Edit tour

Windows Analysis Report
build.exe

Overview

General Information

Sample name:	build.exe
Analysis ID:	1454159
MD5:	05eecfc1820ab3273409323601a71f23
SHA1:	5076d5c3a1aa6f2ffcc299f803d0dd01b33d6dd7
SHA256:	4a72f3948f014c2ded502832814c6d65feb78bd1caef7df8bcecb78f7a90b6e2
Tags:	exe
Infos:

Detection

Quasar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Quasar RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Quasar RAT

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Writes to foreign memory regions

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Compiles C# or VB.Net code

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

build.exe (PID: 5776 cmdline: "C:\Users\user\Desktop\build.exe" MD5: 05EECFC1820AB3273409323601A71F23)

csc.exe (PID: 4924 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Quasar RAT, QuasarRAT	Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.	APT33 Dropping Elephant Stone Panda The Gorgon Group	http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848 https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf https://asec.ahnlab.com/en/31089/	https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware Configuration

Threatname: Quasar

{"Host:Port": "OuB3'!fy.", "InstallName": "0vRva!b|>", "MutexName": "`H]\"':q", "StartupKey": "}p(3k<Y?Zi1BM", "Tag": "UnW))[Q>", "ServerSignature": "[{+'*", "ServerCertificate": "@ETksT"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.4550205864.0000000000722000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000003.00000002.4550205864.0000000000722000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Quasarrat_e52df647	unknown	unknown	0x3ea04:$a1: GetKeyloggerLogsResponse 0x3e165:$a2: DoDownloadAndExecute 0x50614:$a3: http://api.ipify.org/ 0x4e11d:$a4: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7} 0x4f46b:$a5: " /sc ONLOGON /tr "
00000003.00000002.4550205864.0000000000722000.00000040.00000400.00020000.00000000.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x3df21:$s1: DoUploadAndExecute 0x3e165:$s2: DoDownloadAndExecute 0x3dce6:$s3: DoShellExecute 0x3e11d:$s4: set_Processname 0x5824:$op1: 04 1E FE 02 04 16 FE 01 60 0x5748:$op2: 00 17 03 1F 20 17 19 15 28 0x61ae:$op3: 00 04 03 69 91 1B 40 0x69fe:$op3: 00 04 03 69 91 1B 40
00000003.00000002.4550205864.0000000000722000.00000040.00000400.00020000.00000000.sdmp	Quasar	detect Remcos in memory	JPCERT/CC Incident Response Group	0x4ee2a:$quasarstr1: [PRIVATE KEY LOCATION: "{0}"] 0x4ea3e:$quasarstr2: User: {0}{3}Pass: {1}{3}Host: {2} 0x33dc9:$class: Core.MouseKeyHook.WinApi
00000000.00000002.2406369807.0000000000FC2000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.2406369807.0000000000FC2000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Quasarrat_e52df647	unknown	unknown	0x3ea04:$a1: GetKeyloggerLogsResponse 0x3e165:$a2: DoDownloadAndExecute 0x50614:$a3: http://api.ipify.org/ 0x4e11d:$a4: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7} 0x4f46b:$a5: " /sc ONLOGON /tr "
00000000.00000002.2406369807.0000000000FC2000.00000040.00001000.00020000.00000000.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x3df21:$s1: DoUploadAndExecute 0x3e165:$s2: DoDownloadAndExecute 0x3dce6:$s3: DoShellExecute 0x3e11d:$s4: set_Processname 0x5824:$op1: 04 1E FE 02 04 16 FE 01 60 0x5748:$op2: 00 17 03 1F 20 17 19 15 28 0x61ae:$op3: 00 04 03 69 91 1B 40 0x69fe:$op3: 00 04 03 69 91 1B 40
00000000.00000002.2406369807.0000000000FC2000.00000040.00001000.00020000.00000000.sdmp	Quasar	detect Remcos in memory	JPCERT/CC Incident Response Group	0x4ee2a:$quasarstr1: [PRIVATE KEY LOCATION: "{0}"] 0x4ea3e:$quasarstr2: User: {0}{3}Pass: {1}{3}Host: {2} 0x33dc9:$class: Core.MouseKeyHook.WinApi
00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmp	Windows_Trojan_Quasarrat_e52df647	unknown	unknown	0x3f39e:$a1: GetKeyloggerLogsResponse 0x3eaff:$a2: DoDownloadAndExecute 0x50fae:$a3: http://api.ipify.org/ 0x4eab7:$a4: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7} 0x4fe05:$a5: " /sc ONLOGON /tr "
00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x3e8bb:$s1: DoUploadAndExecute 0x3eaff:$s2: DoDownloadAndExecute 0x3e680:$s3: DoShellExecute 0x3eab7:$s4: set_Processname 0x61be:$op1: 04 1E FE 02 04 16 FE 01 60 0x60e2:$op2: 00 17 03 1F 20 17 19 15 28 0x6b48:$op3: 00 04 03 69 91 1B 40 0x7398:$op3: 00 04 03 69 91 1B 40
00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmp	Quasar	detect Remcos in memory	JPCERT/CC Incident Response Group	0x4f7c4:$quasarstr1: [PRIVATE KEY LOCATION: "{0}"] 0x4f3d8:$quasarstr2: User: {0}{3}Pass: {1}{3}Host: {2} 0x34763:$class: Core.MouseKeyHook.WinApi
Process Memory Space: build.exe PID: 5776	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: csc.exe PID: 4924	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.csc.exe.720000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
3.2.csc.exe.720000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.csc.exe.720000.0.unpack	Windows_Trojan_Quasarrat_e52df647	unknown	unknown	0x3ec04:$a1: GetKeyloggerLogsResponse 0x3e365:$a2: DoDownloadAndExecute 0x50814:$a3: http://api.ipify.org/ 0x4e31d:$a4: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7} 0x4f66b:$a5: " /sc ONLOGON /tr "
3.2.csc.exe.720000.0.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x3e121:$s1: DoUploadAndExecute 0x3e365:$s2: DoDownloadAndExecute 0x3dee6:$s3: DoShellExecute 0x3e31d:$s4: set_Processname 0x5a24:$op1: 04 1E FE 02 04 16 FE 01 60 0x5948:$op2: 00 17 03 1F 20 17 19 15 28 0x63ae:$op3: 00 04 03 69 91 1B 40 0x6bfe:$op3: 00 04 03 69 91 1B 40
3.2.csc.exe.720000.0.unpack	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x3ec04:$x1: GetKeyloggerLogsResponse 0x3ee44:$s1: DoShellExecuteResponse 0x3e7b3:$s2: GetPasswordsResponse 0x3ed17:$s3: GetStartupItemsResponse 0x3e135:$s5: RunHidden 0x3e153:$s5: RunHidden 0x3e161:$s5: RunHidden 0x3e175:$s5: RunHidden
3.2.csc.exe.720000.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x4f631:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 2F 00 74 00 6E 00 20 00 22 00 00 27 22 00 20 00 2F 00 ... 0x4f867:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
3.2.csc.exe.720000.0.unpack	Vermin_Keylogger_Jan18_1	Detects Vermin Keylogger	Florian Roth	0x3ec04:$x3: GetKeyloggerLogsResponse 0x3de5c:$x4: GetKeyloggerLogs 0x3e134:$s1: <RunHidden>k__BackingField 0x3edcc:$s2: set_SystemInfos 0x3e15d:$s3: set_RunHidden 0x3dc90:$s4: set_RemotePath 0x3202a:$s7: xClient.Core.ReverseProxy.Packets
3.2.csc.exe.720000.0.unpack	xRAT_1	Detects Patchwork malware	Florian Roth	0x305c0:$x4: xClient.Properties.Resources.resources 0x30481:$s4: Client.exe 0x3e15d:$s7: set_RunHidden
3.2.csc.exe.720000.0.unpack	CN_disclosed_20180208_KeyLogger_1	Detects malware from disclosed CN malware set	Florian Roth	0x5161b:$x2: Process already elevated. 0x3a2d7:$x4: get_encryptedPassword 0x3e365:$x5: DoDownloadAndExecute
3.2.csc.exe.720000.0.unpack	Quasar	detect Remcos in memory	JPCERT/CC Incident Response Group	0x4f02a:$quasarstr1: [PRIVATE KEY LOCATION: "{0}"] 0x4ec3e:$quasarstr2: User: {0}{3}Pass: {1}{3}Host: {2} 0x33fc9:$class: Core.MouseKeyHook.WinApi
3.2.csc.exe.720000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x4eeee:$f1: FileZilla\recentservers.xml 0x4ef2e:$f2: FileZilla\sitemanager.xml 0x4ef62:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x4e4d9:$b1: Chrome\User Data\ 0x4e53d:$b1: Chrome\User Data\ 0x4e8d0:$b2: Mozilla\Firefox\Profiles 0x4eca4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x53514:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x4ed34:$b4: Opera Software\Opera Stable\Login Data 0x4ede4:$b5: YandexBrowser\User Data\ 0x4ee56:$b5: YandexBrowser\User Data\ 0x4e684:$s4: logins.json 0x4e6d0:$s4: logins.json 0x4e9be:$s4: logins.json 0x4e1ee:$a1: username_value 0x4e20c:$a2: password_value 0x3a2af:$a3: encryptedUsername 0x3a2c5:$a3: encryptedUsername 0x3a3fb:$a3: encryptedUsername 0x3a2db:$a4: encryptedPassword 0x3a2f1:$a4: encryptedPassword
3.2.csc.exe.720000.0.unpack	MALWARE_Win_QuasarRAT	QuasarRAT payload	ditekSHen	0x3ec04:$s1: GetKeyloggerLogsResponse 0x3de5c:$s2: GetKeyloggerLogs 0x4dabe:$s3: />Log created on 0x4ec3e:$s4: User: {0}{3}Pass: {1}{3}Host: {2} 0x4e31d:$s5: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7} 0x51cee:$s6: grabber_ 0x51d0a:$s6: grabber_ 0x3302a:$s7: <virtualKeyCode> 0x3e134:$s8: <RunHidden>k__BackingField 0x3305c:$s9: <keyboardHookStruct> 0x36405:$s10: add_OnHotKeysDown 0x36457:$s10: add_OnHotKeysDown 0x5067c:$ua1: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 0x50d39:$us2: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
0.2.build.exe.64179a.1.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.build.exe.64179a.1.unpack	Windows_Trojan_Quasarrat_e52df647	unknown	unknown	0x3ce04:$a1: GetKeyloggerLogsResponse 0x3c565:$a2: DoDownloadAndExecute 0x4ea14:$a3: http://api.ipify.org/ 0x4c51d:$a4: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7} 0x4d86b:$a5: " /sc ONLOGON /tr "
0.2.build.exe.64179a.1.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x3c321:$s1: DoUploadAndExecute 0x3c565:$s2: DoDownloadAndExecute 0x3c0e6:$s3: DoShellExecute 0x3c51d:$s4: set_Processname 0x3c24:$op1: 04 1E FE 02 04 16 FE 01 60 0x3b48:$op2: 00 17 03 1F 20 17 19 15 28 0x45ae:$op3: 00 04 03 69 91 1B 40 0x4dfe:$op3: 00 04 03 69 91 1B 40
0.2.build.exe.64179a.1.unpack	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x3ce04:$x1: GetKeyloggerLogsResponse 0x3d044:$s1: DoShellExecuteResponse 0x3c9b3:$s2: GetPasswordsResponse 0x3cf17:$s3: GetStartupItemsResponse 0x3c335:$s5: RunHidden 0x3c353:$s5: RunHidden 0x3c361:$s5: RunHidden 0x3c375:$s5: RunHidden
0.2.build.exe.64179a.1.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x4d831:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 2F 00 74 00 6E 00 20 00 22 00 00 27 22 00 20 00 2F 00 ... 0x4da67:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.build.exe.64179a.1.unpack	Vermin_Keylogger_Jan18_1	Detects Vermin Keylogger	Florian Roth	0x3ce04:$x3: GetKeyloggerLogsResponse 0x3c05c:$x4: GetKeyloggerLogs 0x3c334:$s1: <RunHidden>k__BackingField 0x3cfcc:$s2: set_SystemInfos 0x3c35d:$s3: set_RunHidden 0x3be90:$s4: set_RemotePath 0x3022a:$s7: xClient.Core.ReverseProxy.Packets
0.2.build.exe.64179a.1.unpack	xRAT_1	Detects Patchwork malware	Florian Roth	0x2e7c0:$x4: xClient.Properties.Resources.resources 0x2e681:$s4: Client.exe 0x3c35d:$s7: set_RunHidden
0.2.build.exe.64179a.1.unpack	CN_disclosed_20180208_KeyLogger_1	Detects malware from disclosed CN malware set	Florian Roth	0x4f81b:$x2: Process already elevated. 0x384d7:$x4: get_encryptedPassword 0x3c565:$x5: DoDownloadAndExecute
0.2.build.exe.64179a.1.unpack	Quasar	detect Remcos in memory	JPCERT/CC Incident Response Group	0x4d22a:$quasarstr1: [PRIVATE KEY LOCATION: "{0}"] 0x4ce3e:$quasarstr2: User: {0}{3}Pass: {1}{3}Host: {2} 0x321c9:$class: Core.MouseKeyHook.WinApi
0.2.build.exe.64179a.1.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x4d0ee:$f1: FileZilla\recentservers.xml 0x4d12e:$f2: FileZilla\sitemanager.xml 0x4d162:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x4c6d9:$b1: Chrome\User Data\ 0x4c73d:$b1: Chrome\User Data\ 0x4cad0:$b2: Mozilla\Firefox\Profiles 0x4cea4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x51714:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x4cf34:$b4: Opera Software\Opera Stable\Login Data 0x4cfe4:$b5: YandexBrowser\User Data\ 0x4d056:$b5: YandexBrowser\User Data\ 0x4c884:$s4: logins.json 0x4c8d0:$s4: logins.json 0x4cbbe:$s4: logins.json 0x4c3ee:$a1: username_value 0x4c40c:$a2: password_value 0x384af:$a3: encryptedUsername 0x384c5:$a3: encryptedUsername 0x385fb:$a3: encryptedUsername 0x384db:$a4: encryptedPassword 0x384f1:$a4: encryptedPassword
0.2.build.exe.64179a.1.unpack	MALWARE_Win_QuasarRAT	QuasarRAT payload	ditekSHen	0x3ce04:$s1: GetKeyloggerLogsResponse 0x3c05c:$s2: GetKeyloggerLogs 0x4bcbe:$s3: />Log created on 0x4ce3e:$s4: User: {0}{3}Pass: {1}{3}Host: {2} 0x4c51d:$s5: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7} 0x4feee:$s6: grabber_ 0x4ff0a:$s6: grabber_ 0x3122a:$s7: <virtualKeyCode> 0x3c334:$s8: <RunHidden>k__BackingField 0x3125c:$s9: <keyboardHookStruct> 0x34605:$s10: add_OnHotKeysDown 0x34657:$s10: add_OnHotKeysDown 0x4e87c:$ua1: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 0x4ef39:$us2: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
0.2.build.exe.fc0000.2.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.build.exe.fc0000.2.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.build.exe.fc0000.2.unpack	Windows_Trojan_Quasarrat_e52df647	unknown	unknown	0x3ec04:$a1: GetKeyloggerLogsResponse 0x3e365:$a2: DoDownloadAndExecute 0x50814:$a3: http://api.ipify.org/ 0x4e31d:$a4: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7} 0x4f66b:$a5: " /sc ONLOGON /tr "
0.2.build.exe.fc0000.2.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x3e121:$s1: DoUploadAndExecute 0x3e365:$s2: DoDownloadAndExecute 0x3dee6:$s3: DoShellExecute 0x3e31d:$s4: set_Processname 0x5a24:$op1: 04 1E FE 02 04 16 FE 01 60 0x5948:$op2: 00 17 03 1F 20 17 19 15 28 0x63ae:$op3: 00 04 03 69 91 1B 40 0x6bfe:$op3: 00 04 03 69 91 1B 40
0.2.build.exe.fc0000.2.unpack	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x3ec04:$x1: GetKeyloggerLogsResponse 0x3ee44:$s1: DoShellExecuteResponse 0x3e7b3:$s2: GetPasswordsResponse 0x3ed17:$s3: GetStartupItemsResponse 0x3e135:$s5: RunHidden 0x3e153:$s5: RunHidden 0x3e161:$s5: RunHidden 0x3e175:$s5: RunHidden
0.2.build.exe.fc0000.2.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x4f631:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 2F 00 74 00 6E 00 20 00 22 00 00 27 22 00 20 00 2F 00 ... 0x4f867:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.build.exe.fc0000.2.unpack	Vermin_Keylogger_Jan18_1	Detects Vermin Keylogger	Florian Roth	0x3ec04:$x3: GetKeyloggerLogsResponse 0x3de5c:$x4: GetKeyloggerLogs 0x3e134:$s1: <RunHidden>k__BackingField 0x3edcc:$s2: set_SystemInfos 0x3e15d:$s3: set_RunHidden 0x3dc90:$s4: set_RemotePath 0x3202a:$s7: xClient.Core.ReverseProxy.Packets
0.2.build.exe.fc0000.2.unpack	xRAT_1	Detects Patchwork malware	Florian Roth	0x305c0:$x4: xClient.Properties.Resources.resources 0x30481:$s4: Client.exe 0x3e15d:$s7: set_RunHidden
0.2.build.exe.fc0000.2.unpack	CN_disclosed_20180208_KeyLogger_1	Detects malware from disclosed CN malware set	Florian Roth	0x5161b:$x2: Process already elevated. 0x3a2d7:$x4: get_encryptedPassword 0x3e365:$x5: DoDownloadAndExecute
0.2.build.exe.fc0000.2.unpack	Quasar	detect Remcos in memory	JPCERT/CC Incident Response Group	0x4f02a:$quasarstr1: [PRIVATE KEY LOCATION: "{0}"] 0x4ec3e:$quasarstr2: User: {0}{3}Pass: {1}{3}Host: {2} 0x33fc9:$class: Core.MouseKeyHook.WinApi
0.2.build.exe.fc0000.2.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x4eeee:$f1: FileZilla\recentservers.xml 0x4ef2e:$f2: FileZilla\sitemanager.xml 0x4ef62:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x4e4d9:$b1: Chrome\User Data\ 0x4e53d:$b1: Chrome\User Data\ 0x4e8d0:$b2: Mozilla\Firefox\Profiles 0x4eca4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x53514:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x4ed34:$b4: Opera Software\Opera Stable\Login Data 0x4ede4:$b5: YandexBrowser\User Data\ 0x4ee56:$b5: YandexBrowser\User Data\ 0x4e684:$s4: logins.json 0x4e6d0:$s4: logins.json 0x4e9be:$s4: logins.json 0x4e1ee:$a1: username_value 0x4e20c:$a2: password_value 0x3a2af:$a3: encryptedUsername 0x3a2c5:$a3: encryptedUsername 0x3a3fb:$a3: encryptedUsername 0x3a2db:$a4: encryptedPassword 0x3a2f1:$a4: encryptedPassword
0.2.build.exe.fc0000.2.unpack	MALWARE_Win_QuasarRAT	QuasarRAT payload	ditekSHen	0x3ec04:$s1: GetKeyloggerLogsResponse 0x3de5c:$s2: GetKeyloggerLogs 0x4dabe:$s3: />Log created on 0x4ec3e:$s4: User: {0}{3}Pass: {1}{3}Host: {2} 0x4e31d:$s5: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7} 0x51cee:$s6: grabber_ 0x51d0a:$s6: grabber_ 0x3302a:$s7: <virtualKeyCode> 0x3e134:$s8: <RunHidden>k__BackingField 0x3305c:$s9: <keyboardHookStruct> 0x36405:$s10: add_OnHotKeysDown 0x36457:$s10: add_OnHotKeysDown 0x5067c:$ua1: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 0x50d39:$us2: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
0.2.build.exe.64179a.1.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.build.exe.64179a.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.build.exe.64179a.1.raw.unpack	Windows_Trojan_Quasarrat_e52df647	unknown	unknown	0x3ec04:$a1: GetKeyloggerLogsResponse 0x3e365:$a2: DoDownloadAndExecute 0x50814:$a3: http://api.ipify.org/ 0x4e31d:$a4: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7} 0x4f66b:$a5: " /sc ONLOGON /tr "
0.2.build.exe.64179a.1.raw.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x3e121:$s1: DoUploadAndExecute 0x3e365:$s2: DoDownloadAndExecute 0x3dee6:$s3: DoShellExecute 0x3e31d:$s4: set_Processname 0x5a24:$op1: 04 1E FE 02 04 16 FE 01 60 0x5948:$op2: 00 17 03 1F 20 17 19 15 28 0x63ae:$op3: 00 04 03 69 91 1B 40 0x6bfe:$op3: 00 04 03 69 91 1B 40
0.2.build.exe.64179a.1.raw.unpack	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x3ec04:$x1: GetKeyloggerLogsResponse 0x3ee44:$s1: DoShellExecuteResponse 0x3e7b3:$s2: GetPasswordsResponse 0x3ed17:$s3: GetStartupItemsResponse 0x3e135:$s5: RunHidden 0x3e153:$s5: RunHidden 0x3e161:$s5: RunHidden 0x3e175:$s5: RunHidden
0.2.build.exe.64179a.1.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x4f631:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 2F 00 74 00 6E 00 20 00 22 00 00 27 22 00 20 00 2F 00 ... 0x4f867:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.build.exe.64179a.1.raw.unpack	Vermin_Keylogger_Jan18_1	Detects Vermin Keylogger	Florian Roth	0x3ec04:$x3: GetKeyloggerLogsResponse 0x3de5c:$x4: GetKeyloggerLogs 0x3e134:$s1: <RunHidden>k__BackingField 0x3edcc:$s2: set_SystemInfos 0x3e15d:$s3: set_RunHidden 0x3dc90:$s4: set_RemotePath 0x3202a:$s7: xClient.Core.ReverseProxy.Packets
0.2.build.exe.64179a.1.raw.unpack	xRAT_1	Detects Patchwork malware	Florian Roth	0x305c0:$x4: xClient.Properties.Resources.resources 0x30481:$s4: Client.exe 0x3e15d:$s7: set_RunHidden
0.2.build.exe.64179a.1.raw.unpack	CN_disclosed_20180208_KeyLogger_1	Detects malware from disclosed CN malware set	Florian Roth	0x5161b:$x2: Process already elevated. 0x3a2d7:$x4: get_encryptedPassword 0x3e365:$x5: DoDownloadAndExecute
0.2.build.exe.64179a.1.raw.unpack	Quasar	detect Remcos in memory	JPCERT/CC Incident Response Group	0x4f02a:$quasarstr1: [PRIVATE KEY LOCATION: "{0}"] 0x4ec3e:$quasarstr2: User: {0}{3}Pass: {1}{3}Host: {2} 0x33fc9:$class: Core.MouseKeyHook.WinApi
0.2.build.exe.64179a.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x4eeee:$f1: FileZilla\recentservers.xml 0x4ef2e:$f2: FileZilla\sitemanager.xml 0x4ef62:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x4e4d9:$b1: Chrome\User Data\ 0x4e53d:$b1: Chrome\User Data\ 0x4e8d0:$b2: Mozilla\Firefox\Profiles 0x4eca4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x53514:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x4ed34:$b4: Opera Software\Opera Stable\Login Data 0x4ede4:$b5: YandexBrowser\User Data\ 0x4ee56:$b5: YandexBrowser\User Data\ 0x4e684:$s4: logins.json 0x4e6d0:$s4: logins.json 0x4e9be:$s4: logins.json 0x4e1ee:$a1: username_value 0x4e20c:$a2: password_value 0x3a2af:$a3: encryptedUsername 0x3a2c5:$a3: encryptedUsername 0x3a3fb:$a3: encryptedUsername 0x3a2db:$a4: encryptedPassword 0x3a2f1:$a4: encryptedPassword
0.2.build.exe.64179a.1.raw.unpack	MALWARE_Win_QuasarRAT	QuasarRAT payload	ditekSHen	0x3ec04:$s1: GetKeyloggerLogsResponse 0x3de5c:$s2: GetKeyloggerLogs 0x4dabe:$s3: />Log created on 0x4ec3e:$s4: User: {0}{3}Pass: {1}{3}Host: {2} 0x4e31d:$s5: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7} 0x51cee:$s6: grabber_ 0x51d0a:$s6: grabber_ 0x3302a:$s7: <virtualKeyCode> 0x3e134:$s8: <RunHidden>k__BackingField 0x3305c:$s9: <keyboardHookStruct> 0x36405:$s10: add_OnHotKeysDown 0x36457:$s10: add_OnHotKeysDown 0x5067c:$ua1: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 0x50d39:$us2: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
0.2.build.exe.400000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.build.exe.400000.0.unpack	Windows_Trojan_Quasarrat_e52df647	unknown	unknown	0x276f9e:$a1: GetKeyloggerLogsResponse 0x2766ff:$a2: DoDownloadAndExecute 0x288bae:$a3: http://api.ipify.org/ 0x2866b7:$a4: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7} 0x287a05:$a5: " /sc ONLOGON /tr "
0.2.build.exe.400000.0.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x2764bb:$s1: DoUploadAndExecute 0x2766ff:$s2: DoDownloadAndExecute 0x276280:$s3: DoShellExecute 0x2766b7:$s4: set_Processname 0x23ddbe:$op1: 04 1E FE 02 04 16 FE 01 60 0x23dce2:$op2: 00 17 03 1F 20 17 19 15 28 0x23e748:$op3: 00 04 03 69 91 1B 40 0x23ef98:$op3: 00 04 03 69 91 1B 40
0.2.build.exe.400000.0.unpack	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x276f9e:$x1: GetKeyloggerLogsResponse 0x2771de:$s1: DoShellExecuteResponse 0x276b4d:$s2: GetPasswordsResponse 0x2770b1:$s3: GetStartupItemsResponse 0x2764cf:$s5: RunHidden 0x2764ed:$s5: RunHidden 0x2764fb:$s5: RunHidden 0x27650f:$s5: RunHidden
0.2.build.exe.400000.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x2879cb:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 2F 00 74 00 6E 00 20 00 22 00 00 27 22 00 20 00 2F 00 ... 0x287c01:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.build.exe.400000.0.unpack	Quasar	detect Remcos in memory	JPCERT/CC Incident Response Group	0x2873c4:$quasarstr1: [PRIVATE KEY LOCATION: "{0}"] 0x286fd8:$quasarstr2: User: {0}{3}Pass: {1}{3}Host: {2} 0x26c363:$class: Core.MouseKeyHook.WinApi
0.2.build.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x287288:$f1: FileZilla\recentservers.xml 0x2872c8:$f2: FileZilla\sitemanager.xml 0x2872fc:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x286873:$b1: Chrome\User Data\ 0x2868d7:$b1: Chrome\User Data\ 0x286c6a:$b2: Mozilla\Firefox\Profiles 0x28703e:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x28b8ae:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2870ce:$b4: Opera Software\Opera Stable\Login Data 0x28717e:$b5: YandexBrowser\User Data\ 0x2871f0:$b5: YandexBrowser\User Data\ 0x286a1e:$s4: logins.json 0x286a6a:$s4: logins.json 0x286d58:$s4: logins.json 0x286588:$a1: username_value 0x2865a6:$a2: password_value 0x272649:$a3: encryptedUsername 0x27265f:$a3: encryptedUsername 0x272795:$a3: encryptedUsername 0x272675:$a4: encryptedPassword 0x27268b:$a4: encryptedPassword
0.2.build.exe.400000.0.unpack	MALWARE_Win_QuasarRAT	QuasarRAT payload	ditekSHen	0x276f9e:$s1: GetKeyloggerLogsResponse 0x2761f6:$s2: GetKeyloggerLogs 0x285e58:$s3: />Log created on 0x286fd8:$s4: User: {0}{3}Pass: {1}{3}Host: {2} 0x2866b7:$s5: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7} 0x28a088:$s6: grabber_ 0x28a0a4:$s6: grabber_ 0x26b3c4:$s7: <virtualKeyCode> 0x2764ce:$s8: <RunHidden>k__BackingField 0x26b3f6:$s9: <keyboardHookStruct> 0x26e79f:$s10: add_OnHotKeysDown 0x26e7f1:$s10: add_OnHotKeysDown 0x288a16:$ua1: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 0x2890d3:$us2: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
Click to see the 50 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 3.2.csc.exe.720000.0.unpack

Malware Configuration Extractor: Quasar {"Host:Port": "OuB3'!fy.", "InstallName": "0vRva!b|>", "MutexName": "`H]\"':q", "StartupKey": "}p(3k<Y?Zi1BM", "Tag": "UnW))[Q>", "ServerSignature": "[{+'*", "ServerCertificate": "@ETksT"}

Multi AV Scanner detection for submitted file

Source: build.exe

ReversingLabs: Detection: 16%

Yara detected Quasar RAT

Source: Yara match	File source: 3.2.csc.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.build.exe.64179a.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.build.exe.fc0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.build.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4550205864.0000000000722000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2406369807.0000000000FC2000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: build.exe PID: 5776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csc.exe PID: 4924, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.2% probability

Source: build.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: build.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\Sources\foobar2000-desktop-1.6.x\foobar2000\Release\foobar2000.pdb source: build.exe

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: OuB3'!fy.

Yara detected Generic Downloader

Source: Yara match	File source: 3.2.csc.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.build.exe.fc0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.6:49708 -> 64.42.179.59:62604

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: unknown

DNS query: name: ip-api.com

Source: global traffic

HTTP traffic detected: GET /json/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0Host: ip-api.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /json/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: roblox.airdns.org

Source: build.exe, build.exe, 00000000.00000002.2406369807.0000000000FC2000.00000040.00001000.00020000.00000000.sdmp, build.exe, 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmp, csc.exe, 00000003.00000002.4550205864.0000000000722000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org/
Source: build.exe	String found in binary or memory: http://forums.foobar2000.org/
Source: build.exe, build.exe, 00000000.00000002.2406369807.0000000000FC2000.00000040.00001000.00020000.00000000.sdmp, build.exe, 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmp, csc.exe, 00000003.00000002.4550205864.0000000000722000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://freegeoip.net/xml/
Source: build.exe	String found in binary or memory: http://help.foobar2000.org/
Source: build.exe	String found in binary or memory: http://help.foobar2000.org/filesystem::g_get_canonical_pathfilesystem::g_list_directoryunpack://file
Source: csc.exe, 00000003.00000002.4552710355.0000000006FC9000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4552710355.0000000006FDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: build.exe, build.exe, 00000000.00000002.2406369807.0000000000FC2000.00000040.00001000.00020000.00000000.sdmp, build.exe, 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmp, csc.exe, 00000003.00000002.4550205864.0000000000722000.00000040.00000400.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4552710355.0000000006F84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/
Source: csc.exe, 00000003.00000002.4552710355.0000000006FDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: build.exe	String found in binary or memory: http://schemas.microsof
Source: csc.exe, 00000003.00000002.4552710355.0000000006FC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: build.exe	String found in binary or memory: http://wiki.hydrogenaudio.org/index.php?title=Replaygain
Source: build.exe	String found in binary or memory: http://wiki.hydrogenaudio.org/index.php?title=ReplaygainSet
Source: build.exe	String found in binary or memory: http://www.foobar2000.org/FAQ.html
Source: build.exe	String found in binary or memory: http://www.foobar2000.org/FAQ.htmlCould
Source: build.exe	String found in binary or memory: https://www.foobar2000.org/
Source: build.exe	String found in binary or memory: https://www.foobar2000.org/download
Source: build.exe	String found in binary or memory: https://www.foobar2000.org/downloadcomponent_manager::on_app_initPre
Source: build.exe	String found in binary or memory: https://www.foobar2000.org/downloadportablestandardquietcrashednoguisafeinstallfoobar2000.exe:
Source: build.exe	String found in binary or memory: https://www.foobar2000.org/license
Source: build.exe	String found in binary or memory: https://www.foobar2000.org/licensehttps://www.foobar2000.org/http://forums.foobar2000.org/AboutOpens

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Jump to behavior

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match	File source: 3.2.csc.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.build.exe.64179a.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.build.exe.fc0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.build.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4550205864.0000000000722000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2406369807.0000000000FC2000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: build.exe PID: 5776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csc.exe PID: 4924, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.csc.exe.720000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: 3.2.csc.exe.720000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 3.2.csc.exe.720000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 3.2.csc.exe.720000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 3.2.csc.exe.720000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 3.2.csc.exe.720000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 3.2.csc.exe.720000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 3.2.csc.exe.720000.0.unpack, type: UNPACKEDPE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.csc.exe.720000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 3.2.csc.exe.720000.0.unpack, type: UNPACKEDPE	Matched rule: QuasarRAT payload Author: ditekSHen
Source: 0.2.build.exe.64179a.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: 0.2.build.exe.64179a.1.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0.2.build.exe.64179a.1.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0.2.build.exe.64179a.1.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.build.exe.64179a.1.unpack, type: UNPACKEDPE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 0.2.build.exe.64179a.1.unpack, type: UNPACKEDPE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 0.2.build.exe.64179a.1.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.build.exe.64179a.1.unpack, type: UNPACKEDPE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.build.exe.64179a.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.build.exe.64179a.1.unpack, type: UNPACKEDPE	Matched rule: QuasarRAT payload Author: ditekSHen
Source: 0.2.build.exe.fc0000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: 0.2.build.exe.fc0000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0.2.build.exe.fc0000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0.2.build.exe.fc0000.2.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.build.exe.fc0000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 0.2.build.exe.fc0000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 0.2.build.exe.fc0000.2.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.build.exe.fc0000.2.unpack, type: UNPACKEDPE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.build.exe.fc0000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.build.exe.fc0000.2.unpack, type: UNPACKEDPE	Matched rule: QuasarRAT payload Author: ditekSHen
Source: 0.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: 0.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 0.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 0.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE	Matched rule: QuasarRAT payload Author: ditekSHen
Source: 0.2.build.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: 0.2.build.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0.2.build.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0.2.build.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.build.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.build.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.build.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: QuasarRAT payload Author: ditekSHen
Source: 00000003.00000002.4550205864.0000000000722000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: 00000003.00000002.4550205864.0000000000722000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000003.00000002.4550205864.0000000000722000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2406369807.0000000000FC2000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: 00000000.00000002.2406369807.0000000000FC2000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000000.00000002.2406369807.0000000000FC2000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\build.exe	Code function: 0_2_0041715A NtQueryDefaultLocale,		0_2_0041715A
Source: C:\Users\user\Desktop\build.exe	Code function: 0_2_004175F9 NtQueryDefaultLocale,		0_2_004175F9

Source: C:\Users\user\Desktop\build.exe	Code function: 0_2_004070F4	0_2_004070F4
Source: C:\Users\user\Desktop\build.exe	Code function: 0_2_0041CD00	0_2_0041CD00
Source: C:\Users\user\Desktop\build.exe	Code function: 0_2_0052D910	0_2_0052D910
Source: C:\Users\user\Desktop\build.exe	Code function: 0_2_0041D257	0_2_0041D257
Source: C:\Users\user\Desktop\build.exe	Code function: 0_2_00401ECD	0_2_00401ECD
Source: C:\Users\user\Desktop\build.exe	Code function: 0_2_0041CABA	0_2_0041CABA
Source: C:\Users\user\Desktop\build.exe	Code function: 0_2_00407302	0_2_00407302
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06C0A550	3_2_06C0A550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06C09C80	3_2_06C09C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06C09938	3_2_06C09938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_0B01C1F4	3_2_0B01C1F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_0B01D9C8	3_2_0B01D9C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_0B0D4C08	3_2_0B0D4C08

Source: build.exe	Binary or memory string: OriginalFilename vs build.exe
Source: build.exe, 00000000.00000003.2245234460.000000000126E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs build.exe
Source: build.exe, 00000000.00000003.2245196148.000000000126C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs build.exe
Source: build.exe, 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameRuntimeBroker.exej% vs build.exe
Source: build.exe, 00000000.00000000.2088429488.00000000006A5000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamefoobar2000.exeN vs build.exe
Source: build.exe, 00000000.00000002.2406369807.000000000101A000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRuntimeBroker.exej% vs build.exe
Source: build.exe, 00000000.00000002.2406204157.00000000006A5000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamefoobar2000.exeN vs build.exe
Source: build.exe	Binary or memory string: OriginalFilenamefoobar2000.exeN vs build.exe

Source: build.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 3.2.csc.exe.720000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: 3.2.csc.exe.720000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.csc.exe.720000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 3.2.csc.exe.720000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 3.2.csc.exe.720000.0.unpack, type: UNPACKEDPE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.csc.exe.720000.0.unpack, type: UNPACKEDPE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.csc.exe.720000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.csc.exe.720000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 3.2.csc.exe.720000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 3.2.csc.exe.720000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
Source: 0.2.build.exe.64179a.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: 0.2.build.exe.64179a.1.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.build.exe.64179a.1.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 0.2.build.exe.64179a.1.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.build.exe.64179a.1.unpack, type: UNPACKEDPE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.build.exe.64179a.1.unpack, type: UNPACKEDPE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.build.exe.64179a.1.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.build.exe.64179a.1.unpack, type: UNPACKEDPE	Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 0.2.build.exe.64179a.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.build.exe.64179a.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
Source: 0.2.build.exe.fc0000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: 0.2.build.exe.fc0000.2.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.build.exe.fc0000.2.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 0.2.build.exe.fc0000.2.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.build.exe.fc0000.2.unpack, type: UNPACKEDPE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.build.exe.fc0000.2.unpack, type: UNPACKEDPE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.build.exe.fc0000.2.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.build.exe.fc0000.2.unpack, type: UNPACKEDPE	Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 0.2.build.exe.fc0000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.build.exe.fc0000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
Source: 0.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: 0.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 0.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 0.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
Source: 0.2.build.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: 0.2.build.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.build.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 0.2.build.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.build.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 0.2.build.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.build.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
Source: 00000003.00000002.4550205864.0000000000722000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: 00000003.00000002.4550205864.0000000000722000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.4550205864.0000000000722000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 00000000.00000002.2406369807.0000000000FC2000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: 00000000.00000002.2406369807.0000000000FC2000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2406369807.0000000000FC2000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan

Source: 0.2.build.exe.64179a.1.raw.unpack, ----.cs

Base64 encoded string: 'wUl/f9Z9c0HJkgn0LkR3tgx0jNemZdZZXwtrjN37gTmQDAxJ4eNPr2zJxD5FzUY1jQK6EfZUz8L7LpT8o9WAQw==', 'vVjY5ZJ6o3UiZAcBxrVNLmrSiaHSFpdrImDrkV5LGLuTGeXI8KiLiDnHeoQPgWKXayXFoAm9/HPYQx9jgdEuUw==', 'NloEf4TXdEEtCAPA23YG77hR2gBZhlUN5TMEkM69F+Eyq9b1haRauu4n35RqUTobX693FMns3mIxEX0yOeSzgQ==', 'XdMKS0zmM2HqG9GB1xiQOPNEdup7dD0JGElTLtP+P7K5Dnyc0uQgFoqEeNn8lfszXBTQHP8SNtp2QEKv5Cc6pyOM0UMg6xlul+IBxcQoqFA=', '/M1VhpGWTx0I8npMFdssAo9WCr99LhMb3S5IME+AIGA7a506KCvXiQj+jZ6MhEim1zeP2ZJxzqpHwOWk66wdXQ==', 'prnH13WVqb4TCDeg4YtKiDyngbILmcdacqg0YSiDr2WBGmyAGWjNA3LD2I6nE9qzXt7sbFGVZ7vpLp6yHEghoA=='

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

File created: C:\Users\user\AppData\Roaming\Logs

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Mutant created: \Sessions\1\BaseNamedObjects\QSR_MUTEX_DT5aFgoH5h6bbtKq7Q
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Mutant created: NULL

Source: build.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\build.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: build.exe

ReversingLabs: Detection: 16%

Source: build.exe	String found in binary or memory: /add <list-of-files> - appends the specified files to the current playlist instead of replacing the playlist content and playing them immediately
Source: build.exe	String found in binary or memory: /play, /pause, /playpause, /prev, /next, /rand, /stop - playback controls
Source: build.exe	String found in binary or memory: /play, /pause, /playpause, /prev, /next, /rand, /stop - playback controls
Source: build.exe	String found in binary or memory: " /add "%1"
Source: build.exe	String found in binary or memory: @" "addplaynow.icoicons\generic.icoSoftware\Classesfoobar2000.url.foobar2000.SOFTWARE\Classes\CLSID\{511D48AF-9E45-4CB8-8F02-9C1BE4BC3CF8}\InprocServer32/LegacyDisable{511D48AF-9E45-4CB8-8F02-9C1BE4BC3CF8}CommandDirectory\shellex\ContextMenuHandlers\Fb2kShellExtPlay in foobar2000" "%1"Enqueue in foobar2000" /add "%1"AudioCD\shell\play\commandbckupAudioCDAudioCDbckupAudioCDOverflow
Source: build.exe	String found in binary or memory: /stop
Source: build.exe	String found in binary or memory: /stop
Source: build.exe	String found in binary or memory: /install
Source: build.exe	String found in binary or memory: AMultiple wildcard levels not supported.*/immediate/add/playnow/help/?ErrorUnknown commandline parameter: /playlist:/config/play/pause/playpause/prev/next/rand/stop/autoquit/exit/quit/show/hideCommand-line Help/nogui/noresume/quiet/safe/install/command:/playlist_command:/playing_command:/context_command:
Source: build.exe	String found in binary or memory: AMultiple wildcard levels not supported.*/immediate/add/playnow/help/?ErrorUnknown commandline parameter: /playlist:/config/play/pause/playpause/prev/next/rand/stop/autoquit/exit/quit/show/hideCommand-line Help/nogui/noresume/quiet/safe/install/command:/playlist_command:/playing_command:/context_command:
Source: build.exe	String found in binary or memory: AMultiple wildcard levels not supported.*/immediate/add/playnow/help/?ErrorUnknown commandline parameter: /playlist:/config/play/pause/playpause/prev/next/rand/stop/autoquit/exit/quit/show/hideCommand-line Help/nogui/noresume/quiet/safe/install/command:/playlist_command:/playing_command:/context_command:
Source: build.exe	String found in binary or memory: AMultiple wildcard levels not supported.*/immediate/add/playnow/help/?ErrorUnknown commandline parameter: /playlist:/config/play/pause/playpause/prev/next/rand/stop/autoquit/exit/quit/show/hideCommand-line Help/nogui/noresume/quiet/safe/install/command:/playlist_command:/playing_command:/context_command:
Source: build.exe	String found in binary or memory: Do you want to continue?\| files\|Error writing playlist (Load Playlist%path_sort%Scanning for dead items...Rename playlist: "Select destination folderCould not save playlist to "FPLOpen...Replaces current playlist with specified file(s), then starts playback.Add files...Add folder...Add location...Adds specified file(s) to the current playlist.Adds contents of the specified folder to the current playlist.Adds the specified URL to the current playlist.New playlistLoad playlist...Save playlist...Previous playlistNext playlistRemove playlistRename playlistSave all playlists...Creates a new, empty playlist.Creates a new playlist from the specified file.Saves the current playlist to the specified file.Switches to the previous playlist.Switches to the next playlist.Removes the current playlist.Renames the current playlist.Saves all loaded playlists to files in the specified folder.VolumeMuteIncreases playback volume.Decreases playback volume.Mutes or unmutes playback. dBSet to - dB.Set playback volume to -StopPlay or pauseNextPreviousRandomStops playback.Pauses or unpauses playback.Starts playback.Starts, pauses or unpauses playback.Starts playing the next track from the current playlist.Starts playing the previous track from the current playlist.Starts playing a random track from the current playlist.Stop after currentPlayback follows cursorCursor follows playbackStops playback after currently played item.Toggles playback-follows-cursor mode.Toggles cursor-follows-playback mode.OrderSets playback order to "UndoRedoReverts the last operation.Repeats the last reverted operation.ClearSelect allClears the list.Selects all list items.Remove duplicatesRemove dead itemsRemoves duplicate items from the list.Removes dead items from the list.RemoveCropRemoves the selected items from the list.Crops the list to the selected items.1 second5 seconds10 seconds30 seconds1 minute2 minutes5 minutes10 minutesSeekBack by Ahead by Seeks back by Seeks ahead by ActivateHideActivate or hideShow now playingShow now playing in playlistActivates foobar2000 window.Hides foobar2000 window.Activates or hides foobar2000 window.Displays information about currently playing track.Focuses the playlist display on the currently playing track.Always on TopToggles always-on-top mode.Save as playlist...Saves playlist file containing specified items.ConfigureRescan foldersRescans folders specified in your Media Library configuration to update Media Library with newly added files as well as remove references to files that have been deleted.Opens the Media Library Preferences page.SearchSearches for items matching specified pattern.Remove now playing track from playlistRemoves the now playing track from its playlist.y
Source: build.exe	String found in binary or memory: /addcomponent
Source: build.exe	String found in binary or memory: No updatable components present.Checking for UpdatesNameVersionModule UTC)About Component maintenance failureInstall Componentfoobar2000 components\|foo_.zip;.fb2k-componentAnother instance of this component already exists in your foobar2000 application folder; you need to remove it manually before you can update this component automatically.": Could not load component "(unknown - please apply changes to load)Component removal failureComponents/addcomponentCheck for updated componentsChecks for updated versions of installed components.

Source: unknown	Process created: C:\Users\user\Desktop\build.exe "C:\Users\user\Desktop\build.exe"
Source: C:\Users\user\Desktop\build.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\Desktop\build.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"	Jump to behavior

Source: C:\Users\user\Desktop\build.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\build.exe	Section loaded: k7rn7l32.dll	Jump to behavior
Source: C:\Users\user\Desktop\build.exe	Section loaded: ntd3ll.dll	Jump to behavior
Source: C:\Users\user\Desktop\build.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Desktop\build.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\build.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\build.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\build.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\build.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\build.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: build.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: build.exe

Static file information: File size 3124224 > 1048576

Source: build.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1b2a00

Source: build.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: build.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: build.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: build.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: build.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: build.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: build.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: build.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Sources\foobar2000-desktop-1.6.x\foobar2000\Release\foobar2000.pdb source: build.exe

Source: C:\Users\user\Desktop\build.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\Desktop\build.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"			Jump to behavior

Source: build.exe

Static PE information: real checksum: 0x2536d9 should be: 0x308742

Source: build.exe

Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\build.exe	Code function: 0_2_00593E24 push eax; ret	0_2_00593E42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06C097C7 pushad ; retf	3_2_06C097C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06C0F938 pushfd ; retf 0006h	3_2_06C0F952

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Memory allocated: 6AF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Memory allocated: 6F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Memory allocated: 6AF0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\build.exe

Code function: 0_2_00427A40 rdtsc

0_2_00427A40

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Window / User API: threadDelayed 614			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Window / User API: threadDelayed 9193			Jump to behavior

Source: C:\Users\user\Desktop\build.exe

API coverage: 3.2 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 5632	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 5632	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 2120	Thread sleep count: 614 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 2120	Thread sleep count: 9193 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 5632	Thread sleep count: 41 > 30	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: csc.exe, 00000003.00000002.4551386328.0000000005071000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\build.exe

Code function: 0_2_00427A40 rdtsc

0_2_00427A40

Source: C:\Users\user\Desktop\build.exe

Code function: 0_2_00592412 mov esi, dword ptr fs:[00000030h]

0_2_00592412

Source: C:\Users\user\Desktop\build.exe

Code function: 0_2_0059247E GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,

0_2_0059247E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\build.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 720000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\build.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 720000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\build.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 720000			Jump to behavior
Source: C:\Users\user\Desktop\build.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 8EE008			Jump to behavior

Source: C:\Users\user\Desktop\build.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"

Jump to behavior

Source: C:\Users\user\Desktop\build.exe

Code function: 0_2_00592716 cpuid

0_2_00592716

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\build.exe

Code function: 0_2_00593435 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00593435

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Quasar RAT

Source: Yara match	File source: 3.2.csc.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.build.exe.64179a.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.build.exe.fc0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.build.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4550205864.0000000000722000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2406369807.0000000000FC2000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: build.exe PID: 5776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csc.exe PID: 4924, type: MEMORYSTR

Remote Access Functionality

Detected Quasar RAT

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Mutex created: \Sessions\1\BaseNamedObjects\QSR_MUTEX_DT5aFgoH5h6bbtKq7Q

Jump to behavior

Yara detected Quasar RAT

Source: Yara match	File source: 3.2.csc.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.build.exe.64179a.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.build.exe.fc0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.build.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4550205864.0000000000722000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2406369807.0000000000FC2000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: build.exe PID: 5776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csc.exe PID: 4924, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	311 Process Injection	1 Masquerading	11 Input Capture	1 System Time Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Obfuscated Files or Information	Cached Domain Credentials	23 System Information Discovery	VNC	GUI Input Capture	112 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
build.exe	16%	ReversingLabs

Source	Detection	Scanner	Label
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://help.foobar2000.org/filesystem::g_get_canonical_pathfilesystem::g_list_directoryunpack://file	0%	Avira URL Cloud	safe
https://www.foobar2000.org/licensehttps://www.foobar2000.org/http://forums.foobar2000.org/AboutOpens	0%	Avira URL Cloud	safe
http://freegeoip.net/xml/	0%	Avira URL Cloud	safe
OuB3'!fy.	0%	Avira URL Cloud	safe
http://www.foobar2000.org/FAQ.htmlCould	0%	Avira URL Cloud	safe
http://www.foobar2000.org/FAQ.html	0%	Avira URL Cloud	safe
https://www.foobar2000.org/downloadportablestandardquietcrashednoguisafeinstallfoobar2000.exe:	0%	Avira URL Cloud	safe
http://ip-api.com/json/	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/	0%	Avira URL Cloud	safe
http://wiki.hydrogenaudio.org/index.php?title=Replaygain	0%	Avira URL Cloud	safe
https://www.foobar2000.org/license	0%	Avira URL Cloud	safe
http://forums.foobar2000.org/	0%	Avira URL Cloud	safe
http://ip-api.com	0%	Avira URL Cloud	safe
http://api.ipify.org/	0%	Avira URL Cloud	safe
http://help.foobar2000.org/	0%	Avira URL Cloud	safe
https://www.foobar2000.org/download	0%	Avira URL Cloud	safe
https://www.foobar2000.org/downloadcomponent_manager::on_app_initPre	0%	Avira URL Cloud	safe
http://schemas.microsof	0%	Avira URL Cloud	safe
https://www.foobar2000.org/	0%	Avira URL Cloud	safe
http://wiki.hydrogenaudio.org/index.php?title=ReplaygainSet	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false		unknown
roblox.airdns.org	64.42.179.59	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
OuB3'!fy.	true	Avira URL Cloud: safe	unknown
http://ip-api.com/json/	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://help.foobar2000.org/filesystem::g_get_canonical_pathfilesystem::g_list_directoryunpack://file	build.exe	false	Avira URL Cloud: safe	unknown
http://freegeoip.net/xml/	build.exe, build.exe, 00000000.00000002.2406369807.0000000000FC2000.00000040.00001000.00020000.00000000.sdmp, build.exe, 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmp, csc.exe, 00000003.00000002.4550205864.0000000000722000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.foobar2000.org/licensehttps://www.foobar2000.org/http://forums.foobar2000.org/AboutOpens	build.exe	false	Avira URL Cloud: safe	unknown
http://wiki.hydrogenaudio.org/index.php?title=Replaygain	build.exe	false	Avira URL Cloud: safe	unknown
http://www.foobar2000.org/FAQ.htmlCould	build.exe	false	Avira URL Cloud: safe	unknown
https://www.foobar2000.org/downloadportablestandardquietcrashednoguisafeinstallfoobar2000.exe:	build.exe	false	Avira URL Cloud: safe	unknown
http://schemas.datacontract.org/2004/07/	csc.exe, 00000003.00000002.4552710355.0000000006FDC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.foobar2000.org/FAQ.html	build.exe	false	Avira URL Cloud: safe	unknown
http://forums.foobar2000.org/	build.exe	false	Avira URL Cloud: safe	unknown
https://www.foobar2000.org/license	build.exe	false	Avira URL Cloud: safe	unknown
http://ip-api.com	csc.exe, 00000003.00000002.4552710355.0000000006FC9000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4552710355.0000000006FDC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://api.ipify.org/	build.exe, build.exe, 00000000.00000002.2406369807.0000000000FC2000.00000040.00001000.00020000.00000000.sdmp, build.exe, 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmp, csc.exe, 00000003.00000002.4550205864.0000000000722000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	csc.exe, 00000003.00000002.4552710355.0000000006FC9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.foobar2000.org/download	build.exe	false	Avira URL Cloud: safe	unknown
https://www.foobar2000.org/downloadcomponent_manager::on_app_initPre	build.exe	false	Avira URL Cloud: safe	unknown
https://www.foobar2000.org/	build.exe	false	Avira URL Cloud: safe	unknown
http://schemas.microsof	build.exe	false	Avira URL Cloud: safe	unknown
http://wiki.hydrogenaudio.org/index.php?title=ReplaygainSet	build.exe	false	Avira URL Cloud: safe	unknown
http://help.foobar2000.org/	build.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false
64.42.179.59	roblox.airdns.org	United States		63018	DEDICATEDUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1454159
Start date and time:	2024-06-09 00:57:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	build.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 86% Number of executed functions: 49 Number of non-executed functions: 19
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: build.exe

Simulations

Behavior and APIs

Time	Type	Description
18:58:29	API Interceptor	10502644x Sleep call for process: csc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	ZLsIkKPtLQ.exe	Get hash	malicious	Unknown	Browse	ip-api.com/line/?fields=hosting
	ZLsIkKPtLQ.exe	Get hash	malicious	Unknown	Browse	ip-api.com/line/?fields=hosting
	fix.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	ip-api.com/json/?fields=225545
	PO.docx.doc	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	ac#U03c2.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	PYT W2471234-MLIG.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	staff record or employee record.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	4ef10e7296fb6c5df039a4b95147b1cb4482bdbee0a097863fe345b295302cc9_dump.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	rlytKovocev.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	US00061Q0904081THBKK.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	ZLsIkKPtLQ.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	ZLsIkKPtLQ.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	fix.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	208.95.112.1
	PO.docx.doc	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	PYT W2471234-MLIG.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	staff record or employee record.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	4ef10e7296fb6c5df039a4b95147b1cb4482bdbee0a097863fe345b295302cc9_dump.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	rlytKovocev.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	US00061Q0904081THBKK.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DEDICATEDUS	Replace.exe	Get hash	malicious	Unknown	Browse	74.201.73.52
	x1b5bmJgLm.elf	Get hash	malicious	Unknown	Browse	200.220.163.225
	0FnrrE8B6Y.elf	Get hash	malicious	Mirai	Browse	168.81.61.232
	D2M15lCoQK.elf	Get hash	malicious	Mirai	Browse	45.74.57.45
	CGlwOBF2cH.elf	Get hash	malicious	Unknown	Browse	45.74.57.32
	SecuriteInfo.com.Win32.Trojan.CobaltStrike.4EYNH5.5772.17622.dll	Get hash	malicious	CobaltStrike	Browse	64.42.181.227
	VlkShT2TjD.elf	Get hash	malicious	Gafgyt	Browse	172.83.131.72
	Enrollment PO, from United Way of the Midlands.eml	Get hash	malicious	Unknown	Browse	216.105.168.10
	9Dcya2QOaQ.elf	Get hash	malicious	Mirai	Browse	14.1.28.237
	file.exe	Get hash	malicious	Glupteba, GuLoader, Socks5Systemz, Stealc	Browse	74.201.73.52
TUT-ASUS	ZLsIkKPtLQ.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	ZLsIkKPtLQ.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	fix.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	208.95.112.1
	PO.docx.doc	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	ac#U03c2.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	PYT W2471234-MLIG.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	staff record or employee record.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	4ef10e7296fb6c5df039a4b95147b1cb4482bdbee0a097863fe345b295302cc9_dump.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	rlytKovocev.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	US00061Q0904081THBKK.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	data
Category:	modified
Size (bytes):	224
Entropy (8bit):	7.0000643526969695
Encrypted:	false
SSDEEP:	3:IU7ypXNBONYLh5v3XXGUmDjgnhtHCcjRJl8c1Rz32ABfVv2XrX2MQvpFTjtBAxun:IU2yYLbHWUMgvb91llJVuX6pWxun
MD5:	EE237B2B8C0B798C319F9A5F03E264B7
SHA1:	BBDA400AF206972C9A190D9416E6C03E46D2B11B
SHA-256:	DE1671284457B2E9253BCB6BC3F8276C1ADFC9A5F3E1EBBB5AFDB0C475BB28B0
SHA-512:	FE94D648C3ECE17C5C9C15D0F60B926615ACF4D5D6066FAE1630DAB70F93505D040830641808C763E58F71CB847E841C4F403F2ABA598C24562C0D560D366B63
Malicious:	false
Reputation:	low
Preview:	.81d....4.h...c.p..o....a..a.....1....p.Wp..e.D.e...Y..6..3I...a...Y......<mooYA...........E....H.Z.L.....5^/.kI..q.d8 ..!..K...=}.B2mi.\|.^.aU.R_~,..\|.q.:..~.SWc.o...N..2\|..CbI.GmF..../.. ..'+....L...J.Jde3....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.828488553975669
TrID:	Win32 Executable (generic) a (10002005/4) 98.95% foobar 2000 generic component (102126/2) 1.01% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	build.exe
File size:	3'124'224 bytes
MD5:	05eecfc1820ab3273409323601a71f23
SHA1:	5076d5c3a1aa6f2ffcc299f803d0dd01b33d6dd7
SHA256:	4a72f3948f014c2ded502832814c6d65feb78bd1caef7df8bcecb78f7a90b6e2
SHA512:	81d10658aaf6d6341b929dcdb1eccd97dd752b7cbe7b497ed85b88a03ea540a2de6b24ae98ace353e861d1ea7ad181449e332dec26b075c4684c7286cc167a00
SSDEEP:	49152:rBT0kcpBrQvDFw/Wb/Zy8kIvLSXkbPvEZNLlUHDZQ:rdcf8i/2/Zy8kIO10Q
TLSH:	F5E5C012BB92C26DC39134B0996DA76BE265DFF82B224AC377C43D0E56368D32533E54
File Content Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$........j.l...?...?...?.s.?...?.d.?...?.~.>...?.~.>...?.~.>...?.W.?...?.~.>...?S+.?...?.~.>...?.c.>...?.c.>...?.c.>...?.c.>...?...?...

File Icon


Icon Hash:	334de0b2926d330e

Static PE Info

General

Entrypoint:	0x592fb7
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x60DF6267 [Fri Jul 2 19:00:55 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	d9ca0b2979f53d063e2f67bf794d871e

Entrypoint Preview

Instruction
call 00007F78914D2C1Bh
jmp 00007F78914D25CFh
cmp ecx, dword ptr [0060600Ch]
jne 00007F78914D2753h
ret
jmp 00007F78914D2D41h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F7891350378h
push 006005CCh
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F78914D2E61h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F789134E3FBh
push 00600520h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F78914D2E44h
int3
push ebp
mov ebp, esp
and dword ptr [0060F640h], 00000000h
sub esp, 24h
or dword ptr [00606010h], 01h
push 0000000Ah
call dword ptr [005B4270h]
test eax, eax
je 00007F78914D28FFh
and dword ptr [ebp-10h], 00000000h
xor eax, eax
push ebx
push esi
push edi
xor ecx, ecx
lea edi, dword ptr [ebp-24h]
push ebx
cpuid
mov esi, ebx
pop ebx
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
xor ecx, ecx
mov dword ptr [edi+0Ch], edx
mov eax, dword ptr [ebp-24h]
mov edi, dword ptr [ebp-1Ch]
mov dword ptr [ebp-0Ch], eax
xor edi, 6C65746Eh
mov eax, dword ptr [ebp-18h]
xor eax, 49656E69h
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp-20h]
xor eax, 756E6547h
mov dword ptr [ebp-04h], eax
xor eax, eax
inc eax
push ebx
cpuid
mov esi, ebx
pop ebx
lea ebx, dword ptr [ebp-24h]

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729
[LNK] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x201d84	0x280	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x23a000	0xc9e4c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x259000	0x1fb5c	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1d618c	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1d6200	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1b55d0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1b4000	0xa10	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x201bdc	0x60	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1b3000	0x1b2a00	e8593eff3ee99ade21f0b8832eb981f5	False	0.5174803844909405	data	6.619740105993806	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1b4000	0x52000	0x51c00	40e1f3f3f2d14d150e601d15d4be2d94	False	0.36135201643730885	data	5.133578148682718	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x206000	0x11000	0x9600	9240840389beee6c50171ef330772096	False	0.3370052083333333	DOS executable (block device driver \277DN\346@\273)	4.809660508586643	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA	0x217000	0x23000	0x22c00	241f50e9d164772437fd3eebd88a3edb	False	0.16984459307553956	data	5.38723924085817	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x23a000	0xc9e4c	0xca000	476a260b582dabb4c1f23a5c3221535a	False	0.5772777595142327	data	7.22780749407607	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AFX_DIALOG_LAYOUT	0x23b490	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x23b494	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x23b498	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x23b49c	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x23b4a0	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x23b4a4	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x23b4a8	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x23b4ac	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x23b4b0	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x23b4b4	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x23b4b8	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x23b4bc	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x23b4c0	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x23b4c4	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x23b4c8	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x23b4cc	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x23b4d0	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x23b4d4	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x23b4d8	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x23b4dc	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x23b4e0	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x23b4e4	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x23b4e8	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x23b4ec	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x23b4f0	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x23b4f4	0x2	data	English	United States	5.0
PNG	0x23b4f8	0x779	PNG image data, 256 x 256, 8-bit colormap, non-interlaced	English	United States	0.3319393622582331
PNG	0x23bc74	0x788	PNG image data, 256 x 256, 8-bit colormap, non-interlaced	English	United States	0.33454356846473027
PNG	0x23c3fc	0x5366	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	1.0004215456674472
RT_BITMAP	0x241764	0x57036	PC bitmap, Windows 3.x format, 44904 x 2 x 46, image size 356810, cbSize 356406, bits offset 54			0.6731031464116766
RT_ICON	0x29879c	0xb340	PC bitmap, Windows 3.x format, 6690 x 2 x 44, image size 46230, cbSize 45888, bits offset 54			0.48579149232914925
RT_ICON	0x2a3adc	0x78f1	PC bitmap, Windows 3.x format, 4215 x 2 x 35, image size 31486, cbSize 30961, bits offset 54			0.4694938793966603
RT_ICON	0x2ab3d0	0xce87	PC bitmap, Windows 3.x format, 6654 x 2 x 53, image size 53264, cbSize 52871, bits offset 54			0.5121711335136464
RT_ICON	0x2b8258	0x3487b	PC bitmap, Windows 3.x format, 27743 x 2 x 44, image size 215498, cbSize 215163, bits offset 54			0.5007645366536068
RT_ICON	0x2ecad4	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.33630393996247654
RT_ICON	0x2edb7c	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 6720	English	United States	0.29319526627218934
RT_ICON	0x2ef5e4	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.258298755186722
RT_ICON	0x2f1b8c	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.20896315540859708
RT_ICON	0x2f5db4	0x5cd2	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9988216480094269
RT_ICON	0x2fba88	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5301418439716312
RT_ICON	0x2fbef0	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 1680	English	United States	0.4511627906976744
RT_ICON	0x2fc5a8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.41270491803278686
RT_ICON	0x2fcf30	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512, 16 important colors	English	United States	0.2956989247311828
RT_DIALOG	0x2fd218	0x502	data	English	United States	0.3962558502340094
RT_DIALOG	0x2fd71c	0x1e8	data	English	United States	0.5368852459016393
RT_DIALOG	0x2fd904	0x318	data	English	United States	0.4696969696969697
RT_DIALOG	0x2fdc1c	0x188	data	English	United States	0.5586734693877551
RT_DIALOG	0x2fdda4	0x1e8	data	English	United States	0.5430327868852459
RT_DIALOG	0x2fdf8c	0x6a0	data	English	United States	0.3938679245283019
RT_DIALOG	0x2fe62c	0x278	data	English	United States	0.44936708860759494
RT_DIALOG	0x2fe8a4	0xc8	data	English	United States	0.675
RT_DIALOG	0x2fe96c	0x4d2	data	English	United States	0.3987034035656402
RT_DIALOG	0x2fee40	0x2b0	data	English	United States	0.4738372093023256
RT_DIALOG	0x2ff0f0	0xd0	data	English	United States	0.6586538461538461
RT_DIALOG	0x2ff1c0	0x124	data	English	United States	0.589041095890411
RT_DIALOG	0x2ff2e4	0x30e	data	English	United States	0.4322250639386189
RT_DIALOG	0x2ff5f4	0x174	data	English	United States	0.5698924731182796
RT_DIALOG	0x2ff768	0x220	data	English	United States	0.48713235294117646
RT_DIALOG	0x2ff988	0x2d2	data	English	United States	0.4695290858725762
RT_DIALOG	0x2ffc5c	0xec	data	English	United States	0.673728813559322
RT_DIALOG	0x2ffd48	0x1e0	data	English	United States	0.5229166666666667
RT_DIALOG	0x2fff28	0x1b0	data	English	United States	0.5532407407407407
RT_DIALOG	0x3000d8	0x1a4	data	English	United States	0.5333333333333333
RT_DIALOG	0x30027c	0x100	data	English	United States	0.62890625
RT_DIALOG	0x30037c	0x60	data	English	United States	0.7291666666666666
RT_DIALOG	0x3003dc	0x4ac	data	English	United States	0.3804347826086957
RT_DIALOG	0x300888	0x326	data	English	United States	0.4640198511166253
RT_DIALOG	0x300bb0	0x1f8	data	English	United States	0.5496031746031746
RT_DIALOG	0x300da8	0xe0	data	English	United States	0.6607142857142857
RT_DIALOG	0x300e88	0x136	data	English	United States	0.6129032258064516
RT_DIALOG	0x300fc0	0x1c4	data	English	United States	0.5575221238938053
RT_DIALOG	0x301184	0x104	data	English	United States	0.573076923076923
RT_DIALOG	0x301288	0xaa	data	English	United States	0.7411764705882353
RT_DIALOG	0x301334	0x1f4	data	English	United States	0.49
RT_DIALOG	0x301528	0x12c	data	English	United States	0.5966666666666667
RT_DIALOG	0x301654	0x40	data	English	United States	0.765625
RT_DIALOG	0x301694	0x228	data	English	United States	0.519927536231884
RT_DIALOG	0x3018bc	0xa4	data	English	United States	0.6707317073170732
RT_DIALOG	0x301960	0xb8	data	English	United States	0.6739130434782609
RT_DIALOG	0x301a18	0x228	data	English	United States	0.5018115942028986
RT_DIALOG	0x301c40	0xa8	data	English	United States	0.6607142857142857
RT_DIALOG	0x301ce8	0x11c	data	English	United States	0.5845070422535211
RT_DIALOG	0x301e04	0x1c8	data	English	United States	0.4868421052631579
RT_DIALOG	0x301fcc	0x32c	data	English	United States	0.45566502463054187
RT_DIALOG	0x3022f8	0x90	data	English	United States	0.6944444444444444
RT_DIALOG	0x302388	0xc6	data	English	United States	0.6919191919191919
RT_DIALOG	0x302450	0x224	data	English	United States	0.5547445255474452
RT_DIALOG	0x302674	0x224	data	English	United States	0.5602189781021898
RT_DIALOG	0x302898	0x120	data	English	United States	0.5972222222222222
RT_DIALOG	0x3029b8	0x5d8	data	English	United States	0.4177807486631016
RT_DIALOG	0x302f90	0x17e	data	English	United States	0.5837696335078534
RT_DIALOG	0x303110	0x19e	data	English	United States	0.5193236714975845
RT_DIALOG	0x3032b0	0x1e0	data	English	United States	0.51875
RT_DIALOG	0x303490	0x3fc	data	English	United States	0.43823529411764706
RT_DIALOG	0x30388c	0x6e	data	English	United States	0.7181818181818181
RT_DIALOG	0x3038fc	0x7c	data	English	United States	0.7338709677419355
RT_DIALOG	0x303978	0xe4	data	English	United States	0.6754385964912281
RT_ACCELERATOR	0x303a5c	0x20	data	English	United States	0.96875
RT_ACCELERATOR	0x303a7c	0x18	data	English	United States	1.2083333333333333
RT_ACCELERATOR	0x303a94	0x28	data	English	United States	0.95
RT_GROUP_ICON	0x303abc	0x76	data	English	United States	0.7457627118644068
RT_GROUP_ICON	0x303b34	0x14	data	English	United States	1.25
RT_VERSION	0x303b48	0x304	data	English	United States	0.4481865284974093

Imports

DLL	Import
SHLWAPI.dll	SHDeleteKeyW, SHAutoComplete, StrCmpLogicalW
KERNEL32.dll	CancelIo, ReadDirectoryChangesW, GetFileInformationByHandle, GetOverlappedResult, LoadLibraryW, GetCurrentProcessId, SetErrorMode, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, AcquireSRWLockShared, ReleaseSRWLockShared, CreateMutexW, FindResourceExW, SetThreadPriority, GetCurrentThread, GlobalFree, SystemTimeToFileTime, LocalFileTimeToFileTime, GetVersion, SetThreadExecutionState, ResumeThread, GetLocaleInfoW, GetNumberFormatW, DecodePointer, GlobalSize, SetLastError, FindResourceW, TryEnterCriticalSection, EnterCriticalSection, LoadResource, LockResource, SizeofResource, GetProcessHeap, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, HeapDestroy, SetEndOfFile, GetFileTime, FlushFileBuffers, FindFirstFileW, GetNativeSystemInfo, lstrlenW, GetCommandLineW, GlobalAlloc, GlobalLock, GlobalUnlock, MultiByteToWideChar, ReadFile, WriteFile, DuplicateHandle, GetCurrentProcess, TerminateProcess, GetSystemTimeAsFileTime, FileTimeToSystemTime, GetThreadPriority, GetFileSize, SetFilePointer, SetFileTime, FileTimeToLocalFileTime, DeleteFileW, RemoveDirectoryW, GetFileAttributesW, MoveFileExW, GetFileAttributesExW, FindNextFileW, FindClose, GetExitCodeThread, CopyFileW, Sleep, GetTickCount64, VirtualQuery, VirtualProtect, GetSystemInfo, DosDateTimeToFileTime, InitOnceComplete, InitOnceBeginInitialize, EncodePointer, InitializeSListHead, InterlockedPopEntrySList, InterlockedPushEntrySList, FlushInstructionCache, IsProcessorFeaturePresent, VirtualAlloc, VirtualFree, LoadLibraryExA, InitializeCriticalSectionAndSpinCount, WaitForSingleObjectEx, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, FreeLibrary, IsDebuggerPresent, SetDllDirectoryW, OutputDebugStringW, WideCharToMultiByte, CreateEventW, WaitForMultipleObjects, SetEvent, ResetEvent, QueryPerformanceFrequency, QueryPerformanceCounter, MulDiv, CloseHandle, WaitForSingleObject, GetModuleHandleW, GetProcAddress, GetTickCount, InitializeCriticalSection, InitializeCriticalSectionEx, GetLastError, DeleteCriticalSection, RaiseException, GetCurrentThreadId, GetVersionExW, LeaveCriticalSection
USER32.dll	CreateDialogParamW, SetWindowLongW, BeginPaint, GetClipboardData, IsCharAlphaW, IsClipboardFormatAvailable, CharLowerW, UnregisterClassW, DestroyWindow, ShowWindow, GetDlgItem, SetLayeredWindowAttributes, PtInRect, EndDeferWindowPos, BeginDeferWindowPos, DeferWindowPos, EmptyClipboard, GetDlgCtrlID, DestroyAcceleratorTable, LoadAcceleratorsW, MoveWindow, IsChild, SetForegroundWindow, GetFocus, GetWindowPlacement, IsIconic, EnumThreadWindows, IsWindowVisible, CopyRect, MonitorFromRect, DrawTextExW, GetWindow, MonitorFromWindow, LoadIconW, TranslateAcceleratorW, RegisterClipboardFormatW, wsprintfW, AllowSetForegroundWindow, EnumWindows, GetClassNameW, SetActiveWindow, CheckMenuRadioItem, GetMenuItemCount, RegisterShellHookWindow, DeregisterShellHookWindow, CharUpperW, GetComboBoxInfo, AdjustWindowRect, DrawEdge, SetClipboardData, CloseClipboard, OpenClipboard, NotifyWinEvent, RedrawWindow, TrackMouseEvent, IsRectEmpty, InflateRect, FrameRect, UnhookWindowsHookEx, SetWindowsHookExW, CallNextHookEx, GetNextDlgTabItem, InvalidateRgn, SystemParametersInfoW, ScrollWindowEx, SetScrollPos, UpdateWindow, SetScrollInfo, SetRectEmpty, SetGestureConfig, CloseGestureInfoHandle, GetGestureInfo, MapDialogRect, IsZoomed, DrawTextW, FillRect, ReleaseCapture, GetCursorPos, SetMenuItemInfoW, GetMenuItemInfoW, GetDC, GetClientRect, RegisterWindowMessageW, RegisterClassW, DispatchMessageW, TranslateMessage, PostQuitMessage, GetMessageW, MsgWaitForMultipleObjects, PeekMessageW, IsDialogMessageW, GetWindowThreadProcessId, WindowFromPoint, MapVirtualKeyW, SendDlgItemMessageW, SetDlgItemTextW, GetSystemMetrics, OffsetRect, UnregisterHotKey, RegisterHotKey, TrackPopupMenuEx, SetMenuDefaultItem, EndPaint, IntersectRect, MapWindowPoints, EnumChildWindows, MessageBeep, InvalidateRect, DialogBoxParamW, EndDialog, GetMenu, AdjustWindowRectEx, GetWindowRect, MessageBoxW, GetActiveWindow, GetScrollInfo, SetCursor, LoadImageW, DestroyMenu, GetMonitorInfoW, MonitorFromPoint, DrawIconEx, CreatePopupMenu, TrackPopupMenu, AppendMenuW, DestroyIcon, GetMessagePos, LoadCursorW, GetClassInfoExW, RegisterClassExW, CreateWindowExW, CallWindowProcW, ClientToScreen, ScreenToClient, SetFocus, SetWindowTextW, KillTimer, SetTimer, GetKeyState, EnableWindow, SetWindowPos, DefWindowProcW, GetWindowLongW, GetWindowTextLengthW, GetWindowTextW, SetCapture, PostMessageW, IsWindowEnabled, GetParent, DrawFrameControl, GetSysColor, ReleaseDC, GetWindowDC, SendMessageW
ADVAPI32.dll	RegEnumKeyExW, RegSetValueExW, RegCloseKey, RegOpenKeyW, RegCreateKeyW, RegDeleteValueW, RegQueryInfoKeyW, RegEnumValueW, RegCreateKeyExW, CryptGetHashParam, CryptVerifySignatureW, CryptHashData, CryptCreateHash, CryptDestroyKey, CryptDestroyHash, CryptReleaseContext, CryptImportKey, CryptAcquireContextW, RegOpenKeyExW, RegQueryValueExW
SHELL32.dll	ShellExecuteW, DragAcceptFiles, DragFinish, SHOpenFolderAndSelectItems, SHGetDesktopFolder, ShellExecuteExW, SHGetFolderPathW
ole32.dll	CoTaskMemAlloc, CoCreateGuid, PropVariantClear, ReleaseStgMedium, CoTaskMemFree, CoUninitialize, CoInitialize, CLSIDFromString, OleInitialize, CreateStreamOnHGlobal, RegisterDragDrop, RevokeDragDrop, DoDragDrop, OleGetClipboard, OleSetClipboard, CoCreateInstance, OleUninitialize

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 9, 2024 00:58:30.427321911 CEST	49707	80	192.168.2.6	208.95.112.1
Jun 9, 2024 00:58:30.432347059 CEST	80	49707	208.95.112.1	192.168.2.6
Jun 9, 2024 00:58:30.432549953 CEST	49707	80	192.168.2.6	208.95.112.1
Jun 9, 2024 00:58:30.432910919 CEST	49707	80	192.168.2.6	208.95.112.1
Jun 9, 2024 00:58:30.437844038 CEST	80	49707	208.95.112.1	192.168.2.6
Jun 9, 2024 00:58:31.023138046 CEST	80	49707	208.95.112.1	192.168.2.6
Jun 9, 2024 00:58:31.233716011 CEST	80	49707	208.95.112.1	192.168.2.6
Jun 9, 2024 00:58:31.233820915 CEST	49707	80	192.168.2.6	208.95.112.1
Jun 9, 2024 00:58:31.672353983 CEST	49708	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 00:58:31.677300930 CEST	62604	49708	64.42.179.59	192.168.2.6
Jun 9, 2024 00:58:31.677433968 CEST	49708	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 00:58:40.150311947 CEST	62604	49708	64.42.179.59	192.168.2.6
Jun 9, 2024 00:58:40.151092052 CEST	49708	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 00:58:40.161585093 CEST	49708	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 00:58:40.166524887 CEST	62604	49708	64.42.179.59	192.168.2.6
Jun 9, 2024 00:58:45.707062006 CEST	49709	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 00:58:45.715641975 CEST	62604	49709	64.42.179.59	192.168.2.6
Jun 9, 2024 00:58:45.715759993 CEST	49709	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 00:58:54.196542025 CEST	62604	49709	64.42.179.59	192.168.2.6
Jun 9, 2024 00:58:54.196785927 CEST	49709	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 00:58:54.196850061 CEST	49709	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 00:58:54.201728106 CEST	62604	49709	64.42.179.59	192.168.2.6
Jun 9, 2024 00:58:59.988590956 CEST	49711	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 00:58:59.993664980 CEST	62604	49711	64.42.179.59	192.168.2.6
Jun 9, 2024 00:58:59.993810892 CEST	49711	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 00:59:08.469892979 CEST	62604	49711	64.42.179.59	192.168.2.6
Jun 9, 2024 00:59:08.469988108 CEST	49711	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 00:59:08.470751047 CEST	49711	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 00:59:08.475684881 CEST	62604	49711	64.42.179.59	192.168.2.6
Jun 9, 2024 00:59:08.623506069 CEST	80	49707	208.95.112.1	192.168.2.6
Jun 9, 2024 00:59:08.623640060 CEST	49707	80	192.168.2.6	208.95.112.1
Jun 9, 2024 00:59:14.035347939 CEST	49712	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 00:59:14.040432930 CEST	62604	49712	64.42.179.59	192.168.2.6
Jun 9, 2024 00:59:14.040549040 CEST	49712	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 00:59:22.514908075 CEST	62604	49712	64.42.179.59	192.168.2.6
Jun 9, 2024 00:59:22.515017986 CEST	49712	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 00:59:22.515206099 CEST	49712	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 00:59:22.520121098 CEST	62604	49712	64.42.179.59	192.168.2.6
Jun 9, 2024 00:59:28.003921032 CEST	49713	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 00:59:28.009838104 CEST	62604	49713	64.42.179.59	192.168.2.6
Jun 9, 2024 00:59:28.009921074 CEST	49713	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 00:59:36.489104986 CEST	62604	49713	64.42.179.59	192.168.2.6
Jun 9, 2024 00:59:36.489192963 CEST	49713	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 00:59:36.489918947 CEST	49713	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 00:59:36.494761944 CEST	62604	49713	64.42.179.59	192.168.2.6
Jun 9, 2024 00:59:42.035345078 CEST	49714	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 00:59:42.040621042 CEST	62604	49714	64.42.179.59	192.168.2.6
Jun 9, 2024 00:59:42.040719032 CEST	49714	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 00:59:50.535265923 CEST	62604	49714	64.42.179.59	192.168.2.6
Jun 9, 2024 00:59:50.537774086 CEST	49714	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 00:59:50.538180113 CEST	49714	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 00:59:50.543044090 CEST	62604	49714	64.42.179.59	192.168.2.6
Jun 9, 2024 00:59:55.988579988 CEST	49715	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 00:59:55.993824005 CEST	62604	49715	64.42.179.59	192.168.2.6
Jun 9, 2024 00:59:55.993911982 CEST	49715	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 01:00:04.489880085 CEST	62604	49715	64.42.179.59	192.168.2.6
Jun 9, 2024 01:00:04.490051985 CEST	49715	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 01:00:04.496280909 CEST	49715	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 01:00:04.501244068 CEST	62604	49715	64.42.179.59	192.168.2.6
Jun 9, 2024 01:00:10.019515038 CEST	49716	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 01:00:10.024465084 CEST	62604	49716	64.42.179.59	192.168.2.6
Jun 9, 2024 01:00:10.024665117 CEST	49716	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 01:00:11.036283016 CEST	49707	80	192.168.2.6	208.95.112.1
Jun 9, 2024 01:00:11.346847057 CEST	49707	80	192.168.2.6	208.95.112.1
Jun 9, 2024 01:00:11.956284046 CEST	49707	80	192.168.2.6	208.95.112.1
Jun 9, 2024 01:00:13.159379959 CEST	49707	80	192.168.2.6	208.95.112.1
Jun 9, 2024 01:00:15.565612078 CEST	49707	80	192.168.2.6	208.95.112.1
Jun 9, 2024 01:00:18.510658026 CEST	62604	49716	64.42.179.59	192.168.2.6
Jun 9, 2024 01:00:18.512162924 CEST	49716	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 01:00:18.516267061 CEST	49716	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 01:00:18.521145105 CEST	62604	49716	64.42.179.59	192.168.2.6
Jun 9, 2024 01:00:20.378350019 CEST	49707	80	192.168.2.6	208.95.112.1
Jun 9, 2024 01:00:24.254399061 CEST	49717	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 01:00:24.259490967 CEST	62604	49717	64.42.179.59	192.168.2.6
Jun 9, 2024 01:00:24.259571075 CEST	49717	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 01:00:29.987469912 CEST	49707	80	192.168.2.6	208.95.112.1
Jun 9, 2024 01:00:32.737643957 CEST	62604	49717	64.42.179.59	192.168.2.6
Jun 9, 2024 01:00:32.737772942 CEST	49717	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 01:00:32.741714001 CEST	49717	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 01:00:32.746525049 CEST	62604	49717	64.42.179.59	192.168.2.6
Jun 9, 2024 01:00:38.410337925 CEST	49718	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 01:00:38.415189981 CEST	62604	49718	64.42.179.59	192.168.2.6
Jun 9, 2024 01:00:38.417798042 CEST	49718	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 01:00:46.921688080 CEST	62604	49718	64.42.179.59	192.168.2.6
Jun 9, 2024 01:00:46.922116995 CEST	49718	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 01:00:46.922331095 CEST	49718	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 01:00:46.927139997 CEST	62604	49718	64.42.179.59	192.168.2.6
Jun 9, 2024 01:00:52.222918987 CEST	49719	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 01:00:52.228003025 CEST	62604	49719	64.42.179.59	192.168.2.6
Jun 9, 2024 01:00:52.228082895 CEST	49719	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 01:01:00.707787037 CEST	62604	49719	64.42.179.59	192.168.2.6
Jun 9, 2024 01:01:00.707891941 CEST	49719	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 01:01:00.709724903 CEST	49719	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 01:01:00.714672089 CEST	62604	49719	64.42.179.59	192.168.2.6
Jun 9, 2024 01:01:06.145164967 CEST	49720	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 01:01:06.150197983 CEST	62604	49720	64.42.179.59	192.168.2.6
Jun 9, 2024 01:01:06.150293112 CEST	49720	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 01:01:14.624651909 CEST	62604	49720	64.42.179.59	192.168.2.6
Jun 9, 2024 01:01:14.624886990 CEST	49720	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 01:01:14.625068903 CEST	49720	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 01:01:14.629863024 CEST	62604	49720	64.42.179.59	192.168.2.6
Jun 9, 2024 01:01:20.191739082 CEST	49721	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 01:01:20.196882963 CEST	62604	49721	64.42.179.59	192.168.2.6
Jun 9, 2024 01:01:20.196993113 CEST	49721	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 01:01:28.669207096 CEST	62604	49721	64.42.179.59	192.168.2.6
Jun 9, 2024 01:01:28.669435978 CEST	49721	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 01:01:28.670027018 CEST	49721	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 01:01:28.674875975 CEST	62604	49721	64.42.179.59	192.168.2.6
Jun 9, 2024 01:01:34.045419931 CEST	49722	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 01:01:34.050563097 CEST	62604	49722	64.42.179.59	192.168.2.6
Jun 9, 2024 01:01:34.050676107 CEST	49722	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 01:01:42.524682045 CEST	62604	49722	64.42.179.59	192.168.2.6
Jun 9, 2024 01:01:42.527949095 CEST	49722	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 01:01:42.532143116 CEST	49722	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 01:01:42.536956072 CEST	62604	49722	64.42.179.59	192.168.2.6
Jun 9, 2024 01:01:48.082185030 CEST	49723	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 01:01:48.087420940 CEST	62604	49723	64.42.179.59	192.168.2.6
Jun 9, 2024 01:01:48.087496996 CEST	49723	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 01:01:56.593508959 CEST	62604	49723	64.42.179.59	192.168.2.6
Jun 9, 2024 01:01:56.593802929 CEST	49723	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 01:01:56.601223946 CEST	49723	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 01:01:56.606745005 CEST	62604	49723	64.42.179.59	192.168.2.6
Jun 9, 2024 01:02:01.926012993 CEST	49724	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 01:02:01.930937052 CEST	62604	49724	64.42.179.59	192.168.2.6
Jun 9, 2024 01:02:01.931015968 CEST	49724	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 01:02:10.423391104 CEST	62604	49724	64.42.179.59	192.168.2.6
Jun 9, 2024 01:02:10.423799038 CEST	49724	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 01:02:10.424019098 CEST	49724	62604	192.168.2.6	64.42.179.59
Jun 9, 2024 01:02:10.428894997 CEST	62604	49724	64.42.179.59	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 9, 2024 00:58:30.413016081 CEST	58991	53	192.168.2.6	1.1.1.1
Jun 9, 2024 00:58:30.420564890 CEST	53	58991	1.1.1.1	192.168.2.6
Jun 9, 2024 00:58:31.567081928 CEST	49344	53	192.168.2.6	1.1.1.1
Jun 9, 2024 00:58:31.665853977 CEST	53	49344	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 9, 2024 00:58:30.413016081 CEST	192.168.2.6	1.1.1.1	0x9973	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Jun 9, 2024 00:58:31.567081928 CEST	192.168.2.6	1.1.1.1	0xa0c7	Standard query (0)	roblox.airdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jun 9, 2024 00:58:30.420564890 CEST	1.1.1.1	192.168.2.6	0x9973	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Jun 9, 2024 00:58:31.665853977 CEST	1.1.1.1	192.168.2.6	0xa0c7	No error (0)	roblox.airdns.org		64.42.179.59	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49707	208.95.112.1	80	4924	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Timestamp	Bytes transferred	Direction	Data
Jun 9, 2024 00:58:30.432910919 CEST	144	OUT	GET /json/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 Host: ip-api.com Connection: Keep-Alive
Jun 9, 2024 00:58:31.023138046 CEST	468	IN	HTTP/1.1 200 OK Date: Sat, 08 Jun 2024 22:58:30 GMT Content-Type: application/json; charset=utf-8 Content-Length: 291 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 54 58 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 54 65 78 61 73 22 2c 22 63 69 74 79 22 3a 22 4b 69 6c 6c 65 65 6e 22 2c 22 7a 69 70 22 3a 22 37 36 35 34 39 22 2c 22 6c 61 74 22 3a 33 31 2e 30 30 36 35 2c 22 6c 6f 6e 22 3a 2d 39 37 2e 38 34 30 36 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 22 2c 22 69 73 70 22 3a 22 51 75 61 64 72 61 4e 65 74 22 2c 22 6f 72 67 22 3a 22 4f 4d 47 49 54 53 46 41 53 54 22 2c 22 61 73 22 3a 22 41 53 38 31 30 30 20 51 75 61 64 72 61 4e 65 74 20 45 6e 74 65 72 70 72 69 73 65 73 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 31 22 7d Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"TX","regionName":"Texas","city":"Killeen","zip":"76549","lat":31.0065,"lon":-97.8406,"timezone":"America/Chicago","isp":"QuadraNet","org":"OMGITSFAST","as":"AS8100 QuadraNet Enterprises LLC","query":"173.254.250.91"}
Jun 9, 2024 00:58:31.233716011 CEST	468	IN	HTTP/1.1 200 OK Date: Sat, 08 Jun 2024 22:58:30 GMT Content-Type: application/json; charset=utf-8 Content-Length: 291 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 54 58 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 54 65 78 61 73 22 2c 22 63 69 74 79 22 3a 22 4b 69 6c 6c 65 65 6e 22 2c 22 7a 69 70 22 3a 22 37 36 35 34 39 22 2c 22 6c 61 74 22 3a 33 31 2e 30 30 36 35 2c 22 6c 6f 6e 22 3a 2d 39 37 2e 38 34 30 36 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 22 2c 22 69 73 70 22 3a 22 51 75 61 64 72 61 4e 65 74 22 2c 22 6f 72 67 22 3a 22 4f 4d 47 49 54 53 46 41 53 54 22 2c 22 61 73 22 3a 22 41 53 38 31 30 30 20 51 75 61 64 72 61 4e 65 74 20 45 6e 74 65 72 70 72 69 73 65 73 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 31 22 7d Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"TX","regionName":"Texas","city":"Killeen","zip":"76549","lat":31.0065,"lon":-97.8406,"timezone":"America/Chicago","isp":"QuadraNet","org":"OMGITSFAST","as":"AS8100 QuadraNet Enterprises LLC","query":"173.254.250.91"}

Target ID:	0
Start time:	18:57:55
Start date:	08/06/2024
Path:	C:\Users\user\Desktop\build.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\build.exe"
Imagebase:	0x400000
File size:	3'124'224 bytes
MD5 hash:	05EECFC1820AB3273409323601A71F23
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2406369807.0000000000FC2000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Quasarrat_e52df647, Description: unknown, Source: 00000000.00000002.2406369807.0000000000FC2000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000000.00000002.2406369807.0000000000FC2000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: Quasar, Description: detect Remcos in memory, Source: 00000000.00000002.2406369807.0000000000FC2000.00000040.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Quasarrat_e52df647, Description: unknown, Source: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Author: unknown Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Author: Florian Roth Rule: Quasar, Description: detect Remcos in memory, Source: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	18:58:26
Start date:	08/06/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Imagebase:	0xc90000
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000003.00000002.4550205864.0000000000722000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Quasarrat_e52df647, Description: unknown, Source: 00000003.00000002.4550205864.0000000000722000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000003.00000002.4550205864.0000000000722000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: Quasar, Description: detect Remcos in memory, Source: 00000003.00000002.4550205864.0000000000722000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	12%
Total number of Nodes:	573
Total number of Limit Nodes:	0

Executed Functions

Function 0041CABA Relevance: 42.3, APIs: 1, Strings: 23, Instructions: 298
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041DA1D

Strings

o, xrefs: 0041CACB
W, xrefs: 0041CB11
x, xrefs: 0041EF9D
d, xrefs: 0041CAD9
i, xrefs: 0041CAE7
b, xrefs: 0041CAEE
r, xrefs: 0041EFB9
e, xrefs: 0041EFCE
r, xrefs: 0041CAF5
a, xrefs: 0041CAFC
a, xrefs: 0041CAD2
o, xrefs: 0041EFC0
r, xrefs: 0041CB03
t, xrefs: 0041EFAB
y, xrefs: 0041CB0A
L, xrefs: 0041CAC4
c, xrefs: 0041EFC7
P, xrefs: 0041EFB2
s, xrefs: 0041EFDC
E, xrefs: 0041EF96
L, xrefs: 0041CAE0
s, xrefs: 0041EFD5
i, xrefs: 0041EFA4

Memory Dump Source

Source File: 00000000.00000002.2405885846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2405871819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406019635.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406058766.0000000000606000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406076138.0000000000607000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406093349.000000000060F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.0000000000617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000061D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.0000000000699000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.00000000006A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_build.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: E$L$L$P$W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
API String ID: 544645111-215400123
Opcode ID: 25ceb620cde84b9a6f9aae2053d098413eef51a21165765ed1d1780b96466641
Instruction ID: 96e07906f0b69665a99d788711513d70affac305f80943359574ecec95edf81e
Opcode Fuzzy Hash: 25ceb620cde84b9a6f9aae2053d098413eef51a21165765ed1d1780b96466641
Instruction Fuzzy Hash: 85C108B1C082689EF720CA24DC84BEABB74EB91304F1481FAD84D56681D77D5FC59F62

Function 0041CD00 Relevance: 26.8, APIs: 1, Strings: 14, Instructions: 549
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041DA1D

Strings

_S, xrefs: 0041D6C5
x, xrefs: 0041EF9D
r, xrefs: 0041EFB9
e, xrefs: 0041EFCE
W, xrefs: 0041D666
o, xrefs: 0041EFC0
t, xrefs: 0041EFAB
c, xrefs: 0041EFC7
P, xrefs: 0041EFB2
s, xrefs: 0041EFDC
S, xrefs: 0041D306
E, xrefs: 0041EF96
s, xrefs: 0041EFD5
i, xrefs: 0041EFA4

Memory Dump Source

Source File: 00000000.00000002.2405885846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2405871819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406019635.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406058766.0000000000606000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406076138.0000000000607000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406093349.000000000060F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.0000000000617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000061D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.0000000000699000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.00000000006A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_build.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: E$P$S$W$_S$c$e$i$o$r$s$s$t$x
API String ID: 544645111-3000879820
Opcode ID: a571f0c90d2804b6c4b6a94c3c8824fd73f5f93a1ceecb7862db087940158e4a
Instruction ID: 884b98e7c8a569db0c5dd9b21bdebe68354a6858b6c49b710d0825530fee468d
Opcode Fuzzy Hash: a571f0c90d2804b6c4b6a94c3c8824fd73f5f93a1ceecb7862db087940158e4a
Instruction Fuzzy Hash: 0632B0B1D046689BEB24CB14DC90BEABBB5EB85304F1481FAD80D66381D7399EC2CF55

Function 0041D257 Relevance: 26.5, APIs: 1, Strings: 14, Instructions: 233
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041DA1D

Strings

_S, xrefs: 0041D6C5
x, xrefs: 0041EF9D
r, xrefs: 0041EFB9
e, xrefs: 0041EFCE
W, xrefs: 0041D666
o, xrefs: 0041EFC0
t, xrefs: 0041EFAB
c, xrefs: 0041EFC7
P, xrefs: 0041EFB2
s, xrefs: 0041EFDC
S, xrefs: 0041D306
E, xrefs: 0041EF96
s, xrefs: 0041EFD5
i, xrefs: 0041EFA4

Memory Dump Source

Source File: 00000000.00000002.2405885846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2405871819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406019635.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406058766.0000000000606000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406076138.0000000000607000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406093349.000000000060F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.0000000000617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000061D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.0000000000699000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.00000000006A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_build.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: E$P$S$W$_S$c$e$i$o$r$s$s$t$x
API String ID: 544645111-3000879820
Opcode ID: 4c95bf7e24adb1db337edbd5686769632907e5f9b1fa7965824d33e121b4d76c
Instruction ID: d158561e8fbb367ccf9def83134a1f9f02d01e5a30f4799e541c6d94b93b0aa4
Opcode Fuzzy Hash: 4c95bf7e24adb1db337edbd5686769632907e5f9b1fa7965824d33e121b4d76c
Instruction Fuzzy Hash: 5381FBF1D086689FE7208A64DC44BEA7BB4EB81314F1480FBD84D56241D77D9EC68B92

Function 004070F4 Relevance: 1.8, APIs: 1, Instructions: 250
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,00000040,FFFFEBA4,?,?,?,?,?,?,?,?,00406A5A,?), ref: 0040779F

Memory Dump Source

Source File: 00000000.00000002.2405885846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2405871819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406019635.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406058766.0000000000606000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406076138.0000000000607000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406093349.000000000060F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.0000000000617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000061D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.0000000000699000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.00000000006A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_build.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1873d2e98772a56a1f3f50abdc1a30725eabaefc76c8d9e6bd4245df3509a6a5
Instruction ID: 7044fe5ad64ec624e05532b87b8b60acdd503ca618109fa90a8a530f8245d850
Opcode Fuzzy Hash: 1873d2e98772a56a1f3f50abdc1a30725eabaefc76c8d9e6bd4245df3509a6a5
Instruction Fuzzy Hash: 83B16CB1E096688FEB24CB14CD90AEAB7B5FF95314F1441FAD40D67281D6386E82CF46

Function 0041715A Relevance: 1.7, APIs: 1, Instructions: 188
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryDefaultLocale.NTDLL(00000000,?), ref: 00417775

Memory Dump Source

Source File: 00000000.00000002.2405885846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2405871819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406019635.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406058766.0000000000606000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406076138.0000000000607000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406093349.000000000060F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.0000000000617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000061D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.0000000000699000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.00000000006A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_build.jbxd

Yara matches

Similarity

API ID: DefaultLocaleQuery
String ID:
API String ID: 2949231068-0
Opcode ID: 9e16f5c70233000f8796cb9847f4fe9ff4f8a1996f646a2b5f2b0288281738fc
Instruction ID: 1476018a360be73aa8c090b949e9f603223c4eaf32c2674842341c04bba03150
Opcode Fuzzy Hash: 9e16f5c70233000f8796cb9847f4fe9ff4f8a1996f646a2b5f2b0288281738fc
Instruction Fuzzy Hash: 119128B5D056298FEB25CB14CC90BEABBB5BB84305F2481EAD40DA7785D6389EC1CF44

Function 00407302 Relevance: 1.6, APIs: 1, Instructions: 110
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,00000040,FFFFEBA4,?,?,?,?,?,?,?,?,00406A5A,?), ref: 0040779F

Memory Dump Source

Source File: 00000000.00000002.2405885846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2405871819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406019635.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406058766.0000000000606000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406076138.0000000000607000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406093349.000000000060F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.0000000000617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000061D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.0000000000699000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.00000000006A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_build.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: c344707cfbab93dcc97d1c11e4f3f2b1d6c2ec5e440ddba98dd8b3829dc6d8af
Instruction ID: c42c5b1f42dffbf49fc5b76768434c5c7e43c850f319e5ac3534525e9833c05b
Opcode Fuzzy Hash: c344707cfbab93dcc97d1c11e4f3f2b1d6c2ec5e440ddba98dd8b3829dc6d8af
Instruction Fuzzy Hash: 0C31E6B2D185145BF7188A11DC5AAF77778EB80310F1481BFD90E672C0DA7D6A828E52

Function 004175F9 Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2405885846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2405871819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406019635.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406058766.0000000000606000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406076138.0000000000607000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406093349.000000000060F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.0000000000617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000061D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.0000000000699000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.00000000006A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_build.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 105654f194b1627633bd327a17a53a427163800dc8890f4475b953e3d5da5d0b
Instruction ID: 7436e0e746358629e4f8e39342140078f633d27b8fe66c8979fcf4bf99a85519
Opcode Fuzzy Hash: 105654f194b1627633bd327a17a53a427163800dc8890f4475b953e3d5da5d0b
Instruction Fuzzy Hash: A7312671A086694BDB21CA2ACCD0BFF7BB5BF85305F2480EAC54D96612D6389EC18F04

Function 004066DB Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 193
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041DA1D

Strings

B4GA, xrefs: 0041D98B
o, xrefs: 0041EFC0
t, xrefs: 0041EFAB
x, xrefs: 0041EF9D
c, xrefs: 0041EFC7
r, xrefs: 0041EFB9
P, xrefs: 0041EFB2
s, xrefs: 0041EFDC
E, xrefs: 0041EF96
e, xrefs: 0041EFCE
s, xrefs: 0041EFD5
i, xrefs: 0041EFA4

Memory Dump Source

Source File: 00000000.00000002.2405885846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2405871819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406019635.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406058766.0000000000606000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406076138.0000000000607000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406093349.000000000060F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.0000000000617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000061D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.0000000000699000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.00000000006A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_build.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: B4GA$E$P$c$e$i$o$r$s$s$t$x
API String ID: 544645111-3409965509
Opcode ID: 045d9014f80a99a546df6506c6ee09ec708b008df3bde6707462fbf6d299fbac
Instruction ID: 7c2c2f91dbc6670ca05046b9be9ead0856f4a96fe15c102968989db437ed7b02
Opcode Fuzzy Hash: 045d9014f80a99a546df6506c6ee09ec708b008df3bde6707462fbf6d299fbac
Instruction Fuzzy Hash: D47105B1D086688BE720CA14CC947FB7BB4EB42305F1481FAC84D66641D63D9EC68F92

Function 0041D991 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 120
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041DA1D

Strings

o, xrefs: 0041EFC0
t, xrefs: 0041EFAB
x, xrefs: 0041EF9D
c, xrefs: 0041EFC7
r, xrefs: 0041EFB9
P, xrefs: 0041EFB2
s, xrefs: 0041EFDC
e, xrefs: 0041EFCE
E, xrefs: 0041EF96
s, xrefs: 0041EFD5
i, xrefs: 0041EFA4

Memory Dump Source

Source File: 00000000.00000002.2405885846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2405871819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406019635.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406058766.0000000000606000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406076138.0000000000607000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406093349.000000000060F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.0000000000617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000061D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.0000000000699000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.00000000006A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_build.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: E$P$c$e$i$o$r$s$s$t$x
API String ID: 544645111-3128998556
Opcode ID: db82872b34bc3d4f552e77ac304a2551a86206f802105a463868d0a939822a0a
Instruction ID: 6a63ad6f5d7440d5b6abbd82c09b1e506eb7b05f559da2c88fcd2854066f675e
Opcode Fuzzy Hash: db82872b34bc3d4f552e77ac304a2551a86206f802105a463868d0a939822a0a
Instruction Fuzzy Hash: D741ECB1D086689FFB20C624CC547EA7BF4EB41304F1481EBD88D66681D67D5EC58F51

Function 0041FFB3 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 285
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 004203A3

Strings

JMCL, xrefs: 00420223
, xrefs: 004203AA

Memory Dump Source

Source File: 00000000.00000002.2405885846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2405871819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406019635.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406058766.0000000000606000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406076138.0000000000607000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406093349.000000000060F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.0000000000617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000061D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.0000000000699000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.00000000006A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_build.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: $JMCL
API String ID: 621844428-1225520770
Opcode ID: dd48e54cf680fd271e0dab93154a7b8b0d676f741f1781182f2fb917eeab6552
Instruction ID: 1f1a233c4ea98c28e290184e1d0bc566697d54f42b4a2dd98467d57f08cf4de7
Opcode Fuzzy Hash: dd48e54cf680fd271e0dab93154a7b8b0d676f741f1781182f2fb917eeab6552
Instruction Fuzzy Hash: 64C15CB5E042288BEB24CF14DD90AEAB7B6FB88300F1481EAD90DA7341D7795ED18F55

Function 0041F810 Relevance: 1.7, APIs: 1, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 004203A3

Memory Dump Source

Source File: 00000000.00000002.2405885846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2405871819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406019635.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406058766.0000000000606000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406076138.0000000000607000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406093349.000000000060F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.0000000000617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000061D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.0000000000699000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.00000000006A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_build.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 8a0ea8293272a5dce6b18dde29f5876ea0fd1f41c4ae5e383ca135e33276650e
Instruction ID: 41c0bda98abb6affdce0bfdaad6be249c0a48bc92da71cafe1fd5a24dbf5fdb0
Opcode Fuzzy Hash: 8a0ea8293272a5dce6b18dde29f5876ea0fd1f41c4ae5e383ca135e33276650e
Instruction Fuzzy Hash: 1B9179B4E09228CFEB25CB14CC90BEAB776BF84305F1481EAC84D67251D6396ED6CE45

Function 0041FCCF Relevance: 1.7, APIs: 1, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 004203A3

Memory Dump Source

Source File: 00000000.00000002.2405885846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2405871819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406019635.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406058766.0000000000606000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406076138.0000000000607000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406093349.000000000060F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.0000000000617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000061D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.0000000000699000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.00000000006A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_build.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: b391bec8c69c6ea0c80c362058d44944aa2b1426c5d4457fbb903709eddb4fc6
Instruction ID: 22430cc608b4b46f28f225414a516fc4dcb0ea27b6d590589a9f11856cb9d482
Opcode Fuzzy Hash: b391bec8c69c6ea0c80c362058d44944aa2b1426c5d4457fbb903709eddb4fc6
Instruction Fuzzy Hash: 8E71AFF6D101259FE7248B10EC44BFAB7B5EB88310F1081FAD90EA6741E6785EC68E55

Function 0041FEA9 Relevance: 1.7, APIs: 1, Instructions: 170COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(00000000), ref: 004203A3

Memory Dump Source

Source File: 00000000.00000002.2405885846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2405871819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406019635.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406058766.0000000000606000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406076138.0000000000607000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406093349.000000000060F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.0000000000617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000061D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.0000000000699000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.00000000006A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_build.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: c24bf6d99de0f2a3c11adbcb63d99e7db27727c7d3cd9f5913e1953949dac405
Instruction ID: 468ef1287cf3862ee6a732311484bf04ea925a2ccc64149078e9a72c15c0f2ec
Opcode Fuzzy Hash: c24bf6d99de0f2a3c11adbcb63d99e7db27727c7d3cd9f5913e1953949dac405
Instruction Fuzzy Hash: F661BDF1D102298BEB248B10DC847FAB3B5FB84311F1081EAE90DA6281E7785EC6CF55

Function 00407150 Relevance: 1.6, APIs: 1, Instructions: 96
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,00000040,FFFFEBA4,?,?,?,?,?,?,?,?,00406A5A,?), ref: 0040779F

Memory Dump Source

Source File: 00000000.00000002.2405885846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2405871819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406019635.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406058766.0000000000606000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406076138.0000000000607000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406093349.000000000060F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.0000000000617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000061D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.0000000000699000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.00000000006A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_build.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e85c90ef5863dd61c7a654771148e6924bd2c10f9f9041b8bfcfa50669615557
Instruction ID: 998609d879f4d36cde1debd14f82a78290edc987e1c20507e84fc6d065adc7b9
Opcode Fuzzy Hash: e85c90ef5863dd61c7a654771148e6924bd2c10f9f9041b8bfcfa50669615557
Instruction Fuzzy Hash: 9A31F6B2D082545BF7188B11DC59AEB7B78EB81310F1441FFD90E67280D63D6AC6CE52

Function 004076BB Relevance: 1.6, APIs: 1, Instructions: 77
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,00000040,FFFFEBA4,?,?,?,?,?,?,?,?,00406A5A,?), ref: 0040779F

Memory Dump Source

Source File: 00000000.00000002.2405885846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2405871819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406019635.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406058766.0000000000606000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406076138.0000000000607000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406093349.000000000060F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.0000000000617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000061D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.0000000000699000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.00000000006A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_build.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 9c2b22a18ebb58a2560ddd336db8cb0d0dfd2afaa7fc5d569bcc842e142561c6
Instruction ID: 932dec28702412b53e9c094fda6d120bcd460c0735ecd7e166b51138a84fedff
Opcode Fuzzy Hash: 9c2b22a18ebb58a2560ddd336db8cb0d0dfd2afaa7fc5d569bcc842e142561c6
Instruction Fuzzy Hash: 0121F0B1E086949BE7248B24ED90AEAB774FF85340F1442FBD509672C1D6392A82CF47

Function 00407002 Relevance: 1.6, APIs: 1, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2405885846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2405871819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406019635.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406058766.0000000000606000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406076138.0000000000607000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406093349.000000000060F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.0000000000617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000061D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.0000000000699000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.00000000006A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_build.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 91cad57a516e2f4c361eacc58a156d573613a8a0f31843566538594da25e37eb
Instruction ID: b91199c152535c76d48c2b5e435d673f220464ab319cc39e82abbb88fa2171cb
Opcode Fuzzy Hash: 91cad57a516e2f4c361eacc58a156d573613a8a0f31843566538594da25e37eb
Instruction Fuzzy Hash: 5921ACB2D1C5609BE3144B65DC48AEB7B78EF41340F0002FBD9095B083C2396A86CF93

Function 0041FBE1 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 004203A3

Memory Dump Source

Source File: 00000000.00000002.2405885846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2405871819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406019635.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406058766.0000000000606000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406076138.0000000000607000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406093349.000000000060F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.0000000000617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000061D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.0000000000699000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.00000000006A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_build.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: ab4ead3101172d02aac48522461da7bc08d1452eec5aebfae6fa96207dd12a1a
Instruction ID: 5bc159319ebb743867fb39de3f8c748a28a03fbd673abd2d44e4042212212909
Opcode Fuzzy Hash: ab4ead3101172d02aac48522461da7bc08d1452eec5aebfae6fa96207dd12a1a
Instruction Fuzzy Hash: CC115CF3E041485BF3105624DD45AFF7738DBC1314F1881BBE84986540E5BC9ACB8A97

Function 0040702C Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2405885846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2405871819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406019635.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406058766.0000000000606000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406076138.0000000000607000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406093349.000000000060F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.0000000000617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000061D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.0000000000699000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.00000000006A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_build.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f6bc614bc64cf056d1a09f5f2bfde908a2a7db6986d7a22e2c0509103412b2f7
Instruction ID: 3c0158fd909a129efc1a5eb41b99e6176bf6047d08ad53226ee2bae0628576df
Opcode Fuzzy Hash: f6bc614bc64cf056d1a09f5f2bfde908a2a7db6986d7a22e2c0509103412b2f7
Instruction Fuzzy Hash: B51176B3E081A05BE3104765EC48EE7BB38EB81310F0442FBD90D67181D6396EC68B93

Function 00406C07 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2405885846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2405871819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406019635.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406058766.0000000000606000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406076138.0000000000607000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406093349.000000000060F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.0000000000617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000061D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.0000000000699000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.00000000006A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_build.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 5731e0e6edc125a2e43a085edf6b776cfc2c4dacd2189dfd6081b11495611bc1
Instruction ID: 9a8444cee67629d71a130239ee861f54f37e657be2337cb6b038551eb8c7450a
Opcode Fuzzy Hash: 5731e0e6edc125a2e43a085edf6b776cfc2c4dacd2189dfd6081b11495611bc1
Instruction Fuzzy Hash: 68114CB2E086405BF3148B21ED55EE77778FB81350F1482FFD50957181D6396A86CB53

Function 004202B2 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(00000000), ref: 004203A3

Memory Dump Source

Source File: 00000000.00000002.2405885846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2405871819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406019635.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406058766.0000000000606000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406076138.0000000000607000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406093349.000000000060F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.0000000000617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000061D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.0000000000699000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.00000000006A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_build.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 72de2b23a5a7004e1340f99e268a21924275a9173d8350a07b602b65527988a2
Instruction ID: e29210356c8ac607a074c4d3a0003b51328783218ad205ebd55b70756ab56305
Opcode Fuzzy Hash: 72de2b23a5a7004e1340f99e268a21924275a9173d8350a07b602b65527988a2
Instruction Fuzzy Hash: 5611B4B1E041658BDB24CA14EC947EE7AF5BB80300F6402EAC85E56286C7BC1FC18F46

Function 0040776A Relevance: 1.5, APIs: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,FFFFEBA4,?,?,?,?,?,?,?,?,00406A5A,?), ref: 0040779F

Memory Dump Source

Source File: 00000000.00000002.2405885846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2405871819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406019635.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406058766.0000000000606000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406076138.0000000000607000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406093349.000000000060F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.0000000000617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000061D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.0000000000699000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.00000000006A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_build.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: d53b0c6e95c7fd54e9a925cc6874bffe05f596334bc776d4928f5b1e923c50d3
Instruction ID: 8855314161c604dab32c9539a428904a4b839c8b04b57f9093ab9272a71fba34
Opcode Fuzzy Hash: d53b0c6e95c7fd54e9a925cc6874bffe05f596334bc776d4928f5b1e923c50d3
Instruction Fuzzy Hash: 8C0149B1E041806BE3248B61DD54EEBBB7CEF80340F0441FFE20957081C635AA86CF52

Non-executed Functions

Function 00592412 Relevance: 9.0, APIs: 6, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000C,0059232E,00000000,00000000,005924C6,00000000,?,?,00000000), ref: 00592414
GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000,?,?,00000000), ref: 0059243B
HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00592442
InitializeSListHead.KERNEL32(00000000,?,?,00000000), ref: 0059244F
GetProcessHeap.KERNEL32(00000000,00000000,?,?,00000000), ref: 00592464
HeapFree.KERNEL32(00000000,?,?,00000000), ref: 0059246B

Memory Dump Source

Source File: 00000000.00000002.2405885846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2405871819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406019635.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406058766.0000000000606000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406076138.0000000000607000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406093349.000000000060F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.0000000000617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000061D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.0000000000699000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.00000000006A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_build.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocFeatureFreeHeadInitializeListPresentProcessor
String ID:
API String ID: 1475849761-0
Opcode ID: 3894063a3a1850843fd365663f4c6672044bb0c88c45ff6ffa0b2371db1e62f6
Instruction ID: 61f176fd1efc5cde42d9c2f14e34ec8f0a40e9ad8dd8b2ca48b28944697b3bbe
Opcode Fuzzy Hash: 3894063a3a1850843fd365663f4c6672044bb0c88c45ff6ffa0b2371db1e62f6
Instruction Fuzzy Hash: 11F0AF35640301AFEF619F79EC08B067AA8FFA8712F044428F999D3251DB309844DF50

Function 0059247E Relevance: 5.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000008,00000000,00424286,7622DFA0,00000000,?,?,00000000), ref: 00592483
HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 0059248A
GetProcessHeap.KERNEL32(00000000,00000000,?,?,00000000), ref: 005924D0
HeapFree.KERNEL32(00000000,?,?,00000000), ref: 005924D7

Part of subcall function 0059231C: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,00000000,005924C6,00000000,?,?,00000000), ref: 00592340
Part of subcall function 0059231C: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00592347

Memory Dump Source

Source File: 00000000.00000002.2405885846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2405871819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406019635.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406058766.0000000000606000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406076138.0000000000607000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406093349.000000000060F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.0000000000617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000061D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.0000000000699000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.00000000006A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_build.jbxd

Yara matches

Similarity

API ID: Heap$Process$Alloc$Free
String ID:
API String ID: 1864747095-0
Opcode ID: bdd2e89f7cce13ad9cf521c904f958435d6724c992339c1e6157058012224566
Instruction ID: beaeba306d3fe39cc743fb89b0af5f6c944f9616c6a0800de3271866b45945a1
Opcode Fuzzy Hash: bdd2e89f7cce13ad9cf521c904f958435d6724c992339c1e6157058012224566
Instruction Fuzzy Hash: DFF0B4766447226BDF752BBC7C0C95B3E55BFE0B61B114928F41EDB185DE20D8409B60

Function 0052D910 Relevance: 1.7, APIs: 1, Instructions: 207COMMON

Download Yara Rule

APIs

Part of subcall function 00592B09: EnterCriticalSection.KERNEL32(0060F61C,?,?,?,00525158,00616078,?,00000000,005A9CE1,000000FF,?,0042319D), ref: 00592B14
Part of subcall function 00592B09: LeaveCriticalSection.KERNEL32(0060F61C,?,00525158,00616078,?,00000000,005A9CE1,000000FF,?,0042319D), ref: 00592B51

__Init_thread_footer.LIBCMT ref: 0052DB0B

Memory Dump Source

Source File: 00000000.00000002.2405885846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2405871819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406019635.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406058766.0000000000606000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406076138.0000000000607000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406093349.000000000060F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.0000000000617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000061D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.0000000000699000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.00000000006A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_build.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterInit_thread_footerLeave
String ID:
API String ID: 3960375172-0
Opcode ID: ab4d270cbbb53534f8c92a4f8be60fff7eba6527090ddf4d4e5d3127723f146c
Instruction ID: 5d6fafc3de38fa83bbede26ecfe44ae733c6c434a7af38891c4b54fb711eb241
Opcode Fuzzy Hash: ab4d270cbbb53534f8c92a4f8be60fff7eba6527090ddf4d4e5d3127723f146c
Instruction Fuzzy Hash: 857109715009714BD70CCE28E8726F57BA2BB86301F4E827FEB5386AD1C679E652CB50

Function 00592716 Relevance: 1.7, APIs: 1, Instructions: 182COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0059301F

Memory Dump Source

Source File: 00000000.00000002.2405885846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2405871819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406019635.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406058766.0000000000606000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406076138.0000000000607000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406093349.000000000060F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.0000000000617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000061D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.0000000000699000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.00000000006A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_build.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: dedb4b6ba5bd9499249da44ea6a8597d948c84de17c93b5f33b2e2852dcf6df9
Instruction ID: 7bb6667c9af65f534ab51a75e90a60d57ffd640f6537029fd7c0a6b1cddf6e49
Opcode Fuzzy Hash: dedb4b6ba5bd9499249da44ea6a8597d948c84de17c93b5f33b2e2852dcf6df9
Instruction Fuzzy Hash: A561D471A40609DFDF24CF54D9857AEBFF5FB04310F14852AE816EB2A0D775AA40CB90

Function 00401ECD Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2405885846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2405871819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406019635.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406058766.0000000000606000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406076138.0000000000607000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406093349.000000000060F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.0000000000617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000061D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.0000000000699000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.00000000006A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_build.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66b1f2d940cc2a15b99bd33e8a4f4fa5933c9faf2ed567310e30107212ecc8de
Instruction ID: 2d25ff128d068f76006ad27daf84b356ad2c56a7a6956572dcec0643ae5f8720
Opcode Fuzzy Hash: 66b1f2d940cc2a15b99bd33e8a4f4fa5933c9faf2ed567310e30107212ecc8de
Instruction Fuzzy Hash: C26106B2C041159FFB1CCA24DE56AEEB779EB90300F1482FED90DA6284D6B85FC18E45

Function 00427A40 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2405885846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2405871819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406019635.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406058766.0000000000606000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406076138.0000000000607000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406093349.000000000060F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.0000000000617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000061D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.0000000000699000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.00000000006A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_build.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed25064e58b13f409ae6224364f1636c299320528e1d594b0044869da24cb299
Instruction ID: b7e3b764450d4a7df2afc685ccfb6effe7e2e3bb59e6dbdaf1d74b26299d9b3e
Opcode Fuzzy Hash: ed25064e58b13f409ae6224364f1636c299320528e1d594b0044869da24cb299
Instruction Fuzzy Hash: 2FE0D8B18002145B9200EB24AC094A77FD8EA45224F048679EC4CC3151F732E919C7C7

Function 00421F40 Relevance: 44.1, APIs: 24, Strings: 1, Instructions: 386COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00421F80
GetDlgItem.USER32(?,00000001), ref: 00421FC2
GetWindowRect.USER32(00000000,?), ref: 00421FD9
GetWindowLongW.USER32(?,000000F0), ref: 004220B5
CreateWindowExW.USER32(00000000,ScrollBar,005B5D98,54000014,00000000,00000000,80000000,80000000,?,00000000,00000000,00000000), ref: 004220EB
GetClientRect.USER32(?,?), ref: 00422100
GetWindowRect.USER32(00000000,?), ref: 00422112
SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,00000005,?,?), ref: 00422141
BeginDeferWindowPos.USER32(00000000), ref: 004221A6
GetDlgItem.USER32(00000000,?), ref: 0042229A
DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000314), ref: 004222BE
GetClientRect.USER32(00000000,?), ref: 004222E2
GetWindowRect.USER32(00000000,?), ref: 004222F4
IsZoomed.USER32(00000000), ref: 00422301
DeferWindowPos.USER32(?,00000000,00000000,?,?,00000000,00000000,-00000355), ref: 0042233C
EndDeferWindowPos.USER32(00000000), ref: 00422343
EndDeferWindowPos.USER32(?), ref: 0042235A
GetWindowLongW.USER32(?,000000F0), ref: 004223AC
GetWindowLongW.USER32(?,000000EC), ref: 004223B7
MapDialogRect.USER32(?,?), ref: 004223EE
AdjustWindowRectEx.USER32(?,?,00000000,?), ref: 00422403
MapDialogRect.USER32(?,00000000), ref: 0042244D
AdjustWindowRectEx.USER32(?,?,00000000,?), ref: 00422462

Strings

ScrollBar, xrefs: 004220E4

Memory Dump Source

Source File: 00000000.00000002.2405885846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2405871819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406019635.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406058766.0000000000606000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406076138.0000000000607000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406093349.000000000060F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.0000000000617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000061D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.0000000000699000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.00000000006A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_build.jbxd

Yara matches

Similarity

API ID: Window$Rect$Defer$ClientLong$AdjustDialogItem$BeginCreateZoomed
String ID: ScrollBar
API String ID: 376062766-3978720103
Opcode ID: 5876d8cce9d716d45ecffc8679df0715509107c4c30f3f23e34ab5b04b4a616f
Instruction ID: e3a6938857b87d74d63ece223c9eab936984e1976c03630cfa8fdf1f6ee4a28b
Opcode Fuzzy Hash: 5876d8cce9d716d45ecffc8679df0715509107c4c30f3f23e34ab5b04b4a616f
Instruction Fuzzy Hash: C1F14771608701AFD720CF68D944B6ABBF4BF99304F048A1EF585A3660E775E894CF86

Function 00422860 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 168windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000001,000000EC), ref: 00422874
SetWindowLongW.USER32(00000001,000000EC,00000000), ref: 0042288F
SetWindowPos.USER32(00000001,00000000,00000000,00000000,00000000,00000000,00000037,?,?,00600594,00000000,004227E1,?,?,00600594), ref: 004228A0

Part of subcall function 0054D118: __EH_prolog.LIBCMT ref: 0054D11D

GetDlgItem.USER32(00000001,00000435), ref: 004228AE
SetWindowLongW.USER32(?,000000FC,00000000), ref: 004228EC
GetWindowLongW.USER32(?,000000F0), ref: 004228FF
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00422916
GetDlgItem.USER32(00000001,000003EC), ref: 00422939
SetWindowLongW.USER32(?,000000FC,00000000), ref: 00422977
GetWindowLongW.USER32(?,000000F0), ref: 0042298A
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004229A1
GetDlgItem.USER32(00000001,0000048D), ref: 00422A3E
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00422A58

Strings

= , xrefs: 00422A17

Memory Dump Source

Source File: 00000000.00000002.2405885846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2405871819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406019635.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406058766.0000000000606000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406076138.0000000000607000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406093349.000000000060F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.0000000000617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000061D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.0000000000699000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.00000000006A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_build.jbxd

Yara matches

Similarity

API ID: Window$Long$Item$H_prologMessageSend
String ID: =
API String ID: 449355210-3048733930
Opcode ID: 00dbc9e9d13d928ce84c9130bf69b19c24ec69a3da25fb5464962becd9e0d513
Instruction ID: d14620618d2bcbfad0fa2956e50aecafd30e84ceab51e050cdf336f42f0c320b
Opcode Fuzzy Hash: 00dbc9e9d13d928ce84c9130bf69b19c24ec69a3da25fb5464962becd9e0d513
Instruction Fuzzy Hash: CD517DB0700612BFDB24AF34DD46B6ABEA4FF04310F10472AF469962E1DBB1E854DB94

Function 00592210 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58libraryCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,00000000,?,005925AF,0060F5A4,00000000,00000000,?,00424299,?,004242D0,00000000,7622DFA0,00000000), ref: 00592222
LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,00000000,?,005925AF,0060F5A4,00000000,00000000,?,00424299,?,004242D0,00000000,7622DFA0), ref: 00592237
DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 005922B3

Strings

AtlThunk_InitData, xrefs: 0059225F
AtlThunk_DataToCode, xrefs: 00592276
atlthunk.dll, xrefs: 00592232
AtlThunk_FreeData, xrefs: 0059228D
AtlThunk_AllocateData, xrefs: 00592248

Memory Dump Source

Source File: 00000000.00000002.2405885846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2405871819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406019635.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406058766.0000000000606000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406076138.0000000000607000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406093349.000000000060F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.0000000000617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000061D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.0000000000699000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.00000000006A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_build.jbxd

Yara matches

Similarity

API ID: DecodePointer$LibraryLoad
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
API String ID: 1423960858-1745123996
Opcode ID: 52dbb56f5492687e1749eba3708075505bc99e9558a7a815b2fdf984e7c565f9
Instruction ID: ed2355cb290234cf0a7731ac0611f87c8fae2e72131cdd1956bd2e7d00dabef1
Opcode Fuzzy Hash: 52dbb56f5492687e1749eba3708075505bc99e9558a7a815b2fdf984e7c565f9
Instruction Fuzzy Hash: 5A0196395817017BCF26AF14AC0BFCA3F99BF22788F040470FC05A63D2E791AA19C5A5

Function 00591B20 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 95threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00591B92
GetThreadPriority.KERNEL32(00000000), ref: 00591B99
SetThreadPriority.KERNEL32(00000000,00000000), ref: 00591BC7
ResumeThread.KERNEL32(00000000), ref: 00591BCE
GetCurrentThread.KERNEL32 ref: 00591C10
GetThreadPriority.KERNEL32(00000000), ref: 00591C17

Strings

^QB, xrefs: 00591B20

Memory Dump Source

Source File: 00000000.00000002.2405885846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2405871819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406019635.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406058766.0000000000606000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406076138.0000000000607000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406093349.000000000060F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.0000000000617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000061D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.0000000000699000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.00000000006A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_build.jbxd

Yara matches

Similarity

API ID: Thread$Priority$Current$Resume
String ID: ^QB
API String ID: 3552734753-2719061505
Opcode ID: 7f6c59f3951e32e3a4f9b91f87bc28aad2ca832e50b815342c61c3ec3102c33c
Instruction ID: 03d6b9e87ad54b36b64c078c781d29aeb48e9228a4f65d4f39ea40a867c40331
Opcode Fuzzy Hash: 7f6c59f3951e32e3a4f9b91f87bc28aad2ca832e50b815342c61c3ec3102c33c
Instruction Fuzzy Hash: EC31EE74A0121AEFCF14DFA4C848BAEBBB9FF44714F004259F812E3281DB74A944DBA4

Function 0059231C Relevance: 12.1, APIs: 8, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000D,00000000,00000000,005924C6,00000000,?,?,00000000), ref: 00592340
HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00592347

Part of subcall function 00592412: IsProcessorFeaturePresent.KERNEL32(0000000C,0059232E,00000000,00000000,005924C6,00000000,?,?,00000000), ref: 00592414

InterlockedPopEntrySList.KERNEL32(00000000,00000000,00000000,005924C6,00000000,?,?,00000000), ref: 00592357
VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,?,00000000), ref: 0059237E
RaiseException.KERNEL32(C0000017,00000000,00000000,00000000,?,?,00000000), ref: 00592392
InterlockedPopEntrySList.KERNEL32(00000000,?,?,00000000), ref: 005923A5
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00000000), ref: 005923B8

Memory Dump Source

Source File: 00000000.00000002.2405885846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2405871819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406019635.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406058766.0000000000606000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406076138.0000000000607000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406093349.000000000060F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.0000000000617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000061D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.0000000000699000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.00000000006A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_build.jbxd

Yara matches

Similarity

API ID: AllocEntryHeapInterlockedListVirtual$ExceptionFeatureFreePresentProcessProcessorRaise
String ID:
API String ID: 2460949444-0
Opcode ID: a29c2ff020e0f5911fabb4ad7351b030c3f3b5123e20d623d3e08dec66a40b24
Instruction ID: 0df842aa626a0d04b8c36fb811008f0322823937be6daee0a24043841320a3f0
Opcode Fuzzy Hash: a29c2ff020e0f5911fabb4ad7351b030c3f3b5123e20d623d3e08dec66a40b24
Instruction Fuzzy Hash: E311C875640222BBEF311B68AC48F2B7E5DFB54741F150A30F905E6151DA64DC446FA4

Function 00424030 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 170COMMON

Download Yara Rule

APIs

GetClassInfoExW.USER32(00000000,?,?), ref: 004240DE
GetClassInfoExW.USER32(?,00000030), ref: 004240F5
SetLastError.KERNEL32(00000000), ref: 00424146
GetClassInfoExW.USER32(00000008,00000030), ref: 00424157
GetLastError.KERNEL32 ref: 00424165

Strings

ATL:, xrefs: 00424106

Memory Dump Source

Source File: 00000000.00000002.2405885846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2405871819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406019635.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406058766.0000000000606000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406076138.0000000000607000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406093349.000000000060F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.0000000000617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000061D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.0000000000699000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.00000000006A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_build.jbxd

Yara matches

Similarity

API ID: ClassInfo$ErrorLast
String ID: ATL:
API String ID: 859646241-4086939539
Opcode ID: 7ff8f0649ccba273d9a7199bff72008dec24084cb5dc7ad8e958f1b60299d01c
Instruction ID: 3fbaa0924727ec093c9642173100ef8c0ed775f7d3121582ae9b3222a726813d
Opcode Fuzzy Hash: 7ff8f0649ccba273d9a7199bff72008dec24084cb5dc7ad8e958f1b60299d01c
Instruction Fuzzy Hash: B851E071A002259FCB20DFA4ED49A7FB7B9FB90704F40062AE900A7251D738A965DF99

Function 00421AF0 Relevance: 9.1, APIs: 6, Instructions: 143threadCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000000,?,?,?,?,?,00421948), ref: 00421B0C

Part of subcall function 00424030: GetClassInfoExW.USER32(00000000,?,?), ref: 004240DE
Part of subcall function 00424030: GetClassInfoExW.USER32(?,00000030), ref: 004240F5
Part of subcall function 00424030: SetLastError.KERNEL32(00000000), ref: 00424146
Part of subcall function 00424030: GetClassInfoExW.USER32(00000008,00000030), ref: 00424157
Part of subcall function 00424030: GetLastError.KERNEL32 ref: 00424165

GetCurrentThreadId.KERNEL32 ref: 00421B56
EnterCriticalSection.KERNEL32(0060A298,?,?,?,?,?,00421948), ref: 00421B64
LeaveCriticalSection.KERNEL32(0060A298,?,?,?,?,?,00421948), ref: 00421B7D
CreateWindowExW.USER32(00000000,?,00000000,?,80000000,80000000,00000000,00000000,00000000,?,00000000), ref: 00421BD2
SetLastError.KERNEL32(0000000E,C0000005,00000001,?,00000000,00000000,?,?,?,?,?,00421948), ref: 00421BF0

Part of subcall function 0059247E: GetProcessHeap.KERNEL32(00000008,00000008,00000000,00424286,7622DFA0,00000000,?,?,00000000), ref: 00592483
Part of subcall function 0059247E: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 0059248A

Memory Dump Source

Source File: 00000000.00000002.2405885846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2405871819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406019635.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406058766.0000000000606000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406076138.0000000000607000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406093349.000000000060F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.0000000000617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000061D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.0000000000699000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.00000000006A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_build.jbxd

Yara matches

Similarity

API ID: ErrorLast$ClassInfo$CriticalHeapSection$AllocCreateCurrentEnterLeaveProcessThreadWindow
String ID:
API String ID: 1532336298-0
Opcode ID: 85b29703ff24dd9c7e6f1ee9b48d73370df39c5e7b0ae424bdae414b49aacd2b
Instruction ID: ef3214eb57b59108e217f77367fe40e9033944a6d5afb27af945ac68c309a1c2
Opcode Fuzzy Hash: 85b29703ff24dd9c7e6f1ee9b48d73370df39c5e7b0ae424bdae414b49aacd2b
Instruction Fuzzy Hash: DA417C71344311AFD714DF68DC85B2BBBE9EB98710F00452EF646DB290DBB4E8048BA1

Function 00591960 Relevance: 9.0, APIs: 6, Instructions: 41threadsynchronizationCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0059196A
GetThreadPriority.KERNEL32(00000000), ref: 00591971
GetThreadPriority.KERNEL32(00580217), ref: 0059197C
SetThreadPriority.KERNEL32(00580217,00000000), ref: 0059198A
WaitForSingleObject.KERNEL32(00580217,000000FF), ref: 00591995
CloseHandle.KERNEL32(00580217), ref: 005919A3

Memory Dump Source

Source File: 00000000.00000002.2405885846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2405871819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406019635.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406058766.0000000000606000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406076138.0000000000607000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406093349.000000000060F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.0000000000617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000061D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.0000000000699000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.00000000006A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_build.jbxd

Yara matches

Similarity

API ID: Thread$Priority$CloseCurrentHandleObjectSingleWait
String ID:
API String ID: 1718353164-0
Opcode ID: 73b32dfd8273e6295660c316631d924a610b0adb3fc8822fcb23d5032fc084f5
Instruction ID: 6f4a0c1e44ae4caed6706faa0e674f7cc049ea5f26ed3caede93d4ef78788e63
Opcode Fuzzy Hash: 73b32dfd8273e6295660c316631d924a610b0adb3fc8822fcb23d5032fc084f5
Instruction Fuzzy Hash: 60F03AB5100A13ABCF605BB8EE5D819FB69BF643617108725F036826F2DB31A865EF04

Function 00422A70 Relevance: 6.1, APIs: 4, Instructions: 127windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(00000001,00000435), ref: 00422B2B
GetDlgItem.USER32(00000001,0000048D), ref: 00422BCF
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00422BDF
DestroyWindow.USER32(00000001), ref: 00422BFE

Memory Dump Source

Source File: 00000000.00000002.2405885846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2405871819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406019635.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406058766.0000000000606000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406076138.0000000000607000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406093349.000000000060F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.0000000000617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000061D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.0000000000699000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.00000000006A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_build.jbxd

Yara matches

Similarity

API ID: Item$DestroyMessageSendWindow
String ID:
API String ID: 3090131160-0
Opcode ID: ca2848b37b557aabb613ca1c7846c7075ea2733f794bd155616e8047f823f290
Instruction ID: 56018adc457ee554f330d9e31960027dff2f61ac07181aeb852c591fced9a5cf
Opcode Fuzzy Hash: ca2848b37b557aabb613ca1c7846c7075ea2733f794bd155616e8047f823f290
Instruction Fuzzy Hash: 635154B0A00248ABDB20DFA9D949B9EBFF4BF58314F144519E411BB291CBB86904CFA0

Function 00421A40 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000418,00000000,?), ref: 00421A73
SendMessageW.USER32(?), ref: 00421AA9
SendMessageW.USER32(?,00000412,00000000), ref: 00421AD4
SendMessageW.USER32(?,00000411,00000001,?), ref: 00421AE1

Memory Dump Source

Source File: 00000000.00000002.2405885846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2405871819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406019635.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406058766.0000000000606000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406076138.0000000000607000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406093349.000000000060F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.0000000000617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000061D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.0000000000699000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.00000000006A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_build.jbxd

Yara matches

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e154f3616b20d02131f8ac69e930b8d754935b032ca4746cd1b7db9f1f45573e
Instruction ID: 056b8dc03bbacfd0d86dd61f933739a328027decfb519111fb1f3285849d17ed
Opcode Fuzzy Hash: e154f3616b20d02131f8ac69e930b8d754935b032ca4746cd1b7db9f1f45573e
Instruction Fuzzy Hash: 98116A71240304ABE7209F2ACD85F1BBBE8FB84B45F40892DF685965A1C7B1F908CB64

Function 00421920 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000040D,00000000,00000000), ref: 00421959
SendMessageW.USER32(?,00000411,00000000,?), ref: 00421971
SendMessageW.USER32(?,00000433,00000000,?), ref: 00421982
GetWindowRect.USER32(?,?), ref: 0042199F

Memory Dump Source

Source File: 00000000.00000002.2405885846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2405871819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406019635.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406058766.0000000000606000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406076138.0000000000607000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406093349.000000000060F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.0000000000617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000061D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.0000000000699000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.00000000006A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_build.jbxd

Yara matches

Similarity

API ID: MessageSend$RectWindow
String ID:
API String ID: 1944065686-0
Opcode ID: 7b2f938d5d4943be965eb0663962e518f7f26e6a711bc9cb0b5819c0799ef7b5
Instruction ID: 594fdfbadbf35a74eff55c0d0a36d92e90d8671c7fb2c7794805fcb4d06949e0
Opcode Fuzzy Hash: 7b2f938d5d4943be965eb0663962e518f7f26e6a711bc9cb0b5819c0799ef7b5
Instruction Fuzzy Hash: 8F112771B016247BDB219F29EC06F9BBB68EF21760F444316FD04662A1D770BA94CBD8

Function 00401922 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000040D,00000000,00000000), ref: 00421959
SendMessageW.USER32(?,00000411,00000000,?), ref: 00421971
SendMessageW.USER32(?,00000433,00000000,?), ref: 00421982
GetWindowRect.USER32(?,?), ref: 0042199F

Memory Dump Source

Source File: 00000000.00000002.2405885846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2405871819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406019635.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406058766.0000000000606000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406076138.0000000000607000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406093349.000000000060F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.0000000000617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000061D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.0000000000699000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.00000000006A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_build.jbxd

Yara matches

Similarity

API ID: MessageSend$RectWindow
String ID:
API String ID: 1944065686-0
Opcode ID: 59de93ffc885d8b3cfd5118fbbd8d5450dd13599d371894dab07d54a46468e35
Instruction ID: 976cf0dfd2e6fdd224c174f1518e0448649e182263952f6c5103e505f245c106
Opcode Fuzzy Hash: 59de93ffc885d8b3cfd5118fbbd8d5450dd13599d371894dab07d54a46468e35
Instruction Fuzzy Hash: D2112770B01224BBDB218F29EC01B9AB764FF21710F444206FD0466161D770E994CBC8

Function 004E5510 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 101threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004E553C

Strings

%path_sort%, xrefs: 004E55FF
Dc[, xrefs: 004E5520

Memory Dump Source

Source File: 00000000.00000002.2405885846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2405871819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406019635.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406058766.0000000000606000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406076138.0000000000607000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406093349.000000000060F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.0000000000617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000061D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406109708.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406165226.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.0000000000699000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2406204157.00000000006A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_build.jbxd

Yara matches

Similarity

API ID: CurrentThread
String ID: %path_sort%$Dc[
API String ID: 2882836952-418770324
Opcode ID: 4da7f740f64944a77406cc8cf8fc37ffc635ebb709fc4d4f05e17eb5a452c0a7
Instruction ID: 80f9f5d8d4006964c7a56ff0b8deedac7b6fac6e158ca5e25abf240470f13d79
Opcode Fuzzy Hash: 4da7f740f64944a77406cc8cf8fc37ffc635ebb709fc4d4f05e17eb5a452c0a7
Instruction Fuzzy Hash: 0A41F334A016859FCB10DFA6D814BAEBBF2FF5530AF58419AD801A73A1DB35AC04CF54

Analysis Process: csc.exePID: 4924, Parent PID: 5776COMMON

Execution Graph

Execution Coverage:	9.8%
Dynamic/Decrypted Code Coverage:	98.8%
Signature Coverage:	0%
Total number of Nodes:	255
Total number of Limit Nodes:	22

Executed Functions

Function 0B013D32 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 135
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0B015816
GetCurrentThread.KERNEL32 ref: 0B015853
GetCurrentProcess.KERNEL32 ref: 0B015890
GetCurrentThreadId.KERNEL32 ref: 0B0158E9

Strings

sgm3, xrefs: 0B0157B4

Memory Dump Source

Source File: 00000003.00000002.4553929644.000000000B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b010000_csc.jbxd

Similarity

API ID: Current$ProcessThread
String ID: sgm3
API String ID: 2063062207-2060810551
Opcode ID: d1afaab82545aa6243c33a62854654343d21da64b17d5cdc2327e76ff07ca513
Instruction ID: 8fe3a8fbc152971c75655ac15ba15bf37e9509787d24a880851be822f221108b
Opcode Fuzzy Hash: d1afaab82545aa6243c33a62854654343d21da64b17d5cdc2327e76ff07ca513
Instruction Fuzzy Hash: A35166B0D01349CFDB48DFAAD948BAEBBF1FF88304F248459E019AB260D7356944CB65

Function 0B013D3C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0B015816
GetCurrentThread.KERNEL32 ref: 0B015853
GetCurrentProcess.KERNEL32 ref: 0B015890
GetCurrentThreadId.KERNEL32 ref: 0B0158E9

Strings

sgm3, xrefs: 0B0157B4

Memory Dump Source

Source File: 00000003.00000002.4553929644.000000000B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b010000_csc.jbxd

Similarity

API ID: Current$ProcessThread
String ID: sgm3
API String ID: 2063062207-2060810551
Opcode ID: b5b9766cb853c7a559fce69089b5e2d31a9b13981344528cb074b43ebbc3ec62
Instruction ID: 4c81ad60f46b7c6949d671556b404174b9fd4200bec0ab9e0197b2da55db15f9
Opcode Fuzzy Hash: b5b9766cb853c7a559fce69089b5e2d31a9b13981344528cb074b43ebbc3ec62
Instruction Fuzzy Hash: 225167B0D01249CFDB48DFAAD948BAEBBF1FF88304F208459E019B7260D7356944CB65

Function 0B01FA2C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0B01FB4A

Strings

sgm3, xrefs: 0B01FA66
sgm3, xrefs: 0B01FA86

Memory Dump Source

Source File: 00000003.00000002.4553929644.000000000B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b010000_csc.jbxd

Similarity

API ID: CreateWindow
String ID: sgm3$sgm3
API String ID: 716092398-4065736149
Opcode ID: c14b0b98bbe0eee34a665b67fee16fc612fe472f828e5400d69166ffde4f0183
Instruction ID: bfad588c3cfa4c92ea760e8dd504915f9b4a136e16767342af77d3c9fe572e4c
Opcode Fuzzy Hash: c14b0b98bbe0eee34a665b67fee16fc612fe472f828e5400d69166ffde4f0183
Instruction Fuzzy Hash: 1051CFB1D003499FDB18CF99C894ADEBBB5FF88310F64856AE819AB210D7749845CF90

Function 0B01FA38 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0B01FB4A

Strings

sgm3, xrefs: 0B01FA66
sgm3, xrefs: 0B01FA86

Memory Dump Source

Source File: 00000003.00000002.4553929644.000000000B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b010000_csc.jbxd

Similarity

API ID: CreateWindow
String ID: sgm3$sgm3
API String ID: 716092398-4065736149
Opcode ID: 8143808f39e5e87fdf7b3291248cd7176c30adbef042d60602f869f7161da499
Instruction ID: 95c96e4280371318049590998594ce8d9a0e62e405ec61327f8450416d566eb9
Opcode Fuzzy Hash: 8143808f39e5e87fdf7b3291248cd7176c30adbef042d60602f869f7161da499
Instruction Fuzzy Hash: CE41AEB1D00309DFDB18CF9AD884ADEBBF5BF88310F64852AE819AB210D7759845CF90

Function 06C0F928 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,06C0FC45), ref: 06C0FCC8

Strings

sgm3, xrefs: 06C0FC77
4'^, xrefs: 06C0F928

Memory Dump Source

Source File: 00000003.00000002.4551944966.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c00000_csc.jbxd

Similarity

API ID: DeleteFile
String ID: 4'^$sgm3
API String ID: 4033686569-1565655794
Opcode ID: 010647d2306859bd808af01c297179336c5965ffbb53e9f564d46028b4602d28
Instruction ID: 9fc047b4b752a4e3fc8e7cd6b7e8efdb1fa78954784c7c7478c03413c923eeb4
Opcode Fuzzy Hash: 010647d2306859bd808af01c297179336c5965ffbb53e9f564d46028b4602d28
Instruction Fuzzy Hash: DE2115B5C006599FDB24DF9AC5457AEFBB4EB48620F10812AD928A7240D378A944CFE5

Function 06C01978 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 06C033F1

Strings

sgm3, xrefs: 06C03374

Memory Dump Source

Source File: 00000003.00000002.4551944966.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c00000_csc.jbxd

Similarity

API ID: Create
String ID: sgm3
API String ID: 2289755597-2060810551
Opcode ID: f54db73f04c47679ba7fc7589bbb1a66e2f74fabad7fc92e7eba9bb32fce2061
Instruction ID: 42fd4ce2fcba19843c1ddc0de77dfb18e0cadf73bf6e924e80dfe31b50638c27
Opcode Fuzzy Hash: f54db73f04c47679ba7fc7589bbb1a66e2f74fabad7fc92e7eba9bb32fce2061
Instruction Fuzzy Hash: 4841BFB0C0075DDFEB64DFAAC844B9EBBB5BF48704F20806AD409AB251DB756945CFA0

Function 06C03334 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 06C033F1

Strings

sgm3, xrefs: 06C03374

Memory Dump Source

Source File: 00000003.00000002.4551944966.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c00000_csc.jbxd

Similarity

API ID: Create
String ID: sgm3
API String ID: 2289755597-2060810551
Opcode ID: c61af44a6f308b94ee4994cdb613649ddcb4b73ce16ba4a891acd8f274863cef
Instruction ID: 2605f9def5520374e33e3fb331d6bf0d230a9e2b58abb5a7a2268281d9ac817b
Opcode Fuzzy Hash: c61af44a6f308b94ee4994cdb613649ddcb4b73ce16ba4a891acd8f274863cef
Instruction Fuzzy Hash: F441DEB4C0075DCFEB64CFA9C844B9EBBB5BF48304F20846AD409AB255DB756946CFA0

Function 0B0D2460 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 0B0D2521

Strings

sgm3, xrefs: 0B0D2477

Memory Dump Source

Source File: 00000003.00000002.4554098680.000000000B0D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B0D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b0d0000_csc.jbxd

Similarity

API ID: CallProcWindow
String ID: sgm3
API String ID: 2714655100-2060810551
Opcode ID: ed1c93bbecd188931e185c6b02fa77fd4acfc49dbcd7fcb6ed90084288e730c1
Instruction ID: fd242d3128f8c1ab44b616babb8352d8438e94c082c790f6e24765de2b770474
Opcode Fuzzy Hash: ed1c93bbecd188931e185c6b02fa77fd4acfc49dbcd7fcb6ed90084288e730c1
Instruction Fuzzy Hash: C64117B5900309CFDB58CF99C448AAABBF5FB88314F24C499D519AB365D374A841CFA0

Function 0B013C84 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32(?,00000000,?,?,?,?,?,00000000,00000000,?,0B0140D5,00000000,00000000), ref: 0B0141E8

Strings

sgm3, xrefs: 0B014172

Memory Dump Source

Source File: 00000003.00000002.4553929644.000000000B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b010000_csc.jbxd

Similarity

API ID: HookWindows
String ID: sgm3
API String ID: 2559412058-2060810551
Opcode ID: daea425f755fd6d2d11baa1e86dd7e046ddef3f5857acf2f7823bfbf2e64541b
Instruction ID: d1b3c92f7c8829cc0ef236393edbe58800172ce643374569482dac2be272c9f9
Opcode Fuzzy Hash: daea425f755fd6d2d11baa1e86dd7e046ddef3f5857acf2f7823bfbf2e64541b
Instruction Fuzzy Hash: 7A2124B5D002099FDB18DFA9C844AAEBBF5FB88310F108429E915A7360D775A904CFA1

Function 0B014152 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32(?,00000000,?,?,?,?,?,00000000,00000000,?,0B0140D5,00000000,00000000), ref: 0B0141E8

Strings

sgm3, xrefs: 0B014172

Memory Dump Source

Source File: 00000003.00000002.4553929644.000000000B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b010000_csc.jbxd

Similarity

API ID: HookWindows
String ID: sgm3
API String ID: 2559412058-2060810551
Opcode ID: 3240e5a79a62e8898c5295567c4e6bbafcc8797b96f6e3a8ef1d3b6e0717ad3c
Instruction ID: 257b81b4f76183c34710f88ca2c03c9e8dc10de4103fef09540e167a29ad06e6
Opcode Fuzzy Hash: 3240e5a79a62e8898c5295567c4e6bbafcc8797b96f6e3a8ef1d3b6e0717ad3c
Instruction Fuzzy Hash: 9F2135B5D00209DFDB14DFA9C884A9EBBF4FF88310F10842AD519A7360C7759904CFA1

Function 0B0159D9 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0B015A67

Strings

sgm3, xrefs: 0B0159FF

Memory Dump Source

Source File: 00000003.00000002.4553929644.000000000B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b010000_csc.jbxd

Similarity

API ID: DuplicateHandle
String ID: sgm3
API String ID: 3793708945-2060810551
Opcode ID: 50e9aa1d8fdf8d99973192f522b2d6708ab6c919389aec9854f18d87c5f58d6d
Instruction ID: 1189fea68053483efb2661e9637e47b816b803d7e3853cba2a63169c2d92dc67
Opcode Fuzzy Hash: 50e9aa1d8fdf8d99973192f522b2d6708ab6c919389aec9854f18d87c5f58d6d
Instruction Fuzzy Hash: A021E4B5D01249EFDB14CFAAD884AEEBBF4FB48310F14845AE918A7310D375A954CFA4

Function 0B0159E0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0B015A67

Strings

sgm3, xrefs: 0B0159FF

Memory Dump Source

Source File: 00000003.00000002.4553929644.000000000B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b010000_csc.jbxd

Similarity

API ID: DuplicateHandle
String ID: sgm3
API String ID: 3793708945-2060810551
Opcode ID: 63a4ea6445af12fd7ddb8d0cfb7169d47a052e1337f8c0980edb0c74bbdc7d5b
Instruction ID: 09e5403d6da0e891ba94b860fc263cf756f065db4ff3fc28f0bdcadfe538ba13
Opcode Fuzzy Hash: 63a4ea6445af12fd7ddb8d0cfb7169d47a052e1337f8c0980edb0c74bbdc7d5b
Instruction Fuzzy Hash: E821E4B5D01208DFDB10CFAAD884ADEBBF4EB48310F14845AE918A7310D375A940CFA4

Function 06C0FC50 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,06C0FC45), ref: 06C0FCC8

Strings

sgm3, xrefs: 06C0FC77

Memory Dump Source

Source File: 00000003.00000002.4551944966.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c00000_csc.jbxd

Similarity

API ID: DeleteFile
String ID: sgm3
API String ID: 4033686569-2060810551
Opcode ID: a102e6f5b4c9708129cb0b928fd13b8abb0fb726b3c7a2d60adffd5a8f121508
Instruction ID: 3ec9a08280801df903d54db945c071289cbc6dc4a490e75b372ccc9734940a36
Opcode Fuzzy Hash: a102e6f5b4c9708129cb0b928fd13b8abb0fb726b3c7a2d60adffd5a8f121508
Instruction Fuzzy Hash: A92135B1C00619DFDB24DFAAC445BEEFBB4EF48710F10812AD818A7250D338A941CFA4

Function 0B01D741 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0B01D5C1,00000800,00000000,00000000), ref: 0B01D7B2

Strings

sgm3, xrefs: 0B01D767

Memory Dump Source

Source File: 00000003.00000002.4553929644.000000000B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b010000_csc.jbxd

Similarity

API ID: LibraryLoad
String ID: sgm3
API String ID: 1029625771-2060810551
Opcode ID: cdc0bd188cf979f7ca4dfa23c64c693f43c5440f8c39dcbba60d69679bb55294
Instruction ID: e8d96ae6d8a0bcf9e0b2760fc99498d3f4ae9589e7a5d1911b7601b6c5ef034a
Opcode Fuzzy Hash: cdc0bd188cf979f7ca4dfa23c64c693f43c5440f8c39dcbba60d69679bb55294
Instruction Fuzzy Hash: AD2117B6D002498FDB18CF9AD484ADEFBF5EB88320F10852AD569A7210C379A545CFA5

Function 0B01C398 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0B01D5C1,00000800,00000000,00000000), ref: 0B01D7B2

Strings

sgm3, xrefs: 0B01D767

Memory Dump Source

Source File: 00000003.00000002.4553929644.000000000B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b010000_csc.jbxd

Similarity

API ID: LibraryLoad
String ID: sgm3
API String ID: 1029625771-2060810551
Opcode ID: 833c7869c705b89ea87fdfbc090274a98ec10a79f885ecb298944132c5be25a7
Instruction ID: e412f3e307115753b3cd39b47c2e2b07ce660324a7fcfa6bcbe7075e9a989248
Opcode Fuzzy Hash: 833c7869c705b89ea87fdfbc090274a98ec10a79f885ecb298944132c5be25a7
Instruction Fuzzy Hash: F31114B6D002098FDB18CF9AC444A9EFBF4EB88720F10852AD529A7200D379A544CFA4

Function 0B01D4B8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0B01D526

Strings

sgm3, xrefs: 0B01D4DF

Memory Dump Source

Source File: 00000003.00000002.4553929644.000000000B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b010000_csc.jbxd

Similarity

API ID: HandleModule
String ID: sgm3
API String ID: 4139908857-2060810551
Opcode ID: 9e4106aae8072351d6efaf467afdaf80ac6ed770eb9945fcdfc7a3117693d0d0
Instruction ID: fb4d812e16ef48087432a42f3ee210cd4aa46f6222bec29efc26702f03e2ad58
Opcode Fuzzy Hash: 9e4106aae8072351d6efaf467afdaf80ac6ed770eb9945fcdfc7a3117693d0d0
Instruction Fuzzy Hash: E31112B5C00249CFDB14CF9AD444ADEFBF0AB88324F14856AD459A7211C379A506CFA1

Function 0B01D4C0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0B01D526

Strings

sgm3, xrefs: 0B01D4DF

Memory Dump Source

Source File: 00000003.00000002.4553929644.000000000B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b010000_csc.jbxd

Similarity

API ID: HandleModule
String ID: sgm3
API String ID: 4139908857-2060810551
Opcode ID: 053e4ff0cf6cc4aac3efd1ca4b8001d952d24961b2bbf9f65dc2d863b3b44529
Instruction ID: 1b23eb53d458f83dad58ef6cd4a6d934b67c2170c1509771151720198bad2417
Opcode Fuzzy Hash: 053e4ff0cf6cc4aac3efd1ca4b8001d952d24961b2bbf9f65dc2d863b3b44529
Instruction Fuzzy Hash: CD110FB6C002498FDB14DF9AD444A9EFBF4AB88324F10896AD428A7210C379A545CFA5

Function 0B0D3AB8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0B0D4A45

Strings

sgm3, xrefs: 0B0D4A0A

Memory Dump Source

Source File: 00000003.00000002.4554098680.000000000B0D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B0D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b0d0000_csc.jbxd

Similarity

API ID: Initialize
String ID: sgm3
API String ID: 2538663250-2060810551
Opcode ID: a189ba4bcf9ea16a9c588dfa2a602a0b7e9c5fb07fb6857dd29c6ade94a6ae40
Instruction ID: 8250a1bbe8d4d33a95cafec16f80dbf2a84b8ec2ba0ab31acdfba0d3a8a5eb67
Opcode Fuzzy Hash: a189ba4bcf9ea16a9c588dfa2a602a0b7e9c5fb07fb6857dd29c6ade94a6ae40
Instruction Fuzzy Hash: 2D1133B5900348CFCB20DF9AD448B9EBBF8EB48220F208459D519A7340C378A944CFA9

Function 0B0D49EA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0B0D4A45

Strings

sgm3, xrefs: 0B0D4A0A

Memory Dump Source

Source File: 00000003.00000002.4554098680.000000000B0D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B0D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b0d0000_csc.jbxd

Similarity

API ID: Initialize
String ID: sgm3
API String ID: 2538663250-2060810551
Opcode ID: 9616d5eec8d8f5b990b2733bb72be05e1796452c73e341488a3663b45fdd7d99
Instruction ID: 7fb9cac0181ca7b817075791909b5af95d104d994a4e31275cc7f4129cdf60a0
Opcode Fuzzy Hash: 9616d5eec8d8f5b990b2733bb72be05e1796452c73e341488a3663b45fdd7d99
Instruction Fuzzy Hash: 9B1100B59003488FDB20DFAAD488BDEBFF4EB49320F24845AD558A7350C379A544CFA5

Function 0ABC0048 Relevance: 1.7, Strings: 1, Instructions: 426COMMON

Download Yara Rule

Strings

?, xrefs: 0ABC00AF

Memory Dump Source

Source File: 00000003.00000002.4553857696.000000000ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ABC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_abc0000_csc.jbxd

Similarity

API ID:
String ID: ?
API String ID: 0-1684325040
Opcode ID: 6c7c677365a8aae2d18569e1f3331debfde3ef89f08851e3bcb066f102c37351
Instruction ID: 72084dd4d998ff3df1d028d537de55d84bbca8371910fd43e49ee029507deb12
Opcode Fuzzy Hash: 6c7c677365a8aae2d18569e1f3331debfde3ef89f08851e3bcb066f102c37351
Instruction Fuzzy Hash: 3FF18030B00209DFEB15EBA5C844A6EBBB6FF88300F148069E5569B396EB35DD41DF51

Function 06C0FC28 Relevance: 1.5, APIs: 1, Instructions: 49fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,06C0FC45), ref: 06C0FCC8

Memory Dump Source

Source File: 00000003.00000002.4551944966.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c00000_csc.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 9fc646e9a0e942bb070a08f8d1ab493d38b2400b3d732d21865eec5d80b149f4
Instruction ID: a3059362f746f7e331249100acedac19f95531d5ec894f9e84a580101bf4c3b2
Opcode Fuzzy Hash: 9fc646e9a0e942bb070a08f8d1ab493d38b2400b3d732d21865eec5d80b149f4
Instruction Fuzzy Hash: 8811E1B2C05215CFDB24DF95D4563AEBBB0EF44310F11414AC819A7681D7389A84CBE1

Function 0ABC0000 Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

?, xrefs: 0ABC00AF

Memory Dump Source

Source File: 00000003.00000002.4553857696.000000000ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ABC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_abc0000_csc.jbxd

Similarity

API ID:
String ID: ?
API String ID: 0-1684325040
Opcode ID: 6f78c92dc620a1eeef2829b192609f2585c7e071f9a273d80a68d00f1b5b3629
Instruction ID: 0ec3f13aa43a3dd343664514e7b9d7757d99bf43e050295987c3abb473402628
Opcode Fuzzy Hash: 6f78c92dc620a1eeef2829b192609f2585c7e071f9a273d80a68d00f1b5b3629
Instruction Fuzzy Hash: 26912630B00706DFEB15EB69C850B6EBBB6FF85304F1441AAD502DB3A2EA75DD019B52

Function 00C8D4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4550916468.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c8d000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ed183769561532f713d372b201ba981d8fbcb7953c3f6a08a5db7f2a986cc15
Instruction ID: 00d38276fe12b3bbbc111d50fefcb4fd33465dc55988b3f75c9721bdfca7d698
Opcode Fuzzy Hash: 9ed183769561532f713d372b201ba981d8fbcb7953c3f6a08a5db7f2a986cc15
Instruction Fuzzy Hash: 712128B2504204EFDB05EF14D9C0B16BF65FB9831CF20816EE90A4B296C336D956CBA6

Function 00C8D3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4550916468.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c8d000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b5635e2036c07ac125025df4f5cafcf0a5e17f1d2d888aa980619a2358c8c9c
Instruction ID: ce2685d2f2356b5e29169c8f044de5860140bf5c22400cce023bc674e507a0c0
Opcode Fuzzy Hash: 4b5635e2036c07ac125025df4f5cafcf0a5e17f1d2d888aa980619a2358c8c9c
Instruction Fuzzy Hash: D6212572504204EFDB04EF14D9C0B26BF65FBD4328F20C569E90A4B296C336E856CBA5

Function 04FBD208 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4551168758.0000000004FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4fbd000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82952b7a7f259f99a5f4596f464f1e3f9e735ff8b7a0cdd951cdea626875a256
Instruction ID: a9d5d63ac345a3aa68fafd9b524dde02f6d1a7263c44fa10d0c72522b271d38c
Opcode Fuzzy Hash: 82952b7a7f259f99a5f4596f464f1e3f9e735ff8b7a0cdd951cdea626875a256
Instruction Fuzzy Hash: BA217972A00284DFEB04DF15D5C4B55BB65FB85314F20C5ADE9894B242C377E407CBA2

Function 00C8D4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4550916468.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c8d000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4163f8a738b895e3a03195f577c6e99c6dcd9217d130c51c8e43b8f667961e3
Instruction ID: 01fb4e2fbcecab0dc712a36c86fbf9bd936ad5444c67239f98a59f078f415fa0
Opcode Fuzzy Hash: c4163f8a738b895e3a03195f577c6e99c6dcd9217d130c51c8e43b8f667961e3
Instruction Fuzzy Hash: C011E6B6504240DFCB15DF14D5C4B16BF71FB94318F24C6AADC0A4B256C33AD956CBA1

Function 00C8D3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4550916468.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c8d000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4163f8a738b895e3a03195f577c6e99c6dcd9217d130c51c8e43b8f667961e3
Instruction ID: 713854eecbc6a136cd88094eb00e20115e7603fd34202f6cbdd0e44ab9bda6de
Opcode Fuzzy Hash: c4163f8a738b895e3a03195f577c6e99c6dcd9217d130c51c8e43b8f667961e3
Instruction Fuzzy Hash: DA112672404240DFCB05DF00D5C0B16BF72FB94324F24C5A9D8090B656C33AE956CBA1

Function 04FBD203 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4551168758.0000000004FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4fbd000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 266c387f8ae13a1d97c860eeb2b613950a144f769af30e4a24cccb1e8c5eac3e
Instruction ID: 1b2de0f1417621fb1c2bf6c85597e5a435bf17b582682d384502bc251bec2e24
Opcode Fuzzy Hash: 266c387f8ae13a1d97c860eeb2b613950a144f769af30e4a24cccb1e8c5eac3e
Instruction Fuzzy Hash: 7811DD75904284CFDB05CF10D5C4B55BFA1FB85314F28C6AEDC494B256C33AE40ACBA2

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report build.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Quasar

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Logs\06-08-2024

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Windows Analysis Report
build.exe

Function 0041CABA Relevance: 42.3, APIs: 1, Strings: 23, Instructions: 298
memoryCOMMON

Function 0041CD00 Relevance: 26.8, APIs: 1, Strings: 14, Instructions: 549
memoryCOMMON

Function 0041D257 Relevance: 26.5, APIs: 1, Strings: 14, Instructions: 233
memoryCOMMON

Function 004070F4 Relevance: 1.8, APIs: 1, Instructions: 250
memoryCOMMON

Function 0041715A Relevance: 1.7, APIs: 1, Instructions: 188
nativeCOMMON

Function 00407302 Relevance: 1.6, APIs: 1, Instructions: 110
memoryCOMMON

Function 004066DB Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 193
memoryCOMMON

Function 0041D991 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 120
memoryCOMMON

Function 0041FFB3 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 285
COMMON

Function 0041F810 Relevance: 1.7, APIs: 1, Instructions: 218
COMMON

Function 0041FCCF Relevance: 1.7, APIs: 1, Instructions: 200
COMMON

Function 00407150 Relevance: 1.6, APIs: 1, Instructions: 96
memoryCOMMON

Function 004076BB Relevance: 1.6, APIs: 1, Instructions: 77
memoryCOMMON

Function 00407002 Relevance: 1.6, APIs: 1, Instructions: 76
COMMON

Function 0041FBE1 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON