?,?,?,?,?,?,02570E0A,?,00000004,?), ref: 02571571
                                  • VirtualAllocEx.KERNELBASE(?,?,00000000,00003000,00000040), ref: 02570ECF
                                  • ResumeThread.KERNELBASE(?), ref: 02570FE4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1684944629.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2570000_V9fubyadY6.jbxd
                                  Similarity
                                  • API ID: ProcessThread$AllocContextCreateMemoryReadResumeVirtualWow64
                                  • String ID:
                                  • API String ID: 2498194165-0
                                  • Opcode ID: b8630cf9d3bf22107b56d578267c37fea044e08b7102b58588344e9fa025e828
                                  • Instruction ID: 6d216b3cb878d481d2633476997dd7b475267591efdb7a3a600d101e6b68801e
                                  • Opcode Fuzzy Hash: b8630cf9d3bf22107b56d578267c37fea044e08b7102b58588344e9fa025e828
                                  • Instruction Fuzzy Hash: 33E1AC70E002198BCB24DFB5D850BAEBBF6BF84344F248169D409AB295DF349D86CF95
                                  Function 02570C78 Relevance: 3.3, APIs: 2, Instructions: 270memorythreadCOMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 98 2570c78-2570d76 call 2570548 107 2571124-2571137 98->107 108 2570d7c-2570db5 98->108 113 257113e 107->113 108->113 115 2570dbb-2570dce call 2570554 108->115 117 2571143-2571176 113->117 119 2570dd4-2570dde 115->119 120 257110a-257111d 115->120 133 25711b5-25711b8 117->133 134 2571178-25711a8 call 257056c 117->134 119->113 122 2570de4-2570e0c call 2570560 119->122 120->107 127 2570e12-2570e20 122->127 128 25710f0-2571103 122->128 131 2570e22-2570e5d 127->131 132 2570e80-2570ee3 VirtualAllocEx 127->132 128->120 142 2570e66-2570e7a 131->142 143 2570e5f-2570e65 131->143 147 2570ee5-2570eeb 132->147 148 2570eec-2570f03 132->148 136 25711e0-25711ff 133->136 151 25711ad-25711af 134->151 142->132 146 25710d6-25710e9 142->146 143->142 146->128 147->148 152 25710bc-25710cf 148->152 153 2570f09-2570f1e call 257056c 148->153 151->133 156 257103a-257104d 151->156 152->146 161 2570f24-2570f4b 153->161 162 25710a2-25710b5 153->162 170 2571054-2571067 156->170 161->117 168 2570f51-2570f70 call 257056c 161->168 162->152 168->170 175 2570f76-2570f8d 168->175 178 257106e-2571081 170->178 179 2570f95-2570fa4 175->179 180 2570f8f-2570f92 175->180 189 2571088-257109b 178->189 179->113 181 2570faa-2570fba call 2570578 179->181 180->179 181->178 186 2570fc0-2570ff8 ResumeThread 181->186 187 2571001-2571016 186->187 188 2570ffa-2571000 186->188 187->189 190 2571018-2571026 187->190 188->187 189->162 190->136 191 257102c-2571035 190->191 191->136
                                  APIs
                                    • Part of subcall function 02570548: CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 02571354
                                    • Part of subcall function 02570554: Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,02570DCC), ref: 025714B3
                                    • Part of subcall function 02570560: ReadProcessMemory.KERNELBASE(?,?,?,?,00010002,?,?,?,?,?,?,02570E0A,?,00000004,?), ref: 02571571
                                  • VirtualAllocEx.KERNELBASE(?,?,00000000,00003000,00000040), ref: 02570ECF
                                  • ResumeThread.KERNELBASE(?), ref: 02570FE4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1684944629.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2570000_V9fubyadY6.jbxd
                                  Similarity
                                  • API ID: ProcessThread$AllocContextCreateMemoryReadResumeVirtualWow64
                                  • String ID:
                                  • API String ID: 2498194165-0
                                  • Opcode ID: eb43eba1f6c6f82e17eed3ff966fcf0d3988484fa069fa1c919af887167a6242
                                  • Instruction ID: 34cd5a2cd5be19c84ba3d70b159762e193de003244878e0e82ce032d76a3ca2f
                                  • Opcode Fuzzy Hash: eb43eba1f6c6f82e17eed3ff966fcf0d3988484fa069fa1c919af887167a6242
                                  • Instruction Fuzzy Hash: 68B15A71E002198FDB24CFA5D884BEEBBF6BF88304F1481A9D418EB295DB749985CF54
                                  Function 02570548 Relevance: 1.6, APIs: 1, Instructions: 140processCOMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 239 2570548-2571291 241 2571293-2571296 239->241 242 2571299-25712a0 239->242 241->242 243 25712a2-25712a8 242->243 244 25712ab-25712c1 242->244 243->244 245 25712c3-25712c9 244->245 246 25712cc-2571367 CreateProcessW 244->246 245->246 248 2571370-25713e4 246->248 249 2571369-257136f 246->249 257 25713f6-25713fd 248->257 258 25713e6-25713ec 248->258 249->248 259 2571414 257->259 260 25713ff-257140e 257->260 258->257 262 2571415 259->262 260->259 262->262
                                  APIs
                                  • CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 02571354
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1684944629.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2570000_V9fubyadY6.jbxd
                                  Similarity
                                  • API ID: CreateProcess
                                  • String ID:
                                  • API String ID: 963392458-0
                                  • Opcode ID: aa81b15cf9136660ee171c0338e223a7819f50a22008f6f198230a72f2944f1c
                                  • Instruction ID: f47286a9650ecda2b42383177e004c7d63fa2bd9051abd5918c90131501fe589
                                  • Opcode Fuzzy Hash: aa81b15cf9136660ee171c0338e223a7819f50a22008f6f198230a72f2944f1c
                                  • Instruction Fuzzy Hash: 85512771900719DFDF20CFA9D940BDEBBB6BF49304F1480AAE508A7250D7759A84CF91
                                  Function 0257120C Relevance: 1.6, APIs: 1, Instructions: 139processCOMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 263 257120c-2571291 264 2571293-2571296 263->264 265 2571299-25712a0 263->265 264->265 266 25712a2-25712a8 265->266 267 25712ab-25712c1 265->267 266->267 268 25712c3-25712c9 267->268 269 25712cc-2571367 CreateProcessW 267->269 268->269 271 2571370-25713e4 269->271 272 2571369-257136f 269->272 280 25713f6-25713fd 271->280 281 25713e6-25713ec 271->281 272->271 282 2571414 280->282 283 25713ff-257140e 280->283 281->280 285 2571415 282->285 283->282 285->285
                                  APIs
                                  • CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 02571354
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1684944629.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2570000_V9fubyadY6.jbxd
                                  Similarity
                                  • API ID: CreateProcess
                                  • String ID:
                                  • API String ID: 963392458-0
                                  • Opcode ID: af884608e62bc56317a4d92823c95a3c46cf488d45547e491debbf9ccffda125
                                  • Instruction ID: c757bb58f5f20d1ad2056f5994c5e67f33d8978fcb82ca2585be30d7f6e59eb1
                                  • Opcode Fuzzy Hash: af884608e62bc56317a4d92823c95a3c46cf488d45547e491debbf9ccffda125
                                  • Instruction Fuzzy Hash: 66515771900329DFDF20CFA9D980BDEBBB6BF49304F1480AAE508A7250D7759A88CF51
                                  Function 0257056C Relevance: 1.6, APIs: 1, Instructions: 63injectionCOMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 286 257056c-2571606 288 2571610-2571649 WriteProcessMemory 286->288 289 2571608-257160e 286->289 290 2571652-2571673 288->290 291 257164b-2571651 288->291 289->288 291->290
                                  APIs
                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?,?,?,?,00000000,00000000,?,025711AD,?,?,00000000), ref: 0257163C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1684944629.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2570000_V9fubyadY6.jbxd
                                  Similarity
                                  • API ID: MemoryProcessWrite
                                  • String ID:
                                  • API String ID: 3559483778-0
                                  • Opcode ID: 3e106264d648d1d26cbfd2ad72826dfd970df7149fece8b4fa4d720f54698bfb
                                  • Instruction ID: c0e4dbf6140880e4d78fdf061332dc8ddb75184dbabd13fa659bdf75fcbe3b34
                                  • Opcode Fuzzy Hash: 3e106264d648d1d26cbfd2ad72826dfd970df7149fece8b4fa4d720f54698bfb
                                  • Instruction Fuzzy Hash: BD2115B5900709DFCB10DF9AD884BDEBBF4FB08310F54842AE958A7250D378A944CFA4
                                  Function 025715BA Relevance: 1.6, APIs: 1, Instructions: 61injectionCOMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 293 25715ba-2571606 294 2571610-2571649 WriteProcessMemory 293->294 295 2571608-257160e 293->295 296 2571652-2571673 294->296 297 257164b-2571651 294->297 295->294 297->296
                                  APIs
                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?,?,?,?,00000000,00000000,?,025711AD,?,?,00000000), ref: 0257163C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1684944629.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2570000_V9fubyadY6.jbxd
                                  Similarity
                                  • API ID: MemoryProcessWrite
                                  • String ID:
                                  • API String ID: 3559483778-0
                                  • Opcode ID: a1110ef793ad046dcd6e8e335fd958a9516a2beb0b6adcc8d5e7c4e3512cffa2
                                  • Instruction ID: be616f3c2b4321797335f3ca7cf3249748800801656d17ce8e2c49279a84cb34
                                  • Opcode Fuzzy Hash: a1110ef793ad046dcd6e8e335fd958a9516a2beb0b6adcc8d5e7c4e3512cffa2
                                  • Instruction Fuzzy Hash: 582102B5900249DFCB10CFAAD884BDEBFF4FB48314F14842AE958A7651C378A944CFA4
                                  Function 02570560 Relevance: 1.6, APIs: 1, Instructions: 58COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 299 2570560-257157e ReadProcessMemory 301 2571587-25715a8 299->301 302 2571580-2571586 299->302 302->301
                                  APIs
                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,00010002,?,?,?,?,?,?,02570E0A,?,00000004,?), ref: 02571571
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1684944629.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2570000_V9fubyadY6.jbxd
                                  Similarity
                                  • API ID: MemoryProcessRead
                                  • String ID:
                                  • API String ID: 1726664587-0
                                  • Opcode ID: c5791f9fb64a57763b533dae1f3c5d76bf15cc1432dc11d200fd15f3aff4d0f0
                                  • Instruction ID: a3fd328a5dda6beff3149f496804023689bd468bdbaa3b995328864f37846f09
                                  • Opcode Fuzzy Hash: c5791f9fb64a57763b533dae1f3c5d76bf15cc1432dc11d200fd15f3aff4d0f0
                                  • Instruction Fuzzy Hash: 8421E2B59007599FCB10DF9AD884BDEBBF4FB08360F10842AE958A7250D374A944CFA5
                                  Function 02570554 Relevance: 1.6, APIs: 1, Instructions: 57threadCOMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 304 2570554-2571488 306 2571494-25714c0 Wow64SetThreadContext 304->306 307 257148a-2571492 304->307 308 25714c2-25714c8 306->308 309 25714c9-25714ea 306->309 307->306 308->309
                                  APIs
                                  • Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,02570DCC), ref: 025714B3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1684944629.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2570000_V9fubyadY6.jbxd
                                  Similarity
                                  • API ID: ContextThreadWow64
                                  • String ID:
                                  • API String ID: 983334009-0
                                  • Opcode ID: d88ed9557d76ba55689bc6b8d8861de59f26e8f3fd8ebd1c2ba50f14cc5048fd
                                  • Instruction ID: 862848e60cc019e696d98fa37b0e6bc877746ee4d2091648800dd00fab0baec3
                                  • Opcode Fuzzy Hash: d88ed9557d76ba55689bc6b8d8861de59f26e8f3fd8ebd1c2ba50f14cc5048fd
                                  • Instruction Fuzzy Hash: 961112B5D006498FCB20DF9AD944BDEBBF5FB88320F14C469E458A7240D378A544CFA5
                                  Function 02570578 Relevance: 1.6, APIs: 1, Instructions: 57threadCOMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 311 2570578-2571488 313 2571494-25714c0 Wow64SetThreadContext 311->313 314 257148a-2571492 311->314 315 25714c2-25714c8 313->315 316 25714c9-25714ea 313->316 314->313 315->316
                                  APIs
                                  • Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,02570DCC), ref: 025714B3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1684944629.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2570000_V9fubyadY6.jbxd
                                  Similarity
                                  • API ID: ContextThreadWow64
                                  • String ID:
                                  • API String ID: 983334009-0
                                  • Opcode ID: 94391badd7f33e6dc1bc1ebd6e6e8a425a85f4571fea1f737f96d627b9c0eb44
                                  • Instruction ID: 6d4a4dd61359dc8a0ce00528fbd7bbcdf957df645cb88137ae50cd6a7114a4e0
                                  • Opcode Fuzzy Hash: 94391badd7f33e6dc1bc1ebd6e6e8a425a85f4571fea1f737f96d627b9c0eb44
                                  • Instruction Fuzzy Hash: 081112B59006498FCB20DF9AD944BDEBBF5FB88324F14C469E458A7240D378A944CFA5
                                  Function 025714F8 Relevance: 1.6, APIs: 1, Instructions: 57COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 318 25714f8-257157e ReadProcessMemory 319 2571587-25715a8 318->319 320 2571580-2571586 318->320 320->319
                                  APIs
                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,00010002,?,?,?,?,?,?,02570E0A,?,00000004,?), ref: 02571571
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1684944629.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2570000_V9fubyadY6.jbxd
                                  Similarity
                                  • API ID: MemoryProcessRead
                                  • String ID:
                                  • API String ID: 1726664587-0
                                  • Opcode ID: 6b3da5e48286af1893229cf1362b67ab1db42dc08b52a9d20c2af1981c502ad8
                                  • Instruction ID: 07afc384ace23b234b6263f8b16b724edf82836f21ace04612b59e13b0bf9fc7
                                  • Opcode Fuzzy Hash: 6b3da5e48286af1893229cf1362b67ab1db42dc08b52a9d20c2af1981c502ad8
                                  • Instruction Fuzzy Hash: CF21E3B5C012599FCB10CFAAD984ADEFBF4FB48314F10856AE958A7250C378A944CFA5
                                  Function 02571442 Relevance: 1.6, APIs: 1, Instructions: 55threadCOMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 322 2571442-2571488 323 2571494-25714c0 Wow64SetThreadContext 322->323 324 257148a-2571492 322->324 325 25714c2-25714c8 323->325 326 25714c9-25714ea 323->326 324->323 325->326
                                  APIs
                                  • Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,02570DCC), ref: 025714B3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1684944629.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2570000_V9fubyadY6.jbxd
                                  Similarity
                                  • API ID: ContextThreadWow64
                                  • String ID:
                                  • API String ID: 983334009-0
                                  • Opcode ID: c1a42a26f87dc4f1af4699c7f4062c7a9037d5b023c285119ed3a1d605ec0084
                                  • Instruction ID: bbb3c91a1420dd18846b80b5d4aacd2fec7d8042f3a50afdc7a7e08223cd74f0
                                  • Opcode Fuzzy Hash: c1a42a26f87dc4f1af4699c7f4062c7a9037d5b023c285119ed3a1d605ec0084
                                  • Instruction Fuzzy Hash: 991144B59002498FCB10CFAAD844BEEBFF5BB88224F14C069D458A3210D3389545CFA4

                                  Execution Graph

                                  Execution Coverage:9.7%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:0%
                                  Total number of Nodes:111
                                  Total number of Limit Nodes:11
                                  execution_graph 21343 2c84668 21344 2c84676 21343->21344 21349 2c86de0 21344->21349 21347 2c84704 21350 2c86e05 21349->21350 21358 2c86edf 21350->21358 21362 2c86ef0 21350->21362 21351 2c846e9 21354 2c8421c 21351->21354 21355 2c84227 21354->21355 21370 2c88560 21355->21370 21357 2c88806 21357->21347 21360 2c86f17 21358->21360 21359 2c86ff4 21359->21359 21360->21359 21366 2c86414 21360->21366 21363 2c86f17 21362->21363 21364 2c86ff4 21363->21364 21365 2c86414 CreateActCtxA 21363->21365 21364->21364 21365->21364 21367 2c87370 CreateActCtxA 21366->21367 21369 2c87433 21367->21369 21371 2c8856b 21370->21371 21374 2c88580 21371->21374 21373 2c888dd 21373->21357 21375 2c8858b 21374->21375 21378 2c885b0 21375->21378 21377 2c889ba 21377->21373 21379 2c885bb 21378->21379 21382 2c885e0 21379->21382 21381 2c88aad 21381->21377 21383 2c885eb 21382->21383 21385 2c89e93 21383->21385 21389 2c8bed1 21383->21389 21384 2c89ed1 21384->21381 21385->21384 21395 2c8df70 21385->21395 21400 2c8df60 21385->21400 21390 2c8beda 21389->21390 21392 2c8be91 21389->21392 21405 2c8bef8 21390->21405 21409 2c8bf08 21390->21409 21391 2c8bee6 21391->21385 21392->21385 21396 2c8df91 21395->21396 21397 2c8dfb5 21396->21397 21444 2c8e110 21396->21444 21448 2c8e120 21396->21448 21397->21384 21401 2c8df91 21400->21401 21402 2c8dfb5 21401->21402 21403 2c8e110 5 API calls 21401->21403 21404 2c8e120 5 API calls 21401->21404 21402->21384 21403->21402 21404->21402 21413 2c8bff0 21405->21413 21423 2c8c000 21405->21423 21406 2c8bf17 21406->21391 21410 2c8bf17 21409->21410 21411 2c8c000 2 API calls 21409->21411 21412 2c8bff0 2 API calls 21409->21412 21410->21391 21411->21410 21412->21410 21414 2c8c011 21413->21414 21417 2c8c034 21413->21417 21433 2c8af60 21414->21433 21417->21406 21418 2c8c02c 21418->21417 21419 2c8c238 GetModuleHandleW 21418->21419 21420 2c8c265 21419->21420 21420->21406 21424 2c8c011 21423->21424 21428 2c8c034 21423->21428 21425 2c8af60 GetModuleHandleW 21424->21425 21426 2c8c01c 21425->21426 21426->21428 21431 2c8c698 GetModuleHandleW 21426->21431 21432 2c8c689 GetModuleHandleW 21426->21432 21427 2c8c02c 21427->21428 21429 2c8c238 GetModuleHandleW 21427->21429 21428->21406 21430 2c8c265 21429->21430 21430->21406 21431->21427 21432->21427 21434 2c8c1f0 GetModuleHandleW 21433->21434 21436 2c8c01c 21434->21436 21436->21417 21437 2c8c689 21436->21437 21441 2c8c698 21436->21441 21438 2c8c698 21437->21438 21439 2c8af60 GetModuleHandleW 21438->21439 21440 2c8c6ac 21439->21440 21440->21418 21442 2c8af60 GetModuleHandleW 21441->21442 21443 2c8c6ac 21442->21443 21443->21418 21445 2c8e120 21444->21445 21446 2c8e166 21445->21446 21452 2c8c464 21445->21452 21446->21397 21449 2c8e12d 21448->21449 21450 2c8e166 21449->21450 21451 2c8c464 5 API calls 21449->21451 21450->21397 21451->21450 21453 2c8c46f 21452->21453 21455 2c8e1d8 21453->21455 21456 2c8c498 21453->21456 21455->21455 21457 2c8c4a3 21456->21457 21458 2c885e0 5 API calls 21457->21458 21459 2c8e247 21458->21459 21460 2c8e256 21459->21460 21463 2c8e2b0 21459->21463 21467 2c8e2c0 21459->21467 21460->21455 21465 2c8e2c0 21463->21465 21464 2c8e3bf 21465->21464 21466 2c8e3ba KiUserCallbackDispatcher 21465->21466 21466->21464 21468 2c8e2ee 21467->21468 21469 2c8e3ba KiUserCallbackDispatcher 21468->21469 21470 2c8e3bf 21468->21470 21469->21470 21471 2c86540 21472 2c86586 21471->21472 21476 2c8670f 21472->21476 21480 2c86720 21472->21480 21473 2c86673 21477 2c86713 21476->21477 21484 2c8611c 21477->21484 21481 2c8673a 21480->21481 21482 2c8611c DuplicateHandle 21481->21482 21483 2c8674e 21482->21483 21483->21473 21485 2c86788 DuplicateHandle 21484->21485 21486 2c8674e 21485->21486 21486->21473

                                  Executed Functions

                                  Function 0796A620 Relevance: 3.2, Strings: 2, Instructions: 713COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 619 796a620-796a63c 620 796a6c6-796a71f 619->620 621 796a642-796a64f 619->621 638 796a725-796a72b 620->638 639 796a7e0-796a841 620->639 624 796a666-796a672 621->624 625 796a651-796a65c 621->625 630 796a674-796a698 624->630 631 796a69a 624->631 771 796a65f call 796a040 625->771 772 796a65f call 7969f91 625->772 773 796a65f call 7969f98 625->773 628 796a661-796a664 632 796a6a3-796a6b2 628->632 630->631 630->632 631->632 635 796a6ba-796a6c3 632->635 640 796a755-796a766 638->640 641 796a72d-796a730 638->641 658 796a843-796a86a 639->658 659 796a86b-796a8b9 639->659 647 796a76e-796a772 640->647 648 796a768 640->648 642 796a732-796a754 641->642 643 796a7ab-796a7d9 641->643 643->639 650 796a77a-796a7aa 647->650 648->650 651 796a76a-796a76c 648->651 651->647 651->650 664 796a8bb-796a8c4 call 796a4c8 659->664 665 796a8c9-796a8cd 659->665 664->665 667 796a8e3-796a8f4 665->667 668 796a8cf-796a8de 665->668 670 796adf2-796ae12 667->670 671 796a8fa-796a90f 667->671 669 796ac78-796ac7f 668->669 678 796ae14-796ae18 670->678 679 796ae2b-796ae76 670->679 672 796a911-796a916 671->672 673 796a91b-796a92e 671->673 672->669 674 796a934-796a940 673->674 675 796ac80-796ac9e 673->675 674->670 677 796a946-796a97d 674->677 686 796aca5-796acc3 675->686 682 796a97f-796a984 677->682 683 796a989-796a98d 677->683 680 796ae1a-796ae25 678->680 681 796ae28-796ae2a 678->681 710 796ae85-796ae8a 679->710 711 796ae78-796ae84 679->711 680->681 682->669 683->686 687 796a993-796a99f 683->687 696 796acca-796ace8 686->696 687->670 690 796a9a5-796a9dc 687->690 693 796a9de-796a9e3 690->693 694 796a9e8-796a9ec 690->694 693->669 695 796a9f2-796a9fe 694->695 694->696 695->670 698 796aa04-796aa3b 695->698 705 796acef-796ad0d 696->705 701 796aa47-796aa4b 698->701 702 796aa3d-796aa42 698->702 704 796aa51-796aa5d 701->704 701->705 702->669 704->670 709 796aa63-796aa9a 704->709 719 796ad14-796ad32 705->719 714 796aaa6-796aaaa 709->714 715 796aa9c-796aaa1 709->715 712 796ae8c-796ae8f 710->712 713 796aec8-796aecc 710->713 718 796aebd-796aec6 712->718 714->719 720 796aab0-796aabc 714->720 715->669 718->713 724 796ae91-796aea5 718->724 731 796ad39-796ad57 719->731 720->670 723 796aac2-796aaf9 720->723 725 796ab05-796ab09 723->725 726 796aafb-796ab00 723->726 733 796aea7-796aebb call 7962340 724->733 734 796aebc 724->734 730 796ab0f-796ab1b 725->730 725->731 726->669 730->670 735 796ab21-796ab58 730->735 740 796ad5e-796ad7c 731->740 734->718 738 796ab64-796ab68 735->738 739 796ab5a-796ab5f 735->739 738->740 741 796ab6e-796ab7a 738->741 739->669 749 796ad83-796ada1 740->749 741->670 744 796ab80-796abb7 741->744 746 796abc3-796abc7 744->746 747 796abb9-796abbe 744->747 746->749 750 796abcd-796abd9 746->750 747->669 758 796ada8-796adc6 749->758 750->670 753 796abdf-796ac16 750->753 755 796ac1f-796ac23 753->755 756 796ac18-796ac1d 753->756 755->758 759 796ac29-796ac32 755->759 756->669 763 796adcd-796adeb 758->763 759->670 761 796ac38-796ac6d 759->761 762 796ac73 761->762 761->763 762->669 763->670 771->628 772->628 773->628
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (bq$(bq
                                  • API String ID: 0-4224401849
                                  • Opcode ID: 28cda4639961f6be0233194b4353492c015b413a1f4d0a81d07028743f4473be
                                  • Instruction ID: b30aad4a99b8cd7211fccf2a57f83435f8ba334606787bce21ad7623cf4a7759
                                  • Opcode Fuzzy Hash: 28cda4639961f6be0233194b4353492c015b413a1f4d0a81d07028743f4473be
                                  • Instruction Fuzzy Hash: 51427DB4B006168FCB19DF69C49866EFBF2FF88304F148669D55AA7781DB34E901CB90
                                  Function 07968640 Relevance: 9.2, Strings: 7, Instructions: 404COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 272 7968640-796864e 273 7968654-796865a 272->273 274 796891e-7968943 272->274 275 7968660-7968662 273->275 276 7968748-796874b 273->276 283 796894a-7968952 274->283 279 79687ed-79687f1 275->279 280 7968668-796866b 275->280 277 7968776-7968782 276->277 278 796874d-7968750 276->278 287 79687b4-79687cf call 7968608 277->287 288 7968784-7968788 277->288 282 7968756-7968771 call 7968120 278->282 278->283 284 79687f3-7968804 call 7968120 279->284 285 7968809-7968815 279->285 280->283 286 7968671-796867d 280->286 310 7968918-796891d 282->310 306 7968959-7968976 283->306 284->310 295 7968847-796885a 285->295 296 7968817-796881b 285->296 291 79686a3-79686ae 286->291 292 796867f-7968683 286->292 287->310 293 79687a0-79687ab 288->293 294 796878a-796879e 288->294 305 79686b4-79686c3 291->305 291->306 301 79687d4-79687e8 292->301 302 7968689-796869d 292->302 293->287 294->287 294->293 295->306 308 7968860-7968874 295->308 303 7968833-796883e 296->303 304 796881d-7968831 296->304 301->291 302->291 302->301 303->295 304->295 304->303 305->306 314 79686c9-79686d8 305->314 323 7968988-79689dc 306->323 324 7968978-7968987 306->324 308->306 309 796887a-796888e 308->309 309->306 315 7968894-79688a8 309->315 314->306 320 79686de-79686ed 314->320 315->306 322 79688ae-79688c2 315->322 320->306 325 79686f3-79686fc 320->325 322->306 326 79688c8-79688d1 322->326 344 79689e2-79689e4 323->344 345 7968aba-7968adf 323->345 325->306 327 7968702-796870c 325->327 326->306 328 79688d7-79688e1 326->328 327->306 331 7968712-796871c 327->331 328->306 333 79688e3-79688ed 328->333 331->306 332 7968722-796872c 331->332 332->306 335 7968732-7968743 call 7968608 332->335 333->306 336 79688ef-79688f9 333->336 335->310 336->306 338 79688fb-7968905 336->338 338->306 341 7968907-796890e 338->341 341->310 342 7968913 call 7968608 341->342 342->310 346 7968ae6-7968b0b 344->346 347 79689ea-79689f1 344->347 345->346 361 7968b12-7968b36 346->361 349 79689f7 347->349 350 7968aab-7968ab3 347->350 349->350 351 7968a40-7968a43 349->351 352 79689fe-7968a01 349->352 353 7968a4b-7968a5d call 7968120 349->353 350->345 356 7968b3d-7968b73 351->356 357 7968a49 351->357 360 7968a07-7968a12 352->360 352->361 367 7968a67-7968a6b 353->367 368 7968a5f-7968a64 353->368 357->360 362 7968a14-7968a16 360->362 363 7968a1e-7968a3d call 7968608 360->363 361->356 362->363 367->360 373 7968a6d-7968a73 367->373 373->360 376 7968a75-7968aa8 373->376
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (bq$(bq$(bq$(bq$(bq$Hbq$Hbq
                                  • API String ID: 0-2847128760
                                  • Opcode ID: d990f7513f6922da4058d48f1e6763b4bcecc3cba13ef56751aa0ae60e1c2f58
                                  • Instruction ID: bab0459261d8c3c338b9be905cb1f68eb28dd4f5656731942bbe249c38483e47
                                  • Opcode Fuzzy Hash: d990f7513f6922da4058d48f1e6763b4bcecc3cba13ef56751aa0ae60e1c2f58
                                  • Instruction Fuzzy Hash: BAE1E4707006068FC714CF68D898A2EBBE6FF85319B548B19D48ADB746DB34F841CB96
                                  Function 07967E80 Relevance: 4.3, Strings: 3, Instructions: 504COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 384 7967e80-7967e92 385 7967f85-7967faa 384->385 386 7967e98-7967e9c 384->386 388 7967fb1-7968085 385->388 387 7967ea2-7967ea6 386->387 386->388 390 796808c-79680b0 387->390 391 7967eac-7967eb1 387->391 388->390 407 79680b7-7968136 390->407 392 7967eb3-7967edc 391->392 393 7967edf-7967ee2 391->393 397 7967ee4-7967ee8 393->397 398 7967f0e-7967f7e 393->398 401 7967efa-7967f0b 397->401 402 7967eea-7967eee 397->402 398->385 402->401 406 7967ef0-7967ef4 402->406 406->401 406->407 432 7968168-796816a 407->432 433 7968138-796813c 407->433 437 796816d-7968186 432->437 435 7968154-796815f 433->435 436 796813e-7968152 433->436 435->432 436->432 436->435 438 79681cf-7968202 437->438 439 7968188-7968198 437->439 445 7968204-7968208 438->445 446 7968248-796826d 438->446 439->437 442 796819a-79681a4 439->442 442->438 444 79681a6-79681ce 442->444 448 7968274-79682c0 445->448 449 796820a-7968221 445->449 446->448 463 79682c6-79682d0 448->463 464 7968420-7968445 448->464 457 7968227-7968233 449->457 461 796823e-7968245 457->461 465 79682d2 463->465 466 79682da-79682de 463->466 468 796844c-7968470 464->468 465->466 467 79682e4-79682ec 466->467 466->468 470 79682f2 467->470 471 7968411-7968419 467->471 480 7968477-7968489 468->480 470->471 472 7968395-796839b 470->472 473 796831b-7968330 470->473 474 79682f9-7968318 470->474 471->464 472->480 481 79683a1-79683af 472->481 477 7968332-7968336 473->477 478 7968361-7968392 473->478 483 7968350-7968359 477->483 484 7968338-796834e 477->484 486 79683e0-796840e 481->486 487 79683b1-79683b5 481->487 483->478 484->478 484->483 489 79683b7-79683cd 487->489 490 79683cf-79683d8 487->490 489->486 489->490 490->486
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (bq$(bq$(bq
                                  • API String ID: 0-2716923250
                                  • Opcode ID: d4345dd9c5a52b77e2f9aac24ee84aa852232f6a8ee688f85439d5bbf9c77fec
                                  • Instruction ID: 5da0a54c8a27e5a695dee6dfe7930bade556383b00c356cc686b107284b9f532
                                  • Opcode Fuzzy Hash: d4345dd9c5a52b77e2f9aac24ee84aa852232f6a8ee688f85439d5bbf9c77fec
                                  • Instruction Fuzzy Hash: 6702CFB0B006158FCB58DF68C554A6EBBF2FF88314B10866DD54ADB781DA34ED02CB95
                                  Function 079613D8 Relevance: 4.1, Strings: 3, Instructions: 370COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 496 79613d8-79613e8 497 7961501-7961526 496->497 498 79613ee-79613f2 496->498 499 796152d-7961552 497->499 498->499 500 79613f8-7961401 498->500 502 7961559-796158f 499->502 501 7961407-796142e 500->501 500->502 512 79614f6-7961500 501->512 513 7961434-7961436 501->513 518 7961596-79615f5 502->518 515 7961457-7961459 513->515 516 7961438-796143b 513->516 520 796145c-7961460 515->520 516->518 519 7961441-796144b 516->519 536 79615f7-796160b 518->536 537 7961619-7961630 518->537 519->518 521 7961451-7961455 519->521 523 7961462-7961471 520->523 524 79614c1-79614cd 520->524 521->515 521->520 523->518 530 7961477-79614be 523->530 524->518 525 79614d3-79614f0 524->525 525->512 525->513 530->524 594 796160e call 7961bd0 536->594 595 796160e call 7961be0 536->595 596 796160e call 7961b00 536->596 546 7961636-796171b call 7960910 537->546 547 7961720-7961730 537->547 542 7961614 544 7961842-796184d 542->544 551 796184f-796185f 544->551 552 796187c-796189d 544->552 546->547 553 7961736-796180f call 7960910 547->553 554 796181d-7961839 547->554 561 7961861-7961867 551->561 562 796186f-7961875 551->562 591 7961811 553->591 592 796181a 553->592 554->544 561->562 562->552 591->592 592->554 594->542 595->542 596->542
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (bq$(bq$Hbq
                                  • API String ID: 0-2835675688
                                  • Opcode ID: aa5780f7699b65dbf7d70453da84479189138d50ee6f4cd4d1fd44f8ba7c1606
                                  • Instruction ID: 9326c414bb3136e307af4c9f26a7dd730bf9798197aceafc83c2c55e703777b1
                                  • Opcode Fuzzy Hash: aa5780f7699b65dbf7d70453da84479189138d50ee6f4cd4d1fd44f8ba7c1606
                                  • Instruction Fuzzy Hash: 7AE12E74A00209DFCB44EF64D4949AEBBB2FFC9310F108569E906AB365DB34ED46CB91
                                  Function 07966850 Relevance: 2.8, Strings: 2, Instructions: 313COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 774 7966850-7966858 775 79667da-79667fc 774->775 776 796685a-79668ac 774->776 782 7966821-796682a 775->782 783 79667fe-796681f 775->783 788 79668b5-79668c0 776->788 783->782 789 79668c8-7966901 788->789 793 7966903-7966908 789->793 794 796690a-796694c 789->794 795 796694f-7966959 793->795 794->795 797 7966a55-7966b3a 795->797 798 796695f-7966a4d 795->798 836 7966b7e-7966be9 797->836 837 7966b3c-7966b71 797->837 798->797 851 7966bf4 836->851 852 7966beb 836->852 837->836 848 7966b73-7966b76 837->848 848->836 853 7966bf5 851->853 852->851 853->853
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 4'^q$4'^q
                                  • API String ID: 0-2697143702
                                  • Opcode ID: 4b58098fcd4e527728227ec5b9c4ebebdcb12107c214ec0c79f9db9f6c274e00
                                  • Instruction ID: 04ae99e0314972653ce63bc09db17da2f4933923de31dc634ed5166d3817fbbf
                                  • Opcode Fuzzy Hash: 4b58098fcd4e527728227ec5b9c4ebebdcb12107c214ec0c79f9db9f6c274e00
                                  • Instruction Fuzzy Hash: 23D1FA75B00118CFC744EFA8C994AAEB7B6FF89304F104169E516AB3A5DB71EC42CB50
                                  Function 07966860 Relevance: 2.8, Strings: 2, Instructions: 295COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 854 7966860-79668c0 859 79668c8-7966901 854->859 863 7966903-7966908 859->863 864 796690a-796694c 859->864 865 796694f-7966959 863->865 864->865 867 7966a55-7966b3a 865->867 868 796695f-7966a4d 865->868 906 7966b7e-7966be9 867->906 907 7966b3c-7966b71 867->907 868->867 921 7966bf4 906->921 922 7966beb 906->922 907->906 918 7966b73-7966b76 907->918 918->906 923 7966bf5 921->923 922->921 923->923
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 4'^q$4'^q
                                  • API String ID: 0-2697143702
                                  • Opcode ID: 463f8b7ef8ab63297f1a856accf61a91cb14e0e8f94a2630c4aa783ea261d11e
                                  • Instruction ID: 1cf6aa31127ba9d382865a5db092481fcc4ada287be0649c5ea42d12363ade29
                                  • Opcode Fuzzy Hash: 463f8b7ef8ab63297f1a856accf61a91cb14e0e8f94a2630c4aa783ea261d11e
                                  • Instruction Fuzzy Hash: 72C1B875A00218CFCB48DFA8C994AADB7B6FF89304F105169E516AB3A5DB71EC42CF50
                                  Function 07966328 Relevance: 2.7, Strings: 2, Instructions: 208COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 924 7966328-7966351 926 7966357-796635d 924->926 927 7966353 924->927 929 7966363-7966369 926->929 930 796635f 926->930 927->926 932 796636f-7966375 929->932 933 796636b-796636d 929->933 930->929 934 7966377-796637a 932->934 935 796637c-7966380 932->935 933->932 934->935 936 7966386-7966389 934->936 935->936 937 7966474-7966498 935->937 938 7966395-796639c 936->938 939 796638b-796638e 936->939 948 796649f-79664c3 937->948 942 79663a3-79663a7 938->942 939->938 941 7966390-7966393 939->941 941->938 943 796639e-79663a0 941->943 944 79663b4-79663bc 942->944 945 79663a9-79663ab 942->945 943->942 949 79663c2-79663d0 944->949 950 79663be 944->950 947 79663b1 945->947 945->948 947->944 955 79664ca-79664ef 948->955 954 79663d6-79663e2 949->954 949->955 950->949 960 79664f6-796652c 954->960 961 79663e8-7966407 954->961 955->960 974 7966533-7966581 960->974 970 796646a-7966471 961->970 971 7966409-7966419 961->971 975 7966421-796642f 971->975 990 7966583-7966589 974->990 991 79665c8-79665d6 974->991 978 7966431-7966441 975->978 979 7966458-7966464 975->979 978->979 984 7966443-7966452 978->984 979->970 979->974 984->979 987 7966454 984->987 987->979 992 79665d0-79665d6 990->992 993 796658b-7966595 990->993 993->991
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (bq$Hbq
                                  • API String ID: 0-4081012451
                                  • Opcode ID: 756752be6f4516942cdf9c88191a26704c56846221496be3bfcee56b5602fe3d
                                  • Instruction ID: 657019e2211016db003b2513477176cab9149bbea1b7a62892dbee472dd47de1
                                  • Opcode Fuzzy Hash: 756752be6f4516942cdf9c88191a26704c56846221496be3bfcee56b5602fe3d
                                  • Instruction Fuzzy Hash: 2761F3B07002964FCB24DF39C81866F7BE6AF85318F14466DE546CB392DE38ED058B91
                                  Function 07966178 Relevance: 2.7, Strings: 2, Instructions: 167COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 995 7966178-796618d 997 79661f1-7966253 995->997 998 796618f-796619f 995->998 1011 7966255-7966278 997->1011 1012 79662cf-79662fe 997->1012 1001 79661a1-79661ad 998->1001 1002 79661d8-79661f0 998->1002 1007 79661ce-79661d7 1001->1007 1008 79661af-79661cd 1001->1008 1011->1012 1016 796627a-79662cc 1011->1016 1020 7966300 call 7966318 1012->1020 1021 7966300 call 7966328 1012->1021 1017 7966306-796630f 1020->1017 1021->1017
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (bq$,bq
                                  • API String ID: 0-1616511919
                                  • Opcode ID: 4351de8ce2001d9838df92d372c7b5bdecde753a4ec1e2c52a2878dc48c494ef
                                  • Instruction ID: 530c309d5b40c0abf7f855143de92bdbd7dd9cd8b0b5b6bba68096c44683d3d7
                                  • Opcode Fuzzy Hash: 4351de8ce2001d9838df92d372c7b5bdecde753a4ec1e2c52a2878dc48c494ef
                                  • Instruction Fuzzy Hash: 7F41E2727000596FCF029EAA9C508FFBFEEEF88210B04407AFA15D3241DA39D9159BA0
                                  Function 02C8C000 Relevance: 1.7, APIs: 1, Instructions: 195COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1022 2c8c000-2c8c00f 1023 2c8c03b-2c8c03f 1022->1023 1024 2c8c011-2c8c01e call 2c8af60 1022->1024 1025 2c8c041-2c8c04b 1023->1025 1026 2c8c053-2c8c094 1023->1026 1031 2c8c020 1024->1031 1032 2c8c034 1024->1032 1025->1026 1033 2c8c0a1-2c8c0af 1026->1033 1034 2c8c096-2c8c09e 1026->1034 1077 2c8c026 call 2c8c698 1031->1077 1078 2c8c026 call 2c8c689 1031->1078 1032->1023 1035 2c8c0b1-2c8c0b6 1033->1035 1036 2c8c0d3-2c8c0d5 1033->1036 1034->1033 1039 2c8c0b8-2c8c0bf call 2c8af6c 1035->1039 1040 2c8c0c1 1035->1040 1038 2c8c0d8-2c8c0df 1036->1038 1037 2c8c02c-2c8c02e 1037->1032 1041 2c8c170-2c8c230 1037->1041 1042 2c8c0ec-2c8c0f3 1038->1042 1043 2c8c0e1-2c8c0e9 1038->1043 1045 2c8c0c3-2c8c0d1 1039->1045 1040->1045 1072 2c8c238-2c8c263 GetModuleHandleW 1041->1072 1073 2c8c232-2c8c235 1041->1073 1046 2c8c100-2c8c109 call 2c8af7c 1042->1046 1047 2c8c0f5-2c8c0fd 1042->1047 1043->1042 1045->1038 1053 2c8c10b-2c8c113 1046->1053 1054 2c8c116-2c8c11b 1046->1054 1047->1046 1053->1054 1055 2c8c139-2c8c146 1054->1055 1056 2c8c11d-2c8c124 1054->1056 1062 2c8c148-2c8c166 1055->1062 1063 2c8c169-2c8c16f 1055->1063 1056->1055 1058 2c8c126-2c8c136 call 2c8af8c call 2c8af9c 1056->1058 1058->1055 1062->1063 1074 2c8c26c-2c8c280 1072->1074 1075 2c8c265-2c8c26b 1072->1075 1073->1072 1075->1074 1077->1037 1078->1037
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2935312558.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_2c80000_RegAsm.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: 8fc6862f9063f53d2b79181ae716e546c38a4d9dc66aca110bfecdd07f847492
                                  • Instruction ID: 35dbba27a572670587f2b44309d4a242b0651c5968045a0c5ced537c5d80ad85
                                  • Opcode Fuzzy Hash: 8fc6862f9063f53d2b79181ae716e546c38a4d9dc66aca110bfecdd07f847492
                                  • Instruction Fuzzy Hash: F07149B0A00B058FD728EF69D58475ABBF1FF88348F00892ED096D7A50D775EA45CBA1
                                  Function 02C87364 Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1079 2c87364-2c8736c 1080 2c87370-2c87431 CreateActCtxA 1079->1080 1082 2c8743a-2c87494 1080->1082 1083 2c87433-2c87439 1080->1083 1090 2c874a3-2c874a7 1082->1090 1091 2c87496-2c87499 1082->1091 1083->1082 1092 2c874b8 1090->1092 1093 2c874a9-2c874b5 1090->1093 1091->1090 1095 2c874b9 1092->1095 1093->1092 1095->1095
                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 02C87421
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2935312558.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_2c80000_RegAsm.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  • Opcode ID: 489f5f209b4364c3062251bf0e0c72f8b75d3dd6a0857e671823eca0a2da0ff3
                                  • Instruction ID: 24f0d1e404ee9a6f555bd67a732f87386c788118337339e0a487cbef059f145b
                                  • Opcode Fuzzy Hash: 489f5f209b4364c3062251bf0e0c72f8b75d3dd6a0857e671823eca0a2da0ff3
                                  • Instruction Fuzzy Hash: 4E41F3B5C00619DFDB24DFA9C844B9EFBB5BF84308F24806AD408AB255EB756949CF90
                                  Function 02C86414 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1096 2c86414-2c87431 CreateActCtxA 1099 2c8743a-2c87494 1096->1099 1100 2c87433-2c87439 1096->1100 1107 2c874a3-2c874a7 1099->1107 1108 2c87496-2c87499 1099->1108 1100->1099 1109 2c874b8 1107->1109 1110 2c874a9-2c874b5 1107->1110 1108->1107 1112 2c874b9 1109->1112 1110->1109 1112->1112
                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 02C87421
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2935312558.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_2c80000_RegAsm.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  • Opcode ID: 09c6d222db5f253ee2d9be060c3895b64f7272724bd0ec9067f4b6ded21690e9
                                  • Instruction ID: 43c439dca4a94bbe617985ca44ffdb74bdbfdcb64d41ec89fbb6a48145543773
                                  • Opcode Fuzzy Hash: 09c6d222db5f253ee2d9be060c3895b64f7272724bd0ec9067f4b6ded21690e9
                                  • Instruction Fuzzy Hash: 9541E3B4C00619DFDB24DFA9C844B9EFBB5BF84308F24806AD408AB255EB756949CF90
                                  Function 02C86780 Relevance: 1.6, APIs: 1, Instructions: 67COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1113 2c86780-2c86783 1115 2c86788-2c8681c DuplicateHandle 1113->1115 1116 2c8681e-2c86824 1115->1116 1117 2c86825-2c86842 1115->1117 1116->1117
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02C8674E,?,?,?,?,?), ref: 02C8680F
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2935312558.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_2c80000_RegAsm.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: 7b8c8045706edc979090a5e350897fbb26da7676ed003417b147ef463c083e94
                                  • Instruction ID: 14d8b577893c9155aa9c2373178be6e8250b9828505728bff84cb3d27fdd46c2
                                  • Opcode Fuzzy Hash: 7b8c8045706edc979090a5e350897fbb26da7676ed003417b147ef463c083e94
                                  • Instruction Fuzzy Hash: 1921F6B5D00208DFDB10CFAAD984ADEBBF8EF48324F14841AE914A3310D374A944CFA5
                                  Function 02C8611C Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1120 2c8611c-2c8681c DuplicateHandle 1122 2c8681e-2c86824 1120->1122 1123 2c86825-2c86842 1120->1123 1122->1123
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02C8674E,?,?,?,?,?), ref: 02C8680F
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2935312558.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_2c80000_RegAsm.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: 903edf6ef85b68d14dcbb129be8cf4ba41dc72e417618013c71ce91198c09dfb
                                  • Instruction ID: e87c6c961320065baed28724a1655253d6b12d50321ec043380d3f249952f00b
                                  • Opcode Fuzzy Hash: 903edf6ef85b68d14dcbb129be8cf4ba41dc72e417618013c71ce91198c09dfb
                                  • Instruction Fuzzy Hash: 4D2105B5D00208DFDB10CF9AD984ADEBFF8EB48324F14841AE918A7310D374A940CFA5
                                  Function 079655C0 Relevance: 1.6, Strings: 1, Instructions: 309COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Pl^q
                                  • API String ID: 0-2831078282
                                  • Opcode ID: 3ca00d0ae632d0a1db13c5e4c2566c27d8f66eb4f37e6a07a650303353402c50
                                  • Instruction ID: e84589cd464e6118a6c0b1bc59fec699d9883a4930a866fdf91b3777e60e0799
                                  • Opcode Fuzzy Hash: 3ca00d0ae632d0a1db13c5e4c2566c27d8f66eb4f37e6a07a650303353402c50
                                  • Instruction Fuzzy Hash: B5D1DB74F112189FCB48EFA8D994E9DBBB2BFC9700F109558E405AB3A5DB71AC42CB50
                                  Function 02C8AF60 Relevance: 1.6, APIs: 1, Instructions: 50COMMON
                                  Download Yara Rule
                                  APIs
                                  • GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,?,02C8C01C), ref: 02C8C256
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2935312558.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_2c80000_RegAsm.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: 4b787fd19967d69aafaae29f4f14bcbf761750ad5f9806fc4d147010b45f2383
                                  • Instruction ID: 33454a35533c20ddc15a48ce75debbe2359d03519ccc4a037b8642242f5097b9
                                  • Opcode Fuzzy Hash: 4b787fd19967d69aafaae29f4f14bcbf761750ad5f9806fc4d147010b45f2383
                                  • Instruction Fuzzy Hash: 431123B5D002498BCB14DF9AC844A9EFBF4AB88718F10841AD429B7250C374A645CFA5
                                  Function 07965590 Relevance: 1.5, Strings: 1, Instructions: 272COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Pl^q
                                  • API String ID: 0-2831078282
                                  • Opcode ID: 00b307bfd95d27ce80084ac98a523cb1195ab0cd5ac12ffdb7976f3709c3f892
                                  • Instruction ID: d5ea493503e7f1d5c36f963c3235832faf9c216348337738a98d1fbda2f71eaa
                                  • Opcode Fuzzy Hash: 00b307bfd95d27ce80084ac98a523cb1195ab0cd5ac12ffdb7976f3709c3f892
                                  • Instruction Fuzzy Hash: 75B13D74B112189FCB48EFA8D894EADBBB2BFC9304F114159E405AB3A5CB71EC42CB50
                                  Function 079655B2 Relevance: 1.5, Strings: 1, Instructions: 265COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Pl^q
                                  • API String ID: 0-2831078282
                                  • Opcode ID: 5481c1a04d1d587c90da3017b932faad4c10ce5c40c6304db0a92fd078d598e1
                                  • Instruction ID: 0604edb3c1d7a16a5704e0e3568f39e62c10bcbeba55faa329e3b8242a30d14d
                                  • Opcode Fuzzy Hash: 5481c1a04d1d587c90da3017b932faad4c10ce5c40c6304db0a92fd078d598e1
                                  • Instruction Fuzzy Hash: 04B10C74B112189FCB48EFA8D894E9EB7B6BFC9700F104558E405AB364DB71EC42CB50
                                  Function 07961B00 Relevance: 1.4, Strings: 1, Instructions: 158COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (bq
                                  • API String ID: 0-149360118
                                  • Opcode ID: 33ae100575a8f9b0f8a0636f780f485acbbaff66056de6ccfdb436cba4141bf8
                                  • Instruction ID: ff63618dac6d7e214245ca3ec1d831f4c5140e7b34fbd3d76f890f95c7c00b13
                                  • Opcode Fuzzy Hash: 33ae100575a8f9b0f8a0636f780f485acbbaff66056de6ccfdb436cba4141bf8
                                  • Instruction Fuzzy Hash: 1451D2323042449FCB069F68D854D6A7FB6EF89324B1580EAE209CF372CA36DC02DB51
                                  Function 07960AA8 Relevance: 1.4, Strings: 1, Instructions: 134COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 4'^q
                                  • API String ID: 0-1614139903
                                  • Opcode ID: f9cdfe7493b3ea137d70f8f04919a8802e3403e249d0a63b5e47b397b03570d0
                                  • Instruction ID: d94a1fb1c35986cfa213f84e9e11f2a5b4516b1db3ef3f43044084befa51efcb
                                  • Opcode Fuzzy Hash: f9cdfe7493b3ea137d70f8f04919a8802e3403e249d0a63b5e47b397b03570d0
                                  • Instruction Fuzzy Hash: 9B417830B106148FCB49EB68D894AAEB7B7EFC9700F505529E402EB3A4DF749D46CB91
                                  Function 07966318 Relevance: 1.4, Strings: 1, Instructions: 122COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: N
                                  • API String ID: 0-1130791706
                                  • Opcode ID: d39c495e362770cb7a387b4ceb821ba787c82ab0c4cf333bc3128b3e07abccac
                                  • Instruction ID: 2de5cce6fc57d275ed9e13ba931367c8e19f2c6cd4ed431e41c9ae7e267a8c53
                                  • Opcode Fuzzy Hash: d39c495e362770cb7a387b4ceb821ba787c82ab0c4cf333bc3128b3e07abccac
                                  • Instruction Fuzzy Hash: 7041D4B06003864FDB24CF39C848B6A7FF9AF85318F084769E991CB291DB74E949CB51
                                  Function 07960A99 Relevance: 1.3, Strings: 1, Instructions: 92COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 4'^q
                                  • API String ID: 0-1614139903
                                  • Opcode ID: a9afcb1bfee8dd67da9b2ffc19b38547b348bf5e4059c414d710e38139128acd
                                  • Instruction ID: 306f14d95d6af9f70de1a5e81d1b75ef541e096f6000f4b7dd67c6a7f80008c9
                                  • Opcode Fuzzy Hash: a9afcb1bfee8dd67da9b2ffc19b38547b348bf5e4059c414d710e38139128acd
                                  • Instruction Fuzzy Hash: 8F21DB70F102184BCB496B68DC98ABEB7ABEFC5704F104529E406DB395CF749C06CB91
                                  Function 07969491 Relevance: 1.3, Strings: 1, Instructions: 27COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: xbq
                                  • API String ID: 0-73991425
                                  • Opcode ID: 1058b2eeee26cf93c2818fdac0df613e34fd8ded6e4a1f0e28ab27ad2e231dbd
                                  • Instruction ID: abc5f6f39f6c39d5b7c7a850b111fa1897d79038d65b76d078c5d9622ea95168
                                  • Opcode Fuzzy Hash: 1058b2eeee26cf93c2818fdac0df613e34fd8ded6e4a1f0e28ab27ad2e231dbd
                                  • Instruction Fuzzy Hash: 0BF0E5747001109FDB04CB18D941B69BBE1FF88328F158599E109AF362C771FC018F90
                                  Function 07963840 Relevance: .7, Instructions: 659COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 185687fd1b1aaffef12a44b496dc927556c692d0e20efdfd834eeb9e460412ac
                                  • Instruction ID: fbf9fd71235f93eae3b01746a1d049baa083ea42b02eacca5b59d8142f157fb1
                                  • Opcode Fuzzy Hash: 185687fd1b1aaffef12a44b496dc927556c692d0e20efdfd834eeb9e460412ac
                                  • Instruction Fuzzy Hash: 21424B75A00219CFCB55DF64C984E99BBB2FF89300F1186E9E509AB261CB31ED85CF90
                                  Function 07960CE8 Relevance: .4, Instructions: 437COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 54ef7e4f01c107eb579dc3355836abb8f92b49d13b0b32702bc47eb9552bfc4e
                                  • Instruction ID: 68b49a85ea9394a4da41788a2f87a370569b752233cd7690a0247bc04f473ffa
                                  • Opcode Fuzzy Hash: 54ef7e4f01c107eb579dc3355836abb8f92b49d13b0b32702bc47eb9552bfc4e
                                  • Instruction Fuzzy Hash: B1121E74A102198FCB54EF64C894B9DB7B2BF89304F5095A8D40AAB355DF70ED86CF40
                                  Function 0796A200 Relevance: .3, Instructions: 312COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 50c540b90ba0eae4d0deca2a678cd5c6e204bba1ac9096fd3b18bc014dff254d
                                  • Instruction ID: 9a7360f80a163c2c8a551284dcb12de11b7c7243e483befbde1cead3628b29c6
                                  • Opcode Fuzzy Hash: 50c540b90ba0eae4d0deca2a678cd5c6e204bba1ac9096fd3b18bc014dff254d
                                  • Instruction Fuzzy Hash: 0EC1A4B1A046518FC725CF29C48CA2ABBF2FF85314F19C65DE4869B696DB34E841CB41
                                  Function 07965A7A Relevance: .3, Instructions: 266COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fa87e44a57a2effad021c558610cdd6de1f1684bf62622f0ff9931af7ad57288
                                  • Instruction ID: bda9f67a3c0be26a572823809065a66532f39f2bf330d75e7988864c553cc43d
                                  • Opcode Fuzzy Hash: fa87e44a57a2effad021c558610cdd6de1f1684bf62622f0ff9931af7ad57288
                                  • Instruction Fuzzy Hash: 5DA17F74B006188FCB44EF68C8949AD77B2AFC9700B104668E5169B3A4DF75ED42CB81
                                  Function 07965A88 Relevance: .3, Instructions: 256COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 596df95bc4ff4b45909331c15b93b25a5d8157b84fc950dcfa2ebf8e678c7cd1
                                  • Instruction ID: f800544250cd71c37883b639f2d42c6e078be36483f2e44b84435c2bf481544a
                                  • Opcode Fuzzy Hash: 596df95bc4ff4b45909331c15b93b25a5d8157b84fc950dcfa2ebf8e678c7cd1
                                  • Instruction Fuzzy Hash: 6CA16F74B006188FCB44EF68C8A49AE77B3AFC9700F105668E5169B3A4DF75ED42CB91
                                  Function 07965A54 Relevance: .3, Instructions: 253COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4d49e35769386fb15f6cf9e2961d0922874eddaf3db960c258d8a12612064dc1
                                  • Instruction ID: dd302759cdedd3485cdd1124b22f2304896c7c33269d8c2c24245a4ab3283acd
                                  • Opcode Fuzzy Hash: 4d49e35769386fb15f6cf9e2961d0922874eddaf3db960c258d8a12612064dc1
                                  • Instruction Fuzzy Hash: F9A19E747006188FCB45EF64C8A4AAE7BB3AFC9700B105669E4129B3A4DF75ED43CB91
                                  Function 07960CD9 Relevance: .2, Instructions: 240COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 51c9c54cce83264102c12bbaa08a14a4948e3f87e69429e96b15f42f9db000cc
                                  • Instruction ID: e19367a18acf9065812125fb2a5c3afc9cc0e4e91628dd0b1a10ac1919891260
                                  • Opcode Fuzzy Hash: 51c9c54cce83264102c12bbaa08a14a4948e3f87e69429e96b15f42f9db000cc
                                  • Instruction Fuzzy Hash: CCA11B74A002198FCB54DF24C898B9DBBB2BF89304F5085A8E54AAB361DF70ED85CF40
                                  Function 07961CA8 Relevance: .2, Instructions: 230COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5e0ca37ee0c392624d191b8fd97d5d4aa9f12b2356739815671bcea5be230b92
                                  • Instruction ID: 303286c2fc64d9cf63f8728c5a711df3ca9de8a156f47ce30bd8ca6c68544c21
                                  • Opcode Fuzzy Hash: 5e0ca37ee0c392624d191b8fd97d5d4aa9f12b2356739815671bcea5be230b92
                                  • Instruction Fuzzy Hash: F8917E74B501189FCB49DF68D898AADB7B6FF89710F1041A9E506DB3A1CB30EC02CB90
                                  Function 07964A08 Relevance: .2, Instructions: 204COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6c4b9ea045829cb9b0ccc55a95282d250e1e439629a3f4a57d26917eb942926b
                                  • Instruction ID: 8494dc2521d48654a329c48fabcecdf29e5bab790c48d651868e3db31181065e
                                  • Opcode Fuzzy Hash: 6c4b9ea045829cb9b0ccc55a95282d250e1e439629a3f4a57d26917eb942926b
                                  • Instruction Fuzzy Hash: 1C819074B002099FCB49EFA4D854BEE77B2AFC8704F109128D411AB7A4CF759D42CB84
                                  Function 0796960B Relevance: .2, Instructions: 199COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 121ce771b05a9443ecc016b930237bea1e8cf96bffcd70938cecb4e918293c8d
                                  • Instruction ID: 256390013a32c77d3253c1118be4b1a2194928cb5a59d16c03df319b8862ebcb
                                  • Opcode Fuzzy Hash: 121ce771b05a9443ecc016b930237bea1e8cf96bffcd70938cecb4e918293c8d
                                  • Instruction Fuzzy Hash: 458105B4A21229EFCB54CF98D984EADB7B2FF88328F114559E505AB362D771EC41CB40
                                  Function 07961C99 Relevance: .2, Instructions: 173COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e2c5262320b3197eb28cd391b2fbb2a2789d041a65ca27517513c289efa624be
                                  • Instruction ID: ba04e0b58a804f783abd1ee68501f35a8c5093e02e4a37bd966011fb8c2510d6
                                  • Opcode Fuzzy Hash: e2c5262320b3197eb28cd391b2fbb2a2789d041a65ca27517513c289efa624be
                                  • Instruction Fuzzy Hash: 6F614D74B501189FCB48DF68D898AADB7B6FF89714F1441A9E9169B361CB30EC42CB90
                                  Function 079649F7 Relevance: .2, Instructions: 162COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 964048ab05c268214b9222363eed790a42684a46472ce64be15260b04a9ddbd6
                                  • Instruction ID: ee1451559ddd6b7126f6e6fb0e717329edf7f821d96a4268c14112b7ea9a6a5a
                                  • Opcode Fuzzy Hash: 964048ab05c268214b9222363eed790a42684a46472ce64be15260b04a9ddbd6
                                  • Instruction Fuzzy Hash: D551B1B4B006099FCB49EF64D8587EEBBB2AF88304F205129D401AB794CF75DE42CB94
                                  Function 079645A4 Relevance: .1, Instructions: 127COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5e6da3c1ff28f5eaf0948dcc1a9eda81dda6e8e7073f019bfeafe5a5a0e25488
                                  • Instruction ID: 0c050fbbfec35e129beef3c0ce3691a07192603ea24f2ddde0223581e94523db
                                  • Opcode Fuzzy Hash: 5e6da3c1ff28f5eaf0948dcc1a9eda81dda6e8e7073f019bfeafe5a5a0e25488
                                  • Instruction Fuzzy Hash: 8641A171F002058FC704DB69D854A6EBBF6EFC9310B2586AAE509DB361DA31EC01CB80
                                  Function 0796A098 Relevance: .1, Instructions: 122COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 90479116b956e302cc4be104bb52d378dbfa15f841036aa253876c8d68a71ea2
                                  • Instruction ID: ab2b627d123528b605b4be196fd9d58048325e098bcfbe5d496ecfb4f48f3c42
                                  • Opcode Fuzzy Hash: 90479116b956e302cc4be104bb52d378dbfa15f841036aa253876c8d68a71ea2
                                  • Instruction Fuzzy Hash: 1541BDB1B00B158FCB64DB78D94429ABBF2EF85314F048A6ED15AD7A40DB35E901CB82
                                  Function 07964D51 Relevance: .1, Instructions: 101COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 97f4bcb3aa225aac4c91f71006946162f0efc633435a37fa7ca6bf15760e2d77
                                  • Instruction ID: d0b70057a6ea3cba7b586e9fbeb60f8ac043284d08e34dac6c47b43b9a3706cb
                                  • Opcode Fuzzy Hash: 97f4bcb3aa225aac4c91f71006946162f0efc633435a37fa7ca6bf15760e2d77
                                  • Instruction Fuzzy Hash: 6B31C174B102588FCB45EF68D8545AE7BB6AFC9700F10915AE5029B365DF70AD02CBE1
                                  Function 07961FC8 Relevance: .1, Instructions: 94COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cd37a6e2caac541ae95bdde39f419eacaa44572970722771a3199b4834aecb0d
                                  • Instruction ID: 0579ca7f9d6761fea1ee19b32843f0bcb1110f10297497efc39a3fce3ff829d2
                                  • Opcode Fuzzy Hash: cd37a6e2caac541ae95bdde39f419eacaa44572970722771a3199b4834aecb0d
                                  • Instruction Fuzzy Hash: AC313975A401199BDF04EFA4D854AEEB7B6FF88310F108125E901B73A0CB759D16CBA0
                                  Function 07964D68 Relevance: .1, Instructions: 93COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f833cf6642d943be93139b4c1531961dbc671556a8baf53f6cf990d3341d72ef
                                  • Instruction ID: 0e38e7f4b4d6434ef1adc7e57e6d65d190d63213ebf987efde33edec8d88f4dc
                                  • Opcode Fuzzy Hash: f833cf6642d943be93139b4c1531961dbc671556a8baf53f6cf990d3341d72ef
                                  • Instruction Fuzzy Hash: 6E318634B105188FCB44EF68D8949AEBBB6EFC9700F10915AE5169B364DF70AD02CBD1
                                  Function 00F3D01C Relevance: .1, Instructions: 72COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2934001153.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_f3d000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7122b427fa9fba1afe800989fdfa2ff8b33225885bca1e44f2fcb0b9c45991fc
                                  • Instruction ID: b6ffc68dc8b850adb830ae2071279fc2bb4ed725c1118eba59d682c81cf1066f
                                  • Opcode Fuzzy Hash: 7122b427fa9fba1afe800989fdfa2ff8b33225885bca1e44f2fcb0b9c45991fc
                                  • Instruction Fuzzy Hash: 8321F5B1504240DFCB18DF14E9C4B16BB65EB84B34F24C569D8494B25AC336D847DA61
                                  Function 07969AF8 Relevance: .1, Instructions: 71COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 90f11d65fb3a72a1664257b716c9c382a22b407d70b652eb3177656d6fc320a4
                                  • Instruction ID: 585f60066d733f934cac66ab4c9a6b0a16dbdddb64718a09eb2474590207b665
                                  • Opcode Fuzzy Hash: 90f11d65fb3a72a1664257b716c9c382a22b407d70b652eb3177656d6fc320a4
                                  • Instruction Fuzzy Hash: F3215171A002199FDF159FA8C8549DE7FB6EF8D320F145229E415BB3A4DB71A841CFA0
                                  Function 07969B08 Relevance: .1, Instructions: 67COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0a30c17c4c4069013bb1b0f577486a1c1493811ce007a1a88e603d753e5b1ed3
                                  • Instruction ID: 8b6cfff897fa6b02aa40ff965ce8b65b10724548b988cad82248353930ba0574
                                  • Opcode Fuzzy Hash: 0a30c17c4c4069013bb1b0f577486a1c1493811ce007a1a88e603d753e5b1ed3
                                  • Instruction Fuzzy Hash: 16214F71A002199FCF159FA8C8449DEBFB6EF8D324F145229E415BB394CB71A841CFA0
                                  Function 00F3D005 Relevance: .1, Instructions: 62COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2934001153.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_f3d000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 57919930b4d4db45755378e83529586135e2f5bb325a42734b43e0f6d25be9ea
                                  • Instruction ID: 7e67735278696141f49eac5c97768463f57841de4485cfbdd031b0a02ffca759
                                  • Opcode Fuzzy Hash: 57919930b4d4db45755378e83529586135e2f5bb325a42734b43e0f6d25be9ea
                                  • Instruction Fuzzy Hash: E42180755093C08FCB06CF24D994715BF71EB46724F28C5EAD8498F6A7C33A980ADB62
                                  Function 07969F98 Relevance: .1, Instructions: 56COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ffe8fe0c3a2e601a14aaa9b4bfeff3dbf900b099cc3be32691b935000bdfb72f
                                  • Instruction ID: f1989a74108061b263f44c1a15bf2be838849eb66771cf8a4eedc9d5f3e04bd4
                                  • Opcode Fuzzy Hash: ffe8fe0c3a2e601a14aaa9b4bfeff3dbf900b099cc3be32691b935000bdfb72f
                                  • Instruction Fuzzy Hash: 8211AD757402018FCB566B38D41C96E77AAEFC5365704847AE906CB362EF31DC12CBA1
                                  Function 07962100 Relevance: .1, Instructions: 52COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 50dfbc95c46c0e0fe332c7061f689a1847b1b70270600c658d1c1f3fd8529b87
                                  • Instruction ID: 78d41d6c7327bb002510de5522dd87b74e6a81762d2f859ba9dcae58f7aabbbc
                                  • Opcode Fuzzy Hash: 50dfbc95c46c0e0fe332c7061f689a1847b1b70270600c658d1c1f3fd8529b87
                                  • Instruction Fuzzy Hash: C611E1703047048FC7269724CC58B6B7BA2ABCA324F14866DD5568B6E1CB76DC43DB81
                                  Function 07963831 Relevance: .0, Instructions: 48COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4b326af111d4d17c37cf8a14b5019aca0e21f6a15778038386fb26b53d30c9a0
                                  • Instruction ID: 736942958aa9871ce83007d66d4fafc2577bb3b027f07b41e3a5cddd5454d22d
                                  • Opcode Fuzzy Hash: 4b326af111d4d17c37cf8a14b5019aca0e21f6a15778038386fb26b53d30c9a0
                                  • Instruction Fuzzy Hash: 7F019671B001089FDB44DB68D848BDAB7F6FB89714F1141A9E6099B351CE32AD49CB91
                                  Function 07962110 Relevance: .0, Instructions: 44COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3b49c46f5a59b196bac36e245b60a4dfc1bd697843e088de8079d7eb274dc0e4
                                  • Instruction ID: f6f1e4b79b9d0bc50ea0a476620a232d5154c764b655128307f8dc18e3f17ed3
                                  • Opcode Fuzzy Hash: 3b49c46f5a59b196bac36e245b60a4dfc1bd697843e088de8079d7eb274dc0e4
                                  • Instruction Fuzzy Hash: BE019EB17002048FC7299B24C854A7B77A2ABC9324F14866CE5164B690CB72EC43CB80
                                  Function 0796A610 Relevance: .0, Instructions: 44COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: abc8767461c1480e17d9bfa0e316d1f7683196aa8cd4a452bfe3b8b0f976b2b1
                                  • Instruction ID: 0ac4ea685a36790ca82ce074ec2ae4de6820bb85185823be937012b761580741
                                  • Opcode Fuzzy Hash: abc8767461c1480e17d9bfa0e316d1f7683196aa8cd4a452bfe3b8b0f976b2b1
                                  • Instruction Fuzzy Hash: 59019275E006099FCB05DFA8D9045DDBBF5FF49300B10869AE155E7210E7309A05CB51
                                  Function 00F2D603 Relevance: .0, Instructions: 37COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2933946284.0000000000F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F2D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_f2d000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 475abbea3493e2454f299a8a2c08f45f45c6bdba1c9241483226765c71684820
                                  • Instruction ID: 18662b78b410fa29025f9ba33aab6ddc2f1c05fc9b8397525b2f012ed7d78ff9
                                  • Opcode Fuzzy Hash: 475abbea3493e2454f299a8a2c08f45f45c6bdba1c9241483226765c71684820
                                  • Instruction Fuzzy Hash: 02F049B6600600AF93208F0ADC84C23FBA9EFC4730319C45AE84A5B612C631EC41CAA0
                                  Function 00F2D5F4 Relevance: .0, Instructions: 35COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2933946284.0000000000F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F2D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_f2d000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fdf7b787ad7994be40404358a46f67784ce1e88d2a8bedbcfd87e515d3377eee
                                  • Instruction ID: d4034dde5b8ae0a97d86dcc074ed3fa314474f38f09b7c5ddbce112b1c79a926
                                  • Opcode Fuzzy Hash: fdf7b787ad7994be40404358a46f67784ce1e88d2a8bedbcfd87e515d3377eee
                                  • Instruction Fuzzy Hash: 34F03C75104680AFD325CF16CD84C23BFB9EF857607198489E84A5B352C631FC42DB60
                                  Function 07962F50 Relevance: .0, Instructions: 34COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6b3aa5d81977b38aee755212d47ae14757a35d5afc5e2bc8d0ac95151e02bb59
                                  • Instruction ID: a8f584b803585b49334e5e265638d53c7317161ef6315f260f70e4e09b964b83
                                  • Opcode Fuzzy Hash: 6b3aa5d81977b38aee755212d47ae14757a35d5afc5e2bc8d0ac95151e02bb59
                                  • Instruction Fuzzy Hash: E2F0E571B403158FD7642B78980AB6677AEEBC1219F144979E106CB380EFB2DC00C7A0
                                  Function 07962F42 Relevance: .0, Instructions: 34COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a59330bcc0d01ee36c6c5a4c842c477e2843137ea1a6de52b1977cef32b820af
                                  • Instruction ID: 5fa1c464459b056de6b0351b81f2ce43437b7eae60363e61d6381d8454fc2807
                                  • Opcode Fuzzy Hash: a59330bcc0d01ee36c6c5a4c842c477e2843137ea1a6de52b1977cef32b820af
                                  • Instruction Fuzzy Hash: 80F05C307043108FD32517308C1AB653BA9BB83619F1446BAF5018F2C1EFB5DC00C791
                                  Function 07969800 Relevance: .0, Instructions: 30COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ec9e302e856e6eac0df18e2de37cf08e97e3f1fae5846d3465204d3c58a6c4dd
                                  • Instruction ID: 98d1859e7c3cb21662c7a79f5a76ee8cc1982a6ddc52ecd00931b9247028bfbd
                                  • Opcode Fuzzy Hash: ec9e302e856e6eac0df18e2de37cf08e97e3f1fae5846d3465204d3c58a6c4dd
                                  • Instruction Fuzzy Hash: 72F032B0D21219DFCB14DF88D94CAACBBF0BF88728F008619E005AB262DB70A805CB00
                                  Function 07969960 Relevance: .0, Instructions: 23COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7e28d76e2d92a72a882fe9137cf3349e702e7e4929cbceb47e2871ab9c6c838b
                                  • Instruction ID: 76d801b0bb244e7dc904f934c7a76223a53118028b960a91c92a4a90b1fb5a9c
                                  • Opcode Fuzzy Hash: 7e28d76e2d92a72a882fe9137cf3349e702e7e4929cbceb47e2871ab9c6c838b
                                  • Instruction Fuzzy Hash: 6AE026653083800BE30293B4582819A7B9BDBC7111B054197E0498B281CC708D0287A2
                                  Function 07968F18 Relevance: .0, Instructions: 18COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5f7347ee6665c5caf81f1ecf790b824d805a0e5de9c1793e5cc47316c15d28d9
                                  • Instruction ID: af89c79b1aac84a959af1c89666696813e41b03a63971d2074fe0470613f5d17
                                  • Opcode Fuzzy Hash: 5f7347ee6665c5caf81f1ecf790b824d805a0e5de9c1793e5cc47316c15d28d9
                                  • Instruction Fuzzy Hash: 0BD0C231A10B208BC32C8B27940858ABBDA9B88220B05C12EE40A46600CF7958018BC0
                                  Function 0796A060 Relevance: .0, Instructions: 17COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f9a4df95e21ab98615195a08b7b496757446793cd763f48dd4e86ae518927a42
                                  • Instruction ID: 966f9aaeebec134427b707d05a8f636c6dfa96c5be75fa274685e193e5a8278c
                                  • Opcode Fuzzy Hash: f9a4df95e21ab98615195a08b7b496757446793cd763f48dd4e86ae518927a42
                                  • Instruction Fuzzy Hash: C1D05E352092805FC2028A20CC51852FF61DF46215B28C6CEE0D68B193CA338903D740
                                  Function 07969970 Relevance: .0, Instructions: 16COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 007a2b345cdf0baf8ecbec1eebeb64ca848472916cf03a01dadbe881427790e0
                                  • Instruction ID: e6b47992507adb6f8bbd0c9dfbf794eb541c6f1d0f014623e1228d75012e9421
                                  • Opcode Fuzzy Hash: 007a2b345cdf0baf8ecbec1eebeb64ca848472916cf03a01dadbe881427790e0
                                  • Instruction Fuzzy Hash: B3D0A9B93001544BD608A6FAA4180AF72CFEBCA210B00802B990A83B44CD70DC028A96
                                  Function 07967E48 Relevance: .0, Instructions: 14COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bc49086dabf53ad37f27d73e63e4e17fed32667d88a8ad6ac4129f5347488f6d
                                  • Instruction ID: 096e3029c8d7666885717d2f68058c445861a9595a91cdbeacd9d0bb16ddb3f3
                                  • Opcode Fuzzy Hash: bc49086dabf53ad37f27d73e63e4e17fed32667d88a8ad6ac4129f5347488f6d
                                  • Instruction Fuzzy Hash: 41D067241192C46FC7028F24C8659A5BFA15F87608B19C4CAE9D88B693C6229912EB66
                                  Function 07969F40 Relevance: .0, Instructions: 13COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0517a0be6a414d4e8f5e70e243f5ed2176308ab4ae07ce465eec3fda36e79a12
                                  • Instruction ID: c12b2347baa4506d4b9b0775252a941ea42cb00b0745f27be9e95f8055e2471b
                                  • Opcode Fuzzy Hash: 0517a0be6a414d4e8f5e70e243f5ed2176308ab4ae07ce465eec3fda36e79a12
                                  • Instruction Fuzzy Hash: F0C0023B3500149F87009B6DF884C99B7B9EBD9675320816BF209CB230C67298159B50
                                  Function 07968EA8 Relevance: .0, Instructions: 13COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f49c70c3f4d86d82f144cd1164329d739c0dd4e523bdb0f484f7579e5c26785c
                                  • Instruction ID: 23e3b7aed6e2c75d111962dcc21e121a18041161e2d48b7c10cc38c644a55d2f
                                  • Opcode Fuzzy Hash: f49c70c3f4d86d82f144cd1164329d739c0dd4e523bdb0f484f7579e5c26785c
                                  • Instruction Fuzzy Hash: 9CD05E7880D2848FEB224B5099597203B24AB4921DF1812DFD88859443C73A14AAC652
                                  Function 079623D0 Relevance: .0, Instructions: 11COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 40c07d6b703a6a87784af6c6c7f195438e14e148d6b682dc3c4f7577eee12597
                                  • Instruction ID: 2c4e5bfcf87e3fa906c37fc6db7854860989089796e5fefe5f553e4f67087bd7
                                  • Opcode Fuzzy Hash: 40c07d6b703a6a87784af6c6c7f195438e14e148d6b682dc3c4f7577eee12597
                                  • Instruction Fuzzy Hash: A5D0A7314082C45FC3024B64D810861FF659B0320430AC0E7D1748A073C7259465C755
                                  Function 07968EB8 Relevance: .0, Instructions: 11COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3a703db20f3ba3a07169079f172a3b772468912b366c165260c2b06333294ca0
                                  • Instruction ID: eb9dc5a246bae4e2523e86aba36ec4b7442d70fcd997dc854c3803004b9899e8
                                  • Opcode Fuzzy Hash: 3a703db20f3ba3a07169079f172a3b772468912b366c165260c2b06333294ca0
                                  • Instruction Fuzzy Hash: 58C08CB480020C8FCB206B50D40DB22775CE70822EF1013ADEC0809102DB7B64AAC692
                                  Function 079623E0 Relevance: .0, Instructions: 7COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 894d22299a02069f7ad09c179b65d80f63714110c7931c04b3cb89a42d26d0f3
                                  • Instruction ID: 27917e9cbe4b0729089034d2735b6b39c490422c8590ddb04b110fcc4c09770b
                                  • Opcode Fuzzy Hash: 894d22299a02069f7ad09c179b65d80f63714110c7931c04b3cb89a42d26d0f3
                                  • Instruction Fuzzy Hash: 8EB09232440208AB86019A84E8048A6BB69AB987117008025A609461228B72E862DA98

                                  Non-executed Functions

                                  Function 02C8F03C Relevance: .3, Instructions: 264COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2935312558.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_2c80000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d99ef18cf09e1aba86d074fe661ea9a02e690e111a310d47262cce4e47ddb19e
                                  • Instruction ID: f38d0b6ddbe10b0d372b330a8185d06fa62738334875ff80e0291ec248d7a2ae
                                  • Opcode Fuzzy Hash: d99ef18cf09e1aba86d074fe661ea9a02e690e111a310d47262cce4e47ddb19e
                                  • Instruction Fuzzy Hash: 73A17E32A002198FCF05EFB4D8445AEB7B2FF89305B65856EE901AB261DB71E955CF80
                                  Function 07966D88 Relevance: .3, Instructions: 260COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2d82fa5c0d9e3d635215efb31c09ed7ad7d34ea52cac2533fbab4cbefc72a692
                                  • Instruction ID: 67730e759f0e08a2b07df3d70fceadfe4880f161d968835d07091948a76c8874
                                  • Opcode Fuzzy Hash: 2d82fa5c0d9e3d635215efb31c09ed7ad7d34ea52cac2533fbab4cbefc72a692
                                  • Instruction Fuzzy Hash: FB9139757402058FDB04EF39D994A6A77A6EF89754F108168EA06CF3B5DA32EC02CB90
                                  Function 07960040 Relevance: 5.2, Strings: 4, Instructions: 194COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2950183004.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7960000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (_^q$(_^q$(_^q$(_^q
                                  • API String ID: 0-2697572114
                                  • Opcode ID: 390be996470c04d66a8a6940029cbd51ff58ed8cda7b3bcf875650fafc9fa46a
                                  • Instruction ID: 1314846b4419f7c3c4846dcadf3e4ab75ce9ac6ab09ebb93e68c358a64f60e60
                                  • Opcode Fuzzy Hash: 390be996470c04d66a8a6940029cbd51ff58ed8cda7b3bcf875650fafc9fa46a
                                  • Instruction Fuzzy Hash: F661B0B5B002158FD704EF78D8989AEBBB2EF89314B114A6AD4469B351DB31DC46CB90