
Windows Analysis Report
shitgame.bin

Overview

General Information

Sample Name: shitgame.bin (renamed file extension from bin to exe)
Analysis ID: 649027
MD5: 97532a90b14c6d0084fa2193982358bf
SHA1: dd4a9ddf2b84b3f500cc4a54f08aac1c00fc54cc
SHA256: 4a3a8abd7f6d5fd9adfb51703085e839781cffc341705123be40b0c146dcf0a9
Tags: exe

Detection

Quasar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected Quasar RAT
Sigma detected: Schedule system process
Yara detected Generic Downloader
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Sample file is different than original file name gathered from version info
Drops PE files
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
PE file contains executable resources (Code or Archives)
Creates a process in suspended mode (likely to inject code)
Contains long sleeps (>= 3 min)
Enables debug privileges

Classification

  • System is w10x64
  • shitgame.exe (PID: 6352 cmdline: "C:\Users\user\Desktop\shitgame.exe" MD5: 97532A90B14C6D0084FA2193982358BF)
    • schtasks.exe (PID: 6760 cmdline: "schtasks" /create /tn "AMD Drivers" /sc ONLOGON /tr "C:\Users\user\Desktop\shitgame.exe" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
      • conhost.exe (PID: 6792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • taskmgr.exe (PID: 4496 cmdline: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe MD5: 97532A90B14C6D0084FA2193982358BF)
      • schtasks.exe (PID: 6956 cmdline: "schtasks" /create /tn "AMD Drivers" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
        • conhost.exe (PID: 4360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • shitgame.exe (PID: 6888 cmdline: C:\Users\user\Desktop\shitgame.exe MD5: 97532A90B14C6D0084FA2193982358BF)
  • cleanup
{"Version": "1.4.0", "Host:Port": "67.241.61.219:4782;", "SubDirectory": "Windows NT Core", "InstallName": "taskmgr.exe", "MutexName": "672efd89-e31b-484e-bc00-af34f9f92a37", "StartupKey": "AMD Drivers", "Tag": "Disc 2.0", "LogDirectoryName": "Logs", "ServerSignature": "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", "ServerCertificate": "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"}
Source | Rule | Description | Author
shitgame.exe | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth
  • 0x5b594:$x1: Quasar.Common.Messages
  • 0x5ec4d:$x1: Quasar.Common.Messages
  • 0x6aedc:$x4: Uninstalling... good bye :-(
  • 0x6c601:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ... (UTF-16LE text: `ping -n 10 localhost > nul`, a line break, then `del `, consistent with the uninstall/self-delete batch script that $x4 also points to)
shitgame.exe | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
shitgame.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
shitgame.exe | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifcats observed in infostealers | ditekSHen
  • 0x6a880:$f1: FileZilla\recentservers.xml
  • 0x6a8c0:$f2: FileZilla\sitemanager.xml
  • 0x6a902:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
  • 0x6aa80:$b1: Chrome\User Data\
  • 0x6abf6:$b2: Mozilla\Firefox\Profiles
  • 0x6acf2:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x761eb:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x6ad8e:$b4: Opera Software\Opera Stable\Login Data
  • 0x6adf8:$b5: YandexBrowser\User Data\
  • 0x6ac46:$s4: logins.json
  • 0x6aaec:$a1: username_value
  • 0x6ab0a:$a2: password_value
  • 0x6ac86:$a3: encryptedUsername
  • 0x7612f:$a3: encryptedUsername
  • 0x6acaa:$a4: encryptedPassword
  • 0x7614d:$a4: encryptedPassword
  • 0x760cb:$a5: httpRealm
shitgame.exe | MALWARE_Win_QuasarStealer | Detects Quasar infostealer | ditekshen
  • 0x2cd2e:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
  • 0x2cdd9:$s2: DQuasar.Common, Version=1.4.0.0, Culture=neutral, PublicKeyToken=null
  • 0x6afc6:$s3: Process already elevated.
  • 0x5b462:$s4: get_PotentiallyVulnerablePasswords
  • 0x561e4:$s5: GetKeyloggerLogsDirectory
  • 0x5ea08:$s5: GetKeyloggerLogsDirectory
  • 0x5b485:$s6: set_PotentiallyVulnerablePasswords
  • 0x7793f:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
Source | Rule | Description | Author
C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth
  • 0x5b594:$x1: Quasar.Common.Messages
  • 0x5ec4d:$x1: Quasar.Common.Messages
  • 0x6aedc:$x4: Uninstalling... good bye :-(
  • 0x6c601:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifcats observed in infostealers | ditekSHen
  • 0x6a880:$f1: FileZilla\recentservers.xml
  • 0x6a8c0:$f2: FileZilla\sitemanager.xml
  • 0x6a902:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
  • 0x6aa80:$b1: Chrome\User Data\
  • 0x6abf6:$b2: Mozilla\Firefox\Profiles
  • 0x6acf2:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x761eb:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x6ad8e:$b4: Opera Software\Opera Stable\Login Data
  • 0x6adf8:$b5: YandexBrowser\User Data\
  • 0x6ac46:$s4: logins.json
  • 0x6aaec:$a1: username_value
  • 0x6ab0a:$a2: password_value
  • 0x6ac86:$a3: encryptedUsername
  • 0x7612f:$a3: encryptedUsername
  • 0x6acaa:$a4: encryptedPassword
  • 0x7614d:$a4: encryptedPassword
  • 0x760cb:$a5: httpRealm
C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe | MALWARE_Win_QuasarStealer | Detects Quasar infostealer | ditekshen
  • 0x2cd2e:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
  • 0x2cdd9:$s2: DQuasar.Common, Version=1.4.0.0, Culture=neutral, PublicKeyToken=null
  • 0x6afc6:$s3: Process already elevated.
  • 0x5b462:$s4: get_PotentiallyVulnerablePasswords
  • 0x561e4:$s5: GetKeyloggerLogsDirectory
  • 0x5ea08:$s5: GetKeyloggerLogsDirectory
  • 0x5b485:$s6: set_PotentiallyVulnerablePasswords
  • 0x7793f:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
Source | Rule | Description | Author
00000003.00000000.352566919.00000000008F2000.00000002.00000001.01000000.00000006.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000000.00000000.337813611.0000000000642000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000003.00000000.353062897.00000000008F2000.00000002.00000001.01000000.00000006.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000003.00000002.381210997.00000000008F2000.00000002.00000001.01000000.00000006.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000004.00000000.353449048.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
Source | Rule | Description | Author
3.0.taskmgr.exe.8f0000.1.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth
  • 0x5b594:$x1: Quasar.Common.Messages
  • 0x5ec4d:$x1: Quasar.Common.Messages
  • 0x6aedc:$x4: Uninstalling... good bye :-(
  • 0x6c601:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
3.0.taskmgr.exe.8f0000.1.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
3.0.taskmgr.exe.8f0000.1.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
3.0.taskmgr.exe.8f0000.1.unpack | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifcats observed in infostealers | ditekSHen
  • 0x6a880:$f1: FileZilla\recentservers.xml
  • 0x6a8c0:$f2: FileZilla\sitemanager.xml
  • 0x6a902:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
  • 0x6aa80:$b1: Chrome\User Data\
  • 0x6abf6:$b2: Mozilla\Firefox\Profiles
  • 0x6acf2:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x761eb:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x6ad8e:$b4: Opera Software\Opera Stable\Login Data
  • 0x6adf8:$b5: YandexBrowser\User Data\
  • 0x6ac46:$s4: logins.json
  • 0x6aaec:$a1: username_value
  • 0x6ab0a:$a2: password_value
  • 0x6ac86:$a3: encryptedUsername
  • 0x7612f:$a3: encryptedUsername
  • 0x6acaa:$a4: encryptedPassword
  • 0x7614d:$a4: encryptedPassword
  • 0x760cb:$a5: httpRealm
3.0.taskmgr.exe.8f0000.1.unpack | MALWARE_Win_QuasarStealer | Detects Quasar infostealer | ditekshen
  • 0x2cd2e:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
  • 0x2cdd9:$s2: DQuasar.Common, Version=1.4.0.0, Culture=neutral, PublicKeyToken=null
  • 0x6afc6:$s3: Process already elevated.
  • 0x5b462:$s4: get_PotentiallyVulnerablePasswords
  • 0x561e4:$s5: GetKeyloggerLogsDirectory
  • 0x5ea08:$s5: GetKeyloggerLogsDirectory
  • 0x5b485:$s6: set_PotentiallyVulnerablePasswords
  • 0x7793f:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

                        Persistence and Installation Behavior

Source: Process started
Author: Joe Security
Data:
  Command: "schtasks" /create /tn "AMD Drivers" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe" /rl HIGHEST /f
  CommandLine: "schtasks" /create /tn "AMD Drivers" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe" /rl HIGHEST /f
  CommandLine|base64offset|contains: j
  Image: C:\Windows\System32\schtasks.exe
  NewProcessName: C:\Windows\System32\schtasks.exe
  OriginalFileName: C:\Windows\System32\schtasks.exe
  ParentCommandLine: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe
  ParentImage: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe
  ParentProcessId: 4496
  ParentProcessName: taskmgr.exe
  ProcessCommandLine: "schtasks" /create /tn "AMD Drivers" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe" /rl HIGHEST /f
  ProcessId: 6956
  ProcessName: schtasks.exe
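The two schtasks.exe invocations in the process tree (PIDs 6760 and 6956) are the whole persistence mechanism of this sample: an ONLOGON task named "AMD Drivers", created with /rl HIGHEST and /f, whose action is a copy of the sample in a user-writable directory under the borrowed name taskmgr.exe. The detector below is an added example written for this page, not code from Joe Sandbox or from Quasar. It parses Sysmon-style process-creation events (constructed here: two copied from the process tree, one invented benign updater for contrast) and reports the combination an analyst would alert on. The heuristics, the directory lists, the event field names and the benign event are the example's own assumptions.

```python
"""Flag schtasks.exe persistence of the kind shown in the process tree above.

Added example for this page, not code from Joe Sandbox or Quasar. It applies a
few heuristics to constructed Sysmon-style process-creation events: two mirror
PIDs 6760 and 6956 from the report, the third is invented benign activity.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Locations a standard user can write to; a logon task whose action lives
# here is user-land persistence rather than a product install.
USER_WRITABLE_DIRS = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")
# Windows binary names malware borrows for its dropped copy (here taskmgr.exe);
# one of these outside System32/SysWOW64 is a masquerade.
SYSTEM_BINARY_NAMES = {"taskmgr.exe", "svchost.exe", "explorer.exe", "csrss.exe", "lsass.exe"}
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
# schtasks /create switches that take a value; everything else is a flag.
VALUE_SWITCHES = {"/tn", "/sc", "/tr", "/rl", "/ru", "/rp", "/st", "/sd", "/mo"}


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks(cmdline: str) -> dict[str, str]:
    """Return {switch: value} for a schtasks command line; flags map to ''."""
    tokens, opts, i = tokenize(cmdline), {}, 1  # tokens[0] is the program
    while i < len(tokens):
        tok = tokens[i].lower()
        takes_value = tok in VALUE_SWITCHES and i + 1 < len(tokens)
        opts[tok] = tokens[i + 1] if takes_value else ""
        i += 2 if takes_value else 1
    return opts


def program_of(action: str) -> str:
    """First executable in a /tr action, which may carry its own arguments."""
    m = re.match(r"(.+?\.(?:exe|com|bat|cmd|ps1|vbs|js))(?:\s|$)", action, re.I)
    return (m.group(1) if m else action).strip('"')


def in_any(path: str, fragments: tuple[str, ...]) -> bool:
    return any(frag in path.lower() for frag in fragments)


@dataclass
class Finding:
    process_id: int
    task_name: str
    action: str
    reasons: list[str]


def analyze(event: dict) -> Finding | None:
    """Apply the persistence heuristics to one process-creation event."""
    if event["Image"].rsplit("\\", 1)[-1].lower() != "schtasks.exe":
        return None
    opts = parse_schtasks(event["CommandLine"])
    if "/create" not in opts:
        return None  # /query, /delete, /run ... install nothing
    target = program_of(opts.get("/tr", ""))
    base = target.rsplit("\\", 1)[-1].lower()
    reasons = []
    if opts.get("/sc", "").upper() in {"ONLOGON", "ONSTART"}:
        reasons.append("runs at logon/boot")
    if opts.get("/rl", "").upper() == "HIGHEST":
        reasons.append("requests highest run level")
    if in_any(target, USER_WRITABLE_DIRS):
        reasons.append("action lives in a user-writable directory")
    if base in SYSTEM_BINARY_NAMES and not in_any(target, SYSTEM_DIRS):
        reasons.append(f"{base} outside the Windows system directories")
    if in_any(event.get("ParentImage", ""), USER_WRITABLE_DIRS):
        reasons.append("parent process runs from a user-writable directory")
    # Trigger and run level alone describe many legitimate updaters; report
    # only when the payload or its parent lives where a plain user can write.
    if not any("directory" in r or "outside" in r for r in reasons):
        return None
    return Finding(event["ProcessId"], opts.get("/tn", ""), target, reasons)


def run(events: list[dict]) -> list[Finding]:
    return [f for f in map(analyze, events) if f is not None]


SAMPLE_EVENTS = [  # constructed; see module docstring
    {"ProcessId": 6760, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\user\Desktop\shitgame.exe",
     "CommandLine": r'"schtasks" /create /tn "AMD Drivers" /sc ONLOGON '
                    r'/tr "C:\Users\user\Desktop\shitgame.exe" /rl HIGHEST /f'},
    {"ProcessId": 6956, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe",
     "CommandLine": r'"schtasks" /create /tn "AMD Drivers" /sc ONLOGON /tr '
                    r'"C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe" /rl HIGHEST /f'},
    {"ProcessId": 7001, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Program Files\ExampleVendor\setup.exe",
     "CommandLine": r'schtasks /create /tn "ExampleVendor Update" /sc DAILY '
                    r'/tr "C:\Program Files\ExampleVendor\update.exe /silent" /rl HIGHEST'},
]

if __name__ == "__main__":
    for f in run(SAMPLE_EVENTS):
        print(f"PID {f.process_id}: task {f.task_name!r} -> {f.action}")
        for r in f.reasons:
            print("   -", r)
```

Run as a script it prints both report events with four and five reasons respectively and stays silent on the vendor updater, which shares the /rl HIGHEST flag but installs from Program Files. The masquerade check only fires for the second event, where the dropped copy is named taskmgr.exe outside System32; that is the same mismatch the report flags as "Sample file is different than original file name gathered from version info".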
                        No Snort rule has matched

                        AV Detection

Source: shitgame.exe | Avira: detected
Source: shitgame.exe | ReversingLabs: Detection: 80%
Source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe | Avira: detection malicious, Label: HEUR/AGEN.1235885
Source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe | ReversingLabs: Detection: 80%
Source: Yara match | File source: shitgame.exe, type: SAMPLE
Source: Yara match | File source: 3.0.taskmgr.exe.8f0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.taskmgr.exe.8f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.shitgame.exe.640000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.shitgame.exe.640000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.shitgame.exe.ce0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.shitgame.exe.ce0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.taskmgr.exe.8f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.taskmgr.exe.8f0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000000.352566919.00000000008F2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.337813611.0000000000642000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.353062897.00000000008F2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.381210997.00000000008F2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.353449048.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.355019365.0000000000642000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.353514883.00000000008F2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.347620833.000000001B511000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.385882984.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: shitgame.exe PID: 6352, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: taskmgr.exe PID: 4496, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: shitgame.exe PID: 6888, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe, type: DROPPED
Source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe | Joe Sandbox ML: detected
Source: shitgame.exe | Joe Sandbox ML: detected
Source: 3.2.taskmgr.exe.8f0000.0.unpack | Malware Configuration Extractor: Quasar {"Version": "1.4.0", "Host:Port": "67.241.61.219:4782;", "SubDirectory": "Windows NT Core", "InstallName": "taskmgr.exe", "MutexName": "672efd89-e31b-484e-bc00-af34f9f92a37", "StartupKey": "AMD Drivers", "Tag": "Disc 2.0", "LogDirectoryName": "Logs", "ServerSignature": "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", "ServerCertificate": "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"}
Source: shitgame.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: shitgame.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
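The configuration extracted from 3.2.taskmgr.exe.8f0000.0.unpack already holds everything needed to hunt for this build on other hosts: the C2 endpoint, the install directory and file name, the task name and the mutex. The following is an added example for this page, not Joe Sandbox or Quasar code, that derives those indicators from the config and checks them against constructed observations. It assumes the install root is %APPDATA%, as the dropped-file path in the process tree shows, that the Logs directory sits inside the install directory, and that "Host:Port" is a ';'-separated list (the trailing ';' in the extracted value suggests this). The ServerSignature and ServerCertificate values, removed from the page, are omitted; the benign file, task and flows in the observations are invented for contrast.

```python
"""Turn the Quasar client configuration extracted above into hunting IoCs.

Added example for this page; not code from Joe Sandbox and not Quasar's own.
Assumptions: the install root is %APPDATA% (the process tree shows the copy
under the user's AppData Roaming folder), the Logs directory sits inside the
install directory, and "Host:Port" is a ';'-separated list, as its trailing
';' suggests. The observations handed to match() are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Copied from the report's Malware Configuration Extractor output. The
# ServerSignature and ServerCertificate values were removed from the page.
QUASAR_CONFIG = {
    "Version": "1.4.0",
    "Host:Port": "67.241.61.219:4782;",
    "SubDirectory": "Windows NT Core",
    "InstallName": "taskmgr.exe",
    "MutexName": "672efd89-e31b-484e-bc00-af34f9f92a37",
    "StartupKey": "AMD Drivers",
    "Tag": "Disc 2.0",
    "LogDirectoryName": "Logs",
}


def parse_hosts(value: str) -> list[tuple[str, int]]:
    """'host:port;host:port;' -> [(host, port), ...]; blank entries skipped."""
    hosts = []
    for entry in (e.strip() for e in value.split(";")):
        if not entry:
            continue
        host, sep, port = entry.rpartition(":")  # keeps IPv6 colons in host
        if not sep or not port.isdigit():
            raise ValueError(f"malformed Host:Port entry: {entry!r}")
        hosts.append((host.strip("[]"), int(port)))
    return hosts


@dataclass(frozen=True)
class QuasarIocs:
    c2: frozenset[tuple[str, int]]
    install_paths: frozenset[str]
    log_dirs: frozenset[str]
    task_name: str
    mutex: str


def build_iocs(cfg: dict, user_profiles: list[str]) -> QuasarIocs:
    """Derive file, task and network indicators for the given user profiles."""
    dirs = ["\\".join((p, "AppData", "Roaming", cfg["SubDirectory"]))
            for p in user_profiles]
    return QuasarIocs(
        c2=frozenset(parse_hosts(cfg["Host:Port"])),
        install_paths=frozenset(d + "\\" + cfg["InstallName"] for d in dirs),
        log_dirs=frozenset(d + "\\" + cfg["LogDirectoryName"] for d in dirs),
        task_name=cfg["StartupKey"],  # used as the scheduled task name here
        mutex=cfg["MutexName"],
    )


def match(iocs: QuasarIocs, obs: dict) -> dict[str, list]:
    """Compare observations {"files", "tasks", "flows"} with the IoCs.

    Paths and task names compare case-insensitively, as NTFS and the Task
    Scheduler do. A flow to the C2 host on another port is reported apart
    from an exact host:port hit so the analyst can weigh it separately.
    """
    paths = {p.lower() for p in iocs.install_paths}
    c2_hosts = {host for host, _ in iocs.c2}
    return {
        "install_file": [f for f in obs.get("files", []) if f.lower() in paths],
        "scheduled_task": [t for t in obs.get("tasks", [])
                           if t.lower() == iocs.task_name.lower()],
        "c2_exact": [f for f in obs.get("flows", []) if f in iocs.c2],
        "c2_host_other_port": [f for f in obs.get("flows", [])
                               if f[0] in c2_hosts and f not in iocs.c2],
    }


# Constructed observations: the dropped file and task from the process tree,
# a flow to the configured C2, one to the same host on another port, noise.
OBSERVED = {
    "files": [r"C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe",
              r"C:\Windows\System32\Taskmgr.exe"],
    "tasks": ["AMD Drivers", "ExampleBenignTask"],
    "flows": [("67.241.61.219", 4782), ("67.241.61.219", 443), ("1.1.1.1", 53)],
}

if __name__ == "__main__":
    iocs = build_iocs(QUASAR_CONFIG, [r"C:\Users\user"])
    for kind, hits in match(iocs, OBSERVED).items():
        print(f"{kind:20} {hits}")
```

Feeding every profile directory on a host to build_iocs gives the full set of paths to sweep, since the install location is per user. The mutex name is carried along for a live-host check; it is not matched here because the constructed observations contain no handle listing.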

                        Networking

Source: Yara match | File source: shitgame.exe, type: SAMPLE
Source: Yara match | File source: 3.0.taskmgr.exe.8f0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.taskmgr.exe.8f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.shitgame.exe.640000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.shitgame.exe.640000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.shitgame.exe.ce0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.shitgame.exe.ce0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.taskmgr.exe.8f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.taskmgr.exe.8f0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe, type: DROPPED
Source: Malware configuration extractor | URLs: 67.241.61.219
Source: shitgame.exe, 00000000.00000002.355432829.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, taskmgr.exe, 00000003.00000002.382869466.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, shitgame.exe, 00000004.00000002.387076224.0000000003011000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: shitgame.exe, taskmgr.exe.0.dr | String found in binary or memory: https://api.ipify.org/
Source: shitgame.exe, taskmgr.exe.0.dr | String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: shitgame.exe, taskmgr.exe.0.dr | String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: shitgame.exe, taskmgr.exe.0.dr | String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot
Source: shitgame.exe, taskmgr.exe.0.dr | String found in binary or memory: https://tools.keycdn.com/geo.json

                        E-Banking Fraud

Source: Yara match | File source: shitgame.exe, type: SAMPLE
Source: Yara match | File source: 3.0.taskmgr.exe.8f0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.taskmgr.exe.8f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.shitgame.exe.640000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.shitgame.exe.640000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.shitgame.exe.ce0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.shitgame.exe.ce0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.taskmgr.exe.8f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.taskmgr.exe.8f0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000000.352566919.00000000008F2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.337813611.0000000000642000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.353062897.00000000008F2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.381210997.00000000008F2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.353449048.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.355019365.0000000000642000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.353514883.00000000008F2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.347620833.000000001B511000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.385882984.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: shitgame.exe PID: 6352, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: taskmgr.exe PID: 4496, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: shitgame.exe PID: 6888, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe, type: DROPPED

                        System Summary

Source: shitgame.exe, type: SAMPLE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: shitgame.exe, type: SAMPLE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: shitgame.exe, type: SAMPLE | Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 3.0.taskmgr.exe.8f0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 3.0.taskmgr.exe.8f0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 3.0.taskmgr.exe.8f0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 3.2.taskmgr.exe.8f0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 3.2.taskmgr.exe.8f0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 3.2.taskmgr.exe.8f0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.0.shitgame.exe.640000.0.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.0.shitgame.exe.640000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.0.shitgame.exe.640000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.2.shitgame.exe.640000.0.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 4.0.shitgame.exe.ce0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.shitgame.exe.640000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.shitgame.exe.640000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 4.0.shitgame.exe.ce0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 4.0.shitgame.exe.ce0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 4.2.shitgame.exe.ce0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 4.2.shitgame.exe.ce0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 4.2.shitgame.exe.ce0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 3.0.taskmgr.exe.8f0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 3.0.taskmgr.exe.8f0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 3.0.taskmgr.exe.8f0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 3.0.taskmgr.exe.8f0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 3.0.taskmgr.exe.8f0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 3.0.taskmgr.exe.8f0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer Author: ditekshen
Source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe, type: DROPPED | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe, type: DROPPED | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe, type: DROPPED | Matched rule: Detects Quasar infostealer Author: ditekshen
Source: shitgame.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: shitgame.exe, type: SAMPLE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: shitgame.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: shitgame.exe, type: SAMPLE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 3.0.taskmgr.exe.8f0000.1.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 3.0.taskmgr.exe.8f0000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 3.0.taskmgr.exe.8f0000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 3.2.taskmgr.exe.8f0000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 3.2.taskmgr.exe.8f0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 3.2.taskmgr.exe.8f0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.0.shitgame.exe.640000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.0.shitgame.exe.640000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.0.shitgame.exe.640000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.shitgame.exe.640000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 4.0.shitgame.exe.ce0000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.shitgame.exe.640000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.shitgame.exe.640000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 4.0.shitgame.exe.ce0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 4.0.shitgame.exe.ce0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 4.2.shitgame.exe.ce0000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 4.2.shitgame.exe.ce0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 4.2.shitgame.exe.ce0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 3.0.taskmgr.exe.8f0000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 3.0.taskmgr.exe.8f0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 3.0.taskmgr.exe.8f0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 3.0.taskmgr.exe.8f0000.2.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 3.0.taskmgr.exe.8f0000.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 3.0.taskmgr.exe.8f0000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                        Source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe, type: DROPPEDMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                        Source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe, type: DROPPEDMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                        Source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe, type: DROPPEDMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                        Source: shitgame.exe, 00000000.00000002.355153222.0000000000C7A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs shitgame.exe
                        Source: shitgame.exe, 00000004.00000002.386179567.00000000012DA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs shitgame.exe
                        Source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exeCode function: 3_2_00007FF859091ED23_2_00007FF859091ED2
                        Source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exeCode function: 3_2_00007FF85908D9D03_2_00007FF85908D9D0
                        Source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exeCode function: 3_2_00007FF85909326D3_2_00007FF85909326D
                        Source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exeCode function: 3_2_00007FF85908C42F3_2_00007FF85908C42F
                        Source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exeCode function: 3_2_00007FF8590860603_2_00007FF859086060
                        Source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exeCode function: 3_2_00007FF85908E47F3_2_00007FF85908E47F
                        Source: shitgame.exeStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
                        Source: taskmgr.exe.0.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
                        Source: shitgame.exeReversingLabs: Detection: 80%
                        Source: C:\Users\user\Desktop\shitgame.exeFile read: C:\Users\user\Desktop\shitgame.exeJump to behavior
                        Source: shitgame.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: C:\Users\user\Desktop\shitgame.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                        Source: shitgame.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                        Source: C:\Users\user\Desktop\shitgame.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
                        Source: C:\Users\user\Desktop\shitgame.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
                        Source: unknownProcess created: C:\Users\user\Desktop\shitgame.exe "C:\Users\user\Desktop\shitgame.exe"
                        Source: C:\Users\user\Desktop\shitgame.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "AMD Drivers" /sc ONLOGON /tr "C:\Users\user\Desktop\shitgame.exe" /rl HIGHEST /f
                        Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\shitgame.exeProcess created: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe
                        Source: unknownProcess created: C:\Users\user\Desktop\shitgame.exe C:\Users\user\Desktop\shitgame.exe
                        Source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "AMD Drivers" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe" /rl HIGHEST /f
                        Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\shitgame.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "AMD Drivers" /sc ONLOGON /tr "C:\Users\user\Desktop\shitgame.exe" /rl HIGHEST /fJump to behavior
                        Source: C:\Users\user\Desktop\shitgame.exeProcess created: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exeJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "AMD Drivers" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe" /rl HIGHEST /fJump to behavior
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4360:120:WilError_01
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6792:120:WilError_01
                        Source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exeMutant created: \Sessions\1\BaseNamedObjects\Local\672efd89-e31b-484e-bc00-af34f9f92a37
                        Source: C:\Users\user\Desktop\shitgame.exeFile created: C:\Users\user\AppData\Roaming\Windows NT CoreJump to behavior
                        Source: shitgame.exeString found in binary or memory: Conflicting item/add type
                        Source: taskmgr.exeString found in binary or memory: Conflicting item/add type
                        Source: shitgame.exeString found in binary or memory: HasSubValue3Conflicting item/add type
                        Source: classification engineClassification label: mal100.troj.evad.winEXE@10/2@0/0
                        Source: shitgame.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: shitgame.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exeCode function: 3_2_00007FF85908B2C0 push eax; ret 3_2_00007FF85908B32C
                        Source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exeCode function: 3_2_00007FF85908B172 push eax; ret 3_2_00007FF85908B32C
                        Source: C:\Users\user\Desktop\shitgame.exeFile created: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exeJump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\shitgame.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "AMD Drivers" /sc ONLOGON /tr "C:\Users\user\Desktop\shitgame.exe" /rl HIGHEST /f

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\shitgame.exe | File opened: C:\Users\user\Desktop\shitgame.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\shitgame.exe | File opened: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe | File opened: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\shitgame.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shitgame.exe TID: 5648 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\shitgame.exe TID: 4928 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\shitgame.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\shitgame.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\shitgame.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\shitgame.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\shitgame.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\shitgame.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\shitgame.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\shitgame.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\shitgame.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "AMD Drivers" /sc ONLOGON /tr "C:\Users\user\Desktop\shitgame.exe" /rl HIGHEST /f
Source: C:\Users\user\Desktop\shitgame.exe | Process created: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe
Source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "AMD Drivers" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe" /rl HIGHEST /f
Source: C:\Users\user\Desktop\shitgame.exe | Queries volume information: C:\Users\user\Desktop\shitgame.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe | Queries volume information: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Users\user\Desktop\shitgame.exe | Queries volume information: C:\Users\user\Desktop\shitgame.exe VolumeInformation
Source: C:\Users\user\Desktop\shitgame.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: shitgame.exe, type: SAMPLE
Source: Yara match | File source: 3.0.taskmgr.exe.8f0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.taskmgr.exe.8f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.shitgame.exe.640000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.shitgame.exe.640000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.shitgame.exe.ce0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.shitgame.exe.ce0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.taskmgr.exe.8f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.taskmgr.exe.8f0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000000.352566919.00000000008F2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.337813611.0000000000642000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.353062897.00000000008F2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.381210997.00000000008F2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.353449048.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.355019365.0000000000642000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.353514883.00000000008F2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.347620833.000000001B511000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.385882984.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: shitgame.exe PID: 6352, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: taskmgr.exe PID: 4496, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: shitgame.exe PID: 6888, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe, type: DROPPED

                        Remote Access Functionality

                        barindex
Source: Yara match, File source: shitgame.exe, type: SAMPLE
Source: Yara match, File source: 3.0.taskmgr.exe.8f0000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.taskmgr.exe.8f0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.0.shitgame.exe.640000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.shitgame.exe.640000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.shitgame.exe.ce0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.shitgame.exe.ce0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.0.taskmgr.exe.8f0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.0.taskmgr.exe.8f0000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000003.00000000.352566919.00000000008F2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000000.337813611.0000000000642000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000000.353062897.00000000008F2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.381210997.00000000008F2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000000.353449048.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.355019365.0000000000642000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000000.353514883.00000000008F2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.347620833.000000001B511000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.385882984.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: shitgame.exe PID: 6352, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: taskmgr.exe PID: 4496, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: shitgame.exe PID: 6888, type: MEMORYSTR
Source: Yara match, File source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe, type: DROPPED
MITRE ATT&CK Matrix, listed per tactic (a number in parentheses is the count of matching signatures for that technique):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job (1); At (Linux); At (Windows); Cron; Launchd
Persistence: Scheduled Task/Job (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Process Injection (11); Scheduled Task/Job (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (21); Process Injection (11); Hidden Files and Directories (1); Obfuscated Files or Information (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (1); Process Discovery (1); Virtualization/Sandbox Evasion (21); System Information Discovery (12); Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Encrypted Channel (1); Application Layer Protocol (1); Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Impact: Modify System Partition; Device Lockout; Delete Device Data

                        Legend:

                        • Process
                        • Signature
                        • Created File
                        • DNS/IP Info
                        • Is Dropped
                        • Is Windows Process
                        • Number of created Registry Values
                        • Number of created Files
                        • Visual Basic
                        • Delphi
                        • Java
                        • .Net C# or VB.NET
                        • C, C++ or other language
                        • Is malicious
                        • Internet
Behavior Graph (rendered graph not reproduced; node information recovered from it):
Behavior Graph ID: 649027, Sample: shitgame.bin, Startdate: 20/06/2022, Architecture: WINDOWS, Score: 100
Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 8 other signatures
Process tree:
• shitgame.exe (started)
  • dropped: C:\Users\user\AppData\Roaming\...\taskmgr.exe, PE32
  • dropped: C:\Users\user\AppData\...\shitgame.exe.log, ASCII
  • signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Hides that the sample has been downloaded from the Internet (zone.identifier)
  • taskmgr.exe (started)
    • signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
    • schtasks.exe (started)
      • conhost.exe (started)
  • schtasks.exe (started)
    • conhost.exe (started)
• shitgame.exe (second instance, started)

Source | Detection | Scanner | Label
shitgame.exe | 80% | ReversingLabs | ByteCode-MSIL.Trojan.Quasar
shitgame.exe | 100% | Avira | HEUR/AGEN.1235885
shitgame.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe | 100% | Avira | HEUR/AGEN.1235885
C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe | 80% | ReversingLabs | ByteCode-MSIL.Trojan.Quasar
Source | Detection | Scanner | Label
3.2.taskmgr.exe.8f0000.0.unpack | 100% | Avira | HEUR/AGEN.1235885
0.2.shitgame.exe.640000.0.unpack | 100% | Avira | HEUR/AGEN.1235885
4.0.shitgame.exe.ce0000.0.unpack | 100% | Avira | HEUR/AGEN.1235885
0.0.shitgame.exe.640000.0.unpack | 100% | Avira | HEUR/AGEN.1235885
3.0.taskmgr.exe.8f0000.0.unpack | 100% | Avira | HEUR/AGEN.1235885
4.2.shitgame.exe.ce0000.0.unpack | 100% | Avira | HEUR/AGEN.1235885
3.0.taskmgr.exe.8f0000.1.unpack | 100% | Avira | HEUR/AGEN.1235885
3.0.taskmgr.exe.8f0000.2.unpack | 100% | Avira | HEUR/AGEN.1235885
                        No Antivirus matches
Source | Detection | Scanner | Label
67.241.61.219 | 0% | Avira URL Cloud | safe
                        No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
67.241.61.219 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | shitgame.exe, taskmgr.exe.0.dr | false | | high
https://stackoverflow.com/q/14436606/23354 | shitgame.exe, taskmgr.exe.0.dr | false | | high
https://stackoverflow.com/q/2152978/23354sCannot | shitgame.exe, taskmgr.exe.0.dr | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | shitgame.exe, 00000000.00000002.355432829.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, taskmgr.exe, 00000003.00000002.382869466.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, shitgame.exe, 00000004.00000002.387076224.0000000003011000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/11564914/23354; | shitgame.exe, taskmgr.exe.0.dr | false | | high
https://tools.keycdn.com/geo.json | shitgame.exe, taskmgr.exe.0.dr | false | | high
                                    No contacted IP infos
                                    Joe Sandbox Version:35.0.0 Citrine
                                    Analysis ID:649027
Start date and time: 2022-06-20 19:21:26 +02:00
                                    Joe Sandbox Product:CloudBasic
                                    Overall analysis duration:0h 9m 20s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Sample file name:shitgame.bin (renamed file extension from bin to exe)
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 22
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • HDC enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Detection:MAL
                                    Classification:mal100.troj.evad.winEXE@10/2@0/0
                                    EGA Information:
                                    • Successful, ratio: 100%
                                    HDC Information:
                                    • Successful, ratio: 1.7% (good quality ratio 0.8%)
                                    • Quality average: 14.9%
                                    • Quality standard deviation: 27.9%
                                    HCA Information:
                                    • Successful, ratio: 97%
                                    • Number of executed functions: 7
                                    • Number of non-executed functions: 3
                                    Cookbook Comments:
                                    • Adjust boot time
                                    • Enable AMSI
                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                    • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fp-afd.azureedge.net, settings-win.data.microsoft.com, ctldl.windowsupdate.com, arc.msn.com, b-ring.msedge.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, login.live.com, fp-vp.azureedge.net, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
• Not all processes were analyzed; the report is missing behavior information
                                    • Report creation exceeded maximum time and may have missing disassembly code information.
                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
Time | Type | Description
19:22:38 | Task Scheduler | Run new task: AMD Drivers path: C:\Users\user\Desktop\shitgame.exe
No context
                                    Process:C:\Users\user\Desktop\shitgame.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):1281
                                    Entropy (8bit):5.367899416177239
                                    Encrypted:false
                                    SSDEEP:24:ML9E4KrL1qE4GiD0E4KeGiKDE4KGKN08AKhPKIE4TKD1KoZAE4KKPz:MxHKn1qHGiD0HKeGiYHKGD8AoPtHTG1Q
                                    MD5:7115A3215A4C22EF20AB9AF4160EE8F5
                                    SHA1:A4CAB34355971C1FBAABECEFA91458C4936F2C24
                                    SHA-256:A4A689E8149166591F94A8C84E99BE744992B9E80BDB7A0713453EB6C59BBBB2
                                    SHA-512:2CEF2BCD284265B147ABF300A4D26AD1AAC743EFE0B47A394FB614B6843A60B9F918E56261A56334078D0D9681132F3403FB734EE66E1915CF76F29411D5CE20
                                    Malicious:true
                                    Reputation:moderate, very likely benign file
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                    Process:C:\Users\user\Desktop\shitgame.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):514048
                                    Entropy (8bit):6.16054631778045
                                    Encrypted:false
                                    SSDEEP:6144:JTEgdc0YtX7IxUpGREWCvnfneqgZXrO1uvkAlcEY3fb8FgEjOjlhTcZ96cTR3J:JTEgdfY2xUZmXDE8HjM7Ta96cdJ
                                    MD5:97532A90B14C6D0084FA2193982358BF
                                    SHA1:DD4A9DDF2B84B3F500CC4A54F08AAC1C00FC54CC
                                    SHA-256:4A3A8ABD7F6D5FD9ADFB51703085E839781CFFC341705123BE40B0C146DCF0A9
                                    SHA-512:6698D12709DDC4F282D5D1955432474335F891C092B17429105FE312E058D01570E5C3FAE4298FAC2C5F9EF02BE346832D6B4B27F773A976D5E98A6011416C42
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe, Author: Florian Roth
                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe, Author: Joe Security
                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe, Author: Joe Security
• Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifacts observed in infostealers, Source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe, Author: ditekSHen
                                    • Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe, Author: ditekshen
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 80%
                                    Reputation:low
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....k.^............................n.... ........@.. .......................@............@.....................................O.......0.................... ....................................................... ............... ..H............text...t.... ...................... ..`.rsrc...0...........................@..@.reloc....... ......................@..B................P.......H.......L................................................................0..M....... ....(.....(...........s....(....(...........s....o....(.....(....s....(....*....0..8.......(....(.....s....%.o....%.o....%.o....(....&..&...(.....*........--..........00.......0..@........o....,7(....(.....s....%.o....%.o....%.o....(....&..&...(.....*........-5..........08......f~....,.~....(....(....*.*v.(.....s....}.....s....}....*r..(......(.....(......(....*....0..L........{....r...po....
                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Entropy (8bit):6.16054631778045
                                    TrID:
                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                    • Windows Screen Saver (13104/52) 0.07%
                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                    File name:shitgame.exe
                                    File size:514048
                                    MD5:97532a90b14c6d0084fa2193982358bf
                                    SHA1:dd4a9ddf2b84b3f500cc4a54f08aac1c00fc54cc
                                    SHA256:4a3a8abd7f6d5fd9adfb51703085e839781cffc341705123be40b0c146dcf0a9
                                    SHA512:6698d12709ddc4f282d5d1955432474335f891c092b17429105fe312e058d01570e5c3fae4298fac2c5f9ef02be346832d6b4b27f773a976d5e98a6011416c42
                                    SSDEEP:6144:JTEgdc0YtX7IxUpGREWCvnfneqgZXrO1uvkAlcEY3fb8FgEjOjlhTcZ96cTR3J:JTEgdfY2xUZmXDE8HjM7Ta96cdJ
                                    TLSH:95B46D4067F88527E1AE577AE87104319BF5F807B26BEF4F4A40A2F92C6670A9D40773
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....k.^............................n.... ........@.. .......................@............@................................
                                    Icon Hash:00828e8e8686b000
                                    Entrypoint:0x47e76e
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x5EDA6BF5 [Fri Jun 5 15:59:49 2020 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (this line is repeated 97 times in the original listing; the bytes after the jump are zero padding)

The entry point is a single indirect jump through the IAT slot at 0x402000 (Imagebase 0x400000 + IAT RVA 0x2000), which holds the imported mscoree.dll!_CorExeMain. This is the standard native stub of a .NET executable: control goes straight to the CLR, and the managed code that follows is not visible in this native disassembly.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7e71c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x80000 | 0xb30 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x82000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x7c774 | 0x7c800 | False | 0.45249945092871485 | data | 6.165389637491439 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x80000 | 0xb30 | 0xc00 | False | 0.3896484375 | data | 5.124518650507584 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x82000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x800a0 | 0x3b8 | COM executable for DOS | |
RT_MANIFEST | 0x80458 | 0x6d7 | XML 1.0 document, UTF-8 Unicode (with BOM) text | |
DLL | Import
mscoree.dll | _CorExeMain
                                    No network behavior found

                                    Target ID:0
                                    Start time:19:22:31
                                    Start date:20/06/2022
                                    Path:C:\Users\user\Desktop\shitgame.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Users\user\Desktop\shitgame.exe"
                                    Imagebase:0x640000
                                    File size:514048 bytes
                                    MD5 hash:97532A90B14C6D0084FA2193982358BF
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET
                                    Yara matches:
                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.337813611.0000000000642000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.355019365.0000000000642000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000003.347620833.000000001B511000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:low

                                    Target ID:1
                                    Start time:19:22:36
                                    Start date:20/06/2022
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:"schtasks" /create /tn "AMD Drivers" /sc ONLOGON /tr "C:\Users\user\Desktop\shitgame.exe" /rl HIGHEST /f
                                    Imagebase:0x7ff6604e0000
                                    File size:226816 bytes
                                    MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:2
                                    Start time:19:22:37
                                    Start date:20/06/2022
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7bab80000
                                    File size:625664 bytes
                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:3
                                    Start time:19:22:38
                                    Start date:20/06/2022
                                    Path:C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe
                                    Imagebase:0x8f0000
                                    File size:514048 bytes
                                    MD5 hash:97532A90B14C6D0084FA2193982358BF
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET
                                    Yara matches:
                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000003.00000000.352566919.00000000008F2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000003.00000000.353062897.00000000008F2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000003.00000002.381210997.00000000008F2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000003.00000000.353514883.00000000008F2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                    • Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe, Author: Florian Roth
                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe, Author: Joe Security
                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe, Author: Joe Security
                                    • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe, Author: ditekSHen
                                    • Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe, Author: ditekshen
                                    Antivirus matches:
                                    • Detection: 100%, Avira
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 80%, ReversingLabs
                                    Reputation:low

                                    Target ID:4
                                    Start time:19:22:38
                                    Start date:20/06/2022
                                    Path:C:\Users\user\Desktop\shitgame.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Users\user\Desktop\shitgame.exe
                                    Imagebase:0xce0000
                                    File size:514048 bytes
                                    MD5 hash:97532A90B14C6D0084FA2193982358BF
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET
                                    Yara matches:
                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000004.00000000.353449048.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000004.00000002.385882984.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    Reputation:low

                                    Target ID:6
                                    Start time:19:22:42
                                    Start date:20/06/2022
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:"schtasks" /create /tn "AMD Drivers" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Windows NT Core\taskmgr.exe" /rl HIGHEST /f
                                    Imagebase:0x7ff6604e0000
                                    File size:226816 bytes
                                    MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:8
                                    Start time:19:22:43
                                    Start date:20/06/2022
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7e8070000
                                    File size:625664 bytes
                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                      Execution Graph

                                      Execution Coverage:27.2%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:0%
                                      Total number of Nodes:13
                                      Total number of Limit Nodes:0
                                      [Execution graph rendering omitted: three entry nodes (7ff8590821bd, 7ff859082255, 7ff859082531) each reach a DeleteFileW call and converge at 7ff859082346]

                                      Callgraph

                                      [Call graph rendering omitted: legend (Executed / Not Executed / Opacity -> Relevance / Disassembly available) and node list not reproduced]

                                      Control-flow Graph

                                      [Control-flow graph rendering omitted: function at 7ff859082255, calls DeleteFileW]
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.359672605.00007FF859080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF859080000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff859080000_shitgame.jbxd
                                      Similarity
                                      • API ID: DeleteFile
                                      • String ID:
                                      • API String ID: 4033686569-0
                                      • Opcode ID: 178a02fecc53f2bda403d818e64003bd99697d0bbab0c6e2f37e49a8a407041c
                                      • Instruction ID: 36cd54e74a401cc200eb7a62f5e66ba6c5b576ea389a3d273c245ed3456c4e02
                                      • Opcode Fuzzy Hash: 178a02fecc53f2bda403d818e64003bd99697d0bbab0c6e2f37e49a8a407041c
                                      • Instruction Fuzzy Hash: 7C41363190CB988FDB19DF6C98496E97FF0EF66320F0842AFC049D7592DB24A849C781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      [Control-flow graph rendering omitted: function at 7ff859082299, calls DeleteFileW]
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.359672605.00007FF859080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF859080000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff859080000_shitgame.jbxd
                                      Similarity
                                      • API ID: DeleteFile
                                      • String ID:
                                      • API String ID: 4033686569-0
                                      • Opcode ID: a7d09b6844744b811c71e7ddaa03da825e37a2776662a2a7630d4cfad91b4574
                                      • Instruction ID: 3cdf9d3132d4550322efe5113af9f51152bd6a8d9b2cf428d53213c8691e81e6
                                      • Opcode Fuzzy Hash: a7d09b6844744b811c71e7ddaa03da825e37a2776662a2a7630d4cfad91b4574
                                      • Instruction Fuzzy Hash: 0731EF3190CB9C8FDB19DF5C88496E9BBF0EF66321F04426BD049D3692DB24A846CB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Execution Graph

                                      Execution Coverage:11.7%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:0%
                                      Total number of Nodes:6
                                      Total number of Limit Nodes:0
                                      [Execution graph rendering omitted: two entry nodes (7ff8590821bd, 7ff859082255) each reach a DeleteFileW call and converge at 7ff859082346]
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.387082314.00007FF859080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF859080000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff859080000_taskmgr.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b332475e504e1fc12e50777a1deabc3c7f960d8a3d5fd93b12f97a636fd1c434
                                      • Instruction ID: 84d3bc8ee74699d83d118574e28f4358eb827093b6a6b96ec9449dc02e92c6c4
                                      • Opcode Fuzzy Hash: b332475e504e1fc12e50777a1deabc3c7f960d8a3d5fd93b12f97a636fd1c434
                                      • Instruction Fuzzy Hash: 1DD28F30A18A598FDF98EF18C485BA977F2FF98750F1545A9C44ED7292CB34E886CB40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      [Control-flow graph rendering omitted: function at 7ff859091ed2, internal calls only (7ff8590872b8, 7ff859087230, 7ff859086f70, 7ff859087238, 7ff859086bb8, 7ff85908d620), no API calls]
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.387082314.00007FF859080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF859080000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff859080000_taskmgr.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e7513c9d7b13b8027ceb44610d5cd02d65e3d555c7447f3ae8d258a13efd60e6
                                      • Instruction ID: 6d507348bdb1dcd51e7bedce7ee701c66e955d994be084b43bdbdd020755f300
                                      • Opcode Fuzzy Hash: e7513c9d7b13b8027ceb44610d5cd02d65e3d555c7447f3ae8d258a13efd60e6
                                      • Instruction Fuzzy Hash: 5B326C30B189498FEF98EF2C9458A7933D2FF99361B0545B9E44EC72A2DF24EC468741
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000003.00000002.387082314.00007FF859080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF859080000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff859080000_taskmgr.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f656732250351c34dc27e8848dfca3608481653a422315e2d399f34d1b16dc09
                                      • Instruction ID: 88383906ac78420c7749f467e0cd7b0f5df167333c95447e4cfd7cb1f1d99369
                                      • Opcode Fuzzy Hash: f656732250351c34dc27e8848dfca3608481653a422315e2d399f34d1b16dc09
                                      • Instruction Fuzzy Hash: 50125E30B18A598FEBA8EE18C485779B3E2FF98751F1545BAD44ED3291CF34E8858B40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      [Control-flow graph rendering omitted: function at 7ff859082255, calls DeleteFileW]
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.387082314.00007FF859080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF859080000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff859080000_taskmgr.jbxd
                                      Similarity
                                      • API ID: DeleteFile
                                      • String ID:
                                      • API String ID: 4033686569-0
                                      • Opcode ID: 72a2d9187c8ae0d439385e46807daf32e3bfd75768a7533e9619a1e1445c0886
                                      • Instruction ID: d8c916fc9409864312615f12da08fd6f569a8637336db17170b815f472c1be12
                                      • Opcode Fuzzy Hash: 72a2d9187c8ae0d439385e46807daf32e3bfd75768a7533e9619a1e1445c0886
                                      • Instruction Fuzzy Hash: 3B41363190CA988FDB19DF6C98496F97FF0EF66320F0842AFD049D7592DB24A849C781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      [Control-flow graph rendering omitted: function at 7ff859082299, calls DeleteFileW]
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.387082314.00007FF859080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF859080000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff859080000_taskmgr.jbxd
                                      Similarity
                                      • API ID: DeleteFile
                                      • String ID:
                                      • API String ID: 4033686569-0
                                      • Opcode ID: a7d09b6844744b811c71e7ddaa03da825e37a2776662a2a7630d4cfad91b4574
                                      • Instruction ID: 3cdf9d3132d4550322efe5113af9f51152bd6a8d9b2cf428d53213c8691e81e6
                                      • Opcode Fuzzy Hash: a7d09b6844744b811c71e7ddaa03da825e37a2776662a2a7630d4cfad91b4574
                                      • Instruction Fuzzy Hash: 0731EF3190CB9C8FDB19DF5C88496E9BBF0EF66321F04426BD049D3692DB24A846CB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.387082314.00007FF859080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF859080000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff859080000_taskmgr.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: +^_^
                                      • API String ID: 0-2142765521
                                      • Opcode ID: bf3727869e6da196ec0e1ee8b4cba0b6940893819ce9485e57b373c17dd5c849
                                      • Instruction ID: d8703abd67c6476fa5d69c9ac19c525a20261d3ed5551d68d542305bf1fc3b3a
                                      • Opcode Fuzzy Hash: bf3727869e6da196ec0e1ee8b4cba0b6940893819ce9485e57b373c17dd5c849
                                      • Instruction Fuzzy Hash: AF029E30A1CA858FDB58EE2CD445576B7E1FF953A0F15497DE48AC3292DF34E8428B81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000003.00000002.387082314.00007FF859080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF859080000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff859080000_taskmgr.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: dd3a4373597b7892b894422a6bbbb827a8c41b49d43fad5a87d4894ae32842c1
                                      • Instruction ID: 3d6110c3e4ab38c5839ff93b89944b131e647e9a625ec80e525827b703b999df
                                      • Opcode Fuzzy Hash: dd3a4373597b7892b894422a6bbbb827a8c41b49d43fad5a87d4894ae32842c1
                                      • Instruction Fuzzy Hash: E9321930A08A498FEB98EB2CC498B7577E2FF99750F1445B9E44DC72A2DF34E8458B41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000003.00000002.387082314.00007FF859080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF859080000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff859080000_taskmgr.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a863238dd16032db5d1ae50b1d1561f5fc61e12cb831bb6cbe9d8610ee2ee775
                                      • Instruction ID: 98c7b00683e7646e450a3fed2589d5da2a263e4d0bc661d1d77e3dbdc8cd2ff0
                                      • Opcode Fuzzy Hash: a863238dd16032db5d1ae50b1d1561f5fc61e12cb831bb6cbe9d8610ee2ee775
                                      • Instruction Fuzzy Hash: FB126830A08A498FEB98EF2C8459B7577E2FF99350F1444B9E44DC72A2DF34E8468B41
                                      Uniqueness

                                      Uniqueness Score: -1.00%