
Windows Analysis Report
2ktrFR0W3v.exe

Overview

General Information

Sample name: 2ktrFR0W3v.exe (renamed because the original name is a hash value)
Original sample name: 2a8c219afd3d9e171dc1515b32185bad9172bbcdaf15a6a7502458b6e7553ff5.exe
Analysis ID: 1531023
MD5: 387b657fab27ddabb59998479ce069db
SHA1: 94e8062fdbeba343f328ef8d155c274a69fec39e
SHA256: 2a8c219afd3d9e171dc1515b32185bad9172bbcdaf15a6a7502458b6e7553ff5
Tags: 24-152-39-227, exe, user-JAMESWT_MHT

Detection

Clipboard Hijacker, Quasar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Clipboard Hijacker
Yara detected Powershell download and execute
Yara detected Quasar RAT
Yara detected UAC Bypass using CMSTP
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to disable the Task Manager (.Net Source)
Contains functionality to hide user accounts
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Classification chart (labels only): Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale: clean, suspicious, malicious
  • System is w10x64
  • 2ktrFR0W3v.exe (PID: 7232 cmdline: "C:\Users\user\Desktop\2ktrFR0W3v.exe" MD5: 387B657FAB27DDABB59998479CE069DB)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
2ktrFR0W3v.exe | JoeSecurity_Clipboard_Hijacker_3 | Yara detected Clipboard Hijacker | Joe Security |
2ktrFR0W3v.exe | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security |
2ktrFR0W3v.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
2ktrFR0W3v.exe | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
2ktrFR0W3v.exe | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
(7 entries in total; the first 5 are shown)
Source | Rule | Description | Author | Strings
00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Clipboard_Hijacker_3 | Yara detected Clipboard Hijacker | Joe Security |
00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security |
00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen |
  • 0xef9cb:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
  • 0xf13aa:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
(6 entries in total; the first 5 are shown)
Source | Rule | Description | Author | Strings
0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack | JoeSecurity_Clipboard_Hijacker_3 | Yara detected Clipboard Hijacker | Joe Security |
0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security |
0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
(39 entries in total; the first 5 are shown)
                              No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-10T19:18:54.374248+0200 | 2036383 | 1 | A Network Trojan was detected | 192.168.2.10 | 49701 | 208.95.112.1 | 80 | TCP


                              AV Detection

Source: 2ktrFR0W3v.exe | Avira: detected
Source: 2ktrFR0W3v.exe | ReversingLabs: Detection: 78%
Source: Yara match | File source: 2ktrFR0W3v.exe, type: SAMPLE
Source: Yara match | File source: 0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 2ktrFR0W3v.exe PID: 7232, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 2ktrFR0W3v.exe | Joe Sandbox ML: detected

                              Exploits

Source: Yara match | File source: 2ktrFR0W3v.exe, type: SAMPLE
Source: Yara match | File source: 0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 2ktrFR0W3v.exe PID: 7232, type: MEMORYSTR
Source: 2ktrFR0W3v.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 2ktrFR0W3v.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D:\addexclusion\obj\Release\addexclusion.pdb | source: 2ktrFR0W3v.exe
Source: Binary string: D:\MEMORYU\MEMORYU\obj\Debug\MEMORYU.pdb | source: 2ktrFR0W3v.exe
Source: Binary string: D:\CreateVenomUser\obj\Release\Create.pdb | source: 2ktrFR0W3v.exe
Source: Binary string: D:\CreateVenomUser\Uac-Executor\obj\Release\CU.pdb | source: 2ktrFR0W3v.exe
Source: Binary string: D:\Ransomware-Builder-v0.2d-master\Decryptor\Decryptor\obj\Debug\Decryptor.pdb | source: 2ktrFR0W3v.exe
Source: Binary string: D:\Ransomware-Builder-v0.2d-master\Decryptor\Decryptor\obj\Debug\Decryptor.pdbLd | source: 2ktrFR0W3v.exe
Source: 2ktrFR0W3v.exe, 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: autorun.inf
Source: 2ktrFR0W3v.exe, 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: [autorun]
Source: 2ktrFR0W3v.exe | Binary or memory string: autorun.inf
Source: 2ktrFR0W3v.exe | Binary or memory string: [autorun]

                              Networking

Source: Network traffic | Suricata IDS: 2036383 - Severity 1 - ET MALWARE Common RAT Connectivity Check Observed : 192.168.2.10:49701 -> 208.95.112.1:80
Source: Yara match | File source: 2ktrFR0W3v.exe, type: SAMPLE
Source: Yara match | File source: 0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.10:49707 -> 24.152.39.227:4782
Source: Joe Sandbox View | IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View | ASN Name: TUT-ASUS TUT-ASUS
Source: unknown | DNS query: name: ip-api.com
Source: global traffic | HTTP traffic detected:
    GET /json/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
    Host: ip-api.com
    Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 24.152.39.227 (18 identical entries)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
    GET /json/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
    Host: ip-api.com
    Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: 2ktrFR0W3v.exe | String found in binary or memory: http://127.0.0.1:4040/api
Source: 2ktrFR0W3v.exe | String found in binary or memory: http://127.0.0.1:4040/api/tunnels
Source: 2ktrFR0W3v.exe | String found in binary or memory: http://91.134.207.16/update/ngrok.exe
Source: 2ktrFR0W3v.exe | String found in binary or memory: http://91.134.207.16/update/ngrok.exe9set
Source: 2ktrFR0W3v.exe | String found in binary or memory: http://api.ipify.org/
Source: 2ktrFR0W3v.exe | String found in binary or memory: http://freegeoip.net/xml/
Source: 2ktrFR0W3v.exe | String found in binary or memory: http://geocoder.ca/?locate=
Source: 2ktrFR0W3v.exe, 00000000.00000002.2564022496.00000000032EF000.00000004.00000800.00020000.00000000.sdmp, 2ktrFR0W3v.exe, 00000000.00000002.2564022496.00000000032DC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: 2ktrFR0W3v.exe | String found in binary or memory: http://ip-api.com/json/
Source: 2ktrFR0W3v.exe, 00000000.00000002.2564022496.00000000032EF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com0
Source: 2ktrFR0W3v.exe, 00000000.00000002.2564022496.00000000032EF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.comd
Source: 2ktrFR0W3v.exe, 00000000.00000002.2564022496.00000000032EF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: 2ktrFR0W3v.exe, 00000000.00000002.2564022496.00000000032EF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/d
Source: 2ktrFR0W3v.exe, 00000000.00000002.2564022496.00000000032DC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 2ktrFR0W3v.exe | String found in binary or memory: https://geocoder.ca/?locate=
Source: 2ktrFR0W3v.exe | String found in binary or memory: https://google.com
Source: 2ktrFR0W3v.exe | String found in binary or memory: https://whatismyipaddress.com/update-location9internetexplorer.application

                              E-Banking Fraud

Source: Yara match | File source: 2ktrFR0W3v.exe, type: SAMPLE
Source: Yara match | File source: 0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 2ktrFR0W3v.exe PID: 7232, type: MEMORYSTR

                              System Summary

Source: 2ktrFR0W3v.exe, type: SAMPLE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 2ktrFR0W3v.exe, type: SAMPLE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 2ktrFR0W3v.exe, type: SAMPLE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 2ktrFR0W3v.exe, type: SAMPLE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 2ktrFR0W3v.exe, type: SAMPLE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 2ktrFR0W3v.exe, type: SAMPLE | Matched rule: QuasarRAT payload Author: ditekSHen
Source: 2ktrFR0W3v.exe, type: SAMPLE | Matched rule: Detects known downloader agent Author: ditekSHen
Source: 0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack, type: UNPACKEDPE | Matched rule: QuasarRAT payload Author: ditekSHen
Source: 0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects known downloader agent Author: ditekSHen
Source: 0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack, type: UNPACKEDPE | Matched rule: QuasarRAT payload Author: ditekSHen
Source: 0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects known downloader agent Author: ditekSHen
Source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE | Matched rule: QuasarRAT payload Author: ditekSHen
Source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE | Matched rule: Detects known downloader agent Author: ditekSHen
Source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE | Matched rule: QuasarRAT payload Author: ditekSHen
Source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects known downloader agent Author: ditekSHen
Source: 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: 2ktrFR0W3v.exe PID: 7232, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Code function: 0_2_017CA0A0
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Code function: 0_2_017CA970
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Code function: 0_2_06AC9498
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Code function: 0_2_06AC2B98
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Code function: 0_2_06AC0360
Source: 2ktrFR0W3v.exe, 00000000.00000002.2563248535.00000000012F8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 2ktrFR0W3v.exe
Source: 2ktrFR0W3v.exe, 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameCreate.exe@ vs 2ktrFR0W3v.exe
Source: 2ktrFR0W3v.exe, 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameCU.exe& vs 2ktrFR0W3v.exe
Source: 2ktrFR0W3v.exe, 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameDecryptor.exeV vs 2ktrFR0W3v.exe
Source: 2ktrFR0W3v.exe, 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameMEMORYU.exe0 vs 2ktrFR0W3v.exe
Source: 2ktrFR0W3v.exe, 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameaddexclusion.exe: vs 2ktrFR0W3v.exe
Source: 2ktrFR0W3v.exe, 00000000.00000000.1301045873.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameVenombin.exe2 vs 2ktrFR0W3v.exe
Source: 2ktrFR0W3v.exe | Binary or memory string: OriginalFilenameCreate.exe@ vs 2ktrFR0W3v.exe
Source: 2ktrFR0W3v.exe | Binary or memory string: OriginalFilenameCU.exe& vs 2ktrFR0W3v.exe
Source: 2ktrFR0W3v.exe | Binary or memory string: OriginalFilenameDecryptor.exeV vs 2ktrFR0W3v.exe
Source: 2ktrFR0W3v.exe | Binary or memory string: OriginalFilenameMEMORYU.exe0 vs 2ktrFR0W3v.exe
Source: 2ktrFR0W3v.exe | Binary or memory string: OriginalFilenameaddexclusion.exe: vs 2ktrFR0W3v.exe
Source: 2ktrFR0W3v.exe | Binary or memory string: OriginalFilenameVenombin.exe2 vs 2ktrFR0W3v.exe
Source: 2ktrFR0W3v.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 2ktrFR0W3v.exe, type: SAMPLE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 2ktrFR0W3v.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 2ktrFR0W3v.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 2ktrFR0W3v.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 2ktrFR0W3v.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 2ktrFR0W3v.exe, type: SAMPLE | Matched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
Source: 2ktrFR0W3v.exe, type: SAMPLE | Matched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
Source: 0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
Source: 0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
Source: 0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
Source: 0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
Source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
Source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
Source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
Source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
Source: 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: 2ktrFR0W3v.exe PID: 7232, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 2ktrFR0W3v.exe, .cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2ktrFR0W3v.exe, ------.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2ktrFR0W3v.exe, ------.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2ktrFR0W3v.exe, -X---.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2ktrFR0W3v.exe, -X---.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2ktrFR0W3v.exe, -X---.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2ktrFR0W3v.exe, -X---.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2ktrFR0W3v.exe, ---.cs | Cryptographic APIs: 'TransformFinalBlock'
                              Source: 2ktrFR0W3v.exe, ---.csCryptographic APIs: 'TransformFinalBlock'
                              Source: 2ktrFR0W3v.exe, -.csBase64 encoded string: 'jQKEuhmBrDwki54AxZBI2qrUSFOJVRp5qZLwAPWv4RpzCZvtThzUxR6l5RVF97EA9Q3DycD1x/11389WbiRsTA==', 'Hc9PXkSY+teoK00Hn3TfOND14SHqES7GKjtT7fDiA7AEYnUGSgtHtw9bgL52xoeUXU7WkfVfh9Y7AK2d67bybA7+ZoONoYIaREcS6a8gvFQ=', 'Y95mgSQoWH6ARq4UWEd3jv72QV9/01xSZNRyN85Lhcr/825cfPLYou31DI7hq9JxGLOpX+ne4DBXsuTT9g4xWod85ciXp9pg3CXzthfEtV8=', 'pnmp7UAQ1YMJE9Zi+rilrNXGujsQa+fnXD0P7MWmax7bqKNp1Ij+kvqkJ+MXKUqaC0GFyvCYxravUEo5yc932A==', 'tEYQwaUwrcJDTTg5c2zkx0edhr9O7EQl1FSdTpEoB+rgX7iFoGbS+RlO6foYa40IOxTUy5kjO+QgnAs3eiuKeA=='
                              Source: 2ktrFR0W3v.exe, .csBase64 encoded string: 'hkMLwJ6kLl/wcdO3zsAo7VqfFSEWVA8A9o3MyCnu60m9Go75uaIYsNblUZzcRVIUiiEBeuP6LNaWca6d/yJq4cGdt7P7Hv71j+pr9VlxQYs=', 'hkMLwJ6kLl/wcdO3zsAo7VqfFSEWVA8A9o3MyCnu60m9Go75uaIYsNblUZzcRVIUiiEBeuP6LNaWca6d/yJq4cGdt7P7Hv71j+pr9VlxQYs=', 'hkMLwJ6kLl/wcdO3zsAo7VqfFSEWVA8A9o3MyCnu60m9Go75uaIYsNblUZzcRVIUiiEBeuP6LNaWca6d/yJq4cGdt7P7Hv71j+pr9VlxQYs=', 'hkMLwJ6kLl/wcdO3zsAo7VqfFSEWVA8A9o3MyCnu60m9Go75uaIYsNblUZzcRVIUiiEBeuP6LNaWca6d/yJq4cGdt7P7Hv71j+pr9VlxQYs='
                              Source: 2ktrFR0W3v.exe, ------.csBase64 encoded string: 'qiimzYPx0mUYk1Rr2FKAAqLWPVpJZfdW3vSNIZqoEAAXhFSxVMu4607KCwORqyR8d380oEo85zusjT/tI8oIWOIBuAy8A0Wwd+/Qk37BK9+i+wk5JxbXVR1Q4uTQlCe8YIpuyZyOCxjKf80gClzOhA=='
                              Source: 2ktrFR0W3v.exe, -X---.csBase64 encoded string: 'gQ8qxzxGQ6tCfnxdcTHggypxrsh84/ZPaB6zQZr32ZIngFw97hGp88lGESFOmRFuKhpfKiXJ68fR8c2qmRDFmW6gVmRTHFcQssKadf3pZEr2v8L2T+wRzxQiZ65fHHpVsRjD6R+BXea7ZKc/WE7moQ==', 'qiimzYPx0mUYk1Rr2FKAAqLWPVpJZfdW3vSNIZqoEAAXhFSxVMu4607KCwORqyR8d380oEo85zusjT/tI8oIWGaXObaAvVU95fBcDgAWSEK1FHtY11RA+WKgpz8WlU6Uuwd54dHpyIPwGYkuAD9Fxg==', 'qiimzYPx0mUYk1Rr2FKAAqLWPVpJZfdW3vSNIZqoEAAXhFSxVMu4607KCwORqyR8d380oEo85zusjT/tI8oIWGaXObaAvVU95fBcDgAWSEK1FHtY11RA+WKgpz8WlU6UjHmYfbPuly+0KRBbK1rkYw==', 'gQ8qxzxGQ6tCfnxdcTHggypxrsh84/ZPaB6zQZr32ZIngFw97hGp88lGESFOmRFuKhpfKiXJ68fR8c2qmRDFmZ2Ycy3e30jKppX/E7xkEib4/z67tZKoEYv83p/4+zBVVzKA5GBNJVAQeNlU2D356g==', 'qiimzYPx0mUYk1Rr2FKAAqLWPVpJZfdW3vSNIZqoEAAXhFSxVMu4607KCwORqyR8d380oEo85zusjT/tI8oIWGaXObaAvVU95fBcDgAWSEIYvjDZa9XYE0+7rxNT6T+fjdAnjNI0zvODtDqjZNkCtlpSP03+0Q42bABNh30ix+w=', 'gQ8qxzxGQ6tCfnxdcTHggypxrsh84/ZPaB6zQZr32ZLpApyDHLbEXqnGn1FyZg7Eq9i/pG9iADhVnXwVkBIvQwJiMaH4nY12/3X8x8A4ufBXH6ygZHRLMSEsYfY0zx/zb1BUKgiM1jQi0uo9uE/PzA==', 'qiimzYPx0mUYk1Rr2FKAAqLWPVpJZfdW3vSNIZqoEAAXhFSxVMu4607KCwORqyR8d380oEo85zusjT/tI8oIWGaXObaAvVU95fBcDgAWSEIV2sXOWTgN+Pcj462ljl3Oel4j7/mHDp79pNiFrTs78w==', 'qiimzYPx0mUYk1Rr2FKAAqLWPVpJZfdW3vSNIZqoEAAXhFSxVMu4607KCwORqyR8d380oEo85zusjT/tI8oIWGaXObaAvVU95fBcDgAWSEKpND3C57oKLuSoz2v0dV0bH4OpoapDChUYkbYYFnLcWg==', 'qiimzYPx0mUYk1Rr2FKAAqLWPVpJZfdW3vSNIZqoEAAXhFSxVMu4607KCwORqyR8d380oEo85zusjT/tI8oIWGaXObaAvVU95fBcDgAWSEIiZVQ0kG2wUYnLtVlMfGzyoXu9rYGMvy2WPGxRHvbNuw==', 'gQ8qxzxGQ6tCfnxdcTHggypxrsh84/ZPaB6zQZr32ZLpApyDHLbEXqnGn1FyZg7Eq9i/pG9iADhVnXwVkBIvQwJiMaH4nY12/3X8x8A4ufBRxadFEongss8PG/bC9lI1', 'gQ8qxzxGQ6tCfnxdcTHggypxrsh84/ZPaB6zQZr32ZLpApyDHLbEXqnGn1FyZg7Eq9i/pG9iADhVnXwVkBIvQwJiMaH4nY12/3X8x8A4ufAW7GCW9GjpuWcfklYXAs6CiBoXBbf1Lv3a+mDn1iQPmA==', 'gQ8qxzxGQ6tCfnxdcTHggypxrsh84/ZPaB6zQZr32ZL55WPp1zFAZn8zSVFhxCWcj8ZwVoOyAh3WyvInTOcAh1+e5NguCqUj9siUnyU8QPXCWprAFrmvVH0I47l4XKF0CU6+9UCVTN5OD1t5yFpLak6BKCf30RLXOpMaw4zZAX+5byXxPbbzmQCnuxE/Oa5N', 
'qiimzYPx0mUYk1Rr2FKAAqLWPVpJZfdW3vSNIZqoEAAXhFSxVMu4607KCwORqyR8d380oEo85zusjT/tI8oIWGaXObaAvVU95fBcDgAWSEKqQ+j67oBoT2z2qfHg14RFRfwf2L/5ZuZCOISZ7KrAzA==', 'gQ8qxzxGQ6tCfnxdcTHggypxrsh84/ZPaB6zQZr32ZLpApyDHLbEXqnGn1FyZg7Eq9i/pG9iADhVnXwVkBIvQwJiMaH4nY12/3X8x8A4ufADkY5vVIkbqyYOLhgaSgMtVkD80S5IvRbSbZvE8djdGw==', 'qiimzYPx0mUYk1Rr2FKAAqLWPVpJZfdW3vSNIZqoEAAXhFSxVMu4607KCwORqyR8d380oEo85zusjT/tI8oIWGaXObaAvVU95fBcDgAWSEIkWi3sLUNRh0Us6PpUJTJU/MlGxIz2bPjpalNjhg2ZIcexmyTaTR06cglMzpKyszA=', 'gQ8qxzxGQ6tCfnxdcTHggypxrsh84/ZPaB6zQZr32ZLpApyDHLbEXqnGn1FyZg7Eq9i/pG9iADhVnXwVkBIvQwJiMaH4nY12/3X8x8A4ufC1uEKwOfFncL3zY4OSoglTCShqS22/MD5ofOX6HxfFjA==', 'gQ8qxzxGQ6tCfnxdcTHggypxrsh84/ZPaB6zQZr32ZL55WPp1zFAZn8zSVFhxCWcj8ZwVoOyAh3WyvInTOcAh1+e5NguCqUj9siUnyU8QPXCWprAFrmvVH0I47l4XKF0CU6+9UCVTN5OD1t5yFpLak6BKCf30RLXOpMaw4zZAX+5byXxPbbzmQCnuxE/Oa5N', 'gQ8qxzxGQ6tCfnxdcTHggypxrsh84/ZPaB6zQZr32ZL55WPp1zFAZn8zSVFhxCWcj8ZwVoOyAh3WyvInTOcAh1+e5NguCqUj9siUnyU8QPXCWprAFrmvVH0I47l4XKF0CU6+9UCVTN5OD1t5yFpLak6BKCf30RLXOpMaw4zZAX+5byXxPbbzmQCnuxE/Oa5N', 'NKOPmTypVXOBw8M4exFGSq4eGiXmVqCKtyAJ1+pZppYCTgTeoOlr8xo
                              Source: 2ktrFR0W3v.exe, -X---.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                              Source: 2ktrFR0W3v.exe, -X---.cs | Security API names: File.GetAccessControl
                              Source: 2ktrFR0W3v.exe, -X---.cs | Security API names: File.SetAccessControl
                              Source: 2ktrFR0W3v.exe, -X---.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                              Source: 2ktrFR0W3v.exe, ---.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                              Source: 2ktrFR0W3v.exe, ---.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                              Source: 2ktrFR0W3v.exe, -6---.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                              Source: 2ktrFR0W3v.exe, -6---.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                              Source: 2ktrFR0W3v.exe, ----.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                              Source: 2ktrFR0W3v.exe, ----.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                              Source: 2ktrFR0W3v.exe, ----.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                              Source: 2ktrFR0W3v.exe, ----.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                              Source: 2ktrFR0W3v.exe, ---.cs | Security API names: File.GetAccessControl
                              Source: 2ktrFR0W3v.exe, ---.cs | Security API names: File.SetAccessControl
                              Source: 2ktrFR0W3v.exe, ---.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                              Source: 2ktrFR0W3v.exe, u--.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                              Source: 2ktrFR0W3v.exe, u--.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                              Source: 2ktrFR0W3v.exe, ------.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                              Source: 2ktrFR0W3v.exe, ------.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                              Source: 2ktrFR0W3v.exe, ----.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                              Source: 2ktrFR0W3v.exe, ----.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                              Source: 2ktrFR0W3v.exe, ---2-.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                              Source: 2ktrFR0W3v.exe, ---2-.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                              Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@1/0@1/2
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Mutant created: NULL
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Mutant created: \Sessions\1\BaseNamedObjects\JlYM51eW4iZoFyLa2X
                              Source: 2ktrFR0W3v.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              Source: 2ktrFR0W3v.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                              Source: 2ktrFR0W3v.exe | ReversingLabs: Detection: 78%
                              Source: 2ktrFR0W3v.exe | String found in binary or memory: /add?command completed successfully.C/c net localgroup administrators sSoftware\Microsoft\Windows\CurrentVersion\Policies\System
                              Source: 2ktrFR0W3v.exe | String found in binary or memory: /addC/c net localgroup administrators eabcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNOPQRSTUVWXYZsSoftware\Microsoft\Windows\CurrentVersion\Policies\System
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Section loaded: mscoree.dll
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Section loaded: kernel.appcore.dll
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Section loaded: version.dll
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Section loaded: vcruntime140_clr0400.dll
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Section loaded: ucrtbase_clr0400.dll
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Section loaded: uxtheme.dll
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Section loaded: windows.storage.dll
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Section loaded: wldp.dll
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Section loaded: profapi.dll
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Section loaded: cryptsp.dll
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Section loaded: rsaenh.dll
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Section loaded: cryptbase.dll
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Section loaded: wbemcomn.dll
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Section loaded: amsi.dll
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Section loaded: userenv.dll
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Section loaded: rasapi32.dll
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Section loaded: rasman.dll
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Section loaded: rtutils.dll
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Section loaded: mswsock.dll
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Section loaded: winhttp.dll
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Section loaded: ondemandconnroutehelper.dll
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Section loaded: iphlpapi.dll
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Section loaded: dhcpcsvc6.dll
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Section loaded: dhcpcsvc.dll
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Section loaded: dnsapi.dll
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Section loaded: winnsi.dll
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Section loaded: rasadhlp.dll
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Section loaded: fwpuclnt.dll
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                              Source: 2ktrFR0W3v.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                              Source: 2ktrFR0W3v.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                              Source: 2ktrFR0W3v.exe | Static file information: File size 1085952 > 1048576
                              Source: 2ktrFR0W3v.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x108200
                              Source: 2ktrFR0W3v.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                              Source: Binary string: D:\addexclusion\obj\Release\addexclusion.pdb source: 2ktrFR0W3v.exe
                              Source: Binary string: D:\MEMORYU\MEMORYU\obj\Debug\MEMORYU.pdb source: 2ktrFR0W3v.exe
                              Source: Binary string: D:\CreateVenomUser\obj\Release\Create.pdb source: 2ktrFR0W3v.exe
                              Source: Binary string: D:\CreateVenomUser\Uac-Executor\obj\Release\CU.pdb source: 2ktrFR0W3v.exe
                              Source: Binary string: D:\Ransomware-Builder-v0.2d-master\Decryptor\Decryptor\obj\Debug\Decryptor.pdb source: 2ktrFR0W3v.exe
                              Source: Binary string: D:\Ransomware-Builder-v0.2d-master\Decryptor\Decryptor\obj\Debug\Decryptor.pdbLd source: 2ktrFR0W3v.exe

                              Data Obfuscation

                              Source: 2ktrFR0W3v.exe, .cs | .Net Code: _29AF_F031_E881_F8D7_EE13_2559 System.AppDomain.Load(byte[])
                              Source: 2ktrFR0W3v.exe, .cs | .Net Code: _29AF_F031_E881_F8D7_EE13_2559
                              Source: 2ktrFR0W3v.exe, .cs | .Net Code: _24EB_E22B_0319_FFFD_E4D7_E30A System.Reflection.Assembly.Load(byte[])
                              Source: 2ktrFR0W3v.exe, .cs | .Net Code: _0C73_2495_20EB_02D2_0CDA_22FD_F00F_1374 System.AppDomain.Load(byte[])
                              Source: 2ktrFR0W3v.exe, .cs | .Net Code: _0C73_2495_20EB_02D2_0CDA_22FD_F00F_1374
                              Source: 2ktrFR0W3v.exe, .cs | .Net Code: _2715_F7FE_E551_E74D System.AppDomain.Load(byte[])
                              Source: 2ktrFR0W3v.exe, .cs | .Net Code: _E74A System.Reflection.Assembly.Load(byte[])
                              Source: 2ktrFR0W3v.exe, ------.cs | .Net Code: _28ED_294D_A705_FFFD_2FAB_FFFD_E748 System.AppDomain.Load(byte[])
                              Source: 2ktrFR0W3v.exe, -X---.cs | .Net Code: _FFFD System.AppDomain.Load(byte[])
                              Source: 2ktrFR0W3v.exe, -X---.cs | .Net Code: _FFFD
                              Source: 2ktrFR0W3v.exe, -X---.cs | .Net Code: _E96B_058F_2D6E System.Reflection.Assembly.Load(byte[])
                              Source: 2ktrFR0W3v.exe, -X---.cs | .Net Code: _FFFD_F092_F71F_A7D5_0B78_A499 System.AppDomain.Load(byte[])
                              Source: 2ktrFR0W3v.exe, -X---.cs | .Net Code: _FFFD_F092_F71F_A7D5_0B78_A499
                              Source: 2ktrFR0W3v.exe, -X---.cs | .Net Code: _E999_F687_FFFD_209D System.AppDomain.Load(byte[])
                              Source: 2ktrFR0W3v.exe, -X---.cs | .Net Code: _F22C_25F1_F26F_2A13_ED2F_E2C6_1B35 System.Reflection.Assembly.Load(byte[])
                              Source: 2ktrFR0W3v.exe, ---.cs | .Net Code: _1071_0983_EE16_0AD9 System.Reflection.Assembly.Load(byte[])
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Code function: 0_2_017CA094 pushad ; retf 0_2_017CA095
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Code function: 0_2_017C6DF0 pushfd ; ret 0_2_017C6DF1
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Code function: 0_2_06AC7193 push es; ret 0_2_06AC71A0

                              Hooking and other Techniques for Hiding and Protection

                              Source: 2ktrFR0W3v.exe, 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                              Source: 2ktrFR0W3v.exe, 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: 7New-ItemProperty -Path HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList -Name Durios -PropertyType DWord -Value 0 -Force
                              Source: 2ktrFR0W3v.exe, 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: 5New-ItemProperty -Path HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList -Name Venom -PropertyType DWord -Value 0 -Force
                              Source: 2ktrFR0W3v.exe | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                              Source: 2ktrFR0W3v.exe | String found in binary or memory: 7New-ItemProperty -Path HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList -Name Durios -PropertyType DWord -Value 0 -Force
                              Source: 2ktrFR0W3v.exe | String found in binary or memory: 5New-ItemProperty -Path HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList -Name Venom -PropertyType DWord -Value 0 -Force
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | File opened: C:\Users\user\Desktop\2ktrFR0W3v.exe:Zone.Identifier read attributes | delete
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Process information set: NOOPENFILEERRORBOX

                              Malware Analysis System Evasion

                              Source: Yara match | File source: 2ktrFR0W3v.exe, type: SAMPLE
                              Source: Yara match | File source: 0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                              Source: Yara match | File source: Process Memory Space: 2ktrFR0W3v.exe PID: 7232, type: MEMORYSTR
                              Source: 2ktrFR0W3v.exe | Binary or memory string: SBIEDLL.DLL
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Memory allocated: 17C0000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Memory allocated: 3270000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Memory allocated: 1820000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe TID: 7252 | Thread sleep time: -42500s >= -30000s
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Last function: Thread delayed
                              Source: 2ktrFR0W3v.exe | Binary or memory string: vmware
                              Source: 2ktrFR0W3v.exe, 00000000.00000002.2563511197.00000000014F7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Process token adjusted: Debug
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Memory allocated: page read and write | page guard

                              HIPS / PFW / Operating System Protection Evasion

                              Source: Yara match | File source: Process Memory Space: 2ktrFR0W3v.exe PID: 7232, type: MEMORYSTR
                              Source: 2ktrFR0W3v.exe, ----.cs | Reference to suspicious API methods: ReadProcessMemory(processInformation._2F84_0C7D_FFFD_270E, num3 + 4 + 4, ref buffer, 4, ref bytesRead)
                              Source: 2ktrFR0W3v.exe, ----.cs | Reference to suspicious API methods: VirtualAllocEx(processInformation._2F84_0C7D_FFFD_270E, num2, length, 12288, 64)
                              Source: 2ktrFR0W3v.exe, ----.cs | Reference to suspicious API methods: WriteProcessMemory(processInformation._2F84_0C7D_FFFD_270E, num4, data, bufferSize, ref bytesRead)
                              Source: 2ktrFR0W3v.exe | Binary or memory string: Shell_TrayWnd
                              Source: 2ktrFR0W3v.exe | Binary or memory string: Progman
                              Source: 2ktrFR0W3v.exe | Binary or memory string: Shell_traywnd
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Queries volume information: C:\Users\user\Desktop\2ktrFR0W3v.exe VolumeInformation
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                              Source: C:\Users\user\Desktop\2ktrFR0W3v.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                              Lowering of HIPS / PFW / Operating System Security Settings

Source: 2ktrFR0W3v.exe, -X---.cs; .Net Code: _F705_2689_EC88_FFFD_211E_ED67

                              Stealing of Sensitive Information

Source: Yara match; File source: 2ktrFR0W3v.exe, type: SAMPLE
Source: Yara match; File source: 0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 2ktrFR0W3v.exe PID: 7232, type: MEMORYSTR
Source: Yara match; File source: 2ktrFR0W3v.exe, type: SAMPLE
Source: Yara match; File source: 0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 2ktrFR0W3v.exe PID: 7232, type: MEMORYSTR

                              Remote Access Functionality

Source: Yara match; File source: 2ktrFR0W3v.exe, type: SAMPLE
Source: Yara match; File source: 0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 2ktrFR0W3v.exe PID: 7232, type: MEMORYSTR
MITRE ATT&CK Matrix (a number before a technique name is the count shown by the report for that technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 1 Replication Through Removable Media | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Process Injection | 2 Virtualization/Sandbox Evasion | OS Credential Dumping | 11 Security Software Discovery | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Disable or Modify Tools | LSASS Memory | 2 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Process Injection | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 1 Peripheral Device Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Hidden Files and Directories | LSA Secrets | 1 System Network Configuration Discovery | SSH | Keylogging | 12 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Hidden Users | Cached Domain Credentials | 12 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 11 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph ID: 1531023; Sample: 2ktrFR0W3v.exe; Startdate: 10/10/2024; Architecture: WINDOWS; Score: 100
Start -> 2ktrFR0W3v.exe started (node annotations 15, 2)
Sample-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 14 other signatures
DNS: ip-api.com
2ktrFR0W3v.exe -> ip-api.com 208.95.112.1 (ports 49701, 80), TUT-ASUS, United States
2ktrFR0W3v.exe -> 24.152.39.227 (ports 4782, 49707, 49865), MasterDaWebBR, unknown
Process-level signatures: Contains functionality to hide user accounts; Hides that the sample has been downloaded from the Internet (zone.identifier)

Source | Detection | Scanner | Label | Link
2ktrFR0W3v.exe | 79% | ReversingLabs | ByteCode-MSIL.Infostealer.ClipBanker |
2ktrFR0W3v.exe | 100% | Avira | TR/Dropper.MSIL.Gen |
2ktrFR0W3v.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://ip-api.com | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |


Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip-api.com | 208.95.112.1 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://ip-api.com/json/ | true | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.datacontract.org/2004/07/d | 2ktrFR0W3v.exe, 00000000.00000002.2564022496.00000000032EF000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://freegeoip.net/xml/ | 2ktrFR0W3v.exe | false | | unknown
http://91.134.207.16/update/ngrok.exe9set | 2ktrFR0W3v.exe | false | | unknown
http://schemas.datacontract.org/2004/07/ | 2ktrFR0W3v.exe, 00000000.00000002.2564022496.00000000032EF000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://127.0.0.1:4040/api/tunnels | 2ktrFR0W3v.exe | false | | unknown
http://ip-api.com | 2ktrFR0W3v.exe, 00000000.00000002.2564022496.00000000032EF000.00000004.00000800.00020000.00000000.sdmp, 2ktrFR0W3v.exe, 00000000.00000002.2564022496.00000000032DC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ip-api.comd | 2ktrFR0W3v.exe, 00000000.00000002.2564022496.00000000032EF000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://geocoder.ca/?locate= | 2ktrFR0W3v.exe | false | | unknown
http://api.ipify.org/ | 2ktrFR0W3v.exe | false | | unknown
http://ip-api.com0 | 2ktrFR0W3v.exe, 00000000.00000002.2564022496.00000000032EF000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://geocoder.ca/?locate= | 2ktrFR0W3v.exe | false | | unknown
https://google.com | 2ktrFR0W3v.exe | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 2ktrFR0W3v.exe, 00000000.00000002.2564022496.00000000032DC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://127.0.0.1:4040/api | 2ktrFR0W3v.exe | false | | unknown
http://91.134.207.16/update/ngrok.exe | 2ktrFR0W3v.exe | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | true
24.152.39.227 | unknown | unknown | 270564 | MasterDaWebBR | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1531023
Start date and time: 2024-10-10 19:17:56 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 57s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 2ktrFR0W3v.exe (renamed because the original name is a hash value)
Original Sample Name: 2a8c219afd3d9e171dc1515b32185bad9172bbcdaf15a6a7502458b6e7553ff5.exe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@1/0@1/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 19
• Number of non-executed functions: 3
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big: too many NtQueryValueKey calls found.
• Report size getting too big: too many NtReadVirtualMemory calls found.
• VT rate limit hit for: 2ktrFR0W3v.exe
                                                            No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | Vessel_Doc_OCN2613132.bat.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | YyhAkj09dy.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | dHp58IIEYz.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | ZfzNdscQNj.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | OC8657434657864534233647586865432214253465.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | Lr87y2w72r.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | 7LwVrYH7sy.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | p61Wb0tocl.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | 432mtXKD3l.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | sUdsWh0FL4.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
24.152.39.227 | DZNtmwlTFY.exe | malicious | Njrat |
24.152.39.227 | j84mNh4z90.exe | malicious | Njrat |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | Vessel_Doc_OCN2613132.bat.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | FMAudit.Installer_9652_1238001249.exe | malicious | Unknown | 51.77.64.70
ip-api.com | YyhAkj09dy.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | dHp58IIEYz.exe | malicious | XWorm | 208.95.112.1
ip-api.com | ZfzNdscQNj.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
ip-api.com | OC8657434657864534233647586865432214253465.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | Lr87y2w72r.exe | malicious | XWorm | 208.95.112.1
ip-api.com | 7LwVrYH7sy.exe | malicious | XWorm | 208.95.112.1
ip-api.com | p61Wb0tocl.exe | malicious | XWorm | 208.95.112.1
ip-api.com | 432mtXKD3l.exe | malicious | XWorm | 208.95.112.1

Match | Associated Sample Name / URL | Detection | Threat Name | Context
TUT-ASUS | Vessel_Doc_OCN2613132.bat.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | YyhAkj09dy.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | dHp58IIEYz.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | ZfzNdscQNj.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
TUT-ASUS | OC8657434657864534233647586865432214253465.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | Lr87y2w72r.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | 7LwVrYH7sy.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | p61Wb0tocl.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | 432mtXKD3l.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | sUdsWh0FL4.exe | malicious | XWorm | 208.95.112.1
MasterDaWebBR | DZNtmwlTFY.exe | malicious | Njrat | 24.152.39.227
MasterDaWebBR | j84mNh4z90.exe | malicious | Njrat | 24.152.39.227
MasterDaWebBR | xtuHcaTJtwiA.exe | malicious | Remcos | 24.152.37.147
MasterDaWebBR | zfT2dBXgtH.elf | malicious | Mirai, Okiru | 24.152.39.205
MasterDaWebBR | SYYMW2Y7m2.elf | malicious | Mirai, Okiru | 24.152.39.205
MasterDaWebBR | 982Zv8zorr.elf | malicious | Mirai, Okiru | 24.152.39.205
MasterDaWebBR | UNNMigWUIb.elf | malicious | Mirai, Okiru | 24.152.39.205
MasterDaWebBR | LkU2WboNWf.elf | malicious | Mirai, Okiru | 24.152.39.205
MasterDaWebBR | pcOvs6rp0L.elf | malicious | Mirai, Okiru | 24.152.39.205
MasterDaWebBR | SJ2n4ybn.exe | malicious | XWorm | 24.152.38.50
                                                                No context
                                                                No context
                                                                No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 6.475653306737083
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: 2ktrFR0W3v.exe
File size: 1'085'952 bytes
MD5: 387b657fab27ddabb59998479ce069db
SHA1: 94e8062fdbeba343f328ef8d155c274a69fec39e
SHA256: 2a8c219afd3d9e171dc1515b32185bad9172bbcdaf15a6a7502458b6e7553ff5
SHA512: 4764b13353784cc02171abc07a0c3eac7a0cea961f72a94cf40e8ab8445a7d358bbde5cdd6b34939cd2c29062a07136c1f1443efa27e4ff79ff3e9ec1a3b3ba6
SSDEEP: 12288:1snj1ynkc1ZzBvtrZHFjMKY2aVTYTTu2NQ1fOHGeelg367PAt69Ubp:1aynkc1ZzBvtrZHFjMKY2j0eelOt6Mp
TLSH: 69352914EBF855A5F06E7F36747198050B38BE03653DD74B2B96A1980E2A390CCB2F67
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....D`..............0.................. ........@.. ....................................`................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x50a0be
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x6044CEC3 [Sun Mar 7 13:01:55 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
                                                                Instruction
                                                                jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x10a06c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10c000 | 0xa93 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10e000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x1080c4 | 0x108200 | b7150de50819339d8b14fe9e007d28e8 | False | 0.45610044220302887 | data | 6.480201798743704 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x10c000 | 0xa93 | 0xc00 | 9735d0e95b3beccb615bd49d09414dd6 | False | 0.3587239583333333 | data | 4.659291469160852 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x10e000 | 0xc | 0x200 | 2fe6efad514b32bb64aa10e4fc5a1b90 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x10c0a0 | 0x31c | data | | | 0.4334170854271357
RT_MANIFEST | 0x10c3bc | 0x6d7 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text | | | 0.40319817247287265

DLL | Import
mscoree.dll | _CorExeMain


Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-10T19:18:54.374248+0200 | 2036383 | ET MALWARE Common RAT Connectivity Check Observed | 1 | 192.168.2.10 | 49701 | 208.95.112.1 | 80 | TCP
                                                                • Total Packets: 26
                                                                • 4782 undefined
                                                                • 80 (HTTP)
                                                                • 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 10, 2024 19:18:53.844782114 CEST | 49701 | 80 | 192.168.2.10 | 208.95.112.1
Oct 10, 2024 19:18:53.849638939 CEST | 80 | 49701 | 208.95.112.1 | 192.168.2.10
Oct 10, 2024 19:18:53.849734068 CEST | 49701 | 80 | 192.168.2.10 | 208.95.112.1
Oct 10, 2024 19:18:53.850563049 CEST | 49701 | 80 | 192.168.2.10 | 208.95.112.1
Oct 10, 2024 19:18:53.855355978 CEST | 80 | 49701 | 208.95.112.1 | 192.168.2.10
Oct 10, 2024 19:18:54.329224110 CEST | 80 | 49701 | 208.95.112.1 | 192.168.2.10
Oct 10, 2024 19:18:54.374248028 CEST | 49701 | 80 | 192.168.2.10 | 208.95.112.1
Oct 10, 2024 19:18:54.784275055 CEST | 49707 | 4782 | 192.168.2.10 | 24.152.39.227
Oct 10, 2024 19:18:54.789366007 CEST | 4782 | 49707 | 24.152.39.227 | 192.168.2.10
Oct 10, 2024 19:18:54.789436102 CEST | 49707 | 4782 | 192.168.2.10 | 24.152.39.227
Oct 10, 2024 19:19:16.146114111 CEST | 4782 | 49707 | 24.152.39.227 | 192.168.2.10
Oct 10, 2024 19:19:16.146212101 CEST | 49707 | 4782 | 192.168.2.10 | 24.152.39.227
Oct 10, 2024 19:19:16.147996902 CEST | 49707 | 4782 | 192.168.2.10 | 24.152.39.227
Oct 10, 2024 19:19:16.152942896 CEST | 4782 | 49707 | 24.152.39.227 | 192.168.2.10
Oct 10, 2024 19:19:21.515331030 CEST | 49865 | 4782 | 192.168.2.10 | 24.152.39.227
Oct 10, 2024 19:19:21.520777941 CEST | 4782 | 49865 | 24.152.39.227 | 192.168.2.10
Oct 10, 2024 19:19:21.520895958 CEST | 49865 | 4782 | 192.168.2.10 | 24.152.39.227
Oct 10, 2024 19:19:27.266098022 CEST | 80 | 49701 | 208.95.112.1 | 192.168.2.10
Oct 10, 2024 19:19:27.266175985 CEST | 49701 | 80 | 192.168.2.10 | 208.95.112.1
Oct 10, 2024 19:19:27.266606092 CEST | 80 | 49701 | 208.95.112.1 | 192.168.2.10
Oct 10, 2024 19:19:27.266648054 CEST | 49701 | 80 | 192.168.2.10 | 208.95.112.1
Oct 10, 2024 19:19:42.898406982 CEST | 4782 | 49865 | 24.152.39.227 | 192.168.2.10
Oct 10, 2024 19:19:42.898514032 CEST | 49865 | 4782 | 192.168.2.10 | 24.152.39.227
Oct 10, 2024 19:19:42.899435043 CEST | 49865 | 4782 | 192.168.2.10 | 24.152.39.227
Oct 10, 2024 19:19:42.904236078 CEST | 4782 | 49865 | 24.152.39.227 | 192.168.2.10
Oct 10, 2024 19:19:48.218672991 CEST | 49973 | 4782 | 192.168.2.10 | 24.152.39.227
Oct 10, 2024 19:19:48.225497007 CEST | 4782 | 49973 | 24.152.39.227 | 192.168.2.10
Oct 10, 2024 19:19:48.225577116 CEST | 49973 | 4782 | 192.168.2.10 | 24.152.39.227
Oct 10, 2024 19:20:09.603828907 CEST | 4782 | 49973 | 24.152.39.227 | 192.168.2.10
Oct 10, 2024 19:20:09.603980064 CEST | 49973 | 4782 | 192.168.2.10 | 24.152.39.227
Oct 10, 2024 19:20:09.604811907 CEST | 49973 | 4782 | 192.168.2.10 | 24.152.39.227
Oct 10, 2024 19:20:09.609771013 CEST | 4782 | 49973 | 24.152.39.227 | 192.168.2.10
Oct 10, 2024 19:20:14.890794039 CEST | 49974 | 4782 | 192.168.2.10 | 24.152.39.227
Oct 10, 2024 19:20:14.895812035 CEST | 4782 | 49974 | 24.152.39.227 | 192.168.2.10
Oct 10, 2024 19:20:14.895909071 CEST | 49974 | 4782 | 192.168.2.10 | 24.152.39.227
Oct 10, 2024 19:20:34.359788895 CEST | 49701 | 80 | 192.168.2.10 | 208.95.112.1
Oct 10, 2024 19:20:34.367058039 CEST | 80 | 49701 | 208.95.112.1 | 192.168.2.10
Oct 10, 2024 19:20:36.274414062 CEST | 4782 | 49974 | 24.152.39.227 | 192.168.2.10
Oct 10, 2024 19:20:36.274522066 CEST | 49974 | 4782 | 192.168.2.10 | 24.152.39.227
Oct 10, 2024 19:20:36.275655031 CEST | 49974 | 4782 | 192.168.2.10 | 24.152.39.227
Oct 10, 2024 19:20:36.280441046 CEST | 4782 | 49974 | 24.152.39.227 | 192.168.2.10
Oct 10, 2024 19:20:41.437082052 CEST | 49975 | 4782 | 192.168.2.10 | 24.152.39.227
Oct 10, 2024 19:20:41.543972015 CEST | 4782 | 49975 | 24.152.39.227 | 192.168.2.10
Oct 10, 2024 19:20:41.544096947 CEST | 49975 | 4782 | 192.168.2.10 | 24.152.39.227
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 10, 2024 19:18:53.830842972 CEST | 60011 | 53 | 192.168.2.10 | 1.1.1.1
Oct 10, 2024 19:18:53.838212013 CEST | 53 | 60011 | 1.1.1.1 | 192.168.2.10
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 10, 2024 19:18:53.830842972 CEST | 192.168.2.10 | 1.1.1.1 | 0xfaa8 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 10, 2024 19:18:53.838212013 CEST | 1.1.1.1 | 192.168.2.10 | 0xfaa8 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                                                                • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49701 | 208.95.112.1 | 80 | 7232 | C:\Users\user\Desktop\2ktrFR0W3v.exe

Timestamp | Bytes transferred | Direction | Data
Oct 10, 2024 19:18:53.850563049 CEST | 144 | OUT | GET /json/ HTTP/1.1
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
                                                                Host: ip-api.com
                                                                Connection: Keep-Alive
Oct 10, 2024 19:18:54.329224110 CEST | 482 | IN | HTTP/1.1 200 OK
                                                                Date: Thu, 10 Oct 2024 17:18:53 GMT
                                                                Content-Type: application/json; charset=utf-8
                                                                Content-Length: 305
                                                                Access-Control-Allow-Origin: *
                                                                X-Ttl: 60
                                                                X-Rl: 44
                                                                Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/New_York","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.33"}



                                                                Target ID:0
                                                                Start time:13:18:51
                                                                Start date:10/10/2024
                                                                Path:C:\Users\user\Desktop\2ktrFR0W3v.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\user\Desktop\2ktrFR0W3v.exe"
                                                                Imagebase:0xd90000
                                                                File size:1'085'952 bytes
                                                                MD5 hash:387B657FAB27DDABB59998479CE069DB
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Clipboard_Hijacker_3, Description: Yara detected Clipboard Hijacker, Source: 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                Reputation:low
                                                                Has exited:false

                                                                Execution Graph

                                                                Execution Coverage

                                                                Dynamic/Packed Code Coverage

                                                                Signature Coverage

                                                                Execution Coverage:10.9%
                                                                Dynamic/Decrypted Code Coverage:96.7%
                                                                Signature Coverage:0%
                                                                Total number of Nodes:92
                                                                Total number of Limit Nodes:6

                                                                Executed Functions

                                                                Control-flow Graph

                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2563681689.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_17c0000_2ktrFR0W3v.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 7~$7~$\Vdm
                                                                • API String ID: 0-1733167323

                                                                Control-flow Graph

                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2563681689.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_17c0000_2ktrFR0W3v.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 7~$7~
                                                                • API String ID: 0-2178700345

                                                                Control-flow Graph

                                                                APIs
                                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06AC47A2
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2565717994.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6ac0000_2ktrFR0W3v.jbxd
                                                                Similarity
                                                                • API ID: CreateWindow
                                                                • String ID: 7~$7~
                                                                • API String ID: 716092398-2178700345

                                                                Control-flow Graph

                                                                APIs
                                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06AC47A2
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2565717994.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6ac0000_2ktrFR0W3v.jbxd
                                                                Similarity
                                                                • API ID: CreateWindow
                                                                • String ID: 7~$7~
                                                                • API String ID: 716092398-2178700345

                                                                Control-flow Graph

                                                                APIs
                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 06AC2716
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2565717994.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6ac0000_2ktrFR0W3v.jbxd
                                                                Similarity
                                                                • API ID: HandleModule
                                                                • String ID: 7~
                                                                • API String ID: 4139908857-3133233787

                                                                Control-flow Graph

                                                                APIs
                                                                • CreateActCtxA.KERNEL32(?), ref: 017C33F1
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2563681689.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_17c0000_2ktrFR0W3v.jbxd
                                                                Similarity
                                                                • API ID: Create
                                                                • String ID: 7~
                                                                • API String ID: 2289755597-3133233787

                                                                Control-flow Graph

                                                                APIs
                                                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 06AC6D11
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2565717994.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6ac0000_2ktrFR0W3v.jbxd
                                                                Similarity
                                                                • API ID: CallProcWindow
                                                                • String ID: 7~
                                                                • API String ID: 2714655100-3133233787

                                                                Control-flow Graph

                                                                APIs
                                                                • CreateActCtxA.KERNEL32(?), ref: 017C33F1
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2563681689.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_17c0000_2ktrFR0W3v.jbxd
                                                                Similarity
                                                                • API ID: Create
                                                                • String ID: 7~
                                                                • API String ID: 2289755597-3133233787

                                                                Control-flow Graph

                                                                APIs
                                                                • OleInitialize.OLE32(00000000), ref: 06AC92D5
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2565717994.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6ac0000_2ktrFR0W3v.jbxd
                                                                Similarity
                                                                • API ID: Initialize
                                                                • String ID: 7~
                                                                • API String ID: 2538663250-3133233787

                                                                Control-flow Graph

                                                                APIs
                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 06AC2716
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2565717994.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6ac0000_2ktrFR0W3v.jbxd
                                                                Similarity
                                                                • API ID: HandleModule
                                                                • String ID: 7~
                                                                • API String ID: 4139908857-3133233787

                                                                Control-flow Graph

                                                                APIs
                                                                • OleInitialize.OLE32(00000000), ref: 06AC92D5
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2565717994.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6ac0000_2ktrFR0W3v.jbxd
                                                                Similarity
                                                                • API ID: Initialize
                                                                • String ID: 7~
                                                                • API String ID: 2538663250-3133233787
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2565740361.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6ad0000_2ktrFR0W3v.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: ?
                                                                • API String ID: 0-1684325040
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2565740361.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6ad0000_2ktrFR0W3v.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: ?
                                                                • API String ID: 0-1684325040
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2563365852.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_146d000_2ktrFR0W3v.jbxd
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2563365852.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_146d000_2ktrFR0W3v.jbxd
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2563395394.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_147d000_2ktrFR0W3v.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4079488cbc26cb540b2c90fc17ca0ed9498e855701ebc7cbf24d76fd6a12b579
                                                                • Instruction ID: b53c03b158661d8d6077b082bdc4c019db9079e51fd8b703e26dd58d95f8ea46
                                                                • Opcode Fuzzy Hash: 4079488cbc26cb540b2c90fc17ca0ed9498e855701ebc7cbf24d76fd6a12b579
                                                                • Instruction Fuzzy Hash: 8F213771A04240DFEB05DF94E9C0B56BBA5FF84314F20C5AEE80A4B366C336D846CA61
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2563365852.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_146d000_2ktrFR0W3v.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6b27598fccdcf64bb4696049134559f293c64bbc5afbc827985db7de6eb0de01
                                                                • Instruction ID: 5872d40f2c19ec6c6d4769d705dc649bd804fdb14a27ddafacd0633f30ffeab9
                                                                • Opcode Fuzzy Hash: 6b27598fccdcf64bb4696049134559f293c64bbc5afbc827985db7de6eb0de01
                                                                • Instruction Fuzzy Hash: 5211B176904280CFCB16CF54D5C4B16BF71FB88318F2486AAD9494B767C33AD456CBA2
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2563365852.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_146d000_2ktrFR0W3v.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6b27598fccdcf64bb4696049134559f293c64bbc5afbc827985db7de6eb0de01
                                                                • Instruction ID: 5ac52160819dd1b7b8c00b9d0274450324ab146bfaeb1ace6603f153f9d9f1f3
                                                                • Opcode Fuzzy Hash: 6b27598fccdcf64bb4696049134559f293c64bbc5afbc827985db7de6eb0de01
                                                                • Instruction Fuzzy Hash: 0711D276904240CFCB06CF44D5C4B56BF62FB84314F24C5AAD8490B666C336D856CBA2
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2563395394.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_147d000_2ktrFR0W3v.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1b1f3823a6d5e9a0021df617afa545df39c4bee3d684dcbd2680691be67a36db
                                                                • Instruction ID: a314f9548967f2324b149d4a435bb3d33f2a15d7a661aeba38685bc43273f1f2
                                                                • Opcode Fuzzy Hash: 1b1f3823a6d5e9a0021df617afa545df39c4bee3d684dcbd2680691be67a36db
                                                                • Instruction Fuzzy Hash: 5A11BE75904280CFDB06CF58D5C4B16BBA1FB84314F24C6AADC094B766C33AD40ACB61

                                                                Non-executed Functions

                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2565717994.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6ac0000_2ktrFR0W3v.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 7~
                                                                • API String ID: 0-3133233787
                                                                • Opcode ID: f7a9c42b9b69940519bdf4a0f09fa56a1201cfd92c7f9b7cd7e6a4080582f456
                                                                • Instruction ID: 932b27aecf7c5f864e0aad6a130c50eda101bf89c44c59316c7de2d7a488b3cf
                                                                • Opcode Fuzzy Hash: f7a9c42b9b69940519bdf4a0f09fa56a1201cfd92c7f9b7cd7e6a4080582f456
                                                                • Instruction Fuzzy Hash: 68F13C30E00209CFEB54EFA9C944B9EBBF1FF48724F158159E409AF2A5DB74A945CB81
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2565717994.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6ac0000_2ktrFR0W3v.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 69c5572e4e07ee729f16bff8730a29fce7d3e48b634bb1c111a3b3499d64ebab
                                                                • Instruction ID: b98e47b379c593481d6b3e15287421f3d5be360877736b3dcc425cf9f8684d60
                                                                • Opcode Fuzzy Hash: 69c5572e4e07ee729f16bff8730a29fce7d3e48b634bb1c111a3b3499d64ebab
                                                                • Instruction Fuzzy Hash: 8A5219B0500B09CFD710EF18F88C2A97BB1FB46328FA4C619D5695F2A8D7B4658ACF44
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2565717994.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6ac0000_2ktrFR0W3v.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3cdcf399c44fa40f7fec2077a9d306b1594af69f33afa2033cfa3de88599e27a
                                                                • Instruction ID: 7d0535d4a0d43fc3f161fbeb75ebd990a0cdf46052d3a4476a0211b64a54ccde
                                                                • Opcode Fuzzy Hash: 3cdcf399c44fa40f7fec2077a9d306b1594af69f33afa2033cfa3de88599e27a
                                                                • Instruction Fuzzy Hash: 6EA14B32F10209CFCF45EFA4C9849AEB7B2FF85310B15856AE915AB211DB71D956CB80