Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
EQxFL1u3m1.exe

Overview

General Information

Sample name:EQxFL1u3m1.exe
renamed because original name is a hash value
Original sample name:92C93C0F3D586D4F26865F78C91C7200.exe
Analysis ID:1431045
MD5:92c93c0f3d586d4f26865f78c91c7200
SHA1:acfaf4714bd8dc1f784275a8a513a1e4c1a2de12
SHA256:c305dc9e2de49fecff28d19facee4e30fc568cbd04594f328c60301b1744387d
Tags:exeQuasarRATRAT
Infos:

Detection

Quasar
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Quasar
Snort IDS alert for network traffic
Yara detected Quasar RAT
C2 URLs / IPs found in malware configuration
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to detect virtual machines (STR)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • EQxFL1u3m1.exe (PID: 3128 cmdline: "C:\Users\user\Desktop\EQxFL1u3m1.exe" MD5: 92C93C0F3D586D4F26865F78C91C7200)
    • schtasks.exe (PID: 2124 cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 4448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Client.exe (PID: 2272 cmdline: "C:\Windows\system32\SubDir\Client.exe" MD5: 92C93C0F3D586D4F26865F78C91C7200)
      • schtasks.exe (PID: 736 cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 5080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Client.exe (PID: 3372 cmdline: C:\Windows\system32\SubDir\Client.exe MD5: 92C93C0F3D586D4F26865F78C91C7200)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Quasar RAT, QuasarRATQuasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware Configuration

Threatname: Quasar

{"Version": "1.4.1", "Host:Port": "xm.wintk.vip:1994;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "09ae387c-a1cd-4bbc-a043-40c1658a6432", "StartupKey": "Quasar Client Startup", "LogDirectoryName": "Logs", "ServerSignature": "S9okwmp3BJya3MoaRfgpt4YpdU3Ugp4QlRG5am3kt0o5QK4aeeFKA5C+iJlurZd0jzDz5qfI1sg01R/GT1qRhzzyyHO19B5wfCzqlMPo5PvALjSvqwetaDWYpZwoqhxboSmcGmaODEsYhnyVj11UxoLnNRsQFvWHIbatXr8xj3LeC9yxO9frDLrdJoOXSJ3hs5VKgItHSzaCkB45Qk7G8HvHzJj/O2nTBeNRiGDuQyRLeAe+gkn6diSgPRxiSawSlylMYuIzMc8FF5a4m2TO34uHs0IDkdrJzy1jlFr6F1Lc+68+7ZqvoVmCNifyCXtEC3nCXHBnkspFIWUuxBRrpdMs3HvbjE6+WLQwashNmqW8d0XiPJ3tLt3eHY6Tw0tpWc2Et9XyqrXhuZtM7Xuutbk4nXBg6FTjn4hPrQZMqKHHdm1CSjkLzUebftVulRz2Pj//5KgAWONjUsCZbU0ZxdqIJbzMwO2iIpiLjaISHqnIi7x4x7l8/M0AG8peRsb6M4wVsq2edwPTpYDq3X+kMiAiiL10wzIC48njaH52lZaP8tfdPmYcfuPFsVWAgYOO/mz7TMBL2JtHZ48G8b1VmksVlch0MD2Eyu9Frows3ov2DwXV5z6XctQjKb/nujK519iVNj400kmXV2sQx4m56tkSpnwSVGhIXKP+T3OW4jQ=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAO8z+YiR7P++YmwsxqRSdzANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MDMyMTA4MDA0M1oYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAthfSzaM1RL1mW1oNqNPQoFj/sxWU3tdWYgSV4di210xdf2txzKmEcXuTdgMMUbiHKnXnnFsox7Nsb1px8B1pu7fuz2H6TlXBzRJZBA0W7GUEn5oPQFEjWk/6/5aV5YyX9LoFnXavtplzoaxQAC0s08JjhooIzI56hpOv0rW/0DP8OpKh7F2C+rtm+B5i435MHJndo3R1iDPz7d7dH7MqnVcfREk53mn9Simt8DwSPGYawwYrhSGKq4LxnY7OIqb7Bo0nm9+CCXLO5uf4AofTGWHsolTzAmB4r/tJGICdGZt8vvq4aBqoCii+o/acUiQmvXi81TEZuFi4syItFYjK7yVIltkNvT2G5tyvweyn1t4VKj16nWVhLZG01pqobPrQNYAJHVeICfr3vapvf0AyqIjE5R7rnnmOFIpHIDEVs8pzA+21X70wYnwONCB5SeZUJbfCVig05i4s/269+1Kciva4/ootpRyy06LFx3cBurc3atYX9rU5v4Af7P8wD2jJMk5x/FEv4Rz7MsY/PEwrKPQQJ4dpJMwUn9HF7tyD7MgGQHLLYO2SOfnCmw77he1NxuV/esWlVenYIfc7pcztOObpWvtUaf3AiZWM/pF3xH6axZSU8nFNb8EP1dDPbG+kMDnSgYWhc7vF3PLQIoDCdq8LBIaTOlQ2dLzyzOW2umECAwEAAaMyMDAwHQYDVR0OBBYEFMsOA66ejebpgm7UpYuXh8kFR5UUMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAEN+FdpCKZGcIdvvN0OHAyZZbHPkpEbZMjL5m9LNkIalYmbO60V4toVNnuqG4eSKJOrFb51+XS7KoVWoXk0IhY1/I6Vaz4hRZfvMosu4I7KIi43Db4a6E8zDk0tLRqmBZsTiwjX/CFOOC3QOPrLRh3K+RNkRNYr5Ex5BTRiFM+MoHlcme1KoBmIjyY7MZby/3zd2WPEspj1CWdm3QwDjcyfWdAN+chTAt4nWd/CZ2yPRrFdBx5b06m1UDz0piG2oQCQmz31EFo2n0wgdGtE+d4hZ0LO3Ld5eH3Wany4MiW1RtkT5vs/TqMgRPaX8J0h3MItlQjQzEO7JRjbQpHJUb2PkDlwiCvVYb086AUcgV20X8Oz51t7jbDBdaBilC3gAm3UHfFzJXT0enZj5M3jGjfZWb2af+ItlnW6J1Spfs2vAiOXXgQosHjcBKVsSKTC/E68V79aQR4aMH7xdIdWxwlWGM3s/xESGIdxvkBVuNmUwmBVe7SioN0hBJC5Xmnv/A6dGZQgW0gWxiD4EyWvHH06UY4WjJ9A6ef1a4mjHih0QfJ02+DSf5CzFNHEN8gcasEwezWOZvkBQtA/Vz16Bu7x8Y4COhgjv9AzRcvkj0LaPxbrFoocGBbVhaeY0rHyTuDaQmFM02uiGnjH7MO4q7NdD96DWwoK4Wre5z9uj+gXH"}

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
EQxFL1u3m1.exeJoeSecurity_QuasarYara detected Quasar RATJoe Security
    EQxFL1u3m1.exeJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
      EQxFL1u3m1.exeMAL_QuasarRAT_May19_1Detects QuasarRAT malwareFlorian Roth
      • 0x28eed8:$x1: Quasar.Common.Messages
      • 0x29f201:$x1: Quasar.Common.Messages
      • 0x2ab81a:$x4: Uninstalling... good bye :-(
      • 0x2ad00f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
      EQxFL1u3m1.exeINDICATOR_SUSPICIOUS_GENInfoStealerDetects executables containing common artifcats observed in infostealersditekSHen
      • 0x2aadcc:$f1: FileZilla\recentservers.xml
      • 0x2aae0c:$f2: FileZilla\sitemanager.xml
      • 0x2aae4e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
      • 0x2ab09a:$b1: Chrome\User Data\
      • 0x2ab0f0:$b1: Chrome\User Data\
      • 0x2ab3c8:$b2: Mozilla\Firefox\Profiles
      • 0x2ab4c4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
      • 0x2fd448:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
      • 0x2ab61c:$b4: Opera Software\Opera Stable\Login Data
      • 0x2ab6d6:$b5: YandexBrowser\User Data\
      • 0x2ab744:$b5: YandexBrowser\User Data\
      • 0x2ab418:$s4: logins.json
      • 0x2ab14e:$a1: username_value
      • 0x2ab16c:$a2: password_value
      • 0x2ab458:$a3: encryptedUsername
      • 0x2fd38c:$a3: encryptedUsername
      • 0x2ab47c:$a4: encryptedPassword
      • 0x2fd3aa:$a4: encryptedPassword
      • 0x2fd328:$a5: httpRealm
      EQxFL1u3m1.exeMALWARE_Win_QuasarStealerDetects Quasar infostealerditekshen
      • 0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
      • 0x2ab904:$s3: Process already elevated.
      • 0x28ebd7:$s4: get_PotentiallyVulnerablePasswords
      • 0x278c93:$s5: GetKeyloggerLogsDirectory
      • 0x29e960:$s5: GetKeyloggerLogsDirectory
      • 0x28ebfa:$s6: set_PotentiallyVulnerablePasswords
      • 0x2fea76:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

      Dropped Files

      SourceRuleDescriptionAuthorStrings
      C:\Windows\System32\SubDir\Client.exeJoeSecurity_QuasarYara detected Quasar RATJoe Security
        C:\Windows\System32\SubDir\Client.exeJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
          C:\Windows\System32\SubDir\Client.exeMAL_QuasarRAT_May19_1Detects QuasarRAT malwareFlorian Roth
          • 0x28eed8:$x1: Quasar.Common.Messages
          • 0x29f201:$x1: Quasar.Common.Messages
          • 0x2ab81a:$x4: Uninstalling... good bye :-(
          • 0x2ad00f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
          C:\Windows\System32\SubDir\Client.exeINDICATOR_SUSPICIOUS_GENInfoStealerDetects executables containing common artifcats observed in infostealersditekSHen
          • 0x2aadcc:$f1: FileZilla\recentservers.xml
          • 0x2aae0c:$f2: FileZilla\sitemanager.xml
          • 0x2aae4e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
          • 0x2ab09a:$b1: Chrome\User Data\
          • 0x2ab0f0:$b1: Chrome\User Data\
          • 0x2ab3c8:$b2: Mozilla\Firefox\Profiles
          • 0x2ab4c4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
          • 0x2fd448:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
          • 0x2ab61c:$b4: Opera Software\Opera Stable\Login Data
          • 0x2ab6d6:$b5: YandexBrowser\User Data\
          • 0x2ab744:$b5: YandexBrowser\User Data\
          • 0x2ab418:$s4: logins.json
          • 0x2ab14e:$a1: username_value
          • 0x2ab16c:$a2: password_value
          • 0x2ab458:$a3: encryptedUsername
          • 0x2fd38c:$a3: encryptedUsername
          • 0x2ab47c:$a4: encryptedPassword
          • 0x2fd3aa:$a4: encryptedPassword
          • 0x2fd328:$a5: httpRealm
          C:\Windows\System32\SubDir\Client.exeMALWARE_Win_QuasarStealerDetects Quasar infostealerditekshen
          • 0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
          • 0x2ab904:$s3: Process already elevated.
          • 0x28ebd7:$s4: get_PotentiallyVulnerablePasswords
          • 0x278c93:$s5: GetKeyloggerLogsDirectory
          • 0x29e960:$s5: GetKeyloggerLogsDirectory
          • 0x28ebfa:$s6: set_PotentiallyVulnerablePasswords
          • 0x2fea76:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

          Memory Dumps

          SourceRuleDescriptionAuthorStrings
          00000006.00000002.2055412636.000000938B5C9000.00000004.00000010.00020000.00000000.sdmpJoeSecurity_QuasarYara detected Quasar RATJoe Security
            00000002.00000002.2043773340.000001BD327A5000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_QuasarYara detected Quasar RATJoe Security
              00000002.00000002.2043805988.000001BD32800000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_QuasarYara detected Quasar RATJoe Security
                00000002.00000002.2043662966.000000251EAB9000.00000004.00000010.00020000.00000000.sdmpJoeSecurity_QuasarYara detected Quasar RATJoe Security
                  00000006.00000002.2055538186.000001ADFB540000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_QuasarYara detected Quasar RATJoe Security
                    Click to see the 16 entries

                    Unpacked PEs

                    SourceRuleDescriptionAuthorStrings
                    0.0.EQxFL1u3m1.exe.6e0000.0.unpackJoeSecurity_QuasarYara detected Quasar RATJoe Security
                      0.0.EQxFL1u3m1.exe.6e0000.0.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
                        0.0.EQxFL1u3m1.exe.6e0000.0.unpackMAL_QuasarRAT_May19_1Detects QuasarRAT malwareFlorian Roth
                        • 0x28eed8:$x1: Quasar.Common.Messages
                        • 0x29f201:$x1: Quasar.Common.Messages
                        • 0x2ab81a:$x4: Uninstalling... good bye :-(
                        • 0x2ad00f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
                        0.0.EQxFL1u3m1.exe.6e0000.0.unpackINDICATOR_SUSPICIOUS_GENInfoStealerDetects executables containing common artifcats observed in infostealersditekSHen
                        • 0x2aadcc:$f1: FileZilla\recentservers.xml
                        • 0x2aae0c:$f2: FileZilla\sitemanager.xml
                        • 0x2aae4e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
                        • 0x2ab09a:$b1: Chrome\User Data\
                        • 0x2ab0f0:$b1: Chrome\User Data\
                        • 0x2ab3c8:$b2: Mozilla\Firefox\Profiles
                        • 0x2ab4c4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
                        • 0x2fd448:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
                        • 0x2ab61c:$b4: Opera Software\Opera Stable\Login Data
                        • 0x2ab6d6:$b5: YandexBrowser\User Data\
                        • 0x2ab744:$b5: YandexBrowser\User Data\
                        • 0x2ab418:$s4: logins.json
                        • 0x2ab14e:$a1: username_value
                        • 0x2ab16c:$a2: password_value
                        • 0x2ab458:$a3: encryptedUsername
                        • 0x2fd38c:$a3: encryptedUsername
                        • 0x2ab47c:$a4: encryptedPassword
                        • 0x2fd3aa:$a4: encryptedPassword
                        • 0x2fd328:$a5: httpRealm
                        0.0.EQxFL1u3m1.exe.6e0000.0.unpackMALWARE_Win_QuasarStealerDetects Quasar infostealerditekshen
                        • 0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
                        • 0x2ab904:$s3: Process already elevated.
                        • 0x28ebd7:$s4: get_PotentiallyVulnerablePasswords
                        • 0x278c93:$s5: GetKeyloggerLogsDirectory
                        • 0x29e960:$s5: GetKeyloggerLogsDirectory
                        • 0x28ebfa:$s6: set_PotentiallyVulnerablePasswords
                        • 0x2fea76:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

                        Sigma Signatures

                        AV Detection

                        barindex
                        Sigma detected: Quasar
                        Source: Process startedAuthor: Joe Security: Data: Command: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\EQxFL1u3m1.exe", ParentImage: C:\Users\user\Desktop\EQxFL1u3m1.exe, ParentProcessId: 3128, ParentProcessName: EQxFL1u3m1.exe, ProcessCommandLine: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f, ProcessId: 2124, ProcessName: schtasks.exe

                        E-Banking Fraud

                        barindex
                        Sigma detected: Quasar
                        Source: Process startedAuthor: Joe Security: Data: Command: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\EQxFL1u3m1.exe", ParentImage: C:\Users\user\Desktop\EQxFL1u3m1.exe, ParentProcessId: 3128, ParentProcessName: EQxFL1u3m1.exe, ProcessCommandLine: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f, ProcessId: 2124, ProcessName: schtasks.exe

                        Stealing of Sensitive Information

                        barindex
                        Sigma detected: Quasar
                        Source: Process startedAuthor: Joe Security: Data: Command: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\EQxFL1u3m1.exe", ParentImage: C:\Users\user\Desktop\EQxFL1u3m1.exe, ParentProcessId: 3128, ParentProcessName: EQxFL1u3m1.exe, ProcessCommandLine: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f, ProcessId: 2124, ProcessName: schtasks.exe

                        Remote Access Functionality

                        barindex
                        Sigma detected: Quasar
                        Source: Process startedAuthor: Joe Security: Data: Command: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\EQxFL1u3m1.exe", ParentImage: C:\Users\user\Desktop\EQxFL1u3m1.exe, ParentProcessId: 3128, ParentProcessName: EQxFL1u3m1.exe, ProcessCommandLine: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f, ProcessId: 2124, ProcessName: schtasks.exe

                        Snort Signatures

                        Timestamp:04/24/24-13:52:05.675283
                        SID:2035595
                        Source Port:1994
                        Destination Port:49705
                        Protocol:TCP
                        Classtype:A Network Trojan was detected

                        Joe Sandbox Signatures

                        Click to jump to signature section

                        Show All Signature Results

                        AV Detection

                        barindex
                        Antivirus / Scanner detection for submitted sample
                        Source: EQxFL1u3m1.exeAvira: detected
                        Antivirus detection for dropped file
                        Source: C:\Windows\System32\SubDir\Client.exeAvira: detection malicious, Label: HEUR/AGEN.1307453
                        Found malware configuration
                        Source: EQxFL1u3m1.exeMalware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "xm.wintk.vip:1994;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "09ae387c-a1cd-4bbc-a043-40c1658a6432", "StartupKey": "Quasar Client Startup", "LogDirectoryName": "Logs", "ServerSignature": "S9okwmp3BJya3MoaRfgpt4YpdU3Ugp4QlRG5am3kt0o5QK4aeeFKA5C+iJlurZd0jzDz5qfI1sg01R/GT1qRhzzyyHO19B5wfCzqlMPo5PvALjSvqwetaDWYpZwoqhxboSmcGmaODEsYhnyVj11UxoLnNRsQFvWHIbatXr8xj3LeC9yxO9frDLrdJoOXSJ3hs5VKgItHSzaCkB45Qk7G8HvHzJj/O2nTBeNRiGDuQyRLeAe+gkn6diSgPRxiSawSlylMYuIzMc8FF5a4m2TO34uHs0IDkdrJzy1jlFr6F1Lc+68+7ZqvoVmCNifyCXtEC3nCXHBnkspFIWUuxBRrpdMs3HvbjE6+WLQwashNmqW8d0XiPJ3tLt3eHY6Tw0tpWc2Et9XyqrXhuZtM7Xuutbk4nXBg6FTjn4hPrQZMqKHHdm1CSjkLzUebftVulRz2Pj//5KgAWONjUsCZbU0ZxdqIJbzMwO2iIpiLjaISHqnIi7x4x7l8/M0AG8peRsb6M4wVsq2edwPTpYDq3X+kMiAiiL10wzIC48njaH52lZaP8tfdPmYcfuPFsVWAgYOO/mz7TMBL2JtHZ48G8b1VmksVlch0MD2Eyu9Frows3ov2DwXV5z6XctQjKb/nujK519iVNj400kmXV2sQx4m56tkSpnwSVGhIXKP+T3OW4jQ=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAO8z+YiR7P++YmwsxqRSdzANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MDMyMTA4MDA0M1oYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAthfSzaM1RL1mW1oNqNPQoFj/sxWU3tdWYgSV4di210xdf2txzKmEcXuTdgMMUbiHKnXnnFsox7Nsb1px8B1pu7fuz2H6TlXBzRJZBA0W7GUEn5oPQFEjWk/6/5aV5YyX9LoFnXavtplzoaxQAC0s08JjhooIzI56hpOv0rW/0DP8OpKh7F2C+rtm+B5i435MHJndo3R1iDPz7d7dH7MqnVcfREk53mn9Simt8DwSPGYawwYrhSGKq4LxnY7OIqb7Bo0nm9+CCXLO5uf4AofTGWHsolTzAmB4r/tJGICdGZt8vvq4aBqoCii+o/acUiQmvXi81TEZuFi4syItFYjK7yVIltkNvT2G5tyvweyn1t4VKj16nWVhLZG01pqobPrQNYAJHVeICfr3vapvf0AyqIjE5R7rnnmOFIpHIDEVs8pzA+21X70wYnwONCB5SeZUJbfCVig05i4s/269+1Kciva4/ootpRyy06LFx3cBurc3atYX9rU5v4Af7P8wD2jJMk5x/FEv4Rz7MsY/PEwrKPQQJ4dpJMwUn9HF7tyD7MgGQHLLYO2SOfnCmw77he1NxuV/esWlVenYIfc7pcztOObpWvtUaf3AiZWM/pF3xH6axZSU8nFNb8EP1dDPbG+kMDnSgYWhc7vF3PLQIoDCdq8LBIaTOlQ2dLzyzOW2umECAwEAAaMyMDAwHQYDVR0OBBYEFMsOA66ejebpgm7UpYuXh8kFR5UUMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAEN+FdpCKZGcIdvvN0OHAyZZbHPkpEbZMjL5m9LNkIalYmbO60V4toVNnuqG4eSKJOrFb51+XS7KoVWoXk0IhY1/I6Vaz4hRZfvMosu4I7KIi43Db4a6E8zDk0tLRqmBZsTiwjX/CFOOC3QOPrLRh3K+RNkRNYr5Ex5BTRiFM+MoHlcme1KoBmIjyY7MZby/3zd2WPEspj1CWdm3QwDjcyfWdAN+chTAt4nWd/CZ2yPRrFdBx5b06m1UDz0piG2oQCQmz31EFo2n0wgdGtE+d4hZ0LO3Ld5eH3Wany4MiW1RtkT5vs/TqMgRPaX8J0h3MItlQjQzEO7JRjbQpHJUb2PkDlwiCvVYb086AUcgV20X8Oz51t7jbDBdaBilC3gAm3UHfFzJXT0enZj5M3jGjfZWb2af+ItlnW6J1Spfs2vAiOXXgQosHjcBKVsSKTC/E68V79aQR4aMH7xdIdWxwlWGM3s/xESGIdxvkBVuNmUwmBVe7SioN0hBJC5Xmnv/A6dGZQgW0gWxiD4EyWvHH06UY4WjJ9A6ef1a4mjHih0QfJ02+DSf5CzFNHEN8gcasEwezWOZvkBQtA/Vz16Bu7x8Y4COhgjv9AzRcvkj0LaPxbrFoocGBbVhaeY0rHyTuDaQmFM02uiGnjH7MO4q7NdD96DWwoK4Wre5z9uj+gXH"}
                        Multi AV Scanner detection for dropped file
                        Source: C:\Windows\System32\SubDir\Client.exeReversingLabs: Detection: 76%
                        Multi AV Scanner detection for submitted file
                        Source: EQxFL1u3m1.exeReversingLabs: Detection: 76%
                        Yara detected Quasar RAT
                        Source: Yara matchFile source: EQxFL1u3m1.exe, type: SAMPLE
                        Source: Yara matchFile source: 0.0.EQxFL1u3m1.exe.6e0000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000006.00000002.2055412636.000000938B5C9000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000002.2043773340.000001BD327A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000002.2043805988.000001BD32800000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000002.2043662966.000000251EAB9000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.2055538186.000001ADFB540000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.2055605743.000001ADFB7F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000000.2024885502.0000000000A00000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.2055538186.000001ADFB548000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000002.2043773340.000001BD327A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000002.2043805988.000001BD3280F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.2055605743.000001ADFB7F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.3285335572.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.3285335572.0000000002FA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.2045178307.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000005.00000002.2069772715.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000000.2024569386.00000000006E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: EQxFL1u3m1.exe PID: 3128, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: schtasks.exe PID: 2124, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: Client.exe PID: 2272, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: Client.exe PID: 3372, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: schtasks.exe PID: 736, type: MEMORYSTR
                        Source: Yara matchFile source: C:\Windows\System32\SubDir\Client.exe, type: DROPPED
                        Machine Learning detection for dropped file
                        Source: C:\Windows\System32\SubDir\Client.exeJoe Sandbox ML: detected
                        Machine Learning detection for sample
                        Source: EQxFL1u3m1.exeJoe Sandbox ML: detected
                        Source: EQxFL1u3m1.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: unknownHTTPS traffic detected: 108.181.47.111:443 -> 192.168.2.5:49707 version: TLS 1.2
                        Source: EQxFL1u3m1.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                        Networking

                        barindex
                        Snort IDS alert for network traffic
                        Source: TrafficSnort IDS: 2035595 ET TROJAN Generic AsyncRAT Style SSL Cert 192.144.128.196:1994 -> 192.168.2.5:49705
                        C2 URLs / IPs found in malware configuration
                        Source: Malware configuration extractorURLs: xm.wintk.vip
                        Yara detected Generic Downloader
                        Source: Yara matchFile source: EQxFL1u3m1.exe, type: SAMPLE
                        Source: Yara matchFile source: 0.0.EQxFL1u3m1.exe.6e0000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: C:\Windows\System32\SubDir\Client.exe, type: DROPPED
                        Source: Joe Sandbox ViewIP Address: 108.181.47.111 108.181.47.111
                        Source: Joe Sandbox ViewASN Name: CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa
                        Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                        Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive
                        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive
                        Source: global trafficDNS traffic detected: DNS query: xm.wintk.vip
                        Source: global trafficDNS traffic detected: DNS query: ipwho.is
                        Source: Client.exe, 00000004.00000002.3295978291.000000001BBF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.v
                        Source: Client.exe, 00000004.00000002.3295978291.000000001BD1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
                        Source: Client.exe, 00000004.00000002.3284348309.0000000001368000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.4.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                        Source: Client.exe, 00000004.00000002.3285335572.0000000003355000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ipwho.is
                        Source: Client.exe, 00000004.00000002.3285335572.00000000033A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/
                        Source: EQxFL1u3m1.exe, 00000000.00000002.2045178307.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000004.00000002.3285335572.0000000002FA9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: EQxFL1u3m1.exe, Client.exe.0.drString found in binary or memory: https://api.ipify.org/
                        Source: Client.exe, 00000004.00000002.3285335572.000000000333B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ipwho.is
                        Source: EQxFL1u3m1.exe, Client.exe.0.drString found in binary or memory: https://ipwho.is/
                        Source: EQxFL1u3m1.exe, Client.exe.0.drString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                        Source: EQxFL1u3m1.exe, Client.exe.0.drString found in binary or memory: https://stackoverflow.com/q/14436606/23354
                        Source: EQxFL1u3m1.exe, Client.exe.0.drString found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
                        Source: unknownHTTPS traffic detected: 108.181.47.111:443 -> 192.168.2.5:49707 version: TLS 1.2

                        Key, Mouse, Clipboard, Microphone and Screen Capturing

                        barindex
                        Installs a global keyboard hook
                        Source: C:\Windows\System32\SubDir\Client.exeWindows user hook set: 0 keyboard low level C:\Windows\system32\SubDir\Client.exeJump to behavior

                        E-Banking Fraud

                        barindex
                        Yara detected Quasar RAT
                        Source: Yara matchFile source: EQxFL1u3m1.exe, type: SAMPLE
                        Source: Yara matchFile source: 0.0.EQxFL1u3m1.exe.6e0000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000006.00000002.2055412636.000000938B5C9000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000002.2043773340.000001BD327A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000002.2043805988.000001BD32800000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000002.2043662966.000000251EAB9000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.2055538186.000001ADFB540000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.2055605743.000001ADFB7F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000000.2024885502.0000000000A00000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.2055538186.000001ADFB548000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000002.2043773340.000001BD327A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000002.2043805988.000001BD3280F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.2055605743.000001ADFB7F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.3285335572.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.3285335572.0000000002FA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.2045178307.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000005.00000002.2069772715.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000000.2024569386.00000000006E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: EQxFL1u3m1.exe PID: 3128, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: schtasks.exe PID: 2124, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: Client.exe PID: 2272, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: Client.exe PID: 3372, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: schtasks.exe PID: 736, type: MEMORYSTR
                        Source: Yara matchFile source: C:\Windows\System32\SubDir\Client.exe, type: DROPPED

                        System Summary

                        barindex
                        Malicious sample detected (through community Yara rule)
                        Source: EQxFL1u3m1.exe, type: SAMPLEMatched rule: Detects QuasarRAT malware Author: Florian Roth
                        Source: EQxFL1u3m1.exe, type: SAMPLEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                        Source: EQxFL1u3m1.exe, type: SAMPLEMatched rule: Detects Quasar infostealer Author: ditekshen
                        Source: 0.0.EQxFL1u3m1.exe.6e0000.0.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
                        Source: 0.0.EQxFL1u3m1.exe.6e0000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                        Source: 0.0.EQxFL1u3m1.exe.6e0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Quasar infostealer Author: ditekshen
                        Source: C:\Windows\System32\SubDir\Client.exe, type: DROPPEDMatched rule: Detects QuasarRAT malware Author: Florian Roth
                        Source: C:\Windows\System32\SubDir\Client.exe, type: DROPPEDMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                        Source: C:\Windows\System32\SubDir\Client.exe, type: DROPPEDMatched rule: Detects Quasar infostealer Author: ditekshen
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeFile created: C:\Windows\system32\SubDirJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeFile created: C:\Windows\system32\SubDir\Client.exeJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeCode function: 4_2_00007FF848F43C6F4_2_00007FF848F43C6F
                        Source: C:\Windows\System32\SubDir\Client.exeCode function: 4_2_00007FF8491B92714_2_00007FF8491B9271
                        Source: C:\Windows\System32\SubDir\Client.exeCode function: 4_2_00007FF8491CCAE54_2_00007FF8491CCAE5
                        Source: C:\Windows\System32\SubDir\Client.exeCode function: 4_2_00007FF8491C89D24_2_00007FF8491C89D2
                        Source: C:\Windows\System32\SubDir\Client.exeCode function: 4_2_00007FF8491C7C264_2_00007FF8491C7C26
                        Source: C:\Windows\System32\SubDir\Client.exeCode function: 4_2_00007FF8491CEBD44_2_00007FF8491CEBD4
                        Source: C:\Windows\System32\SubDir\Client.exeCode function: 4_2_00007FF8491B55D64_2_00007FF8491B55D6
                        Source: C:\Windows\System32\SubDir\Client.exeCode function: 4_2_00007FF8491CB8614_2_00007FF8491CB861
                        Source: C:\Windows\System32\SubDir\Client.exeCode function: 4_2_00007FF8491D50F04_2_00007FF8491D50F0
                        Source: C:\Windows\System32\SubDir\Client.exeCode function: 4_2_00007FF8491BAFDD4_2_00007FF8491BAFDD
                        Source: C:\Windows\System32\SubDir\Client.exeCode function: 4_2_00007FF8491B9FD04_2_00007FF8491B9FD0
                        Source: C:\Windows\System32\SubDir\Client.exeCode function: 4_2_00007FF8491B621F4_2_00007FF8491B621F
                        Source: C:\Windows\System32\SubDir\Client.exeCode function: 4_2_00007FF8492D23624_2_00007FF8492D2362
                        Source: EQxFL1u3m1.exe, 00000000.00000000.2024885502.0000000000A00000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameClient.exe. vs EQxFL1u3m1.exe
                        Source: EQxFL1u3m1.exeBinary or memory string: OriginalFilenameClient.exe. vs EQxFL1u3m1.exe
                        Source: EQxFL1u3m1.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: EQxFL1u3m1.exe, type: SAMPLEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                        Source: EQxFL1u3m1.exe, type: SAMPLEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                        Source: EQxFL1u3m1.exe, type: SAMPLEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                        Source: 0.0.EQxFL1u3m1.exe.6e0000.0.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                        Source: 0.0.EQxFL1u3m1.exe.6e0000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                        Source: 0.0.EQxFL1u3m1.exe.6e0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                        Source: C:\Windows\System32\SubDir\Client.exe, type: DROPPEDMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                        Source: C:\Windows\System32\SubDir\Client.exe, type: DROPPEDMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                        Source: C:\Windows\System32\SubDir\Client.exe, type: DROPPEDMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                        Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@10/5@2/2
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\EQxFL1u3m1.exe.logJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeMutant created: NULL
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4448:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5080:120:WilError_03
                        Source: C:\Windows\System32\SubDir\Client.exeMutant created: \Sessions\1\BaseNamedObjects\Local\09ae387c-a1cd-4bbc-a043-40c1658a6432
                        Source: EQxFL1u3m1.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: EQxFL1u3m1.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                        Source: C:\Windows\System32\SubDir\Client.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                        Source: EQxFL1u3m1.exeReversingLabs: Detection: 76%
                        Source: EQxFL1u3m1.exeString found in binary or memory: HasSubValue3Conflicting item/add type
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeFile read: C:\Users\user\Desktop\EQxFL1u3m1.exeJump to behavior
                        Source: unknownProcess created: C:\Users\user\Desktop\EQxFL1u3m1.exe "C:\Users\user\Desktop\EQxFL1u3m1.exe"
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
                        Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess created: C:\Windows\System32\SubDir\Client.exe "C:\Windows\system32\SubDir\Client.exe"
                        Source: unknownProcess created: C:\Windows\System32\SubDir\Client.exe C:\Windows\system32\SubDir\Client.exe
                        Source: C:\Windows\System32\SubDir\Client.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
                        Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /fJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess created: C:\Windows\System32\SubDir\Client.exe "C:\Windows\system32\SubDir\Client.exe"Jump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /fJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeSection loaded: ntmarta.dllJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: dnsapi.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: rasadhlp.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: fwpuclnt.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: schannel.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: mskeyprotect.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: ntasn1.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: ncrypt.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: ncryptsslp.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: cryptnet.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: winnsi.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: winhttp.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: dhcpcsvc6.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: dhcpcsvc.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: webio.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: cabinet.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: rasapi32.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: rasman.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: rtutils.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                        Source: EQxFL1u3m1.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: EQxFL1u3m1.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                        Source: EQxFL1u3m1.exeStatic file information: File size 3266048 > 1048576
                        Source: EQxFL1u3m1.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x31c600
                        Source: EQxFL1u3m1.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeCode function: 0_2_00007FF848F100BD pushad ; iretd 0_2_00007FF848F100C1
                        Source: C:\Windows\System32\SubDir\Client.exeCode function: 4_2_00007FF848E2D2A5 pushad ; iretd 4_2_00007FF848E2D2A6
                        Source: C:\Windows\System32\SubDir\Client.exeCode function: 4_2_00007FF848F42C10 push eax; iretd 4_2_00007FF848F42C4D
                        Source: C:\Windows\System32\SubDir\Client.exeCode function: 4_2_00007FF848F400BD pushad ; iretd 4_2_00007FF848F400C1
                        Source: C:\Windows\System32\SubDir\Client.exeCode function: 4_2_00007FF8491B33A0 push eax; ret 4_2_00007FF8491B340C
                        Source: C:\Windows\System32\SubDir\Client.exeCode function: 4_2_00007FF8491CDBB0 push ss; retn FFD7h4_2_00007FF8491CDD1F
                        Source: C:\Windows\System32\SubDir\Client.exeCode function: 4_2_00007FF8492D2362 push edx; retf 5F1Dh4_2_00007FF8492D5A3B
                        Source: C:\Windows\System32\SubDir\Client.exeCode function: 5_2_00007FF848F100BD pushad ; iretd 5_2_00007FF848F100C1

                        Persistence and Installation Behavior

                        barindex
                        Drops executables to the windows directory (C:\Windows) and starts them
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeExecutable created and started: C:\Windows\system32\SubDir\Client.exeJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeFile created: C:\Windows\System32\SubDir\Client.exeJump to dropped file
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeFile created: C:\Windows\System32\SubDir\Client.exeJump to dropped file

                        Boot Survival

                        barindex
                        Uses schtasks.exe or at.exe to add and modify task schedules
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f

                        Hooking and other Techniques for Hiding and Protection

                        barindex
                        Hides that the sample has been downloaded from the Internet (zone.identifier)
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeFile opened: C:\Users\user\Desktop\EQxFL1u3m1.exe:Zone.Identifier read attributes | deleteJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeFile opened: C:\Windows\system32\SubDir\Client.exe:Zone.Identifier read attributes | deleteJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeFile opened: C:\Windows\system32\SubDir\Client.exe:Zone.Identifier read attributes | deleteJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeMemory allocated: 1130000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeMemory allocated: 1AD60000 memory reserve | memory write watchJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeMemory allocated: 2CB0000 memory reserve | memory write watchJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeMemory allocated: 1AF70000 memory reserve | memory write watchJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeMemory allocated: 2710000 memory reserve | memory write watchJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeMemory allocated: 1A8F0000 memory reserve | memory write watchJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeCode function: 4_2_00007FF848F4F1F2 str ax4_2_00007FF848F4F1F2
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeWindow / User API: threadDelayed 1937Jump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeWindow / User API: threadDelayed 7800Jump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exe TID: 2992Thread sleep time: -922337203685477s >= -30000sJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exe TID: 2952Thread sleep time: -24903104499507879s >= -30000sJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exe TID: 428Thread sleep count: 1937 > 30Jump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exe TID: 428Thread sleep count: 7800 > 30Jump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exe TID: 6604Thread sleep time: -30000s >= -30000sJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exe TID: 5612Thread sleep time: -922337203685477s >= -30000sJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
                        Source: C:\Windows\System32\SubDir\Client.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
                        Source: C:\Windows\System32\SubDir\Client.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: Client.exe, 00000004.00000002.3295053906.000000001B8E2000.00000004.00000020.00020000.00000000.sdmp, Client.exe, 00000004.00000002.3295978291.000000001BD1C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeMemory allocated: page read and write | page guardJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /fJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeProcess created: C:\Windows\System32\SubDir\Client.exe "C:\Windows\system32\SubDir\Client.exe"Jump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /fJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeQueries volume information: C:\Users\user\Desktop\EQxFL1u3m1.exe VolumeInformationJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeQueries volume information: C:\Windows\System32\SubDir\Client.exe VolumeInformationJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\SubDir\Client.exeQueries volume information: C:\Windows\System32\SubDir\Client.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\EQxFL1u3m1.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                        Stealing of Sensitive Information

                        barindex
                        Yara detected Quasar RAT
                        Source: Yara matchFile source: EQxFL1u3m1.exe, type: SAMPLE
                        Source: Yara matchFile source: 0.0.EQxFL1u3m1.exe.6e0000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000006.00000002.2055412636.000000938B5C9000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000002.2043773340.000001BD327A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000002.2043805988.000001BD32800000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000002.2043662966.000000251EAB9000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.2055538186.000001ADFB540000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.2055605743.000001ADFB7F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000000.2024885502.0000000000A00000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.2055538186.000001ADFB548000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000002.2043773340.000001BD327A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000002.2043805988.000001BD3280F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.2055605743.000001ADFB7F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.3285335572.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.3285335572.0000000002FA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.2045178307.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000005.00000002.2069772715.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000000.2024569386.00000000006E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: EQxFL1u3m1.exe PID: 3128, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: schtasks.exe PID: 2124, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: Client.exe PID: 2272, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: Client.exe PID: 3372, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: schtasks.exe PID: 736, type: MEMORYSTR
                        Source: Yara matchFile source: C:\Windows\System32\SubDir\Client.exe, type: DROPPED

                        Remote Access Functionality

                        barindex
                        Yara detected Quasar RAT
                        Source: Yara matchFile source: EQxFL1u3m1.exe, type: SAMPLE
                        Source: Yara matchFile source: 0.0.EQxFL1u3m1.exe.6e0000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000006.00000002.2055412636.000000938B5C9000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000002.2043773340.000001BD327A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000002.2043805988.000001BD32800000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000002.2043662966.000000251EAB9000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.2055538186.000001ADFB540000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.2055605743.000001ADFB7F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000000.2024885502.0000000000A00000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.2055538186.000001ADFB548000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000002.2043773340.000001BD327A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000002.2043805988.000001BD3280F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.2055605743.000001ADFB7F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.3285335572.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.3285335572.0000000002FA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.2045178307.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000005.00000002.2069772715.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000000.2024569386.00000000006E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: EQxFL1u3m1.exe PID: 3128, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: schtasks.exe PID: 2124, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: Client.exe PID: 2272, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: Client.exe PID: 3372, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: schtasks.exe PID: 736, type: MEMORYSTR
                        Source: Yara matchFile source: C:\Windows\System32\SubDir\Client.exe, type: DROPPED

                        Mitre Att&ck Matrix

                        ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                        Gather Victim Identity InformationAcquire InfrastructureValid Accounts21
                        Windows Management Instrumentation                        		1
                        Scheduled Task/Job                        		11
                        Process Injection                        		121
                        Masquerading                        		11
                        Input Capture                        		111
                        Security Software Discovery                        		Remote Services11
                        Input Capture                        		11
                        Encrypted Channel                        		Exfiltration Over Other Network MediumAbuse Accessibility Features
                        CredentialsDomainsDefault Accounts2
                        Command and Scripting Interpreter                        		1
                        DLL Side-Loading                        		1
                        Scheduled Task/Job                        		1
                        Disable or Modify Tools                        		LSASS Memory51
                        Virtualization/Sandbox Evasion                        		Remote Desktop Protocol1
                        Archive Collected Data                        		1
                        Ingress Tool Transfer                        		Exfiltration Over BluetoothNetwork Denial of Service
                        Email AddressesDNS ServerDomain Accounts1
                        Scheduled Task/Job                        		Logon Script (Windows)1
                        DLL Side-Loading                        		51
                        Virtualization/Sandbox Evasion                        		Security Account Manager1
                        Application Window Discovery                        		SMB/Windows Admin SharesData from Network Shared Drive2
                        Non-Application Layer Protocol                        		Automated ExfiltrationData Encrypted for Impact
                        Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
                        Process Injection                        		NTDS23
                        System Information Discovery                        		Distributed Component Object ModelInput Capture113
                        Application Layer Protocol                        		Traffic DuplicationData Destruction
                        Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                        Hidden Files and Directories                        		LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                        Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                        Obfuscated Files or Information                        		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                        DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                        DLL Side-Loading                        		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

                        Behavior Graph

                        Hide Legend

                        Legend:

                        • Process
                        • Signature
                        • Created File
                        • DNS/IP Info
                        • Is Dropped
                        • Is Windows Process
                        • Number of created Registry Values
                        • Number of created Files
                        • Visual Basic
                        • Delphi
                        • Java
                        • .Net C# or VB.NET
                        • C, C++ or other language
                        • Is malicious
                        • Internet
                        behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1431045 Sample: EQxFL1u3m1.exe Startdate: 24/04/2024 Architecture: WINDOWS Score: 100 29 xm.wintk.vip 2->29 31 ipwho.is 2->31 33 bg.microsoft.map.fastly.net 2->33 47 Snort IDS alert for network traffic 2->47 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 7 other signatures 2->53 9 EQxFL1u3m1.exe 5 2->9         started        13 Client.exe 3 2->13         started        signatures3 process4 file5 27 C:\Windows\System32\SubDir\Client.exe, PE32 9->27 dropped 55 Drops executables to the windows directory (C:\Windows) and starts them 9->55 57 Uses schtasks.exe or at.exe to add and modify task schedules 9->57 59 Hides that the sample has been downloaded from the Internet (zone.identifier) 9->59 15 Client.exe 14 2 9->15         started        19 schtasks.exe 1 9->19         started        signatures6 process7 dnsIp8 35 xm.wintk.vip 192.144.128.196, 1994, 49705 CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa China 15->35 37 ipwho.is 108.181.47.111, 443, 49707 ASN852CA Canada 15->37 39 Antivirus detection for dropped file 15->39 41 Multi AV Scanner detection for dropped file 15->41 43 Machine Learning detection for dropped file 15->43 45 2 other signatures 15->45 21 schtasks.exe 1 15->21         started        23 conhost.exe 19->23         started        signatures9 process10 process11 25 conhost.exe 21->25         started       

                        Screenshots

                        Thumbnails

                        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                        windows-stand

                        Antivirus, Machine Learning and Genetic Malware Detection

                        Initial Sample

                        SourceDetectionScannerLabelLink
                        EQxFL1u3m1.exe76%ReversingLabsByteCode-MSIL.Trojan.Quasar
                        EQxFL1u3m1.exe100%AviraHEUR/AGEN.1307453
                        EQxFL1u3m1.exe100%Joe Sandbox ML

                        Dropped Files

                        SourceDetectionScannerLabelLink
                        C:\Windows\System32\SubDir\Client.exe100%AviraHEUR/AGEN.1307453
                        C:\Windows\System32\SubDir\Client.exe100%Joe Sandbox ML
                        C:\Windows\System32\SubDir\Client.exe76%ReversingLabsByteCode-MSIL.Trojan.Quasar

                        Unpacked PE Files

                        No Antivirus matches

                        Domains

                        No Antivirus matches

                        URLs

                        SourceDetectionScannerLabelLink
                        https://ipwho.is/0%URL Reputationsafe
                        http://schemas.datacontract.org/2004/07/0%URL Reputationsafe
                        http://crl.v0%URL Reputationsafe
                        xm.wintk.vip0%Avira URL Cloudsafe
                        http://ipwho.is0%Avira URL Cloudsafe
                        https://ipwho.is0%Avira URL Cloudsafe

                        Domains and IPs

                        Contacted Domains

                        NameIPActiveMaliciousAntivirus DetectionReputation
                        bg.microsoft.map.fastly.net
                        		199.232.214.172
                        		truefalse
                          		unknown
                          ipwho.is
                          		108.181.47.111
                          		truefalse
                            		unknown
                            xm.wintk.vip
                            		192.144.128.196
                            		truetrue
                              		unknown

                              Contacted URLs

                              NameMaliciousAntivirus DetectionReputation
                              xm.wintk.viptrue
                              • Avira URL Cloud: safe
                              		unknown
                              https://ipwho.is/false
                              • URL Reputation: safe
                              		unknown

                              URLs from Memory and Binaries

                              NameSourceMaliciousAntivirus DetectionReputation
                              https://api.ipify.org/EQxFL1u3m1.exe, Client.exe.0.drfalse
                                		high
                                https://stackoverflow.com/q/14436606/23354EQxFL1u3m1.exe, Client.exe.0.drfalse
                                  		high
                                  https://stackoverflow.com/q/2152978/23354sCannotEQxFL1u3m1.exe, Client.exe.0.drfalse
                                    		high
                                    http://schemas.datacontract.org/2004/07/Client.exe, 00000004.00000002.3285335572.00000000033A4000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameEQxFL1u3m1.exe, 00000000.00000002.2045178307.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000004.00000002.3285335572.0000000002FA9000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://crl.vClient.exe, 00000004.00000002.3295978291.000000001BBF0000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://ipwho.isClient.exe, 00000004.00000002.3285335572.0000000003355000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      https://stackoverflow.com/q/11564914/23354;EQxFL1u3m1.exe, Client.exe.0.drfalse
                                        		high
                                        https://ipwho.isClient.exe, 00000004.00000002.3285335572.000000000333B000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown

                                        World Map of Contacted IPs

                                        • No. of IPs < 25%
                                        • 25% < No. of IPs < 50%
                                        • 50% < No. of IPs < 75%
                                        • 75% < No. of IPs

                                        Public IPs

                                        IPDomainCountryFlagASNASN NameMalicious
                                        192.144.128.196
                                        		xm.wintk.vipChina
                                        		45090CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompatrue
                                        108.181.47.111
                                        		ipwho.isCanada
                                        		852ASN852CAfalse

                                        General Information

                                        Joe Sandbox version:40.0.0 Tourmaline
                                        Analysis ID:1431045
                                        Start date and time:2024-04-24 13:51:11 +02:00
                                        Joe Sandbox product:CloudBasic
                                        Overall analysis duration:0h 6m 46s
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                        Number of analysed new started processes analysed:10
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Sample name:EQxFL1u3m1.exe
                                        renamed because original name is a hash value
                                        Original Sample Name:92C93C0F3D586D4F26865F78C91C7200.exe
                                        Detection:MAL
                                        Classification:mal100.troj.spyw.evad.winEXE@10/5@2/2
                                        EGA Information:
                                        • Successful, ratio: 66.7%
                                        HCA Information:
                                        • Successful, ratio: 91%
                                        • Number of executed functions: 60
                                        • Number of non-executed functions: 2
                                        Cookbook Comments:
                                        • Found application associated with file extension: .exe

                                        Warnings

                                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                        • Excluded IPs from analysis (whitelisted): 199.232.214.172
                                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                                        • Execution Graph export aborted for target Client.exe, PID 3372 because it is empty
                                        • Not all processes where analyzed, report is missing behavior information
                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                                        • VT rate limit hit for: EQxFL1u3m1.exe

                                        Simulations

                                        Behavior and APIs

                                        TimeTypeDescription
                                        13:52:02Task SchedulerRun new task: Quasar Client Startup path: C:\Windows\system32\SubDir\Client.exe
                                        13:52:04API Interceptor4288084x Sleep call for process: Client.exe modified

                                        Joe Sandbox View / Context

                                        IPs

                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        108.181.47.111NatureSetup.exeGet hashmaliciousUnknownBrowse
                                        • ipwho.is/
                                        NatureSetup.exeGet hashmaliciousUnknownBrowse
                                        • ipwho.is/
                                        Fortnite_CHEAT_CRACKED.exeGet hashmaliciousUnknownBrowse
                                        • ipwhois.app/xml/

                                        Domains

                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        ipwho.ishttps://uqgekpc20qn1.azureedge.net/6466/Get hashmaliciousTechSupportScamBrowse
                                        • 108.181.47.111
                                        KxgGGaiW3E.exeGet hashmaliciousQuasarBrowse
                                        • 15.204.213.5
                                        YZPS3Bfyza.exeGet hashmaliciousQuasarBrowse
                                        • 15.204.213.5
                                        YZPS3Bfyza.exeGet hashmaliciousQuasarBrowse
                                        • 15.204.213.5
                                        https://tom19-secondary.z15.web.core.windows.net/werrx01USAHTML/?bcda=+1-888-289-1419Get hashmaliciousTechSupportScamBrowse
                                        • 15.204.213.5
                                        https://ozluc01lyejozbbzmr.pages.dev/smart89/Get hashmaliciousUnknownBrowse
                                        • 15.204.213.5
                                        https://yzkgxjyz0y4417anol.pages.dev/smart89/Get hashmaliciousUnknownBrowse
                                        • 15.204.213.5
                                        https://new1256.z1.web.core.windows.net/Get hashmaliciousUnknownBrowse
                                        • 15.204.213.5
                                        fP4kybhBWi.exeGet hashmaliciousQuasarBrowse
                                        • 15.204.213.5
                                        https://bj8lt4fm8evwyl.pages.dev/smart89/Get hashmaliciousUnknownBrowse
                                        • 15.204.213.5
                                        bg.microsoft.map.fastly.nethttps://bafybeialjrwo2ct3n2glolpm3zfawtv73xej3opbbgjsfewkonoew4x5xe.ipfs.cf-ipfs.com/?sourceId=ukcompanyformations@vistra.comGet hashmaliciousUnknownBrowse
                                        • 199.232.210.172
                                        http://stake.libertariancounterpoint.comGet hashmaliciousUnknownBrowse
                                        • 199.232.214.172
                                        http://www.clinical-partners.co.ukGet hashmaliciousUnknownBrowse
                                        • 199.232.214.172
                                        https://www.maultalk.com/url.php?to=https://www.serserijeans.com/gdy9haBM2BM2Fe5rss3RhBM2i2Pdk17x0qvi2PFe5nnaai2PrpWO3rk17dy9s3RWO3BM2Get hashmaliciousUnknownBrowse
                                        • 199.232.214.172
                                        http://stake.libertariancounterpoint.comGet hashmaliciousUnknownBrowse
                                        • 199.232.214.172
                                        http://awhauchoa.netGet hashmaliciousUnknownBrowse
                                        • 199.232.214.172
                                        Payment MT103.xlsGet hashmaliciousUnknownBrowse
                                        • 199.232.214.172
                                        G4-TODOS.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                        • 199.232.214.172
                                        Reconfirm Details.vbsGet hashmaliciousAgentTeslaBrowse
                                        • 199.232.210.172
                                        http://rum.browser-intake-foxbusiness.com:443Get hashmaliciousUnknownBrowse
                                        • 199.232.214.172

                                        ASNs

                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa#U5c97#U4f4d#U8865#U52a9#U5236#U5ea6.docx.docGet hashmaliciousUnknownBrowse
                                        • 120.53.134.123
                                        xzk9TKqNoI.elfGet hashmaliciousMiraiBrowse
                                        • 111.230.96.254
                                        sora.x86.elfGet hashmaliciousMiraiBrowse
                                        • 150.158.166.53
                                        jdsfl.arm.elfGet hashmaliciousMiraiBrowse
                                        • 193.112.146.11
                                        tajma.x86-20240421-1027.elfGet hashmaliciousMirai, OkiruBrowse
                                        • 49.236.55.124
                                        cH0s914NeF.exeGet hashmaliciousCobaltStrikeBrowse
                                        • 118.89.125.171
                                        BzmhHwFpCV.elfGet hashmaliciousMiraiBrowse
                                        • 150.158.129.2
                                        SecuriteInfo.com.Trojan.Siggen17.35688.9477.7627.exeGet hashmaliciousPoisonivyBrowse
                                        • 139.199.218.80
                                        SecuriteInfo.com.Trojan.Siggen17.35688.9477.7627.exeGet hashmaliciousUnknownBrowse
                                        • 139.199.218.80
                                        #U5458#U5de5#U8865#U52a9#U6d41#U7a0b.docx.docGet hashmaliciousUnknownBrowse
                                        • 120.53.134.123
                                        ASN852CAhttps://uqgekpc20qn1.azureedge.net/6466/Get hashmaliciousTechSupportScamBrowse
                                        • 108.181.47.111
                                        sora.arm7.elfGet hashmaliciousMiraiBrowse
                                        • 142.179.253.81
                                        caA474oBY2.elfGet hashmaliciousMiraiBrowse
                                        • 75.159.63.17
                                        CEPceaWQyI.elfGet hashmaliciousUnknownBrowse
                                        • 75.157.226.155
                                        g2PqnVy6cQ.elfGet hashmaliciousMirai, OkiruBrowse
                                        • 154.20.194.161
                                        b3astmode.x86.elfGet hashmaliciousUnknownBrowse
                                        • 207.81.70.31
                                        dugw41p62T.elfGet hashmaliciousMiraiBrowse
                                        • 154.5.112.19
                                        Y98pGn3FUt.elfGet hashmaliciousMiraiBrowse
                                        • 142.41.252.240
                                        https://pusha1qsn.z13.web.core.windows.net/Get hashmaliciousTechSupportScamBrowse
                                        • 108.181.98.179
                                        Q2bIN963Kt.elfGet hashmaliciousMirai, OkiruBrowse
                                        • 155.11.211.14

                                        JA3 Fingerprints

                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        3b5074b1b5d032e5620f69f9f700ff0eMt#879161_YAT_ORER_AY27102_3017182_2LAP183.exeGet hashmaliciousPureLog Stealer, zgRATBrowse
                                        • 108.181.47.111
                                        http://stake.libertariancounterpoint.comGet hashmaliciousUnknownBrowse
                                        • 108.181.47.111
                                        https://stake.libertariancounterpoint.com/+6N67YCBGYSfgUDfzZBWz4mBQM+X0RyGi80NjJ/FF4eJwViQGet hashmaliciousUnknownBrowse
                                        • 108.181.47.111
                                        Spare part list.pdf.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                        • 108.181.47.111
                                        https://funcallback.comGet hashmaliciousUnknownBrowse
                                        • 108.181.47.111
                                        ProSheets.msiGet hashmaliciousUnknownBrowse
                                        • 108.181.47.111
                                        QUOTATION_APRQTRA031244#U00b7PDF.scr.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                        • 108.181.47.111
                                        DHL EXPRESS.exeGet hashmaliciousAgentTeslaBrowse
                                        • 108.181.47.111
                                        Zapytanie ofertowe Fl#U00e4ktGroup 04232024.htaGet hashmaliciousAgentTesla, GuLoaderBrowse
                                        • 108.181.47.111
                                        DEKONT.exeGet hashmaliciousPureLog Stealer, Snake KeyloggerBrowse
                                        • 108.181.47.111

                                        Dropped Files

                                        No context

                                        Created / dropped Files

                                        C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

                                        Download File
                                        Process:C:\Windows\System32\SubDir\Client.exe
                                        File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                        Category:dropped
                                        Size (bytes):69993
                                        Entropy (8bit):7.99584879649948
                                        Encrypted:true
                                        SSDEEP:1536:iMveRG6BWC7T2g1wGUa5QUoaIB9ttiFJG+AOQOXl0Usvwr:feRG6BX6gUaHo9tkBHiUewr
                                        MD5:29F65BA8E88C063813CC50A4EA544E93
                                        SHA1:05A7040D5C127E68C25D81CC51271FFB8BEF3568
                                        SHA-256:1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184
                                        SHA-512:E29B2E92C496245BED3372578074407E8EF8882906CE10C35B3C8DEEBFEFE01B5FD7F3030ACAA693E175F4B7ACA6CD7D8D10AE1C731B09C5FA19035E005DE3AA
                                        Malicious:false
                                        Reputation:moderate, very likely benign file
                                        Preview:MSCF....i.......,...................I.................oXAy .authroot.stl.Ez..Q6..CK..<Tk...p.k..1...3...[..%Y.f..."K.6)..[*I.hOB."..rK.RQ*..}f..f...}....9.|.....gA...30.,O2L...0..%.U...U.t.....`dqM2.x..t...<(uad.c...x5V.x..t..agd.v......i...KD..q(. ...JJ......#..'=. ...3.x...}...+T.K..!.'.`w .!.x.r.......YafhG..O.3....'P[..'.D../....n..t....R<..=\E7L0?{..T.f...ID...,...r....3z..O/.b.Iwx.. .o...a\.s........."..'.......<;s.[...l...6.)ll..B.P.....k.... k0.".t!/.,........{...P8....B..0(.. .Q.....d...q,\.$.n.Q.\.p...R..:.hr./..8.S<a.s...+#3....D..h1.a.0....{.9.....:e.......n.~G.{.M.1..OU.....B.Q..y_>.P{...}i.=.a..QQT.U..|!.pyCD@.....l..70..w..)...W^.`l...%Y.\................i..=hYV.O8W@P.=.r.=..1m..1....)\.p..|.c.3..t..[...).....l.{.Y....\S.....y....[.mCt....Js;...H....Q..F.....g.O...[..A.=...F[..z....k...mo.lW{`....O...T.g.Y.Uh.;m.'.N..f..}4..9i..t4p_bI..`.....Ie..l.P.... ...Lg......[....5g...~D.s.h'>n.m.c.7...-..P.gG...i$...v.m.b[.yO.P/*.YH.

                                        C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

                                        Download File
                                        Process:C:\Windows\System32\SubDir\Client.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):330
                                        Entropy (8bit):3.2194208623604657
                                        Encrypted:false
                                        SSDEEP:6:kKdFXSlEN+SkQlPlEGYRMY9z+4KlDA3RUeVlWI/Vt:vSlbkPlE99SNxAhUeVLVt
                                        MD5:19DE9DE82E0AB35A80CF7CCFE0AF3C4F
                                        SHA1:A47E4E92C3133EB295FE575DC79CAC593E4EE1FD
                                        SHA-256:F2B48E65CBEC7E791C1347E24BC949587948880C94727F6A978BC43AD279985C
                                        SHA-512:C92FFCBAD4A489E1F7FDFFD02334D3C9639E7216C66C9A101D376FBC7B6564E25A8639D143E8922F6AEB615B03F2B896A3DF3D1129F9E8E2E9D2F4314B3F1CBD
                                        Malicious:false
                                        Reputation:low
                                        Preview:p...... .......... :>...(....................................................... ........M.........(.....wl....i...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".b.3.6.8.5.3.8.5.a.4.7.f.d.a.1.:.0."...

                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

                                        Download File
                                        Process:C:\Windows\System32\SubDir\Client.exe
                                        File Type:CSV text
                                        Category:dropped
                                        Size (bytes):1281
                                        Entropy (8bit):5.370111951859942
                                        Encrypted:false
                                        SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                                        MD5:12C61586CD59AA6F2A21DF30501F71BD
                                        SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                                        SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                                        SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                                        Malicious:false
                                        Reputation:moderate, very likely benign file
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\EQxFL1u3m1.exe.log

                                        Download File
                                        Process:C:\Users\user\Desktop\EQxFL1u3m1.exe
                                        File Type:CSV text
                                        Category:dropped
                                        Size (bytes):1281
                                        Entropy (8bit):5.370111951859942
                                        Encrypted:false
                                        SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                                        MD5:12C61586CD59AA6F2A21DF30501F71BD
                                        SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                                        SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                                        SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                                        Malicious:false
                                        Reputation:moderate, very likely benign file
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

                                        C:\Windows\System32\SubDir\Client.exe

                                        Download File
                                        Process:C:\Users\user\Desktop\EQxFL1u3m1.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):3266048
                                        Entropy (8bit):6.083429142923717
                                        Encrypted:false
                                        SSDEEP:49152:rv2I22SsaNYfdPBldt698dBcjHMkxNESEVk/iELoGdB7JTHHB72eh2NT:rvb22SsaNYfdPBldt6+dBcjHvxgK
                                        MD5:92C93C0F3D586D4F26865F78C91C7200
                                        SHA1:ACFAF4714BD8DC1F784275A8A513A1E4C1A2DE12
                                        SHA-256:C305DC9E2DE49FECFF28D19FACEE4E30FC568CBD04594F328C60301B1744387D
                                        SHA-512:9198DD61F07EC9AC01816C57C3925E16C65687DF38AEEB8FA21C7E9AAA9A2011269A5023AC66FA4C0BE2185744F530C38B618196DB063ACD1582E3CFCC460CB5
                                        Malicious:true
                                        Yara Hits:
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Windows\System32\SubDir\Client.exe, Author: Joe Security
                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Windows\System32\SubDir\Client.exe, Author: Joe Security
                                        • Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Windows\System32\SubDir\Client.exe, Author: Florian Roth
                                        • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Windows\System32\SubDir\Client.exe, Author: ditekSHen
                                        • Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: C:\Windows\System32\SubDir\Client.exe, Author: ditekshen
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 76%
                                        Reputation:low
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..................1...........1.. ........@.. .......................@2...........@...................................1.K.....2...................... 2...................................................... ............... ..H............text.....1.. ....1................. ..`.rsrc.........2.......1.............@..@.reloc....... 2.......1.............@..B..................1.....H........................k..p............................................0..M....... ....(.....(...........s....(....(...........s....o....(.....(....s....(....*....0..8.......(....(0....s....%.o....%.o....%.o....(....&..&...(.....*........--..........00.......0..@........o....,7(....(0....s....%.o....%.o....%.o....(....&..&...(.....*........-5..........08......f~w...,.~....(....(....*.*v.(.....s....}.....s....}....*r..(......(.....(......(....*....0..L........{....r...po....

                                        Static File Info

                                        General

                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):6.083429142923717
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                        • Win32 Executable (generic) a (10002005/4) 49.75%
                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                        • Windows Screen Saver (13104/52) 0.07%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        File name:EQxFL1u3m1.exe
                                        File size:3'266'048 bytes
                                        MD5:92c93c0f3d586d4f26865f78c91c7200
                                        SHA1:acfaf4714bd8dc1f784275a8a513a1e4c1a2de12
                                        SHA256:c305dc9e2de49fecff28d19facee4e30fc568cbd04594f328c60301b1744387d
                                        SHA512:9198dd61f07ec9ac01816c57c3925e16c65687df38aeeb8fa21c7e9aaa9a2011269a5023ac66fa4c0be2185744f530c38b618196db063acd1582e3cfcc460cb5
                                        SSDEEP:49152:rv2I22SsaNYfdPBldt698dBcjHMkxNESEVk/iELoGdB7JTHHB72eh2NT:rvb22SsaNYfdPBldt6+dBcjHvxgK
                                        TLSH:36E55B143BF85F23E1BBE27395B0041667F0EC2AB3A3EB1B1191677E1C53B5059426AB
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..................1...........1.. ........@.. .......................@2...........@................................

                                        File Icon

                                        Icon Hash:00928e8e8686b000

                                        Static PE Info

                                        General

                                        Entrypoint:0x71e3fe
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                        Time Stamp:0x640DFAE7 [Sun Mar 12 16:16:39 2023 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                        Entrypoint Preview

                                        Instruction
                                        jmp dword ptr [00402000h]
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al

                                        Data Directories

                                        NameVirtual AddressVirtual Size Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                        IMAGE_DIRECTORY_ENTRY_IMPORT0x31e3b00x4b.text
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE0x3200000xa93.rsrc
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC0x3220000xc.reloc
                                        IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                        IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                        Sections

                                        NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                        .text0x20000x31c4040x31c600ebf56641ef33874b06163baedd92889bunknownunknownunknownunknownIMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                        .rsrc0x3200000xa930xc00cdeae95ac72e9e58017d2bcc89d2fbeaFalse0.36328125data4.653972105845318IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .reloc0x3220000xc0x200e7d4f7d5c6a56813a995215f35c1a9ceFalse0.041015625data0.08153941234324169IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                        Resources

                                        NameRVASizeTypeLanguageCountryZLIB Complexity
                                        RT_VERSION0x3200a00x31cdata0.4484924623115578
                                        RT_MANIFEST0x3203bc0x6d7XML 1.0 document, Unicode text, UTF-8 (with BOM) text0.40319817247287265

                                        Imports

                                        DLLImport
                                        mscoree.dll_CorExeMain

                                        Network Behavior

                                        Snort IDS Alerts

                                        TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                        04/24/24-13:52:05.675283TCP2035595ET TROJAN Generic AsyncRAT Style SSL Cert199449705192.144.128.196192.168.2.5

                                        Network Port Distribution

                                        TCP Packets

                                        TimestampSource PortDest PortSource IPDest IP
                                        Apr 24, 2024 13:52:05.000081062 CEST497051994192.168.2.5192.144.128.196
                                        Apr 24, 2024 13:52:05.321408987 CEST199449705192.144.128.196192.168.2.5
                                        Apr 24, 2024 13:52:05.321557045 CEST497051994192.168.2.5192.144.128.196
                                        Apr 24, 2024 13:52:05.346040964 CEST497051994192.168.2.5192.144.128.196
                                        Apr 24, 2024 13:52:05.675282955 CEST199449705192.144.128.196192.168.2.5
                                        Apr 24, 2024 13:52:05.675301075 CEST199449705192.144.128.196192.168.2.5
                                        Apr 24, 2024 13:52:05.675364017 CEST497051994192.168.2.5192.144.128.196
                                        Apr 24, 2024 13:52:05.678416967 CEST497051994192.168.2.5192.144.128.196
                                        Apr 24, 2024 13:52:05.995099068 CEST199449705192.144.128.196192.168.2.5
                                        Apr 24, 2024 13:52:06.041503906 CEST497051994192.168.2.5192.144.128.196
                                        Apr 24, 2024 13:52:07.147100925 CEST49707443192.168.2.5108.181.47.111
                                        Apr 24, 2024 13:52:07.147161007 CEST44349707108.181.47.111192.168.2.5
                                        Apr 24, 2024 13:52:07.147238016 CEST49707443192.168.2.5108.181.47.111
                                        Apr 24, 2024 13:52:07.148504972 CEST49707443192.168.2.5108.181.47.111
                                        Apr 24, 2024 13:52:07.148524046 CEST44349707108.181.47.111192.168.2.5
                                        Apr 24, 2024 13:52:07.672933102 CEST44349707108.181.47.111192.168.2.5
                                        Apr 24, 2024 13:52:07.673007011 CEST49707443192.168.2.5108.181.47.111
                                        Apr 24, 2024 13:52:07.678807020 CEST49707443192.168.2.5108.181.47.111
                                        Apr 24, 2024 13:52:07.678822041 CEST44349707108.181.47.111192.168.2.5
                                        Apr 24, 2024 13:52:07.679267883 CEST44349707108.181.47.111192.168.2.5
                                        Apr 24, 2024 13:52:07.716845036 CEST49707443192.168.2.5108.181.47.111
                                        Apr 24, 2024 13:52:07.764115095 CEST44349707108.181.47.111192.168.2.5
                                        Apr 24, 2024 13:52:07.889170885 CEST44349707108.181.47.111192.168.2.5
                                        Apr 24, 2024 13:52:07.889336109 CEST44349707108.181.47.111192.168.2.5
                                        Apr 24, 2024 13:52:07.889403105 CEST49707443192.168.2.5108.181.47.111
                                        Apr 24, 2024 13:52:07.998970985 CEST49707443192.168.2.5108.181.47.111
                                        Apr 24, 2024 13:52:08.423952103 CEST497051994192.168.2.5192.144.128.196
                                        Apr 24, 2024 13:52:08.794181108 CEST199449705192.144.128.196192.168.2.5
                                        Apr 24, 2024 13:52:08.794238091 CEST497051994192.168.2.5192.144.128.196
                                        Apr 24, 2024 13:52:09.110608101 CEST199449705192.144.128.196192.168.2.5
                                        Apr 24, 2024 13:52:09.150955915 CEST497051994192.168.2.5192.144.128.196
                                        Apr 24, 2024 13:52:09.469530106 CEST199449705192.144.128.196192.168.2.5
                                        Apr 24, 2024 13:52:09.510286093 CEST497051994192.168.2.5192.144.128.196
                                        Apr 24, 2024 13:52:34.479104042 CEST497051994192.168.2.5192.144.128.196
                                        Apr 24, 2024 13:52:34.792516947 CEST199449705192.144.128.196192.168.2.5
                                        Apr 24, 2024 13:52:34.824603081 CEST199449705192.144.128.196192.168.2.5
                                        Apr 24, 2024 13:52:34.824718952 CEST497051994192.168.2.5192.144.128.196
                                        Apr 24, 2024 13:52:59.807537079 CEST497051994192.168.2.5192.144.128.196
                                        Apr 24, 2024 13:53:00.128519058 CEST199449705192.144.128.196192.168.2.5
                                        Apr 24, 2024 13:53:00.150732040 CEST199449705192.144.128.196192.168.2.5
                                        Apr 24, 2024 13:53:00.150857925 CEST497051994192.168.2.5192.144.128.196
                                        Apr 24, 2024 13:53:25.135349035 CEST497051994192.168.2.5192.144.128.196
                                        Apr 24, 2024 13:53:25.456588984 CEST199449705192.144.128.196192.168.2.5
                                        Apr 24, 2024 13:53:25.469202995 CEST199449705192.144.128.196192.168.2.5
                                        Apr 24, 2024 13:53:25.469252110 CEST497051994192.168.2.5192.144.128.196
                                        Apr 24, 2024 13:53:50.463484049 CEST497051994192.168.2.5192.144.128.196
                                        Apr 24, 2024 13:53:50.776959896 CEST199449705192.144.128.196192.168.2.5
                                        Apr 24, 2024 13:53:50.777012110 CEST497051994192.168.2.5192.144.128.196
                                        Apr 24, 2024 13:53:50.785785913 CEST199449705192.144.128.196192.168.2.5

                                        UDP Packets

                                        TimestampSource PortDest PortSource IPDest IP
                                        Apr 24, 2024 13:52:04.798110962 CEST5232853192.168.2.51.1.1.1
                                        Apr 24, 2024 13:52:04.988682032 CEST53523281.1.1.1192.168.2.5
                                        Apr 24, 2024 13:52:06.973062038 CEST6245553192.168.2.51.1.1.1
                                        Apr 24, 2024 13:52:07.143213987 CEST53624551.1.1.1192.168.2.5

                                        DNS Queries

                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                        Apr 24, 2024 13:52:04.798110962 CEST192.168.2.51.1.1.10xd0a0Standard query (0)xm.wintk.vipA (IP address)IN (0x0001)false
                                        Apr 24, 2024 13:52:06.973062038 CEST192.168.2.51.1.1.10x97b8Standard query (0)ipwho.isA (IP address)IN (0x0001)false

                                        DNS Answers

                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                        Apr 24, 2024 13:52:04.988682032 CEST1.1.1.1192.168.2.50xd0a0No error (0)xm.wintk.vip192.144.128.196A (IP address)IN (0x0001)false
                                        Apr 24, 2024 13:52:06.266897917 CEST1.1.1.1192.168.2.50x5f07No error (0)bg.microsoft.map.fastly.net199.232.214.172A (IP address)IN (0x0001)false
                                        Apr 24, 2024 13:52:06.266897917 CEST1.1.1.1192.168.2.50x5f07No error (0)bg.microsoft.map.fastly.net199.232.210.172A (IP address)IN (0x0001)false
                                        Apr 24, 2024 13:52:07.143213987 CEST1.1.1.1192.168.2.50x97b8No error (0)ipwho.is108.181.47.111A (IP address)IN (0x0001)false
                                        Apr 24, 2024 13:53:19.376626015 CEST1.1.1.1192.168.2.50x778aNo error (0)bg.microsoft.map.fastly.net199.232.210.172A (IP address)IN (0x0001)false
                                        Apr 24, 2024 13:53:19.376626015 CEST1.1.1.1192.168.2.50x778aNo error (0)bg.microsoft.map.fastly.net199.232.214.172A (IP address)IN (0x0001)false

                                        HTTP Request Dependency Graph

                                        • ipwho.is

                                        HTTPS Proxied Packets

                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                        0192.168.2.549707108.181.47.1114432272C:\Windows\System32\SubDir\Client.exe
                                        TimestampBytes transferredDirectionData
                                        2024-04-24 11:52:07 UTC150OUTGET / HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
                                        Host: ipwho.is
                                        Connection: Keep-Alive
                                        2024-04-24 11:52:07 UTC223INHTTP/1.1 200 OK
                                        Date: Wed, 24 Apr 2024 11:52:07 GMT
                                        Content-Type: application/json; charset=utf-8
                                        Transfer-Encoding: chunked
                                        Connection: close
                                        Server: ipwhois
                                        Access-Control-Allow-Headers: *
                                        X-Robots-Tag: noindex
                                        2024-04-24 11:52:07 UTC1012INData Raw: 33 65 38 0d 0a 7b 0a 20 20 20 20 22 41 62 6f 75 74 20 55 73 22 3a 20 22 68 74 74 70 73 3a 5c 2f 5c 2f 69 70 77 68 6f 69 73 2e 69 6f 22 2c 0a 20 20 20 20 22 69 70 22 3a 20 22 31 35 34 2e 31 36 2e 31 30 35 2e 33 36 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 74 79 70 65 22 3a 20 22 49 50 76 34 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 20 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 20 22 4e 41 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 76 61 64
                                        Data Ascii: 3e8{ "About Us": "https:\/\/ipwhois.io", "ip": "154.16.105.36", "success": true, "type": "IPv4", "continent": "North America", "continent_code": "NA", "country": "United States", "country_code": "US", "region": "Nevad


                                        Statistics

                                        CPU Usage

                                        Click to jump to process

                                        Memory Usage

                                        Click to jump to process

                                        High Level Behavior Distribution

                                        Click to dive into process behavior distribution

                                        Behavior

                                        Click to jump to process

                                        System Behavior

                                        General

                                        Target ID:0
                                        Start time:13:51:59
                                        Start date:24/04/2024
                                        Path:C:\Users\user\Desktop\EQxFL1u3m1.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Users\user\Desktop\EQxFL1u3m1.exe"
                                        Imagebase:0x6e0000
                                        File size:3'266'048 bytes
                                        MD5 hash:92C93C0F3D586D4F26865F78C91C7200
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.2024885502.0000000000A00000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2045178307.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.2024569386.00000000006E2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:true

                                        General

                                        Target ID:2
                                        Start time:13:52:01
                                        Start date:24/04/2024
                                        Path:C:\Windows\System32\schtasks.exe
                                        Wow64 process (32bit):false
                                        Commandline:"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
                                        Imagebase:0x7ff762c60000
                                        File size:235'008 bytes
                                        MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000002.00000002.2043773340.000001BD327A5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000002.00000002.2043805988.000001BD32800000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000002.00000002.2043662966.000000251EAB9000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000002.00000002.2043773340.000001BD327A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000002.00000002.2043805988.000001BD3280F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:high
                                        Has exited:true

                                        General

                                        Target ID:3
                                        Start time:13:52:01
                                        Start date:24/04/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        General

                                        Target ID:4
                                        Start time:13:52:01
                                        Start date:24/04/2024
                                        Path:C:\Windows\System32\SubDir\Client.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\system32\SubDir\Client.exe"
                                        Imagebase:0x9a0000
                                        File size:3'266'048 bytes
                                        MD5 hash:92C93C0F3D586D4F26865F78C91C7200
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000004.00000002.3285335572.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000004.00000002.3285335572.0000000002FA9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Windows\System32\SubDir\Client.exe, Author: Joe Security
                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Windows\System32\SubDir\Client.exe, Author: Joe Security
                                        • Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Windows\System32\SubDir\Client.exe, Author: Florian Roth
                                        • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Windows\System32\SubDir\Client.exe, Author: ditekSHen
                                        • Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: C:\Windows\System32\SubDir\Client.exe, Author: ditekshen
                                        Antivirus matches:
                                        • Detection: 100%, Avira
                                        • Detection: 100%, Joe Sandbox ML
                                        • Detection: 76%, ReversingLabs
                                        Reputation:low
                                        Has exited:false

                                        General

                                        Target ID:5
                                        Start time:13:52:02
                                        Start date:24/04/2024
                                        Path:C:\Windows\System32\SubDir\Client.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\SubDir\Client.exe
                                        Imagebase:0x400000
                                        File size:3'266'048 bytes
                                        MD5 hash:92C93C0F3D586D4F26865F78C91C7200
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000005.00000002.2069772715.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:true

                                        General

                                        Target ID:6
                                        Start time:13:52:02
                                        Start date:24/04/2024
                                        Path:C:\Windows\System32\schtasks.exe
                                        Wow64 process (32bit):false
                                        Commandline:"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
                                        Imagebase:0x7ff762c60000
                                        File size:235'008 bytes
                                        MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000006.00000002.2055412636.000000938B5C9000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000006.00000002.2055538186.000001ADFB540000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000006.00000002.2055605743.000001ADFB7F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000006.00000002.2055538186.000001ADFB548000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000006.00000002.2055605743.000001ADFB7F5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:high
                                        Has exited:true

                                        General

                                        Target ID:7
                                        Start time:13:52:02
                                        Start date:24/04/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Disassembly

                                        Reset < >

                                          Execution Graph

                                          Execution Coverage:17.1%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:13
                                          Total number of Limit Nodes:0
                                          execution_graph 1838 7ff848f13569 1839 7ff848f13571 DeleteFileW 1838->1839 1841 7ff848f13616 1839->1841 1855 7ff848f1206a 1856 7ff848f13580 DeleteFileW 1855->1856 1858 7ff848f13616 1856->1858 1842 7ff848f13811 1843 7ff848f1382f 1842->1843 1844 7ff848f138c4 1843->1844 1847 7ff848f13540 1844->1847 1846 7ff848f138d1 1848 7ff848f13551 DeleteFileW 1847->1848 1850 7ff848f13616 1848->1850 1850->1846

                                          Executed Functions

                                          Function 00007FF848F13525 Relevance: 1.6, APIs: 1, Instructions: 138fileCOMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2048057653.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff848f10000_EQxFL1u3m1.jbxd
                                          Similarity
                                          • API ID: DeleteFile
                                          • String ID:
                                          • API String ID: 4033686569-0
                                          • Opcode ID: 11306113dfcfc2e7334257a0edc0ba55b471e786e9c851790e5d73f08aefc21c
                                          • Instruction ID: d5d05302d93194ca6df07b92d3761fccf393113196c2c8da4d67322a037208f5
                                          • Opcode Fuzzy Hash: 11306113dfcfc2e7334257a0edc0ba55b471e786e9c851790e5d73f08aefc21c
                                          • Instruction Fuzzy Hash: C041F53190DB9C5FDB59EB6C98496E9BFF0FF56310F0442AFC049C7192DB2868498B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF848F13569 Relevance: 1.6, APIs: 1, Instructions: 109fileCOMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 13 7ff848f13569-7ff848f135d8 18 7ff848f135da-7ff848f135df 13->18 19 7ff848f135e2-7ff848f13614 DeleteFileW 13->19 18->19 20 7ff848f1361c-7ff848f1364a 19->20 21 7ff848f13616 19->21 21->20
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2048057653.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff848f10000_EQxFL1u3m1.jbxd
                                          Similarity
                                          • API ID: DeleteFile
                                          • String ID:
                                          • API String ID: 4033686569-0
                                          • Opcode ID: 4f007c589294278f0caf559f15ed2cbc0067e30408a6abdf25023168d19823c6
                                          • Instruction ID: e601a5c1e15cd20e3e64e3b63d3854e7762ccf32fa3ca32efdc2229670a99e4a
                                          • Opcode Fuzzy Hash: 4f007c589294278f0caf559f15ed2cbc0067e30408a6abdf25023168d19823c6
                                          • Instruction Fuzzy Hash: 0F31EF3180DB5C8FDB19DB5888496E9BBF0FF65320F04426BD049D3292CB78A8468B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF848F1206A Relevance: 1.6, APIs: 1, Instructions: 103fileCOMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 23 7ff848f1206a-7ff848f135d8 27 7ff848f135da-7ff848f135df 23->27 28 7ff848f135e2-7ff848f13614 DeleteFileW 23->28 27->28 29 7ff848f1361c-7ff848f1364a 28->29 30 7ff848f13616 28->30 30->29
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2048057653.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff848f10000_EQxFL1u3m1.jbxd
                                          Similarity
                                          • API ID: DeleteFile
                                          • String ID:
                                          • API String ID: 4033686569-0
                                          • Opcode ID: 69c63b1559201f5ecd4be87cd447dec2fbc40f233fe2852a6a383ad300496134
                                          • Instruction ID: 1e533ce246a895c5a589012cc0a9bda098a9bce8f3d278404c45c96409d73903
                                          • Opcode Fuzzy Hash: 69c63b1559201f5ecd4be87cd447dec2fbc40f233fe2852a6a383ad300496134
                                          • Instruction Fuzzy Hash: BE318171908A1C9FDB58EF59C449AF9BBE0FF65321F00422FD04AD3651DB74A8458B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Execution Graph

                                          Execution Coverage:6.7%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:8
                                          Total number of Limit Nodes:1
                                          execution_graph 52902 7ff848f43569 52903 7ff848f43571 DeleteFileW 52902->52903 52905 7ff848f43616 52903->52905 52897 7ff8491be709 52899 7ff8491be71f 52897->52899 52898 7ff8491be7cb 52899->52898 52900 7ff8491be8c4 SetWindowsHookExW 52899->52900 52901 7ff8491be906 52900->52901

                                          Executed Functions

                                          Function 00007FF8492D2362 Relevance: 149.9, Strings: 115, Instructions: 6162COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3302006468.00007FF8492D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff8492d0000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 0I$ 0I$ 0I$ 0I$ 5I$ 5I$ 5I$(%I$(%I$(%I$(%I$(*I$(*I$(*I$(*I$(RI$(RI$(RI$(ZI$(ZI$(ZI$(ZI$0BI$0BI$0BI$0BI$0QI$0QI$0QI$0QI$8AI$8AI$8AI$8AI$8HI$8HI$8HI$8HI$8]I$8]I$8]I$8]I$H$H.I$H.I$H.I$H.I$H1I$H1I$H1I$H1I$P-I$P-I$P-I$P-I$P8I$P8I$P8I$P8I$X,I$X,I$X,I$X,I$X7I$X7I$X7I$X7I$XCI$XCI$XCI$XCI$XGI$XGI$XGI$XGI$`;I$`;I$`;I$`;I$p/I$p/I$p/I$p/I$p>I$p>I$p>I$p>I$x"I$x"I$x"I$x"I$x'I$x'I$x'I$x'I$I$I$I$I$I$I$I$I$<I$<I$<I$<I$HI$HI$HI$HI$II$II$II$II
                                          • API String ID: 0-1073685965
                                          • Opcode ID: 81e16c21b39a40a12b9d296877b3532fbe13195b336bddef803dd601cd50ee07
                                          • Instruction ID: 12f4a7938a9e847bf1a15184f1fd1944a3a2c50e43bb42f96d5661f735870bcd
                                          • Opcode Fuzzy Hash: 81e16c21b39a40a12b9d296877b3532fbe13195b336bddef803dd601cd50ee07
                                          • Instruction Fuzzy Hash: 0683A921F1CD9B0FF7F5BA2C145527956D6EFA8690B5906BAC01EC36DAEE5CEC024380
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF8491B9FD0 Relevance: 9.8, Strings: 7, Instructions: 1061COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1375 7ff8491b9fd0-7ff8491ba018 1379 7ff8491ba5be-7ff8491ba5d0 1375->1379 1380 7ff8491ba01e-7ff8491ba030 1375->1380 1380->1379 1382 7ff8491ba036-7ff8491ba06f 1380->1382 1382->1379 1386 7ff8491ba075-7ff8491ba0b6 1382->1386 1390 7ff8491ba168-7ff8491ba17b 1386->1390 1391 7ff8491ba0bc-7ff8491ba0d4 1386->1391 1396 7ff8491ba1d0 1390->1396 1397 7ff8491ba17d-7ff8491ba19e 1390->1397 1394 7ff8491ba0da-7ff8491ba0fa 1391->1394 1395 7ff8491ba15c-7ff8491ba162 1391->1395 1394->1395 1411 7ff8491ba0fc-7ff8491ba10e 1394->1411 1395->1390 1395->1391 1398 7ff8491ba1d2-7ff8491ba1d7 1396->1398 1403 7ff8491ba1a0-7ff8491ba1c7 1397->1403 1404 7ff8491ba1c9-7ff8491ba1ce 1397->1404 1400 7ff8491ba1d9-7ff8491ba1e0 1398->1400 1401 7ff8491ba21e-7ff8491ba241 1398->1401 1406 7ff8491ba1e7-7ff8491ba201 1400->1406 1408 7ff8491ba337-7ff8491ba343 1401->1408 1409 7ff8491ba247-7ff8491ba26f 1401->1409 1403->1398 1404->1398 1406->1401 1415 7ff8491ba203-7ff8491ba21c 1406->1415 1408->1379 1412 7ff8491ba349-7ff8491ba35e 1408->1412 1422 7ff8491ba275-7ff8491ba290 1409->1422 1423 7ff8491ba32b-7ff8491ba331 1409->1423 1411->1395 1417 7ff8491ba110-7ff8491ba114 1411->1417 1412->1379 1415->1401 1418 7ff8491ba5d1-7ff8491ba673 1417->1418 1419 7ff8491ba11a-7ff8491ba12f 1417->1419 1433 7ff8491ba785-7ff8491ba791 1418->1433 1434 7ff8491ba679-7ff8491ba67b 1418->1434 1428 7ff8491ba136-7ff8491ba138 1419->1428 1422->1423 1435 7ff8491ba296-7ff8491ba2a8 1422->1435 1423->1408 1423->1409 1428->1395 1429 7ff8491ba13a-7ff8491ba158 call 7ff8491b53c0 1428->1429 1429->1395 1443 7ff8491ba793-7ff8491ba7af 1433->1443 1444 7ff8491ba7b7-7ff8491ba7b8 1433->1444 1437 7ff8491ba695-7ff8491ba6a3 1434->1437 1438 7ff8491ba67d-7ff8491ba68f 1434->1438 1435->1423 1449 7ff8491ba2ae-7ff8491ba2b2 1435->1449 1441 7ff8491ba6a9-7ff8491ba6c0 1437->1441 1442 7ff8491ba7f8-7ff8491ba82b 1437->1442 1438->1437 1452 7ff8491ba7bf-7ff8491ba7f1 1438->1452 1460 7ff8491ba6c2-7ff8491ba6d4 1441->1460 1461 7ff8491ba6da-7ff8491ba6dd 1441->1461 1462 7ff8491ba832-7ff8491ba83e 1442->1462 1443->1444 1444->1452 1449->1418 1450 7ff8491ba2b8-7ff8491ba2fb 1449->1450 1450->1423 1478 7ff8491ba2fd-7ff8491ba328 call 7ff8491b53c0 1450->1478 1452->1442 1460->1461 1460->1462 1463 7ff8491ba706-7ff8491ba722 call 7ff8491b7a50 1461->1463 1464 7ff8491ba6df-7ff8491ba6f6 1461->1464 1469 7ff8491ba840-7ff8491ba863 1462->1469 1470 7ff8491ba864-7ff8491ba871 1462->1470 1481 7ff8491ba753-7ff8491ba757 1463->1481 1482 7ff8491ba724-7ff8491ba752 1463->1482 1464->1463 1485 7ff8491ba6f8-7ff8491ba6fc 1464->1485 1469->1470 1483 7ff8491ba873-7ff8491ba879 1470->1483 1484 7ff8491ba87d 1470->1484 1478->1423 1491 7ff8491ba75e-7ff8491ba784 1481->1491 1486 7ff8491ba881-7ff8491ba8bc 1483->1486 1487 7ff8491ba87b 1483->1487 1484->1486 1489 7ff8491ba87f 1484->1489 1494 7ff8491ba703-7ff8491ba704 1485->1494 1496 7ff8491ba8ff-7ff8491ba932 1486->1496 1497 7ff8491ba8be-7ff8491ba8e5 1486->1497 1487->1484 1489->1486 1494->1463 1506 7ff8491ba939-7ff8491ba981 1496->1506 1497->1506 1508 7ff8491ba8e7-7ff8491ba8fe 1497->1508 1514 7ff8491ba983 1506->1514 1515 7ff8491ba985-7ff8491ba9a7 1506->1515 1514->1515 1517 7ff8491baa8a-7ff8491baa96 1515->1517 1518 7ff8491ba9ad-7ff8491ba9bf 1515->1518 1521 7ff8491baa98-7ff8491baab4 1517->1521 1522 7ff8491baabc-7ff8491baad3 1517->1522 1523 7ff8491ba9c1-7ff8491ba9ca 1518->1523 1524 7ff8491ba9cb-7ff8491ba9e3 call 7ff8491b40b0 1518->1524 1521->1522 1529 7ff8491bab15-7ff8491bab17 1522->1529 1530 7ff8491baad5-7ff8491baaf2 1522->1530 1531 7ff8491baa47-7ff8491baa50 1524->1531 1532 7ff8491ba9e5-7ff8491baa16 1524->1532 1534 7ff8491bab19-7ff8491bab1b 1529->1534 1530->1534 1537 7ff8491baaf4-7ff8491bab0f 1530->1537 1542 7ff8491baa41-7ff8491baa45 1532->1542 1543 7ff8491baa18-7ff8491baa3f 1532->1543 1535 7ff8491bab1d-7ff8491bab2b 1534->1535 1536 7ff8491bab2c-7ff8491bab3c 1534->1536 1537->1534 1538 7ff8491bab11-7ff8491bab12 1537->1538 1538->1534 1542->1531 1542->1532 1543->1542 1545 7ff8491baa51-7ff8491baa89 1543->1545
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3301237316.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff8491b0000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: HAH$HAH$HAH$HAH$HAH$HAH$HAH
                                          • API String ID: 0-3722465034
                                          • Opcode ID: 3bb15e89accf7696367b5d113951977e9320a07c599bd4fcfceff3b9f9bc250f
                                          • Instruction ID: 69f60d9a8c888db6ae6f724e68bc720800b2498728364c86ac0d48cb0ac3ccd5
                                          • Opcode Fuzzy Hash: 3bb15e89accf7696367b5d113951977e9320a07c599bd4fcfceff3b9f9bc250f
                                          • Instruction Fuzzy Hash: F362E631B1C9894FEBA8FF2C945567977E2EFA9350F0501BAD44EC7292DE28EC428741
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF8491B55D6 Relevance: 5.9, Strings: 3, Instructions: 2123COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3301237316.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff8491b0000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: *'I$HAH$HAH
                                          • API String ID: 0-3636139778
                                          • Opcode ID: 4d953f20abf28d5c6b041dbc3e64603cc2e4d02817b7b09b620b11c3c316d881
                                          • Instruction ID: 03709200e88c57c4ea6718a660344472c1b146b993bb80069d90b6f8650d230f
                                          • Opcode Fuzzy Hash: 4d953f20abf28d5c6b041dbc3e64603cc2e4d02817b7b09b620b11c3c316d881
                                          • Instruction Fuzzy Hash: 4EF28170E1CA498FDBA8EF18C495BA977E2FF68340F1441A9D04ED7296CA39E845CF41
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF8491CEBD4 Relevance: 4.7, Strings: 3, Instructions: 948COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 3372 7ff8491cebd4-7ff8491cec3f call 7ff8491b5070 3376 7ff8491cec41-7ff8491cec46 3372->3376 3377 7ff8491cec49-7ff8491cec59 3372->3377 3376->3377 3378 7ff8491cf182-7ff8491cf18d 3377->3378 3379 7ff8491cec5f-7ff8491cec6f call 7ff8491bac60 3377->3379 3381 7ff8491cf197-7ff8491cf1f7 call 7ff8491b4780 3378->3381 3382 7ff8491cf18f-7ff8491cf194 3378->3382 3383 7ff8491cec74-7ff8491cec79 3379->3383 3390 7ff8491cf121-7ff8491cf17d 3381->3390 3391 7ff8491cf1fd-7ff8491cf206 3381->3391 3382->3381 3385 7ff8491cf08f-7ff8491cf0e1 3383->3385 3386 7ff8491cec7f-7ff8491cec8a 3383->3386 3408 7ff8491cf0e8-7ff8491cf11a 3385->3408 3388 7ff8491ceca7-7ff8491cece0 call 7ff8491b4780 3386->3388 3389 7ff8491cec8c-7ff8491cec9d 3386->3389 3405 7ff8491cece2-7ff8491ced06 call 7ff8491ba990 call 7ff8491baae0 3388->3405 3406 7ff8491ced0b-7ff8491cede9 call 7ff8491b4780 3388->3406 3389->3388 3404 7ff8491cec9f-7ff8491ceca4 3389->3404 3395 7ff8491cf20c-7ff8491cf217 3391->3395 3396 7ff8491cf3fb-7ff8491cf447 3391->3396 3395->3396 3402 7ff8491cf21d-7ff8491cf220 3395->3402 3423 7ff8491cf44e-7ff8491cf495 3396->3423 3407 7ff8491cf226-7ff8491cf2c7 3402->3407 3402->3408 3404->3388 3405->3406 3464 7ff8491cf056-7ff8491cf061 3406->3464 3465 7ff8491cedef-7ff8491cedf3 3406->3465 3442 7ff8491cf514-7ff8491cf51d 3407->3442 3443 7ff8491cf2cd-7ff8491cf2d5 3407->3443 3408->3390 3430 7ff8491cf497-7ff8491cf4a6 3423->3430 3431 7ff8491cf4b2-7ff8491cf4bb 3423->3431 3437 7ff8491cf4ad-7ff8491cf4b0 3430->3437 3434 7ff8491cf4be-7ff8491cf505 3431->3434 3439 7ff8491cf50c-7ff8491cf50f 3434->3439 3437->3434 3441 7ff8491cf3a1-7ff8491cf3cf 3439->3441 3453 7ff8491cf3d5-7ff8491cf3f6 3441->3453 3454 7ff8491cef67-7ff8491cef73 3441->3454 3442->3441 3446 7ff8491cf523-7ff8491cf52b 3442->3446 3447 7ff8491cf2e4-7ff8491cf2fb 3443->3447 3448 7ff8491cf2d7-7ff8491cf2dc 3443->3448 3446->3441 3449 7ff8491cf531-7ff8491cf542 3446->3449 3447->3423 3456 7ff8491cf301-7ff8491cf34f 3447->3456 3448->3447 3449->3441 3460 7ff8491cf548-7ff8491cf578 3449->3460 3453->3454 3466 7ff8491cf022-7ff8491cf029 3454->3466 3467 7ff8491cef79-7ff8491cef91 3454->3467 3456->3441 3460->3441 3470 7ff8491cf02e 3465->3470 3471 7ff8491cedf9-7ff8491cee61 3465->3471 3472 7ff8491cf5e1-7ff8491cf601 call 7ff8491cf602 3466->3472 3476 7ff8491cef97-7ff8491cefc2 3467->3476 3477 7ff8491cf57d-7ff8491cf595 3467->3477 3480 7ff8491cf033-7ff8491cf04f 3470->3480 3487 7ff8491cefc9-7ff8491cefdd 3476->3487 3477->3480 3483 7ff8491cf59b-7ff8491cf5da 3477->3483 3480->3464 3483->3472 3493 7ff8491ceff2-7ff8491cf020 3487->3493 3494 7ff8491cefdf-7ff8491ceff0 3487->3494 3493->3466 3494->3466 3494->3493
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3301237316.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff8491b0000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: HAH$HAH$HAH
                                          • API String ID: 0-2719557456
                                          • Opcode ID: 1d7ecb63b559a80b7c9b058f1536b9479f2c6510234ddd4a16df6692b128f510
                                          • Instruction ID: 2e6fab10230d14247ffaf9b638cee09f6e9f9110c31b150cc615b05319ec10d3
                                          • Opcode Fuzzy Hash: 1d7ecb63b559a80b7c9b058f1536b9479f2c6510234ddd4a16df6692b128f510
                                          • Instruction Fuzzy Hash: 0C526131A1CA4A8FEB98EF18C49577977E2FF98740F540179D44AC7286CE38EC528B45
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF8491CB861 Relevance: 4.7, Strings: 3, Instructions: 919COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 3503 7ff8491cb861-7ff8491cb8c4 3506 7ff8491cb925-7ff8491cb929 3503->3506 3507 7ff8491cb8c6-7ff8491cb920 3503->3507 3508 7ff8491cb93a 3506->3508 3509 7ff8491cb92b-7ff8491cb933 call 7ff8491b9fd0 3506->3509 3547 7ff8491cbeff-7ff8491cbf12 3507->3547 3512 7ff8491cb93c-7ff8491cb945 3508->3512 3514 7ff8491cb938 3509->3514 3515 7ff8491cba7a-7ff8491cba7f 3512->3515 3516 7ff8491cb94b-7ff8491cb950 3512->3516 3514->3512 3517 7ff8491cbae5-7ff8491cbae9 3515->3517 3518 7ff8491cba81-7ff8491cba93 call 7ff8491b3830 3515->3518 3519 7ff8491cb956-7ff8491cb95b 3516->3519 3520 7ff8491cbf13-7ff8491cbf45 3516->3520 3521 7ff8491cbb3a-7ff8491cbb65 3517->3521 3522 7ff8491cbaeb-7ff8491cbb07 call 7ff8491b4180 3517->3522 3536 7ff8491cba98-7ff8491cba9f 3518->3536 3526 7ff8491cb95d-7ff8491cb969 3519->3526 3527 7ff8491cb96f-7ff8491cb985 call 7ff8491b9bf0 3519->3527 3528 7ff8491cbf4c-7ff8491cbf7e 3520->3528 3550 7ff8491cbb74 3521->3550 3551 7ff8491cbb67-7ff8491cbb72 3521->3551 3553 7ff8491cbf85-7ff8491cbfa1 3522->3553 3554 7ff8491cbb0d-7ff8491cbb23 3522->3554 3526->3527 3526->3528 3534 7ff8491cb98a-7ff8491cba75 call 7ff8491ba890 3527->3534 3528->3553 3534->3547 3542 7ff8491cba95-7ff8491cba96 3536->3542 3543 7ff8491cbaa1-7ff8491cbab8 3536->3543 3542->3536 3555 7ff8491cbb24-7ff8491cbb35 3543->3555 3556 7ff8491cbaba-7ff8491cbac2 call 7ff8491cb700 3543->3556 3558 7ff8491cbb76-7ff8491cbb99 3550->3558 3551->3558 3575 7ff8491cbfa8-7ff8491cbfb3 3553->3575 3554->3555 3555->3547 3565 7ff8491cbac7-7ff8491cbae0 3556->3565 3569 7ff8491cbc05-7ff8491cbc0a 3558->3569 3570 7ff8491cbb9b-7ff8491cbba5 3558->3570 3565->3547 3573 7ff8491cbc36-7ff8491cbc3d 3569->3573 3574 7ff8491cbc0c-7ff8491cbc30 3569->3574 3576 7ff8491cbd87-7ff8491cbd8a 3570->3576 3577 7ff8491cbbab-7ff8491cbbca call 7ff8491b7b40 3570->3577 3579 7ff8491cbc43-7ff8491cbc5a 3573->3579 3580 7ff8491cbffe-7ff8491cc016 3573->3580 3574->3573 3574->3575 3587 7ff8491cbfb5 3575->3587 3588 7ff8491cc01a-7ff8491cc040 3575->3588 3583 7ff8491cbc9a-7ff8491cbc9c 3576->3583 3597 7ff8491cbbd0-7ff8491cbbe7 call 7ff8491b7220 3577->3597 3598 7ff8491cbd7f-7ff8491cbd82 3577->3598 3589 7ff8491cbc5c-7ff8491cbc79 3579->3589 3590 7ff8491cbc7b-7ff8491cbc94 call 7ff8491b7b40 3579->3590 3580->3588 3584 7ff8491cbd51-7ff8491cbd5a 3583->3584 3585 7ff8491cbca2-7ff8491cbcc1 call 7ff8491b7b40 3583->3585 3595 7ff8491cbe37-7ff8491cbe3c 3584->3595 3596 7ff8491cbd60-7ff8491cbd65 3584->3596 3585->3584 3611 7ff8491cbcc7-7ff8491cbcde call 7ff8491b7220 3585->3611 3594 7ff8491cbfb7-7ff8491cbfd2 3587->3594 3602 7ff8491cc042-7ff8491cc049 3588->3602 3603 7ff8491cc04b-7ff8491cc056 3588->3603 3589->3590 3590->3583 3635 7ff8491cbd77-7ff8491cbd78 3590->3635 3633 7ff8491cbfd4-7ff8491cbff7 3594->3633 3604 7ff8491cbe3e-7ff8491cbe62 3595->3604 3605 7ff8491cbe8a-7ff8491cbef4 3595->3605 3606 7ff8491cbd67-7ff8491cbd75 3596->3606 3607 7ff8491cbd8f 3596->3607 3630 7ff8491cbc00-7ff8491cbc04 3597->3630 3631 7ff8491cbbe9-7ff8491cbbff 3597->3631 3598->3583 3602->3603 3612 7ff8491cc057-7ff8491cc0a8 3602->3612 3626 7ff8491cbe64-7ff8491cbe7b 3604->3626 3627 7ff8491cbe82-7ff8491cbe83 3604->3627 3634 7ff8491cbefb-7ff8491cbefc 3605->3634 3618 7ff8491cbd91-7ff8491cbd93 3606->3618 3607->3618 3643 7ff8491cbcf7-7ff8491cbcfe 3611->3643 3644 7ff8491cbce0-7ff8491cbcf5 3611->3644 3620 7ff8491cbd95-7ff8491cbd98 3618->3620 3621 7ff8491cbd9a-7ff8491cbd9f 3618->3621 3636 7ff8491cbdd2-7ff8491cbdde 3620->3636 3637 7ff8491cbda1-7ff8491cbdc3 3621->3637 3638 7ff8491cbdca-7ff8491cbdcf 3621->3638 3626->3627 3627->3605 3630->3569 3631->3630 3633->3580 3634->3547 3635->3598 3652 7ff8491cbde0-7ff8491cbde3 3636->3652 3653 7ff8491cbe2a-7ff8491cbe31 3636->3653 3637->3638 3638->3636 3643->3580 3650 7ff8491cbd04-7ff8491cbd1a 3643->3650 3644->3643 3654 7ff8491cbd33-7ff8491cbd4b call 7ff8491b7b40 3650->3654 3655 7ff8491cbd1c-7ff8491cbd1d 3650->3655 3658 7ff8491cbde5-7ff8491cbe00 3652->3658 3659 7ff8491cbe08-7ff8491cbe26 call 7ff8491b53c0 3652->3659 3653->3595 3653->3596 3654->3584 3654->3611 3663 7ff8491cbd24-7ff8491cbd2c 3655->3663 3658->3659 3659->3653 3663->3654
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3301237316.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff8491b0000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: HAH$HAH$HAH
                                          • API String ID: 0-2719557456
                                          • Opcode ID: 86342ddba041acc8023ee703e1588baa3a563b29823de2a9ccb873ded5b1921f
                                          • Instruction ID: 9a3b53d1442c0e53d87c8581ef7bd93821613081b9902123a6a414e44e613c0f
                                          • Opcode Fuzzy Hash: 86342ddba041acc8023ee703e1588baa3a563b29823de2a9ccb873ded5b1921f
                                          • Instruction Fuzzy Hash: EE529331A1CE8A8FE7A8EF288455A75B3E1FF68750F440579D44EC3686DF28B841CB85
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF8491CCAE5 Relevance: 3.9, Strings: 2, Instructions: 1429COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3301237316.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff8491b0000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: HAH$HAH
                                          • API String ID: 0-524784639
                                          • Opcode ID: efeb483c9347c454c8220b3e75335e3c7d4c10a2c95ede82226212917f5e3937
                                          • Instruction ID: d1fcb323f5b9e78ef4857509e7216c0ad938a93100e9138ef2d021468b7cfe9e
                                          • Opcode Fuzzy Hash: efeb483c9347c454c8220b3e75335e3c7d4c10a2c95ede82226212917f5e3937
                                          • Instruction Fuzzy Hash: FCA23775D1DACA4FE7B5EF2888466A43BE0EF99350F0405BAD04DC7593DE1CAC0A8B85
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF8491B621F Relevance: 1.8, Strings: 1, Instructions: 531COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3301237316.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff8491b0000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: *'I
                                          • API String ID: 0-3760434979
                                          • Opcode ID: e837b8f8a01a2d5c343d89536280d112871771eb4d235836fc5cf4816a2e758b
                                          • Instruction ID: 8ef89e7f70cb15e34b2080fef57b77ace63f83affe582c6fdd874ef8e635afec
                                          • Opcode Fuzzy Hash: e837b8f8a01a2d5c343d89536280d112871771eb4d235836fc5cf4816a2e758b
                                          • Instruction Fuzzy Hash: DD026030E18A598FEBA8EF18C445779B3E2FF68395F1445B9D44ED3295DE38B8818B40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF8491BAFDD Relevance: .9, Instructions: 864COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3301237316.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff8491b0000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bd5047125bb8ecef5c0db8b52358dc8fc63ca8b25746ee0885b0a9a0de2dd471
                                          • Instruction ID: 9f62fa8136ec56f233f1646e4c395b0f3180d2154dba639f8b81c4f6e68aa200
                                          • Opcode Fuzzy Hash: bd5047125bb8ecef5c0db8b52358dc8fc63ca8b25746ee0885b0a9a0de2dd471
                                          • Instruction Fuzzy Hash: 1052603061CA498FDBA8EF2CC455B6977E2FFA9340F5445B9E44DC72A2CE39E8418B41
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF8491B9271 Relevance: .7, Instructions: 681COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3301237316.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff8491b0000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 60b8f8e99723dd83f51762fa9c0c79ed0ae94980bbd79df9ef43209ed2b42c1a
                                          • Instruction ID: 75e4bc333284db2e107c6fe44eca80147adb20a24b8597993df248b0de70e2e1
                                          • Opcode Fuzzy Hash: 60b8f8e99723dd83f51762fa9c0c79ed0ae94980bbd79df9ef43209ed2b42c1a
                                          • Instruction Fuzzy Hash: 3B227230A1CA494FEB68EF2884557B977E2FFA8744F14417DD44ED3293CE38A8468B45
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF8491C7C26 Relevance: .5, Instructions: 472COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3301237316.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff8491b0000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 010f06ec2897240581a41e52daa258cc4f4c816ec1ab37d72994549385bf2f04
                                          • Instruction ID: 7a5bf2d69084b17a961de916b972d8c8b00d56b79d327786f67eef9484e3745b
                                          • Opcode Fuzzy Hash: 010f06ec2897240581a41e52daa258cc4f4c816ec1ab37d72994549385bf2f04
                                          • Instruction Fuzzy Hash: 8FF1923090CA8D8FEBA8EF28C8557F977E1FF55340F04426AE84DC7295DB7899448B86
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF8491C89D2 Relevance: .5, Instructions: 455COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3301237316.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff8491b0000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9a09b67d9d9aafe3a7862fefd5c3b3680a2795e88a6cf014d3c02a20e58e06e3
                                          • Instruction ID: 73f9425f8f62a4905ad4276bbb533f022c7456b4b9a3bcc4fdf8f694da2a1f96
                                          • Opcode Fuzzy Hash: 9a09b67d9d9aafe3a7862fefd5c3b3680a2795e88a6cf014d3c02a20e58e06e3
                                          • Instruction Fuzzy Hash: D9E1A33090CA8E8FEBA8EF28C8957E977D1FF54351F04426ED84DC7291DB7899408B85
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF848F43C6F Relevance: .4, Instructions: 404COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3298546790.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff848f40000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b25b769ac3510ba8d9397427037860212f3bf4c207d46cf3d96716a5cc059713
                                          • Instruction ID: db0ac3cae3046649433e4a030fb4d537243da889bb6a9aa6466001f5745db50e
                                          • Opcode Fuzzy Hash: b25b769ac3510ba8d9397427037860212f3bf4c207d46cf3d96716a5cc059713
                                          • Instruction Fuzzy Hash: 1DA14C27B1E9A25ED30577BCBC164F97B60EF926F6B08017BC188CE093DA09544B87E5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF8491D50F0 Relevance: .4, Instructions: 381COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3301237316.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff8491b0000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f1ca3fcc15fb8a568ace474afd25f77e7a63bc63356cb1421f8917aa133fbfab
                                          • Instruction ID: c16070587d1faec5aef642557c5f95014856c8344f28d657ea0a36a9b7434688
                                          • Opcode Fuzzy Hash: f1ca3fcc15fb8a568ace474afd25f77e7a63bc63356cb1421f8917aa133fbfab
                                          • Instruction Fuzzy Hash: 51B18030B1CA498FEB58FB6C9455AB977E1FF59750F500279E00EC3296DE28BC428B85
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF8492D3D9F Relevance: 3.9, Strings: 3, Instructions: 109COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3302006468.00007FF8492D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff8492d0000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 5I$ 5I$ 5I
                                          • API String ID: 0-2278226157
                                          • Opcode ID: 8f4af0506254cbd784da508ba4dbed301ebfe21340da70d2a5900e2733f44d07
                                          • Instruction ID: b4079437e0cae7faa9c580ba6fee304b0235fdf2cf13416180d4379efb4646e5
                                          • Opcode Fuzzy Hash: 8f4af0506254cbd784da508ba4dbed301ebfe21340da70d2a5900e2733f44d07
                                          • Instruction Fuzzy Hash: DF310621F0ED9F0FF6A6BA3C145517656C6EFA9690B5802BAC00DC32C7EE6CEC024380
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF8492D39C2 Relevance: 2.6, Strings: 2, Instructions: 98COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3302006468.00007FF8492D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff8492d0000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: p/I$p/I
                                          • API String ID: 0-593205840
                                          • Opcode ID: 2742a6688d38d0df3fee36b28361778c42535064d1da49e1e1ea5ab25bb54476
                                          • Instruction ID: 1759686263e8dc018d01faf57145e1b5f4b9b4cca15a797eae35065c8db5baf9
                                          • Opcode Fuzzy Hash: 2742a6688d38d0df3fee36b28361778c42535064d1da49e1e1ea5ab25bb54476
                                          • Instruction Fuzzy Hash: 0E21C521B0DD9F0FF6A5F62C145527956C6EFE8590B6906BBC01EC32DADE6DDC424340
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF8492D555F Relevance: 2.6, Strings: 2, Instructions: 96COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3302006468.00007FF8492D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff8492d0000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (ZI$(ZI
                                          • API String ID: 0-1390570300
                                          • Opcode ID: c7821a99bd75b3305c013cc25d84705e84685db0fd7350babb8a73fa5c11cde2
                                          • Instruction ID: 2193851c59b2dd451076d1834fc73c098d00e933a6b61acf1ca098823cc93278
                                          • Opcode Fuzzy Hash: c7821a99bd75b3305c013cc25d84705e84685db0fd7350babb8a73fa5c11cde2
                                          • Instruction Fuzzy Hash: 3421D621F1DD9F0FF2A6B62C145567966C7EFA8590B5802BAD01EC32DADE68DC424340
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF8492D3762 Relevance: 2.6, Strings: 2, Instructions: 95COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3302006468.00007FF8492D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff8492d0000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: X,I$X,I
                                          • API String ID: 0-4080895104
                                          • Opcode ID: 3a0e3e12d6e4f728e44e255d78c56ac76c62611d0cc63b9670c1f8ecd111d923
                                          • Instruction ID: f3674f5df23c9f19be7490dfa79785ecc1a262ab92adb0a2fd82c102ec2fb90b
                                          • Opcode Fuzzy Hash: 3a0e3e12d6e4f728e44e255d78c56ac76c62611d0cc63b9670c1f8ecd111d923
                                          • Instruction Fuzzy Hash: 9221D321B0DD9F0FF6A5FA3C145517A56C2EFA8590B6906BAC00EC77CAEE6CEC424340
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF8492D3B82 Relevance: 2.6, Strings: 2, Instructions: 75COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3302006468.00007FF8492D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff8492d0000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: H1I$H1I
                                          • API String ID: 0-4238640567
                                          • Opcode ID: e280434948be36fe931ed7e505804ae33c6eade17b3147fece94a73290859f53
                                          • Instruction ID: 9f9fa8584ee32615e8c1dda67e8f3306a5a96dcd1bd00485de3dddeecd0621ce
                                          • Opcode Fuzzy Hash: e280434948be36fe931ed7e505804ae33c6eade17b3147fece94a73290859f53
                                          • Instruction Fuzzy Hash: 8611E231B0DD9B0FF7B6B62C145127996C6EFA86A0B5902BAD01DC72CAEE6DD8024340
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF8492D5268 Relevance: 2.6, Strings: 2, Instructions: 72COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3302006468.00007FF8492D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff8492d0000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (RI$(RI
                                          • API String ID: 0-2400461105
                                          • Opcode ID: d7876e49f65aa0ddb1749c5a43680424f047ee8f5405a3a612848f8074824748
                                          • Instruction ID: c83508f44a49e4b24a9cb3f4ecb4661c3e3489f71b7170006aaa9a245498e8a2
                                          • Opcode Fuzzy Hash: d7876e49f65aa0ddb1749c5a43680424f047ee8f5405a3a612848f8074824748
                                          • Instruction Fuzzy Hash: 7111EB21F0DD9B0FF7A5F63C145453955C6EF99590F590279C41DC72CADEA8DC014340
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF8491BE709 Relevance: 1.8, APIs: 1, Instructions: 272COMMON
                                          Download Yara Rule
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3301237316.00007FF8491B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff8491b0000_Client.jbxd
                                          Similarity
                                          • API ID: HookWindows
                                          • String ID:
                                          • API String ID: 2559412058-0
                                          • Opcode ID: 6ceb8a459f288131deabe43b0f6d8faf2a978df70a2a5e2eccca45283125a285
                                          • Instruction ID: 2d08920658ad26bb7afa9045bc203a6f59572d25b2e05ff3364729749c322587
                                          • Opcode Fuzzy Hash: 6ceb8a459f288131deabe43b0f6d8faf2a978df70a2a5e2eccca45283125a285
                                          • Instruction Fuzzy Hash: 22710731A1DA995FD758EB28985A1B97BE1FF69750F0001BFD04EC7283DE28A84687C1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF848F43525 Relevance: 1.6, APIs: 1, Instructions: 135fileCOMMON
                                          Download Yara Rule
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3298546790.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff848f40000_Client.jbxd
                                          Similarity
                                          • API ID: DeleteFile
                                          • String ID:
                                          • API String ID: 4033686569-0
                                          • Opcode ID: ee66539225d4a741cd97441fd5b53e9037f485b1f8d4b7dfed0df085e7005d16
                                          • Instruction ID: f2b44b52ac9b756c2061e9dec2cdd01ea148000802f286d046ad92f420798bfa
                                          • Opcode Fuzzy Hash: ee66539225d4a741cd97441fd5b53e9037f485b1f8d4b7dfed0df085e7005d16
                                          • Instruction Fuzzy Hash: 3341F33180DA899FDB09EB6C8849AE97FF0FF66310F0441ABD049D7192DB2868098B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF848F43569 Relevance: 1.6, APIs: 1, Instructions: 109fileCOMMON
                                          Download Yara Rule
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3298546790.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff848f40000_Client.jbxd
                                          Similarity
                                          • API ID: DeleteFile
                                          • String ID:
                                          • API String ID: 4033686569-0
                                          • Opcode ID: ede0035911f10c65907c1264737617de5d98734e4b8c546b50695c95892c4650
                                          • Instruction ID: 8cd7898f5171b14a38f0566a1616160b114f25b2665c5e274b5d9a67c6b54bd6
                                          • Opcode Fuzzy Hash: ede0035911f10c65907c1264737617de5d98734e4b8c546b50695c95892c4650
                                          • Instruction Fuzzy Hash: 9B31F03180CB5C8FDB19DB588849AF9BBF0FF65310F04426BD049D3292CB78A849CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF8492D52F1 Relevance: 1.3, Strings: 1, Instructions: 91COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3302006468.00007FF8492D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff8492d0000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: H
                                          • API String ID: 0-2852464175
                                          • Opcode ID: f8cb16fb323950bdf7085c669904e04aa10ac1fa1e17cb56494196a36d2f1d88
                                          • Instruction ID: 02dff12b206d5e5d6aeecadaf21b3a7c2b44781e8fc262b4934c00229bf96921
                                          • Opcode Fuzzy Hash: f8cb16fb323950bdf7085c669904e04aa10ac1fa1e17cb56494196a36d2f1d88
                                          • Instruction Fuzzy Hash: 4021F821F0CD9B0FF6E6B63C145557956C6EFA5590F6406BAC00DC32CADEACEC424340
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF8492D20C2 Relevance: .2, Instructions: 245COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3302006468.00007FF8492D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff8492d0000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 694026e38c879f288c04bf739110f8391b26168591d13bccd03ffc2beecc3a98
                                          • Instruction ID: b5c22fd5afbaa0c84ad791a37a1a12f272f19176f1dc9e4367de58213f0f0c90
                                          • Opcode Fuzzy Hash: 694026e38c879f288c04bf739110f8391b26168591d13bccd03ffc2beecc3a98
                                          • Instruction Fuzzy Hash: 8C712921B2CEEB0FF695BB6C8496779629AEFA8740F544539D10DC32C7CE68E8014385
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF848E2ED80 Relevance: .1, Instructions: 137COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3298257642.00007FF848E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E2D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff848e2d000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4680fce04d9fd4a2380ca343d0511c82e1124c5fca069d5c0964421f61cfb2dd
                                          • Instruction ID: c08872805e5071d00baacb5c8c0700e9f4b0b4f6dd43a57f969b486f084f8c57
                                          • Opcode Fuzzy Hash: 4680fce04d9fd4a2380ca343d0511c82e1124c5fca069d5c0964421f61cfb2dd
                                          • Instruction Fuzzy Hash: 0441B17180DBC58FD756DB28D8469623FF0FF56360B1506EFD088CB1A3D629A846C7A2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF8492D014A Relevance: .1, Instructions: 128COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3302006468.00007FF8492D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff8492d0000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b0ad267fd7cf9e35b82e92e88cc8400b9fcf1bef1623d0f27182e272fd034249
                                          • Instruction ID: 73a6a6eca5e29c828167fc526f9025f18038c60d91455f09e013e79d555fb58a
                                          • Opcode Fuzzy Hash: b0ad267fd7cf9e35b82e92e88cc8400b9fcf1bef1623d0f27182e272fd034249
                                          • Instruction Fuzzy Hash: C0313D32E5DAD94FF3A9EA2C686627477C1EB56250F0402BDD05EC32D3DD489C468346
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF8492D0676 Relevance: .1, Instructions: 123COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3302006468.00007FF8492D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff8492d0000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 44ef4cf563ca60621e0b1f33e200ec4f4092b07ca9b34e48ed66052d8fd927da
                                          • Instruction ID: e1fb9a6d3705f11ad3456022d51875d6f667688f243aa8021ea25395d75b21f8
                                          • Opcode Fuzzy Hash: 44ef4cf563ca60621e0b1f33e200ec4f4092b07ca9b34e48ed66052d8fd927da
                                          • Instruction Fuzzy Hash: B2314B32E5DA894FF3A8EA2C28162757BC1EB65760F4402BDD08EC32E3DD5C9C058786
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF8492D0062 Relevance: .1, Instructions: 118COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3302006468.00007FF8492D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff8492d0000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4e9ddef4a2628e514fd71b15ca4af4f157843e5eae000fb05820fe1add2947e3
                                          • Instruction ID: e76ab882151a5a22fa34c53363f51d68916dbd9bb954722de8644fa11ba485dd
                                          • Opcode Fuzzy Hash: 4e9ddef4a2628e514fd71b15ca4af4f157843e5eae000fb05820fe1add2947e3
                                          • Instruction Fuzzy Hash: F231083160D98C0FE758EA2CA859BB53BD5DB56321F0502BFD04EC32A3D954EC4687C4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF8492D35BA Relevance: .1, Instructions: 108COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3302006468.00007FF8492D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff8492d0000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 93d442c9f6626daae47546b376bffad1a65ad24cedbcd3b1bbdd3f337a254153
                                          • Instruction ID: eef4038e03b6c2b341d28f207096c706ec97e683cf57a96a7ed794c11fd50371
                                          • Opcode Fuzzy Hash: 93d442c9f6626daae47546b376bffad1a65ad24cedbcd3b1bbdd3f337a254153
                                          • Instruction Fuzzy Hash: 9721FB21F0DD9B0FF7A9B63C545527556C6EFA85A0B9902BAD00DC33C6EE6CEC424384
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF8492D2AAF Relevance: .1, Instructions: 107COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3302006468.00007FF8492D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff8492d0000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c938d87282baa46b37bedb22785aa388a4c6cc954b03f2fd915ccecef6a7eb35
                                          • Instruction ID: 22983a2026b98e2c263b54c7b9e5ec3bd0df63fe4aee9fa453311ba79bda5887
                                          • Opcode Fuzzy Hash: c938d87282baa46b37bedb22785aa388a4c6cc954b03f2fd915ccecef6a7eb35
                                          • Instruction Fuzzy Hash: 2F21A522F0DD9F0FF6F5EA2C145567556C6EFA8690B5806BAC01EC72DAEE68DC424340
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF8492D5090 Relevance: .1, Instructions: 105COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3302006468.00007FF8492D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff8492d0000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 34b4b37bf5bf9e3c9cab987c1c312f762fc8ce743f527e6cde3380996a1cd8d1
                                          • Instruction ID: 8fd3751375012bb072098b96ca46d69b3e02158b7a2cc61d99b8c51c15066b9b
                                          • Opcode Fuzzy Hash: 34b4b37bf5bf9e3c9cab987c1c312f762fc8ce743f527e6cde3380996a1cd8d1
                                          • Instruction Fuzzy Hash: CA21F821F0DD9B0FF6B5B63C146567556C6EFAD590B5802BAC01DC72CAEE98EC0243C0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF8492D3293 Relevance: .1, Instructions: 104COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3302006468.00007FF8492D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff8492d0000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fdbdd54639a457173e3d12d67271ce5ee5a73724e55df28f30e44070c2685e17
                                          • Instruction ID: c6b7d99384aa7bc95d15e384a688e56ff3f639bebe39dcaba45f8fde1482a999
                                          • Opcode Fuzzy Hash: fdbdd54639a457173e3d12d67271ce5ee5a73724e55df28f30e44070c2685e17
                                          • Instruction Fuzzy Hash: FA210A31F0DD9B0FF2E5FA2C545513556C6EFA9A94B58067AC41DC36C6EE6CEC424380
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF8492D43EE Relevance: .1, Instructions: 104COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3302006468.00007FF8492D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff8492d0000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ff4ca384c5340865f86a578fbf77aa3b9254aaa3917affcbc0dc16d3940a1699
                                          • Instruction ID: d3c04997444c400248d18263e42b74b41509c5795ff17926f55d5905c17c593b
                                          • Opcode Fuzzy Hash: ff4ca384c5340865f86a578fbf77aa3b9254aaa3917affcbc0dc16d3940a1699
                                          • Instruction Fuzzy Hash: 17210A21F1DD9B0FF7A5FA3C145517596D6EFA8990B6806B9C40DC32CAEE58EC424380
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF8492D292E Relevance: .1, Instructions: 98COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3302006468.00007FF8492D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff8492d0000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9643d340a06f9d092b529cefb8807eff7043b747d689937990cb90bf57471338
                                          • Instruction ID: 75ca508db8773452e2298a73a8a2b71a7d5455a7a6f0666a2755000efd8da8ef
                                          • Opcode Fuzzy Hash: 9643d340a06f9d092b529cefb8807eff7043b747d689937990cb90bf57471338
                                          • Instruction Fuzzy Hash: 0F21F821F1DD9F0FF6E5FA3C145527556C6EFA8590B6906BAC40DC32DADE58DC424340
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF8492D4E48 Relevance: .1, Instructions: 94COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3302006468.00007FF8492D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff8492d0000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d6300465a717f207860e8dc9cc328617fe3b567d03421b44bdb3e9ca4c81546f
                                          • Instruction ID: 2a8619a743df49374b66ff6991ef32b80e387e132bcd717b63be70b457822517
                                          • Opcode Fuzzy Hash: d6300465a717f207860e8dc9cc328617fe3b567d03421b44bdb3e9ca4c81546f
                                          • Instruction Fuzzy Hash: 8521C521F1DD9F0FF7A6F72C145527956C6EFA8590B6906BAC01DC32DAEE68DC424340
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF8492D3CF1 Relevance: .1, Instructions: 93COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3302006468.00007FF8492D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff8492d0000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d8f5aff67de9a656cf3d4a06dbb0d803edeed9ce1dca08e0ed070b796939e33b
                                          • Instruction ID: c6db4109e3240e097a233132619bea2781499609084408ff55002039f40cd713
                                          • Opcode Fuzzy Hash: d8f5aff67de9a656cf3d4a06dbb0d803edeed9ce1dca08e0ed070b796939e33b
                                          • Instruction Fuzzy Hash: 2A21D321F0DD9B0FF2AAF62C141123552C2EFA8590B6806BAC01EC72CADF6CDC024340
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF8492D26DA Relevance: .1, Instructions: 91COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3302006468.00007FF8492D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff8492d0000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0bcfd222dd96bbf681b3a9e68e851a61155bd10bee21686d08b2a40a9e36e091
                                          • Instruction ID: 500b55c363c51e99aefe845ed19b3cd6f82b44fd7af6181215b2fbc921857f1e
                                          • Opcode Fuzzy Hash: 0bcfd222dd96bbf681b3a9e68e851a61155bd10bee21686d08b2a40a9e36e091
                                          • Instruction Fuzzy Hash: FE21C521B1DE9B0FF2F5A62C145027661D7EFA8691F6902BAC51EC32CADE58EC424344
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF8492D597E Relevance: .1, Instructions: 75COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3302006468.00007FF8492D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff8492d0000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dbca35910419ad7039d098d6921c1ded79cf16e35e6276bd5db33127e876f00c
                                          • Instruction ID: 59179bff7beafd4b2de71015f1ea1b4feeb0adf930e57cf9f1b6ef34294ac427
                                          • Opcode Fuzzy Hash: dbca35910419ad7039d098d6921c1ded79cf16e35e6276bd5db33127e876f00c
                                          • Instruction Fuzzy Hash: 62110421B0DD9B0FF7B5B62C141067956D2EFA86A0F5902BEC01DC72CAEEACD8424344
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF8492D5330 Relevance: .1, Instructions: 74COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3302006468.00007FF8492D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff8492d0000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a96e08b115182c8fb498608409ec48f4e5089c8042835329186989e6b217c8d9
                                          • Instruction ID: 85eea54b5791f76f726f99c733e83caeab82f62634c0f3323007886f385988f4
                                          • Opcode Fuzzy Hash: a96e08b115182c8fb498608409ec48f4e5089c8042835329186989e6b217c8d9
                                          • Instruction Fuzzy Hash: FF11C821B0DD9B0FF7E9F62C145063956D6EF99590F5902BAC41DC72CADEA8DC024340
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF8492D0EE1 Relevance: .0, Instructions: 20COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3302006468.00007FF8492D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff8492d0000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7132ee8eef00a2a47b9499304da65b0b0587b90a3f8772fa7fd1dea43b6e66bc
                                          • Instruction ID: 16da2f508daeee5e1b0f85db901c9b1893e64534fcc2eaba91910edec504b08e
                                          • Opcode Fuzzy Hash: 7132ee8eef00a2a47b9499304da65b0b0587b90a3f8772fa7fd1dea43b6e66bc
                                          • Instruction Fuzzy Hash: ABD0C93176D92A0BF214328D68423F8B285CB98B51F701137E409C22C6C9CEACC142C6
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          Function 00007FF848F4F1F2 Relevance: .1, Instructions: 118COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3298546790.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff848f40000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7f0717b503276039988b642c6afaae0a380b63b5cfb55ec11ec9af8c23d07141
                                          • Instruction ID: 7e5250de4747f41f0c04c82a0386a9777a2ae192505804c378064dfee39e2118
                                          • Opcode Fuzzy Hash: 7f0717b503276039988b642c6afaae0a380b63b5cfb55ec11ec9af8c23d07141
                                          • Instruction Fuzzy Hash: 3D31452791F1A56AE251B37C74924E77B60EF527BDB0843B7D18C4D0939E0C608641BD
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF8492D14AE Relevance: 5.1, Strings: 4, Instructions: 109COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3302006468.00007FF8492D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff8492d0000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (*I$H.I$P-I$X,I
                                          • API String ID: 0-566514506
                                          • Opcode ID: 4df1283624565b4feabce6e29de85d054b531fd1a8cbb484fd01c7947e0bc480
                                          • Instruction ID: b70960c0bf654d7df42024ff27697f4a3d6e7efb92c119ec012d0bc673a7e508
                                          • Opcode Fuzzy Hash: 4df1283624565b4feabce6e29de85d054b531fd1a8cbb484fd01c7947e0bc480
                                          • Instruction Fuzzy Hash: A131A931B2CE6B4FF1687B9D54953B562CAEBA8B40F6402369509C37C6CE9CBC4142C1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Executed Functions

                                          Function 00007FF848F10BBD Relevance: 1.5, Strings: 1, Instructions: 252COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2077527472.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7ff848f10000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: ;O_I
                                          • API String ID: 0-1334563566
                                          • Opcode ID: df8d0c51f311d21882625b4ec1d70f7b1bf1de89a0ba75f85da45a135fa47cdf
                                          • Instruction ID: 758df36d99393010d0e696c1057b216f1baac4f6052f1c8703db25d4b20eb8f5
                                          • Opcode Fuzzy Hash: df8d0c51f311d21882625b4ec1d70f7b1bf1de89a0ba75f85da45a135fa47cdf
                                          • Instruction Fuzzy Hash: D0912335A0F5D29FE319A72C94606A53FA0FF81344F9500BAD488873CBDE2CAD45D759
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF848F12DC8 Relevance: 1.5, Strings: 1, Instructions: 248COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2077527472.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7ff848f10000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: HAH
                                          • API String ID: 0-1579723087
                                          • Opcode ID: 097a5a9c5aaa957d62137d8c680dddf4349de729297ba84a2beeabb9821a2b6f
                                          • Instruction ID: 5a0b1b6c5ce79e4d556fa66f2b950db553594c2d3f9cac4db05a624f5c85539d
                                          • Opcode Fuzzy Hash: 097a5a9c5aaa957d62137d8c680dddf4349de729297ba84a2beeabb9821a2b6f
                                          • Instruction Fuzzy Hash: 85714F31E189094FEB98FBA894557BDB3E2EF98751F440579D00ED32C6CF28AC428745
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF848F12729 Relevance: 1.4, Strings: 1, Instructions: 164COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2077527472.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7ff848f10000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: HAH
                                          • API String ID: 0-1579723087
                                          • Opcode ID: 41de66685f633e0ef6d557ddbaa470adb97aab58b4d98567f52442ae4dda74df
                                          • Instruction ID: 5732403133687bec7aef727551560dfad2c76acbae4b11a3fa8d3ae8fb9b3d26
                                          • Opcode Fuzzy Hash: 41de66685f633e0ef6d557ddbaa470adb97aab58b4d98567f52442ae4dda74df
                                          • Instruction Fuzzy Hash: B8410632E1DA495FE758E7A894167BA77D1EF95360F04017EE04EC32C2DE2C6C028396
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF848F115FA Relevance: 1.3, Strings: 1, Instructions: 82COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2077527472.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7ff848f10000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: .O_^
                                          • API String ID: 0-2879385732
                                          • Opcode ID: 814a0ed31b7dee5a1a7a0daa26d11030d5f3d0b50b8188ec815622226f5a2540
                                          • Instruction ID: e151edff85d6d6ccc9cdd355e57f9c9e380b8ff4a21b42831ebd33aaca79414d
                                          • Opcode Fuzzy Hash: 814a0ed31b7dee5a1a7a0daa26d11030d5f3d0b50b8188ec815622226f5a2540
                                          • Instruction Fuzzy Hash: 98212426B0D9990FD756A72DA8652E43BE1EFD6371B0C01FBC18CCB193D90C5C4A8365
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF848F120FA Relevance: .4, Instructions: 358COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2077527472.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7ff848f10000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8866c4ec4f9822754b9637743398ae9cdb55eab178b1c67caafcb1633584ae27
                                          • Instruction ID: ed2ea4cf1be3abfbd454d08b3901fa2815dbbe3971bfce26d8a0759804ed834e
                                          • Opcode Fuzzy Hash: 8866c4ec4f9822754b9637743398ae9cdb55eab178b1c67caafcb1633584ae27
                                          • Instruction Fuzzy Hash: E4A1C331A0D98A4FEB95FB6894956B977E1FFA4380F0401BAD40DC72C7CF28AC428385
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF848F124A2 Relevance: .2, Instructions: 188COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2077527472.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7ff848f10000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1d291bb38aa9d45d557dc62909994092b7f695ceac32c985ce4158e8d8a9749a
                                          • Instruction ID: f7aa4cac2c0eea63cbdc22b641e42000d0a802b9c4276a7342d8e0bbcba3216c
                                          • Opcode Fuzzy Hash: 1d291bb38aa9d45d557dc62909994092b7f695ceac32c985ce4158e8d8a9749a
                                          • Instruction Fuzzy Hash: 9251A325B4D9661FEB85F3B840656AA3FE2EF85390F4444B6D00CC72DBCE2CAD468395
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF848F12110 Relevance: .2, Instructions: 165COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2077527472.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7ff848f10000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7a940589d94cb65205f4bf512fd7e1a47756c91b3372bb763d2ce4aaafd24fd6
                                          • Instruction ID: db42b754fd4eb9fef7ac6f863e602a29b8d0c986d8e78e35b7f3837636389f01
                                          • Opcode Fuzzy Hash: 7a940589d94cb65205f4bf512fd7e1a47756c91b3372bb763d2ce4aaafd24fd6
                                          • Instruction Fuzzy Hash: BB41F631A0D98A4FEB95FBA894616FD77A1EF95380F0400BAD04DC71C7CF28AC518755
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF848F1196D Relevance: .1, Instructions: 90COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2077527472.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7ff848f10000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f65c8a3523a2e280bb83b1e58a196a300ba563af22e42a6d880f20abc32d926d
                                          • Instruction ID: 94d834e2c3b57aeb015d72fc25a66bfd02721aa1c3296ffed76d3577b7d07655
                                          • Opcode Fuzzy Hash: f65c8a3523a2e280bb83b1e58a196a300ba563af22e42a6d880f20abc32d926d
                                          • Instruction Fuzzy Hash: 7E21D23190D5864FEB45AB2880955A5BBA1EF95310F1842F9D458CF1DBDB28ECC6C385
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF848F11BF5 Relevance: .1, Instructions: 87COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2077527472.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7ff848f10000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 05a71cda1bd82ae98ad30c9c2fb54db0c9d375d431477808bbf265d89842c5a8
                                          • Instruction ID: 6758534ac3b25b0bc855e636ef4359fd05577931ff83cffb825a28d8ac075f8b
                                          • Opcode Fuzzy Hash: 05a71cda1bd82ae98ad30c9c2fb54db0c9d375d431477808bbf265d89842c5a8
                                          • Instruction Fuzzy Hash: 2631B63554B6969FE344EB2C80A17EA3F71EB84344F9041A5E508833CBCF7E6A48C761
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF848F10872 Relevance: .1, Instructions: 85COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2077527472.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7ff848f10000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 06d540a7c53bc00f68f8f45ba532c15f9ece30697a231830b41f89d85935b091
                                          • Instruction ID: b011cd182307209e8e3775e385af5769db47860ddfb3b1e70cf194bafd93b3b2
                                          • Opcode Fuzzy Hash: 06d540a7c53bc00f68f8f45ba532c15f9ece30697a231830b41f89d85935b091
                                          • Instruction Fuzzy Hash: 6D212661C1EAD65FE346B33804666B9ABA0FF96790F4401FAC449CB1C7DE0C6C488391
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF848F132DD Relevance: .1, Instructions: 83COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2077527472.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7ff848f10000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0a6861ecf9bdeb33c8eb228f7ab092084f19ed43856e3cd4acdd05097f661306
                                          • Instruction ID: 6727b056e593284bb407f6fbf35dd3622791d0ba5efa85181183ef0a58a7a94c
                                          • Opcode Fuzzy Hash: 0a6861ecf9bdeb33c8eb228f7ab092084f19ed43856e3cd4acdd05097f661306
                                          • Instruction Fuzzy Hash: 3721A131E19A598FE794FB7894595B977E1EF58341F4504BAE00DC7292DE289C05C740
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF848F13491 Relevance: .1, Instructions: 74COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2077527472.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7ff848f10000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 62fcfd2859cff4a726d371b09bf36c67cd8b66517ba7794947b850254a16a24e
                                          • Instruction ID: 220e6b9a45e67270f8278d59c55d77568f9b60e4d8b1ebac59c71a1ed823f9a2
                                          • Opcode Fuzzy Hash: 62fcfd2859cff4a726d371b09bf36c67cd8b66517ba7794947b850254a16a24e
                                          • Instruction Fuzzy Hash: 8D117A3190DA810FE341E73C68998F27BD0EB94324B0802BBE44DC31E3CE0C99868345
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF848F128D5 Relevance: .1, Instructions: 62COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2077527472.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7ff848f10000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c4061aa30136a7dc36a66cf45928695a9604e1b7d08965d941ca80d12d4a1f02
                                          • Instruction ID: 15e0d24630c3468f5de159a9799d2dc9872be95c1cb7a11eb7a90372094bb308
                                          • Opcode Fuzzy Hash: c4061aa30136a7dc36a66cf45928695a9604e1b7d08965d941ca80d12d4a1f02
                                          • Instruction Fuzzy Hash: 7611C620A0EAC91FE347E37C5899AB43FD1EF86350B0901E7D088CB0A3CA694C45C356
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF848F10DA9 Relevance: .1, Instructions: 61COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2077527472.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7ff848f10000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 57cd6c39d13ab288fa6d3879f26a8c336307572bf6985b3b7545dcef96e15392
                                          • Instruction ID: 92c1d9a2c037062e367d1c8c13c9d2029ca2a05a9047a6e8040e256dac0ad35a
                                          • Opcode Fuzzy Hash: 57cd6c39d13ab288fa6d3879f26a8c336307572bf6985b3b7545dcef96e15392
                                          • Instruction Fuzzy Hash: 87018532E2DC9A4ED69AB32814456F63BE1EBD4350F4409BAE40EC32CAEE0C6C424385
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF848F11E58 Relevance: .0, Instructions: 49COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2077527472.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7ff848f10000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 979a6dc8fedc9622c620b946b6ba51f16efa7dfe2f80ce06e6de88ce437d8dcc
                                          • Instruction ID: 4d229dcf6b3b66adec40fe92719d265a967423f4c7e221b4091ca35147cc0dc7
                                          • Opcode Fuzzy Hash: 979a6dc8fedc9622c620b946b6ba51f16efa7dfe2f80ce06e6de88ce437d8dcc
                                          • Instruction Fuzzy Hash: FCF02422B1DC1C1FE680F2AD54D9AFA27D0DBEC261B0401B7E00CCB2A3DD189C828390
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF848F11E70 Relevance: .0, Instructions: 38COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2077527472.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7ff848f10000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 465864d33a7c3e1e1648be18ceaa92b2423a9d95660b04d8c59bb076424a8bf0
                                          • Instruction ID: 9de1d90788fc21d4f40cc683f1aeb5dbcd81523031c1e33d4d648449fc1aa41b
                                          • Opcode Fuzzy Hash: 465864d33a7c3e1e1648be18ceaa92b2423a9d95660b04d8c59bb076424a8bf0
                                          • Instruction Fuzzy Hash: 1EE09231B19C1D1FAB94F7AD44C9B7962D1EBAC361B5105B6E40CC72A2DD29AC819380
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Function 00007FF848F1094D Relevance: .0, Instructions: 26COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2077527472.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7ff848f10000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 57152c13a2cf769b621919a12e35738435b339940f780bbcfe0445948c870693
                                          • Instruction ID: 6047ba88b3023810019a8c0249dbef1cdb69fedf777da383223f1933feaf6ef1
                                          • Opcode Fuzzy Hash: 57152c13a2cf769b621919a12e35738435b339940f780bbcfe0445948c870693
                                          • Instruction Fuzzy Hash: 93E08622F0E8269BE59D737C20561BC11C1EF95AD1F41147AE50ECA2C7DE6D5DD20289
                                          Uniqueness

                                          Uniqueness Score: -1.00%