
Windows Analysis Report
cclent.exe

Overview

General Information

Sample name: cclent.exe
Analysis ID: 1574494
MD5: 94222631ef1071a4f7ceb180cf8a4a5a
SHA1: 786d8b2d8b931a9282ee54367d2dda501f1ca946
SHA256: a45b373b780f5b9fcf5c51473c69bbf0ed650f300523097602b35f5222bd122b
Tags: exe, QuasarRAT, user-lontze7

Detection

Quasar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Quasar RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • cclent.exe (PID: 3536 cmdline: "C:\Users\user\Desktop\cclent.exe" MD5: 94222631EF1071A4F7CEB180CF8A4A5A)
    • schtasks.exe (PID: 6628 cmdline: "schtasks" /create /tn "vchost32" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 1460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Client.exe (PID: 2356 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Client.exe" MD5: 94222631EF1071A4F7CEB180CF8A4A5A)
      • schtasks.exe (PID: 6204 cmdline: "schtasks" /create /tn "vchost32" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 2896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Client.exe (PID: 1132 cmdline: C:\Users\user\AppData\Roaming\SubDir\Client.exe MD5: 94222631EF1071A4F7CEB180CF8A4A5A)
  • cleanup
Name: Quasar RAT, QuasarRAT
Description: Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
Attribution:
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat
{"Version": "1.4.1", "Host:Port": "91.92.243.191:5401;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "fce41024-0e2f-475b-929b-e58a126341bd", "StartupKey": "vchost32", "Tag": "Office04", "LogDirectoryName": "Logs", "ServerSignature": "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", "ServerCertificate": "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"}
Source | Rule | Description | Author
cclent.exe | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
cclent.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
cclent.exe | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth
  • 0x28ee9d:$x1: Quasar.Common.Messages
  • 0x29f1c6:$x1: Quasar.Common.Messages
  • 0x2ab812:$x4: Uninstalling... good bye :-(
  • 0x2ad007:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
cclent.exe | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifcats observed in infostealers | ditekSHen
  • 0x2aadc4:$f1: FileZilla\recentservers.xml
  • 0x2aae04:$f2: FileZilla\sitemanager.xml
  • 0x2aae46:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
  • 0x2ab092:$b1: Chrome\User Data\
  • 0x2ab0e8:$b1: Chrome\User Data\
  • 0x2ab3c0:$b2: Mozilla\Firefox\Profiles
  • 0x2ab4bc:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x2fd418:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x2ab614:$b4: Opera Software\Opera Stable\Login Data
  • 0x2ab6ce:$b5: YandexBrowser\User Data\
  • 0x2ab73c:$b5: YandexBrowser\User Data\
  • 0x2ab410:$s4: logins.json
  • 0x2ab146:$a1: username_value
  • 0x2ab164:$a2: password_value
  • 0x2ab450:$a3: encryptedUsername
  • 0x2fd35c:$a3: encryptedUsername
  • 0x2ab474:$a4: encryptedPassword
  • 0x2fd37a:$a4: encryptedPassword
  • 0x2fd2f8:$a5: httpRealm
cclent.exe | MALWARE_Win_QuasarStealer | Detects Quasar infostealer | ditekshen
  • 0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
  • 0x2ab8fc:$s3: Process already elevated.
  • 0x28eb9c:$s4: get_PotentiallyVulnerablePasswords
  • 0x278c58:$s5: GetKeyloggerLogsDirectory
  • 0x29e925:$s5: GetKeyloggerLogsDirectory
  • 0x28ebbf:$s6: set_PotentiallyVulnerablePasswords
  • 0x2fea46:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
Source | Rule | Description | Author
C:\Users\user\AppData\Roaming\SubDir\Client.exe | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
C:\Users\user\AppData\Roaming\SubDir\Client.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\Users\user\AppData\Roaming\SubDir\Client.exe | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth
  • 0x28ee9d:$x1: Quasar.Common.Messages
  • 0x29f1c6:$x1: Quasar.Common.Messages
  • 0x2ab812:$x4: Uninstalling... good bye :-(
  • 0x2ad007:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
C:\Users\user\AppData\Roaming\SubDir\Client.exe | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifcats observed in infostealers | ditekSHen
  • 0x2aadc4:$f1: FileZilla\recentservers.xml
  • 0x2aae04:$f2: FileZilla\sitemanager.xml
  • 0x2aae46:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
  • 0x2ab092:$b1: Chrome\User Data\
  • 0x2ab0e8:$b1: Chrome\User Data\
  • 0x2ab3c0:$b2: Mozilla\Firefox\Profiles
  • 0x2ab4bc:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x2fd418:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x2ab614:$b4: Opera Software\Opera Stable\Login Data
  • 0x2ab6ce:$b5: YandexBrowser\User Data\
  • 0x2ab73c:$b5: YandexBrowser\User Data\
  • 0x2ab410:$s4: logins.json
  • 0x2ab146:$a1: username_value
  • 0x2ab164:$a2: password_value
  • 0x2ab450:$a3: encryptedUsername
  • 0x2fd35c:$a3: encryptedUsername
  • 0x2ab474:$a4: encryptedPassword
  • 0x2fd37a:$a4: encryptedPassword
  • 0x2fd2f8:$a5: httpRealm
C:\Users\user\AppData\Roaming\SubDir\Client.exe | MALWARE_Win_QuasarStealer | Detects Quasar infostealer | ditekshen
  • 0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
  • 0x2ab8fc:$s3: Process already elevated.
  • 0x28eb9c:$s4: get_PotentiallyVulnerablePasswords
  • 0x278c58:$s5: GetKeyloggerLogsDirectory
  • 0x29e925:$s5: GetKeyloggerLogsDirectory
  • 0x28ebbf:$s6: set_PotentiallyVulnerablePasswords
  • 0x2fea46:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
Source | Rule | Description | Author
00000000.00000000.2150804372.00000000006F0000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000004.00000002.3417932787.0000000002849000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000000.00000000.2150325950.00000000003D2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
Process Memory Space: cclent.exe PID: 3536 | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
Process Memory Space: Client.exe PID: 2356 | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
Source | Rule | Description | Author
0.0.cclent.exe.3d0000.0.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
0.0.cclent.exe.3d0000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.0.cclent.exe.3d0000.0.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth
  • 0x28ee9d:$x1: Quasar.Common.Messages
  • 0x29f1c6:$x1: Quasar.Common.Messages
  • 0x2ab812:$x4: Uninstalling... good bye :-(
  • 0x2ad007:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.0.cclent.exe.3d0000.0.unpack | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifcats observed in infostealers | ditekSHen
  • 0x2aadc4:$f1: FileZilla\recentservers.xml
  • 0x2aae04:$f2: FileZilla\sitemanager.xml
  • 0x2aae46:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
  • 0x2ab092:$b1: Chrome\User Data\
  • 0x2ab0e8:$b1: Chrome\User Data\
  • 0x2ab3c0:$b2: Mozilla\Firefox\Profiles
  • 0x2ab4bc:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x2fd418:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x2ab614:$b4: Opera Software\Opera Stable\Login Data
  • 0x2ab6ce:$b5: YandexBrowser\User Data\
  • 0x2ab73c:$b5: YandexBrowser\User Data\
  • 0x2ab410:$s4: logins.json
  • 0x2ab146:$a1: username_value
  • 0x2ab164:$a2: password_value
  • 0x2ab450:$a3: encryptedUsername
  • 0x2fd35c:$a3: encryptedUsername
  • 0x2ab474:$a4: encryptedPassword
  • 0x2fd37a:$a4: encryptedPassword
  • 0x2fd2f8:$a5: httpRealm
0.0.cclent.exe.3d0000.0.unpack | MALWARE_Win_QuasarStealer | Detects Quasar infostealer | ditekshen
  • 0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
  • 0x2ab8fc:$s3: Process already elevated.
  • 0x28eb9c:$s4: get_PotentiallyVulnerablePasswords
  • 0x278c58:$s5: GetKeyloggerLogsDirectory
  • 0x29e925:$s5: GetKeyloggerLogsDirectory
  • 0x28ebbf:$s6: set_PotentiallyVulnerablePasswords
  • 0x2fea46:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "schtasks" /create /tn "vchost32" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "vchost32" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\SubDir\Client.exe", ParentImage: C:\Users\user\AppData\Roaming\SubDir\Client.exe, ParentProcessId: 2356, ParentProcessName: Client.exe, ProcessCommandLine: "schtasks" /create /tn "vchost32" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, ProcessId: 6204, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "schtasks" /create /tn "vchost32" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "vchost32" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\cclent.exe", ParentImage: C:\Users\user\Desktop\cclent.exe, ParentProcessId: 3536, ParentProcessName: cclent.exe, ProcessCommandLine: "schtasks" /create /tn "vchost32" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, ProcessId: 6628, ProcessName: schtasks.exe
No Suricata rule has matched

AV Detection

Source: cclent.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Avira: detection malicious, Label: HEUR/AGEN.1307453
                        Source: cclent.exeMalware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "91.92.243.191:5401;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "fce41024-0e2f-475b-929b-e58a126341bd", "StartupKey": "vchost32", "Tag": "Office04", "LogDirectoryName": "Logs", "ServerSignature": "cplAZe2r6zHhQVWWWW+594pCKNb93AuPWeqyeID7mISh0ncH/bVd7qXOhdQSjMtQY3luB2C49F50dd4LD+AYgw0RSMzWTH97I0LYm9zTK7ebwtoaGWWCqgAh2iNeasLSnHhCsdPGLUfTJ9/eF4TFzbw7js+V2l2OYsGjTVG2ZMdyXEQlZLGd8OEHqtbY22O4lZpjRZEsGq4/dDaTqURJfd2+9tHOpDK63/ijPhbln3j/I1yAhOvmz87OCmj5ib55TWWwwyGE9OFG7u4E21VLrHid7tPrMuMMFzJV3vt9ERDITghYCH0kzwB0JQBRgfMc3ADhsgKbrE7CLnx5DCb9OQN+x24cHwcAUP9F3/tx+6tNy7cJ3IisJ2BAqgc/7Pm2tmbUFYRxjPpPJMruskNokNcVWI3Nh6KXFXoUllE21JzEVAmw4yMRFnx8NuCp1IZ6JHWGXAAYfH7cqn/Ddp/JDrtq3as8kBxA2LxF7pTFcoKFf5OYVdaSq6znfoIvnR25mZfML/DrxiXZYFpWl5oHwypiNbnJK77hy6nLTgHkVCcoZHP53XbemAR+O9cIuiARrmWThk7A8Y++BfGZrV+ERq7040L5oTYFL6FxkDynyoH9Hj8oCcNyj8PyQ20inQCjHRZMF7+xqB6JSyM3VOIYEfGMoKfTDhT9oppln1X6igs=", "ServerCertificate": "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"}
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | ReversingLabs: Detection: 78%
Source: cclent.exe | ReversingLabs: Detection: 78%
Source: Yara match | File source: cclent.exe, type: SAMPLE
Source: Yara match | File source: 0.0.cclent.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2150804372.00000000006F0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3417932787.0000000002849000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2150325950.00000000003D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: cclent.exe PID: 3536, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Client.exe PID: 2356, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Joe Sandbox ML: detected
Source: cclent.exe | Joe Sandbox ML: detected
Source: cclent.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: cclent.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Malware configuration extractor | URLs: 91.92.243.191
Source: Yara match | File source: cclent.exe, type: SAMPLE
Source: Yara match | File source: 0.0.cclent.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.6:49715 -> 91.92.243.191:5401
Source: Joe Sandbox View | ASN Name: THEZONEBG THEZONEBG
Source: unknown | TCP traffic detected without corresponding DNS query: 91.92.243.191
Source: cclent.exe, 00000000.00000002.2178033865.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000004.00000002.3417932787.0000000002849000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: cclent.exe, Client.exe.0.dr | String found in binary or memory: https://api.ipify.org/
Source: cclent.exe, Client.exe.0.dr | String found in binary or memory: https://ipwho.is/
Source: cclent.exe, Client.exe.0.dr | String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: cclent.exe, Client.exe.0.dr | String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: cclent.exe, Client.exe.0.dr | String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\SubDir\Client.exe

E-Banking Fraud

Source: Yara match | File source: cclent.exe, type: SAMPLE
Source: Yara match | File source: 0.0.cclent.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2150804372.00000000006F0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3417932787.0000000002849000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2150325950.00000000003D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: cclent.exe PID: 3536, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Client.exe PID: 2356, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED

System Summary

Source: cclent.exe, type: SAMPLE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: cclent.exe, type: SAMPLE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: cclent.exe, type: SAMPLE | Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.0.cclent.exe.3d0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.0.cclent.exe.3d0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.0.cclent.exe.3d0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer Author: ditekshen
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED | Matched rule: Detects Quasar infostealer Author: ditekshen
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Code function: 4_2_00007FFD34A78D41 | 4_2_00007FFD34A78D41
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Code function: 4_2_00007FFD34A754B6 | 4_2_00007FFD34A754B6
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Code function: 4_2_00007FFD34A76187 | 4_2_00007FFD34A76187
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Code function: 4_2_00007FFD34A79AC4 | 4_2_00007FFD34A79AC4
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Code function: 4_2_00007FFD34A7AAAD | 4_2_00007FFD34A7AAAD
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Code function: 4_2_00007FFD34A710F2 | 4_2_00007FFD34A710F2
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Code function: 4_2_00007FFD34A711FA | 4_2_00007FFD34A711FA
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Code function: 4_2_00007FFD34A70DD1 | 4_2_00007FFD34A70DD1
Source: cclent.exe, 00000000.00000000.2150804372.00000000006F0000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameClient.exe. vs cclent.exe
Source: cclent.exe | Binary or memory string: OriginalFilenameClient.exe. vs cclent.exe
Source: cclent.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: cclent.exe, type: SAMPLE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: cclent.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: cclent.exe, type: SAMPLE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.0.cclent.exe.3d0000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.0.cclent.exe.3d0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.0.cclent.exe.3d0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@10/3@0/1
Source: C:\Users\user\Desktop\cclent.exe | File created: C:\Users\user\AppData\Roaming\SubDir
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1460:120:WilError_03
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\fce41024-0e2f-475b-929b-e58a126341bd
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2896:120:WilError_03
Source: cclent.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: cclent.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\cclent.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: cclent.exe | ReversingLabs: Detection: 78%
Source: cclent.exe | String found in binary or memory: HasSubValue3Conflicting item/add type
Source: C:\Users\user\Desktop\cclent.exe | File read: C:\Users\user\Desktop\cclent.exe
Source: unknown | Process created: C:\Users\user\Desktop\cclent.exe "C:\Users\user\Desktop\cclent.exe"
Source: C:\Users\user\Desktop\cclent.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "vchost32" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\cclent.exe | Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "vchost32" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe C:\Users\user\AppData\Roaming\SubDir\Client.exe
Source: C:\Users\user\Desktop\cclent.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "vchost32" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Source: C:\Users\user\Desktop\cclent.exe | Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "vchost32" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Source: C:\Users\user\Desktop\cclent.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\cclent.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\cclent.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\cclent.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\cclent.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\cclent.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\cclent.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\cclent.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\cclent.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\cclent.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\cclent.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\cclent.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\cclent.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\cclent.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\cclent.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\cclent.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\cclent.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
                        Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: windowscodecs.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: mrmcorer.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: thumbcache.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: schannel.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
                        Source: cclent.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: cclent.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                        Source: cclent.exeStatic file information: File size 3265536 > 1048576
                        Source: cclent.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x31c400
                        Source: cclent.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: C:\Users\user\Desktop\cclent.exeCode function: 0_2_00007FFD348100BD pushad ; iretd 0_2_00007FFD348100C1
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 4_2_00007FFD3480752B push ebx; iretd 4_2_00007FFD3480756A
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 4_2_00007FFD348000BD pushad ; iretd 4_2_00007FFD348000C1
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 4_2_00007FFD3480D9F2 push eax; iretd 4_2_00007FFD3480DA11
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 4_2_00007FFD34A754B6 push ecx; retf 4_2_00007FFD34A759DC
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 4_2_00007FFD34A75948 push ecx; retf 4_2_00007FFD34A759DC
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 4_2_00007FFD34A72E42 push eax; ret 4_2_00007FFD34A72FFC
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 7_2_00007FFD348000BD pushad ; iretd 7_2_00007FFD348000C1
                        Source: C:\Users\user\Desktop\cclent.exeFile created: C:\Users\user\AppData\Roaming\SubDir\Client.exeJump to dropped file
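The static PE observations above (a CLR data directory, a .text section larger than 1 MiB, a file larger than 1 MiB, and the DllCharacteristics flag set) can be reproduced directly from the PE headers without any third-party library. The following Python is an added example, not code from the Joe Sandbox report or from Quasar; it parses only the header fields those checks need, and it runs against a constructed PE32 header whose section sizes, CLR directory RVA and flag word are assumptions chosen to line up with the numbers in the report (the .text virtual size in particular is invented, since the report states only that it exceeds 0x100000).

```python
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics flag names (PE/COFF specification).
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # data directory slot of the CLR header
ONE_MIB = 0x100000


def inspect_pe(data: bytes) -> dict:
    """Parse just the header fields the report's static checks depend on."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                   # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                # PE32
        bits, nrva_off, dd_off = 32, 92, 96
    elif magic == 0x20B:                              # PE32+
        bits, nrva_off, dd_off = 64, 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    nrva = struct.unpack_from("<I", data, opt + nrva_off)[0]
    com_rva = com_size = 0
    if nrva > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        com_rva, com_size = struct.unpack_from(
            "<II", data, opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    sections, sec = [], opt + opt_size               # section table follows the optional header
    for _ in range(nsec):
        name = data[sec:sec + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, sec + 8)
        sections.append({"name": name, "vsize": vsize, "vaddr": vaddr, "rsize": rsize, "rptr": rptr})
        sec += 40
    return {
        "bits": bits, "machine": machine,
        "dll_characteristics": [n for f, n in sorted(DLL_CHARACTERISTICS.items()) if dll_chars & f],
        "managed": com_rva != 0 and com_size != 0,    # a populated CLR directory marks a .NET image
        "sections": sections,
    }


def static_findings(data: bytes) -> list:
    """Emit the report's static observations, in the report's wording, for one file."""
    info, out = inspect_pe(data), []
    if info["managed"]:
        out.append("data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR")
    for s in info["sections"]:
        if s["name"] == ".text" and s["vsize"] > ONE_MIB:
            out.append("Virtual size of .text is bigger than: 0x%x" % ONE_MIB)
        if s["name"] == ".text" and s["rsize"] > ONE_MIB:
            out.append("Raw size of .text (0x%x) is bigger than: 0x%x" % (s["rsize"], ONE_MIB))
    if len(data) > 1048576:
        out.append("File size %d > 1048576" % len(data))
    out.append(", ".join(info["dll_characteristics"]))
    return out


def build_synthetic_pe32(text_vsize, text_rsize, dll_chars, com_rva=0x2008, com_size=0x48, total_size=None):
    """Constructed input: a minimal PE32 header (not a real sample), zero-padded to total_size."""
    e_lfanew, opt_size = 0x80, 0xE0
    hdr = bytearray(e_lfanew + 4 + 20 + opt_size + 40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    struct.pack_into("<HHIIIHH", hdr, coff, 0x14C, 1, 0, 0, 0, opt_size, 0x0102)  # i386, one section
    opt = coff + 20
    struct.pack_into("<H", hdr, opt, 0x10B)
    struct.pack_into("<H", hdr, opt + 70, dll_chars)
    struct.pack_into("<I", hdr, opt + 92, 16)
    struct.pack_into("<II", hdr, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, com_rva, com_size)
    sec = opt + opt_size
    hdr[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", hdr, sec + 8, text_vsize, 0x2000, text_rsize, 0x200)
    if total_size:
        hdr += b"\0" * (total_size - len(hdr))
    return bytes(hdr)


if __name__ == "__main__":
    # Raw .text size, flag word 0x8540 and file size follow the report; the virtual size is assumed.
    sample = build_synthetic_pe32(0x31C3F0, 0x31C400, 0x8540, total_size=3265536)
    for line in static_findings(sample):
        print(line)
```

The populated COM descriptor slot is what makes this a managed image (hence mscoree.dll and the CLR runtime DLLs in the section-load list above), and 0x8540 (DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE) is the flag set commonly emitted for C# executables, so on its own it says nothing about intent; the size checks are likewise only a hint that a large .NET binary carries embedded payloads or libraries.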

Boot Survival

Source: C:\Users\user\Desktop\cclent.exe -- Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "vchost32" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
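The persistence command above is worth alerting on because of the combination of its switches rather than any single one: /sc ONLOGON re-runs the action at every logon, /tr points into a user-writable profile folder, /rl HIGHEST asks for the highest integrity level available to the account (an elevated token for an administrator, with no UAC prompt at logon; for a standard user it is still just that user), and /f silently replaces any task already named "vchost32". The Python below is an added example, not code from the report or from Quasar: it tokenizes schtasks command lines the way the report prints them and scores the create call. The event tuples are constructed (two taken from the report's rows plus one benign control), and the folder patterns and reason strings are this example's own heuristics.

```python
import re

# Constructed (parent image, command line) pairs in the shape of the report's "Process created" rows.
EVENTS = [
    (r"C:\Users\user\Desktop\cclent.exe",
     r'C:\Windows\System32\schtasks.exe "schtasks" /create /tn "vchost32" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f'),
    (r"C:\Users\user\AppData\Roaming\SubDir\Client.exe",
     r'C:\Windows\System32\schtasks.exe "schtasks" /create /tn "vchost32" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f'),
    # Constructed benign control: a daily job whose action lives under Program Files.
    (r"C:\Windows\explorer.exe",
     r'C:\Windows\System32\schtasks.exe /create /tn "Backup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe"'),
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
# Profile folders a non-admin user can write to, either literally or via environment variables.
USER_WRITABLE = re.compile(
    r"(^[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop)\\)"
    r"|(%(appdata|localappdata|temp|tmp|userprofile|public)%)", re.I)


def tokenize(cmdline: str) -> list:
    """Split a Windows command line on whitespace, keeping double-quoted arguments intact."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_schtasks(cmdline: str) -> dict:
    """Map each /switch to its value; switches without a value (e.g. /create, /f) map to True."""
    toks, opts, i = tokenize(cmdline), {}, 0
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("/"):
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[tok.lower()] = toks[i + 1]
                i += 2
                continue
            opts[tok.lower()] = True
        i += 1
    return opts


def score(parent: str, cmdline: str) -> list:
    """Return the reasons a schtasks /create call looks like user-level persistence (empty = benign)."""
    opts = parse_schtasks(cmdline)
    if "/create" not in opts:
        return []
    reasons, action = [], opts.get("/tr")
    if isinstance(action, str) and USER_WRITABLE.search(action):
        reasons.append("action runs from a user-writable profile folder: %s" % action)
    trigger = str(opts.get("/sc", "")).upper()
    if trigger in ("ONLOGON", "ONSTART"):
        reasons.append("trigger is %s (re-runs at every logon/boot)" % trigger)
    if str(opts.get("/rl", "")).upper() == "HIGHEST":
        reasons.append("/rl HIGHEST requests the highest integrity level available to the account")
    if opts.get("/f") is True:
        reasons.append("/f silently overwrites an existing task of the same name")
    if USER_WRITABLE.search(parent):
        reasons.append("schtasks.exe spawned by a binary in a user-writable folder: %s" % parent)
    return reasons


if __name__ == "__main__":
    for parent, cmdline in EVENTS:
        hits = score(parent, cmdline)
        print("%-55s %s" % (parent, "ALERT" if hits else "ok"))
        for reason in hits:
            print("    -", reason)
```

The same scoring applies to the second create call issued by the dropped Client.exe; an installer re-registering its own task from the persisted path is itself a useful correlation, since a benign installer rarely runs the task action before the first logon trigger.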

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\cclent.exe -- File opened: C:\Users\user\Desktop\cclent.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\cclent.exe -- File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe -- File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\cclent.exe -- Process information set: NOOPENFILEERRORBOX (38 identical entries)
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe -- Process information set: NOOPENFILEERRORBOX (91 identical entries)
Source: C:\Users\user\Desktop\cclent.exe -- Memory allocated: C20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\cclent.exe -- Memory allocated: 1A9A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe -- Memory allocated: C40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe -- Memory allocated: 1A810000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe -- Memory allocated: 1300000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe -- Memory allocated: 1AE70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\cclent.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe -- Window / User API: threadDelayed 2645
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe -- Window / User API: threadDelayed 7219
Source: C:\Users\user\Desktop\cclent.exe TID: 4836 -- Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 2620 -- Thread sleep count: 31 > 30
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 2620 -- Thread sleep time: -28592453314249787s >= -30000s
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 6504 -- Thread sleep count: 2645 > 30
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 6504 -- Thread sleep count: 7219 > 30
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 3192 -- Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe -- Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe -- Last function: Thread delayed
Source: C:\Users\user\Desktop\cclent.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe -- Thread delayed: delay time: 922337203685477
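The sleep rows above deserve a second look before being read as sandbox evasion. The delay 922337203685477 is floor((2^63 - 1) / 10^4): the largest relative NT timeout (100 ns units) scaled down by 10^4, so it is a wait with no practical deadline rather than a tuned sleep, and the per-thread total for TID 2620, 28592453314249787, is exactly 31 times that value, matching the count of 31 reported for the same thread, which is what a loop re-entering a blocking wait looks like. TID 6504, by contrast, has thousands of sleeps and no large total, the signature of a short polling loop. The Python below is an added example, not code from the report or from Quasar; it parses rows in the shape of the report (constructed copies of the rows above, with a space inserted where the page fuses the TID and the event), groups them per thread and applies those two arithmetic checks. The classification labels are this example's own interpretation.

```python
import re
from collections import defaultdict

INT64_MAX = 2**63 - 1
MAXIMAL_WAIT = INT64_MAX // 10_000          # 922337203685477: the largest 100 ns timeout, scaled by 10^4

# Constructed rows in the shape of the report's per-thread sleep observations.
ROWS = [
    r"C:\Users\user\Desktop\cclent.exe TID: 4836 Thread sleep time: -922337203685477s >= -30000s",
    r"C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 2620 Thread sleep count: 31 > 30",
    r"C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 2620 Thread sleep time: -28592453314249787s >= -30000s",
    r"C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 6504 Thread sleep count: 2645 > 30",
    r"C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 6504 Thread sleep count: 7219 > 30",
    r"C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 3192 Thread sleep time: -922337203685477s >= -30000s",
]

_ROW = re.compile(r"^(?P<proc>.+?) TID: (?P<tid>\d+) Thread sleep (?P<kind>count|time): (?P<val>-?\d+)")


def parse_rows(rows):
    """Group sleep counts and (absolute) sleep totals by (process path, TID); keep the largest seen."""
    threads = defaultdict(dict)
    for row in rows:
        m = _ROW.match(row)
        if not m:
            continue
        key, kind, val = (m["proc"], int(m["tid"])), m["kind"], abs(int(m["val"]))
        threads[key][kind] = max(threads[key].get(kind, 0), val)
    return threads


def classify(obs: dict) -> str:
    """Label one thread: a repeated maximal wait, a polling loop of short sleeps, or a plain long sleep."""
    total, count = obs.get("time"), obs.get("count")
    if total is not None and total % MAXIMAL_WAIT == 0:
        n = total // MAXIMAL_WAIT
        note = "" if count in (None, n) else " (count %d does not match)" % count
        return "maximal-timeout wait x%d: blocking wait, not a calibrated sleep%s" % (n, note)
    if count is not None and total is None:
        return "many short sleeps x%d: polling loop" % count
    if total is not None:
        return "long sleep, total %d" % total
    return "unclassified"


def triage(rows) -> dict:
    """Map 'image#tid' to its classification for every thread in the rows."""
    return {"%s#%d" % (proc.rsplit("\\", 1)[-1], tid): classify(obs)
            for (proc, tid), obs in parse_rows(rows).items()}


if __name__ == "__main__":
    for thread, verdict in triage(ROWS).items():
        print("%-18s %s" % (thread, verdict))
```

A thread parked on a maximal wait still matters, since it is usually the connection loop that keeps the client alive between C2 contacts, but it is not what the "long sleeps" and "evasive loops" signatures are designed to catch, and treating it as one can inflate a score without saying anything about anti-analysis behaviour.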
Source: Client.exe, 00000004.00000002.3425375617.000000001B340000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllx
Source: C:\Users\user\Desktop\cclent.exe -- Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe -- Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe -- Process token adjusted: Debug
Source: C:\Users\user\Desktop\cclent.exe -- Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\cclent.exe -- Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "vchost32" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Source: C:\Users\user\Desktop\cclent.exe -- Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe -- Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "vchost32" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Source: C:\Users\user\Desktop\cclent.exe -- Queries volume information: C:\Users\user\Desktop\cclent.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe -- Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe -- Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation
Source: C:\Users\user\Desktop\cclent.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: cclent.exe, type: SAMPLE
Source: Yara match | File source: 0.0.cclent.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2150804372.00000000006F0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3417932787.0000000002849000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2150325950.00000000003D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: cclent.exe PID: 3536, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Client.exe PID: 2356, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: cclent.exe, type: SAMPLE
Source: Yara match | File source: 0.0.cclent.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2150804372.00000000006F0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3417932787.0000000002849000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2150325950.00000000003D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: cclent.exe PID: 3536, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Client.exe PID: 2356, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED
MITRE ATT&CK Matrix (one line per tactic; a number in parentheses is the count of matched signatures for that technique, techniques without a number were not observed)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
Execution: Command and Scripting Interpreter (2), Scheduled Task/Job (1), At, Cron, Launchd, Scheduled Task, Systemd Timers
Persistence: Scheduled Task/Job (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
Privilege Escalation: Process Injection (11), Scheduled Task/Job (1), DLL Side-Loading (1), Login Hook, Network Logon Script, RC Scripts, Startup Items
Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (31), Process Injection (11), Hidden Files and Directories (1), Obfuscated Files or Information (1), DLL Side-Loading (1)
Credential Access: Input Capture (11), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
Discovery: Security Software Discovery (11), Virtualization/Sandbox Evasion (31), Application Window Discovery (1), File and Directory Discovery (1), System Information Discovery (12), Wi-Fi Discovery, Remote System Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
Collection: Input Capture (11), Archive Collected Data (1), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
Command and Control: Encrypted Channel (1), Non-Standard Port (1), Application Layer Protocol (1), Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery
Behavior Graph (ID: 1574494, Sample: cclent.exe, Startdate: 13/12/2024, Architecture: WINDOWS, Score: 100)

• Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 6 other signatures
• Start -> cclent.exe (started) and Client.exe (started)
• cclent.exe -> dropped C:\Users\user\AppData\Roaming\...\Client.exe (PE32) and C:\Users\user\AppData\...\cclent.exe.log (CSV); signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Hides that the sample has been downloaded from the Internet (zone.identifier); started Client.exe and schtasks.exe
• Client.exe (started by cclent.exe) -> network: 91.92.243.191, ports 49715, 49772, 49851, THEZONEBG, Bulgaria; signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 2 other signatures; started schtasks.exe
• schtasks.exe (from cclent.exe) -> conhost.exe (started)
• schtasks.exe (from Client.exe) -> conhost.exe (started)

Source | Detection | Scanner | Label
cclent.exe | 79% | ReversingLabs | ByteCode-MSIL.Trojan.Perseus
cclent.exe | 100% | Avira | HEUR/AGEN.1307453
cclent.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\SubDir\Client.exe | 100% | Avira | HEUR/AGEN.1307453
C:\Users\user\AppData\Roaming\SubDir\Client.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\SubDir\Client.exe | 79% | ReversingLabs | ByteCode-MSIL.Trojan.Perseus

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
91.92.243.191 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ax-0001.ax-msedge.net | 150.171.28.10 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
91.92.243.191 | true | Avira URL Cloud: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | cclent.exe, Client.exe.0.dr | false | | high
https://stackoverflow.com/q/14436606/23354 | cclent.exe, Client.exe.0.dr | false | | high
https://stackoverflow.com/q/2152978/23354sCannot | cclent.exe, Client.exe.0.dr | false | | high
https://ipwho.is/ | cclent.exe, Client.exe.0.dr | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | cclent.exe, 00000000.00000002.2178033865.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000004.00000002.3417932787.0000000002849000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/11564914/23354; | cclent.exe, Client.exe.0.dr | false | | high

IP | Domain | Country | ASN | ASN Name | Malicious
91.92.243.191 | unknown | Bulgaria | 34368 | THEZONEBG | true
                                      Joe Sandbox version:41.0.0 Charoite
                                      Analysis ID:1574494
                                      Start date and time:2024-12-13 11:29:13 +01:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 5m 47s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                      Number of analysed new started processes analysed:24
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:cclent.exe
                                      Detection:MAL
                                      Classification:mal100.troj.spyw.evad.winEXE@10/3@0/1
                                      EGA Information:
                                      • Successful, ratio: 66.7%
                                      HCA Information:
                                      • Successful, ratio: 99%
                                      • Number of executed functions: 26
                                      • Number of non-executed functions: 3
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
                                      • Excluded IPs from analysis (whitelisted): 20.231.128.67, 20.103.156.88, 13.107.246.63, 4.175.87.197, 150.171.28.10, 20.31.169.57
                                      • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, ctldl.windowsupdate.com, tse1.mm.bing.net, g.bing.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com
                                      • Execution Graph export aborted for target Client.exe, PID 1132 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                                      • VT rate limit hit for: cclent.exe
Time | Type | Description
05:30:13 | API Interceptor | 2336992x Sleep call for process: Client.exe modified
11:30:11 | Task Scheduler | Run new task: vchost32 path: C:\Users\user\AppData\Roaming\SubDir\Client.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
91.92.243.191 | Ab4LNokSK4.exe | malicious | AsyncRAT, VenomRAT |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
ax-0001.ax-msedge.net | RuntimeBroker.exe | malicious | XenoRAT | 150.171.27.10
ax-0001.ax-msedge.net | file.exe | malicious | Unknown | 150.171.27.10
ax-0001.ax-msedge.net | Ni2ghr9eUJ.exe | malicious | Socks5Systemz | 150.171.27.10
ax-0001.ax-msedge.net | file.exe | malicious | Credential Flusher | 150.171.28.10
ax-0001.ax-msedge.net | file.exe | malicious | Credential Flusher | 150.171.27.10
ax-0001.ax-msedge.net | file.exe | malicious | Credential Flusher | 150.171.27.10
ax-0001.ax-msedge.net | QyzM5yhuwd.exe | malicious | MedusaLocker | 150.171.27.10
ax-0001.ax-msedge.net | file.exe | malicious | Unknown | 150.171.28.10
ax-0001.ax-msedge.net | 6C2Oryo96G.exe | malicious | Unknown | 150.171.27.10
ax-0001.ax-msedge.net | win.exe | malicious | Lynx | 150.171.28.10

Match | Associated Sample Name / URL | Detection | Threat Name | Context
THEZONEBG | cobaltstrike.dll | malicious | CobaltStrike | 91.92.250.70
THEZONEBG | sample.bin | malicious | Okiru | 91.92.246.113
THEZONEBG | mirai.mpsl.elf | malicious | Mirai | 85.217.215.190
THEZONEBG | SecuriteInfo.com.Win32.BotX-gen.7614.10551.exe | malicious | Unknown | 91.92.242.236
THEZONEBG | Scan_Revised-SOP_MCA_pdf.js | malicious | WSHRAT | 91.92.243.39
THEZONEBG | na.elf | malicious | Mirai, Moobot | 85.217.208.78
THEZONEBG | m7DmyQOKD7.exe | malicious | RHADAMANTHYS | 91.92.255.109
THEZONEBG | mipsel.nn.elf | malicious | Okiru | 91.92.246.113
THEZONEBG | arm7.nn.elf | malicious | Mirai, Okiru | 91.92.246.113
THEZONEBG | x86_32.nn.elf | malicious | Okiru | 91.92.246.113
                                        No context
                                        No context
                                        Process:C:\Users\user\AppData\Roaming\SubDir\Client.exe
                                        File Type:CSV text
                                        Category:dropped
                                        Size (bytes):1281
                                        Entropy (8bit):5.370111951859942
                                        Encrypted:false
                                        SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                                        MD5:12C61586CD59AA6F2A21DF30501F71BD
                                        SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                                        SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                                        SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                                        Malicious:false
                                        Reputation:high, very likely benign file
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                        Process:C:\Users\user\Desktop\cclent.exe
                                        File Type:CSV text
                                        Category:dropped
                                        Size (bytes):1281
                                        Entropy (8bit):5.370111951859942
                                        Encrypted:false
                                        SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                                        MD5:12C61586CD59AA6F2A21DF30501F71BD
                                        SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                                        SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                                        SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                                        Malicious:true
                                        Reputation:high, very likely benign file
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                        Process:C:\Users\user\Desktop\cclent.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):3265536
                                        Entropy (8bit):6.084119151334142
                                        Encrypted:false
                                        SSDEEP:49152:ivht62XlaSFNWPjljiFa2RoUYIo7RJ6SbR3LoGd+vTHHB72eh2NT:ivL62XlaSFNWPjljiFXRoUYIo7RJ6M
                                        MD5:94222631EF1071A4F7CEB180CF8A4A5A
                                        SHA1:786D8B2D8B931A9282EE54367D2DDA501F1CA946
                                        SHA-256:A45B373B780F5B9FCF5C51473C69BBF0ED650F300523097602B35F5222BD122B
                                        SHA-512:00503983A35E8D0F65EEA6A811D7177A389CB1B4D8716D32E50FD5346DEB428CD472CBACA7375C56AC3F113EA76DB55322993B4D68D816B50A4B27887A2FA14D
                                        Malicious:true
                                        Yara Hits:
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Joe Security
                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Joe Security
                                        • Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Florian Roth
• Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifacts observed in infostealers, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: ditekSHen
                                        • Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: ditekshen
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 79%
                                        Reputation:low
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..................1...........1.. ........@.. .......................@2...........@...................................1.K.....2...................... 2...................................................... ............... ..H............text.....1.. ....1................. ..`.rsrc.........2.......1.............@..@.reloc....... 2.......1.............@..B..................1.....H...........p............k..p............................................0..M....... ....(.....(...........s....(....(...........s....o....(.....(....s....(....*....0..8.......(....(0....s....%.o....%.o....%.o....(....&..&...(.....*........--..........00.......0..@........o....,7(....(0....s....%.o....%.o....%.o....(....&..&...(.....*........-5..........08......f~w...,.~....(....(....*.*v.(.....s....}.....s....}....*r..(......(.....(......(....*....0..L........{....r...po....
                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):6.084119151334142
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                        • Win32 Executable (generic) a (10002005/4) 49.75%
                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                        • Windows Screen Saver (13104/52) 0.07%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        File name:cclent.exe
                                        File size:3'265'536 bytes
                                        MD5:94222631ef1071a4f7ceb180cf8a4a5a
                                        SHA1:786d8b2d8b931a9282ee54367d2dda501f1ca946
                                        SHA256:a45b373b780f5b9fcf5c51473c69bbf0ed650f300523097602b35f5222bd122b
                                        SHA512:00503983a35e8d0f65eea6a811d7177a389cb1b4d8716d32e50fd5346deb428cd472cbaca7375c56ac3f113ea76db55322993b4d68d816b50a4b27887a2fa14d
                                        SSDEEP:49152:ivht62XlaSFNWPjljiFa2RoUYIo7RJ6SbR3LoGd+vTHHB72eh2NT:ivL62XlaSFNWPjljiFXRoUYIo7RJ6M
                                        TLSH:54E56B143BF85E27E1BBE277E5B0041267F0FC1AB363EB0B6581677A1C53B5098426A7
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..................1...........1.. ........@.. .......................@2...........@................................
                                        Icon Hash:00928e8e8686b000
                                        Entrypoint:0x71e3ce
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                        Time Stamp:0x640DFAE7 [Sun Mar 12 16:16:39 2023 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]

The entry point is the standard stub of a managed executable: a single indirect jump through the IAT slot at RVA 0x2000 (preferred image base 0x400000; the process table below shows the image relocated to 0x3d0000 at run time), which the loader fills with the address of mscoree.dll!_CorExeMain, the file's only import. The disassembler continues past the stub into zero padding and decodes the 00 00 byte pairs as a long run of "add byte ptr [eax], al"; those lines are not code and are omitted here. The absolute address in this jmp is the single fixup carried by the 0xc-byte .reloc section.
Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x31e380         0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x320000         0xa93         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x322000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

The populated COM_DESCRIPTOR entry is the CLR header, which identifies the file as a .NET assembly. The empty SECURITY entry means the file carries no Authenticode signature, and the empty DEBUG entry means there is no PDB path to pivot on. The IAT holds a single slot plus its null terminator (8 bytes), matching the one import listed below.
Sections

Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity  File Type  Entropy              Characteristics
.text   0x2000           0x31c3d4      0x31c400  2f2903a646573f48eeee7ce19f67ad5f  unknown   unknown          unknown    unknown              IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x320000         0xa93         0xc00     cdeae95ac72e9e58017d2bcc89d2fbea  False     0.36328125       data       4.653972105845318    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x322000         0xc           0x200     105af7051e42b4961b4839afab5834f8  False     0.044921875      data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

The three raw sections (0x31c400 + 0xc00 + 0x200 = 0x31d200 bytes) plus 0x200 bytes of headers sum to 0x31d400 = 3'265'536 bytes, the reported file size, so nothing is appended to the file as an overlay. Entropy and compressibility were not computed for .text (shown as unknown); practically the whole file is that one section.
Resources

Name         RVA       Size   Type                                                   Language  Country  ZLIB Complexity
RT_VERSION   0x3200a0  0x31c  data                                                                      0.4484924623115578
RT_MANIFEST  0x3203bc  0x6d7  XML 1.0 document, Unicode text, UTF-8 (with BOM) text                     0.40319817247287265
Imports

DLL          Import
mscoree.dll  _CorExeMain
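The data directory, section and import tables above are enough to classify the file without running it. The script below is an added example (not part of this report and not Quasar's or Joe Sandbox's code) of reading those structures from raw bytes: it walks the PE32/PE32+ headers, maps every populated directory to the section that contains it, flags a managed executable by a non-empty COM descriptor directory, and checks for an appended overlay from the section raw sizes. build_sample_pe() constructs a header-only stub from the values in the tables above; its raw-data pointers, Machine value and file characteristics are assumptions, because the report does not list them.

```python
"""Minimal PE header reader: data directories, sections, managed-code check.
Added example; the stub built by build_sample_pe() is constructed from the
report's tables and is not the real cclent.exe."""
import struct

DIRECTORY_NAMES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
    "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
    "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]


def parse_pe(data: bytes) -> dict:
    """Parse DOS/NT headers; return machine, magic, data directories and sections."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4
    machine, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, file_hdr)
    opt = file_hdr + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:          # PE32: NumberOfRvaAndSizes at +92, directories at +96
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:        # PE32+: the 64-bit ImageBase shifts them by 16 bytes
        count_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_dirs = min(struct.unpack_from("<I", data, count_off)[0], len(DIRECTORY_NAMES))
    dirs = {}
    for i in range(n_dirs):
        dirs[DIRECTORY_NAMES[i]] = struct.unpack_from("<II", data, dirs_off + 8 * i)
    sections = []
    sect_off = opt + opt_size   # the section table follows the optional header
    for i in range(n_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sect_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr})
    return {"machine": machine, "magic": magic, "dirs": dirs, "sections": sections}


def section_for_rva(pe: dict, rva: int):
    """Name of the section whose virtual range contains rva, else None."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["name"]
    return None


def is_managed(pe: dict) -> bool:
    """A non-empty COM descriptor (CLR header) marks a .NET image."""
    rva, size = pe["dirs"].get("COM_DESCRIPTOR", (0, 0))
    return rva != 0 and size != 0


def directory_report(pe: dict) -> list:
    """(name, rva, size, section) for every populated directory."""
    return [(name, rva, size, section_for_rva(pe, rva))
            for name, (rva, size) in pe["dirs"].items() if rva or size]


def overlay_size(pe: dict, file_size: int) -> int:
    """Bytes past the last section's raw data; > 0 means an appended payload."""
    end = max(s["raw_ptr"] + s["raw_size"] for s in pe["sections"])
    return max(file_size - end, 0)


def build_sample_pe() -> bytes:
    """Constructed PE32 header with the directory and section values from the report.
    Raw-data pointers (0x200-aligned, contiguous), Machine=0x14C and the file
    characteristics are assumptions; the report does not list them."""
    dirs = [(0, 0)] * 16
    dirs[1] = (0x31E380, 0x4B)     # IMPORT
    dirs[2] = (0x320000, 0xA93)    # RESOURCE
    dirs[5] = (0x322000, 0xC)      # BASERELOC
    dirs[12] = (0x2000, 0x8)       # IAT
    dirs[14] = (0x2008, 0x48)      # COM_DESCRIPTOR
    sections = [                   # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        (b".text", 0x31C3D4, 0x2000, 0x31C400, 0x200),
        (b".rsrc", 0xA93, 0x320000, 0xC00, 0x31C600),
        (b".reloc", 0xC, 0x322000, 0x200, 0x31D200),
    ]
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    sect = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, 0)
                    for n, vs, va, rs, rp in sections)
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    return dos + b"PE\0\0" + file_hdr + opt + sect


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print("managed:", is_managed(pe))
    for row in directory_report(pe):
        print("%-16s rva=%#08x size=%#06x section=%s" % row)
```

On a real sample, pass open(path, "rb").read() to parse_pe() and the file length to overlay_size(). A PE32 magic together with a populated CLR header does not by itself mean a 32-bit process: an AnyCPU assembly is still loaded by the 64-bit runtime on a 64-bit host, which is consistent with the report listing the sample as not a Wow64 process while its JIT-compiled code sits at 0x7ffd... addresses.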
TCP Packets

Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Dec 13, 2024 11:30:12.852539062 CET  49715        5401       192.168.2.6    91.92.243.191
Dec 13, 2024 11:30:12.973243952 CET  5401         49715      91.92.243.191  192.168.2.6
Dec 13, 2024 11:30:12.973413944 CET  49715        5401       192.168.2.6    91.92.243.191
Dec 13, 2024 11:30:13.037790060 CET  49715        5401       192.168.2.6    91.92.243.191
Dec 13, 2024 11:30:13.157917023 CET  5401         49715      91.92.243.191  192.168.2.6
Dec 13, 2024 11:30:34.894588947 CET  5401         49715      91.92.243.191  192.168.2.6
Dec 13, 2024 11:30:34.894709110 CET  49715        5401       192.168.2.6    91.92.243.191
Dec 13, 2024 11:30:34.908318996 CET  49715        5401       192.168.2.6    91.92.243.191
Dec 13, 2024 11:30:35.030070066 CET  5401         49715      91.92.243.191  192.168.2.6
Dec 13, 2024 11:30:38.435017109 CET  49772        5401       192.168.2.6    91.92.243.191
Dec 13, 2024 11:30:38.554991961 CET  5401         49772      91.92.243.191  192.168.2.6
Dec 13, 2024 11:30:38.555248022 CET  49772        5401       192.168.2.6    91.92.243.191
Dec 13, 2024 11:30:38.555743933 CET  49772        5401       192.168.2.6    91.92.243.191
Dec 13, 2024 11:30:38.677737951 CET  5401         49772      91.92.243.191  192.168.2.6
Dec 13, 2024 11:31:00.504394054 CET  5401         49772      91.92.243.191  192.168.2.6
Dec 13, 2024 11:31:00.504681110 CET  49772        5401       192.168.2.6    91.92.243.191
Dec 13, 2024 11:31:00.505053043 CET  49772        5401       192.168.2.6    91.92.243.191
Dec 13, 2024 11:31:00.625380039 CET  5401         49772      91.92.243.191  192.168.2.6
Dec 13, 2024 11:31:04.215924978 CET  49851        5401       192.168.2.6    91.92.243.191
Dec 13, 2024 11:31:04.335792065 CET  5401         49851      91.92.243.191  192.168.2.6
Dec 13, 2024 11:31:04.336070061 CET  49851        5401       192.168.2.6    91.92.243.191
Dec 13, 2024 11:31:04.336429119 CET  49851        5401       192.168.2.6    91.92.243.191
Dec 13, 2024 11:31:04.456717968 CET  5401         49851      91.92.243.191  192.168.2.6
Dec 13, 2024 11:31:26.254338980 CET  5401         49851      91.92.243.191  192.168.2.6
Dec 13, 2024 11:31:26.254439116 CET  49851        5401       192.168.2.6    91.92.243.191
Dec 13, 2024 11:31:26.254852057 CET  49851        5401       192.168.2.6    91.92.243.191
Dec 13, 2024 11:31:26.374617100 CET  5401         49851      91.92.243.191  192.168.2.6
Dec 13, 2024 11:31:29.716856956 CET  49912        5401       192.168.2.6    91.92.243.191
Dec 13, 2024 11:31:29.836759090 CET  5401         49912      91.92.243.191  192.168.2.6
Dec 13, 2024 11:31:29.836889982 CET  49912        5401       192.168.2.6    91.92.243.191
Dec 13, 2024 11:31:29.837480068 CET  49912        5401       192.168.2.6    91.92.243.191
Dec 13, 2024 11:31:29.957207918 CET  5401         49912      91.92.243.191  192.168.2.6
Dec 13, 2024 11:31:51.754668951 CET  5401         49912      91.92.243.191  192.168.2.6
Dec 13, 2024 11:31:51.754748106 CET  49912        5401       192.168.2.6    91.92.243.191
Dec 13, 2024 11:31:51.755400896 CET  49912        5401       192.168.2.6    91.92.243.191
Dec 13, 2024 11:31:51.875256062 CET  5401         49912      91.92.243.191  192.168.2.6
Dec 13, 2024 11:31:55.435362101 CET  49973        5401       192.168.2.6    91.92.243.191
Dec 13, 2024 11:31:55.555465937 CET  5401         49973      91.92.243.191  192.168.2.6
Dec 13, 2024 11:31:55.555577040 CET  49973        5401       192.168.2.6    91.92.243.191
Dec 13, 2024 11:31:55.556241989 CET  49973        5401       192.168.2.6    91.92.243.191
Dec 13, 2024 11:31:55.676065922 CET  5401         49973      91.92.243.191  192.168.2.6
Dec 13, 2024 11:32:17.458661079 CET  5401         49973      91.92.243.191  192.168.2.6
Dec 13, 2024 11:32:17.458736897 CET  49973        5401       192.168.2.6    91.92.243.191
Dec 13, 2024 11:32:17.459163904 CET  49973        5401       192.168.2.6    91.92.243.191
Dec 13, 2024 11:32:17.578943968 CET  5401         49973      91.92.243.191  192.168.2.6
Dec 13, 2024 11:32:20.903249025 CET  50013        5401       192.168.2.6    91.92.243.191
Dec 13, 2024 11:32:21.026052952 CET  5401         50013      91.92.243.191  192.168.2.6
Dec 13, 2024 11:32:21.026144028 CET  50013        5401       192.168.2.6    91.92.243.191
Dec 13, 2024 11:32:21.026465893 CET  50013        5401       192.168.2.6    91.92.243.191
Dec 13, 2024 11:32:21.146471024 CET  5401         50013      91.92.243.191  192.168.2.6

All traffic goes to one peer, 91.92.243.191 on TCP port 5401, which is not a registered service port. The capture holds six connections, each from a fresh ephemeral client port (49715, 49772, 49851, 49912, 49973, 50013): a handshake and one short exchange, a final exchange about 22 seconds later, and a new connection roughly 25.5 seconds after the previous one started. The sixth connection is cut off by the end of the capture. Both the fixed endpoint and the reconnect cadence are usable network indicators.
DNS Answers

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                              CName                  Address        Type                    Class        DNS over HTTPS
Dec 13, 2024 11:31:19.840467930 CET  1.1.1.1    192.168.2.6  0xffd6    No error (0)  g-bing-com.ax-0001.ax-msedge.net  ax-0001.ax-msedge.net                 CNAME (Canonical name)  IN (0x0001)  false
Dec 13, 2024 11:31:19.840467930 CET  1.1.1.1    192.168.2.6  0xffd6    No error (0)  ax-0001.ax-msedge.net                                    150.171.28.10  A (IP address)          IN (0x0001)  false
Dec 13, 2024 11:31:19.840467930 CET  1.1.1.1    192.168.2.6  0xffd6    No error (0)  ax-0001.ax-msedge.net                                    150.171.27.10  A (IP address)          IN (0x0001)  false

The only DNS answer recorded resolves Microsoft Edge/Bing infrastructure and arrives more than a minute after the first connection to 91.92.243.191, so no lookup precedes the command-and-control traffic: the server is addressed by IP literal, and DNS-based blocking or logging will not see it.
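The reconnect pattern in the TCP table is the kind of signal a beacon-detection rule thresholds on. The script below is an added example (not part of the report): it parses packet rows in the report's column layout, folds both directions of each flow into one connection, and reports the start-to-start gaps, their jitter, and each connection's lifetime. SAMPLE is copied from the table above; the only assumption is that the 192.168.0.0/16 side of every row is the local client, which holds for this sandbox network.

```python
"""Reconnect cadence from the report's TCP packet table.  Added example, not part
of the report; SAMPLE is the table above, and the 192.168.0.0/16 side of a row is
assumed to be the local client when grouping packets into connections."""
import re
import statistics
from datetime import datetime

SAMPLE = """\
Dec 13, 2024 11:30:12.852539062 CET  49715  5401   192.168.2.6    91.92.243.191
Dec 13, 2024 11:30:12.973243952 CET  5401   49715  91.92.243.191  192.168.2.6
Dec 13, 2024 11:30:12.973413944 CET  49715  5401   192.168.2.6    91.92.243.191
Dec 13, 2024 11:30:13.037790060 CET  49715  5401   192.168.2.6    91.92.243.191
Dec 13, 2024 11:30:13.157917023 CET  5401   49715  91.92.243.191  192.168.2.6
Dec 13, 2024 11:30:34.894588947 CET  5401   49715  91.92.243.191  192.168.2.6
Dec 13, 2024 11:30:34.894709110 CET  49715  5401   192.168.2.6    91.92.243.191
Dec 13, 2024 11:30:34.908318996 CET  49715  5401   192.168.2.6    91.92.243.191
Dec 13, 2024 11:30:35.030070066 CET  5401   49715  91.92.243.191  192.168.2.6
Dec 13, 2024 11:30:38.435017109 CET  49772  5401   192.168.2.6    91.92.243.191
Dec 13, 2024 11:30:38.554991961 CET  5401   49772  91.92.243.191  192.168.2.6
Dec 13, 2024 11:30:38.555248022 CET  49772  5401   192.168.2.6    91.92.243.191
Dec 13, 2024 11:30:38.555743933 CET  49772  5401   192.168.2.6    91.92.243.191
Dec 13, 2024 11:30:38.677737951 CET  5401   49772  91.92.243.191  192.168.2.6
Dec 13, 2024 11:31:00.504394054 CET  5401   49772  91.92.243.191  192.168.2.6
Dec 13, 2024 11:31:00.504681110 CET  49772  5401   192.168.2.6    91.92.243.191
Dec 13, 2024 11:31:00.505053043 CET  49772  5401   192.168.2.6    91.92.243.191
Dec 13, 2024 11:31:00.625380039 CET  5401   49772  91.92.243.191  192.168.2.6
Dec 13, 2024 11:31:04.215924978 CET  49851  5401   192.168.2.6    91.92.243.191
Dec 13, 2024 11:31:04.335792065 CET  5401   49851  91.92.243.191  192.168.2.6
Dec 13, 2024 11:31:04.336070061 CET  49851  5401   192.168.2.6    91.92.243.191
Dec 13, 2024 11:31:04.336429119 CET  49851  5401   192.168.2.6    91.92.243.191
Dec 13, 2024 11:31:04.456717968 CET  5401   49851  91.92.243.191  192.168.2.6
Dec 13, 2024 11:31:26.254338980 CET  5401   49851  91.92.243.191  192.168.2.6
Dec 13, 2024 11:31:26.254439116 CET  49851  5401   192.168.2.6    91.92.243.191
Dec 13, 2024 11:31:26.254852057 CET  49851  5401   192.168.2.6    91.92.243.191
Dec 13, 2024 11:31:26.374617100 CET  5401   49851  91.92.243.191  192.168.2.6
Dec 13, 2024 11:31:29.716856956 CET  49912  5401   192.168.2.6    91.92.243.191
Dec 13, 2024 11:31:29.836759090 CET  5401   49912  91.92.243.191  192.168.2.6
Dec 13, 2024 11:31:29.836889982 CET  49912  5401   192.168.2.6    91.92.243.191
Dec 13, 2024 11:31:29.837480068 CET  49912  5401   192.168.2.6    91.92.243.191
Dec 13, 2024 11:31:29.957207918 CET  5401   49912  91.92.243.191  192.168.2.6
Dec 13, 2024 11:31:51.754668951 CET  5401   49912  91.92.243.191  192.168.2.6
Dec 13, 2024 11:31:51.754748106 CET  49912  5401   192.168.2.6    91.92.243.191
Dec 13, 2024 11:31:51.755400896 CET  49912  5401   192.168.2.6    91.92.243.191
Dec 13, 2024 11:31:51.875256062 CET  5401   49912  91.92.243.191  192.168.2.6
Dec 13, 2024 11:31:55.435362101 CET  49973  5401   192.168.2.6    91.92.243.191
Dec 13, 2024 11:31:55.555465937 CET  5401   49973  91.92.243.191  192.168.2.6
Dec 13, 2024 11:31:55.555577040 CET  49973  5401   192.168.2.6    91.92.243.191
Dec 13, 2024 11:31:55.556241989 CET  49973  5401   192.168.2.6    91.92.243.191
Dec 13, 2024 11:31:55.676065922 CET  5401   49973  91.92.243.191  192.168.2.6
Dec 13, 2024 11:32:17.458661079 CET  5401   49973  91.92.243.191  192.168.2.6
Dec 13, 2024 11:32:17.458736897 CET  49973  5401   192.168.2.6    91.92.243.191
Dec 13, 2024 11:32:17.459163904 CET  49973  5401   192.168.2.6    91.92.243.191
Dec 13, 2024 11:32:17.578943968 CET  5401   49973  91.92.243.191  192.168.2.6
Dec 13, 2024 11:32:20.903249025 CET  50013  5401   192.168.2.6    91.92.243.191
Dec 13, 2024 11:32:21.026052952 CET  5401   50013  91.92.243.191  192.168.2.6
Dec 13, 2024 11:32:21.026144028 CET  50013  5401   192.168.2.6    91.92.243.191
Dec 13, 2024 11:32:21.026465893 CET  50013  5401   192.168.2.6    91.92.243.191
Dec 13, 2024 11:32:21.146471024 CET  5401   50013  91.92.243.191  192.168.2.6
"""

ROW = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d\.\d+) \w+\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)$")


def parse_rows(text: str) -> list:
    """Parse packet rows; strptime takes microseconds, so the 9-digit fraction is truncated."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue                  # header line or non-packet text
        ts, sport, dport, src, dst = m.groups()
        head, frac = ts.rsplit(".", 1)
        rows.append({"t": datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f"),
                     "sport": int(sport), "dport": int(dport), "src": src, "dst": dst})
    return rows


def group_connections(rows: list, local_prefix: str = "192.168.") -> list:
    """Fold both directions of a flow into one connection keyed by (client, server) endpoints."""
    conns = {}
    for r in rows:
        if r["src"].startswith(local_prefix):
            key = ((r["src"], r["sport"]), (r["dst"], r["dport"]))
        else:
            key = ((r["dst"], r["dport"]), (r["src"], r["sport"]))
        c = conns.setdefault(key, {"client": key[0], "server": key[1],
                                   "first": r["t"], "last": r["t"], "packets": 0})
        c["first"], c["last"] = min(c["first"], r["t"]), max(c["last"], r["t"])
        c["packets"] += 1
    return sorted(conns.values(), key=lambda c: c["first"])


def beacon_profile(conns: list) -> dict:
    """Start-to-start gaps, their spread, and per-connection lifetimes."""
    starts = [c["first"] for c in conns]
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    return {"connections": len(conns),
            "servers": sorted({c["server"] for c in conns}),
            "durations": [(c["last"] - c["first"]).total_seconds() for c in conns],
            "gaps": gaps,
            "median_gap": statistics.median(gaps) if gaps else None,
            "jitter": max(gaps) - min(gaps) if gaps else None}
```

For a longer capture, feed rows exported from the PCAP in the same column order; a median gap with jitter well under a second, to a single server on a fixed port, is the profile to alert on, and the per-connection lifetime (about 22 seconds here) separates this from a long-lived session.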


                                        Target ID:0
                                        Start time:05:30:07
                                        Start date:13/12/2024
                                        Path:C:\Users\user\Desktop\cclent.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Users\user\Desktop\cclent.exe"
                                        Imagebase:0x3d0000
                                        File size:3'265'536 bytes
                                        MD5 hash:94222631EF1071A4F7CEB180CF8A4A5A
                                        Has elevated privileges:true
                                        Has administrator privileges:true
Programmed in:.NET (managed code: the PE's sole import is mscoree.dll!_CorExeMain and it carries a COM descriptor directory)
                                        Yara matches:
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.2150804372.00000000006F0000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.2150325950.00000000003D2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:true

                                        Target ID:2
                                        Start time:05:30:09
                                        Start date:13/12/2024
                                        Path:C:\Windows\System32\schtasks.exe
                                        Wow64 process (32bit):false
                                        Commandline:"schtasks" /create /tn "vchost32" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                        Imagebase:0x7ff6ff160000
                                        File size:235'008 bytes
                                        MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:3
                                        Start time:05:30:09
                                        Start date:13/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:4
                                        Start time:05:30:09
                                        Start date:13/12/2024
                                        Path:C:\Users\user\AppData\Roaming\SubDir\Client.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Users\user\AppData\Roaming\SubDir\Client.exe"
                                        Imagebase:0x2e0000
                                        File size:3'265'536 bytes
                                        MD5 hash:94222631EF1071A4F7CEB180CF8A4A5A
                                        Has elevated privileges:true
                                        Has administrator privileges:true
Programmed in:.NET (managed code; same file as cclent.exe, identical MD5)
                                        Yara matches:
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000004.00000002.3417932787.0000000002849000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Joe Security
                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Joe Security
                                        • Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Florian Roth
                                        • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: ditekSHen
                                        • Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: ditekshen
                                        Antivirus matches:
                                        • Detection: 100%, Avira
                                        • Detection: 100%, Joe Sandbox ML
                                        • Detection: 79%, ReversingLabs
                                        Reputation:low
                                        Has exited:false

                                        Target ID:5
                                        Start time:05:30:10
                                        Start date:13/12/2024
                                        Path:C:\Windows\System32\schtasks.exe
                                        Wow64 process (32bit):false
                                        Commandline:"schtasks" /create /tn "vchost32" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                        Imagebase:0x7ff6ff160000
                                        File size:235'008 bytes
                                        MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:6
                                        Start time:05:30:10
                                        Start date:13/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:7
                                        Start time:05:30:11
                                        Start date:13/12/2024
                                        Path:C:\Users\user\AppData\Roaming\SubDir\Client.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Users\user\AppData\Roaming\SubDir\Client.exe
                                        Imagebase:0x8a0000
                                        File size:3'265'536 bytes
                                        MD5 hash:94222631EF1071A4F7CEB180CF8A4A5A
                                        Has elevated privileges:true
                                        Has administrator privileges:true
Programmed in:.NET (managed code; same file as cclent.exe, identical MD5)
                                        Reputation:low
                                        Has exited:true
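The two schtasks.exe invocations above (Target IDs 2 and 5) register the task "vchost32" with an ONLOGON trigger, /rl HIGHEST, and a program path under the user's AppData\Roaming directory. On a live host those three traits sit in the Task Scheduler XML store and can be hunted without running anything. The script below is an added example (not part of the report and not Quasar's code): it parses task definitions in the Task Scheduler XML schema, scores them on those traits, and walks the on-disk task store. SAMPLE_TASK and BENIGN_TASK are constructed definitions; the first mirrors the command line above, the second is a vendor-updater lookalike that should not be flagged.

```python
"""Hunt for Task Scheduler persistence matching the report: logon trigger,
RunLevel HighestAvailable, action under a user profile path.  Added example,
not part of the report; both task definitions below are constructed."""
import os
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\(AppData|Desktop|Documents|Downloads)\\", re.I)

# Constructed: what "schtasks /create /sc ONLOGON /rl HIGHEST /tr ...Client.exe" produces, reduced to the relevant elements.
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\Users\user\AppData\Roaming\SubDir\Client.exe</Command></Exec></Actions>
</Task>"""

# Constructed benign lookalike: logon trigger, but least privilege and a Program Files path.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\Program Files\Vendor\updater.exe</Command><Arguments>/quiet</Arguments></Exec></Actions>
</Task>"""


def analyse_task(xml_doc) -> dict:
    """Pull trigger types, run level and Exec actions out of one task definition (str or bytes)."""
    root = ET.fromstring(xml_doc)
    trig = root.find("t:Triggers", NS)
    triggers = [] if trig is None else [child.tag.split("}")[-1] for child in trig]
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel", default="LeastPrivilege", namespaces=NS)
    commands = [(e.findtext("t:Command", default="", namespaces=NS).strip('"'),
                 e.findtext("t:Arguments", default="", namespaces=NS))
                for e in root.findall("t:Actions/t:Exec", NS)]
    return {"triggers": triggers, "run_level": run_level, "commands": commands}


def suspicious_reasons(info: dict) -> list:
    """One reason per matched trait; the report's task matches all three."""
    reasons = []
    if {"LogonTrigger", "BootTrigger"} & set(info["triggers"]):
        reasons.append("starts at logon or boot")
    if info["run_level"] == "HighestAvailable":
        reasons.append("asks for the highest available privileges")
    for cmd, _ in info["commands"]:
        if USER_WRITABLE.match(cmd):
            reasons.append(f"runs from a user-writable path: {cmd}")
    return reasons


def hunt(task_dir: str = r"C:\Windows\System32\Tasks", min_reasons: int = 2) -> dict:
    """Walk the on-disk task store and return {path: reasons} for every task scoring min_reasons or more."""
    hits = {}
    for dirpath, _, files in os.walk(task_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:    # bytes: the parser honours the file's own UTF-16 declaration
                    reasons = suspicious_reasons(analyse_task(fh.read()))
            except (OSError, ET.ParseError):
                continue
            if len(reasons) >= min_reasons:
                hits[path] = reasons
    return hits
```

Run hunt() from an elevated prompt, since the task store is not readable by standard users. The live-detection counterpart is the schtasks.exe process creation itself (Sysmon event 1 or Security event 4688 with "/sc ONLOGON" and "/rl HIGHEST" in the command line) and Security event 4698 for the task registration; the file the task points at should be hashed and compared with the sample's MD5 94222631ef1071a4f7ceb180cf8a4a5a.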


                                          Execution Graph

                                          Execution Coverage:17.1%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:13
                                          Total number of Limit Nodes:0
execution_graph (rendered as text; each node is a code address, API calls in parentheses):

7ffd34813811 -> 7ffd3481382f -> 7ffd348138c4 -> 7ffd34813540 -> 7ffd34813551 (DeleteFileW) -> 7ffd34813616 -> 7ffd348138d1
7ffd34813525 -> 7ffd34813531 (DeleteFileW) -> 7ffd34813616
7ffd34813569 -> 7ffd34813571 (DeleteFileW) -> 7ffd34813616

Three entry offsets (7ffd34813525, 7ffd34813540, 7ffd34813569) lead into the same DeleteFileW wrapper and return through the common block at 7ffd34813616; the first path is the one actually reached from 7ffd348138c4.

                                          Control-flow Graph

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2181950130.00007FFD34810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34810000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ffd34810000_cclent.jbxd
                                          Similarity
                                          • API ID: DeleteFile
                                          • String ID:
                                          • API String ID: 4033686569-0
                                          • Opcode ID: 193b8c4ea21b05630d81dafc8978d81274ff7c1a2b56f7a74a684ff0e7150cab
                                          • Instruction ID: a4db7c63f804256eec9e615ce84cf683e9c8b9ac3f97e1c5549386e3be841685
                                          • Opcode Fuzzy Hash: 193b8c4ea21b05630d81dafc8978d81274ff7c1a2b56f7a74a684ff0e7150cab
                                          • Instruction Fuzzy Hash: C841277190DB8C9FDB19DB6888596E97FF0EF56310F0482AFD04AD7192CA28A809C781

                                          Control-flow Graph

control_flow_graph (rendered as text; the executed/not-executed colouring of the original is not preserved):

7ffd34813569-7ffd348135d8 -> 7ffd348135e2-7ffd34813614 (DeleteFileW)
7ffd34813569-7ffd348135d8 -> 7ffd348135da-7ffd348135df -> 7ffd348135e2-7ffd34813614 (DeleteFileW)
7ffd348135e2-7ffd34813614 (DeleteFileW) -> 7ffd34813616 -> 7ffd3481361c-7ffd3481364a
7ffd348135e2-7ffd34813614 (DeleteFileW) -> 7ffd3481361c-7ffd3481364a
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2181950130.00007FFD34810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34810000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ffd34810000_cclent.jbxd
                                          Similarity
                                          • API ID: DeleteFile
                                          • String ID:
                                          • API String ID: 4033686569-0
                                          • Opcode ID: b51c98a455ed8bb562b672c0fc40fc8de62e1bb9e48dbbb73ef6489256de3930
                                          • Instruction ID: a704fa8efd88466ecd44217d745835f21468d5cc975521743c9c5b4bf7f51746
                                          • Opcode Fuzzy Hash: b51c98a455ed8bb562b672c0fc40fc8de62e1bb9e48dbbb73ef6489256de3930
                                          • Instruction Fuzzy Hash: F431CF7190CA5C8FDB19DBA888596E9BBF0FF66311F04426BD049D3292CB74A855CB81

                                          Execution Graph

                                          Execution Coverage:10.9%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:6
                                          Total number of Limit Nodes:0
execution_graph (rendered as text; API calls in parentheses):

7ffd34a7e773 -> 7ffd34a7e784 (SetWindowsHookExW) -> 7ffd34a7e7c6
7ffd34803569 -> 7ffd34803571 (DeleteFileW) -> 7ffd34803616

SetWindowsHookExW is the API that installs a system-wide (global) hook; in the dropped Client.exe (Target ID 4) this is the keyboard-hook installation of the kind used for keylogging.

                                          Control-flow Graph

[Control-flow graph of the function at 7ffd34a79ac4 (basic blocks between 7ffd34a79a9c and 7ffd34a7a563), with calls to 7ffd34a752a0, 7ffd34a77520 and 7ffd34a73f90. The block-level edges and the executed/not-executed colouring of the original rendering are not reproduced here.]
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3431360540.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffd34a70000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: HAo4$HAo4$HAo4$HAo4$HAo4$HAo4
                                          • API String ID: 0-875613142
                                          • Opcode ID: 635f2119961dc8aa22048585a5f4a4b22dadb2e47809b2004a38dc3b15cdc729
                                          • Instruction ID: 481adc1a1b9d2b99a54606677408a86102304bfad759a47d352d8df35cf9a3ae
                                          • Opcode Fuzzy Hash: 635f2119961dc8aa22048585a5f4a4b22dadb2e47809b2004a38dc3b15cdc729
                                          • Instruction Fuzzy Hash: EC52063171C9094FEBA8EB6C98A5A753BD1FF99308F1440BAD54EC72A3DD29EC428741

                                          Control-flow Graph

[Control-flow graph of the function at 7ffd34a754b6 (basic blocks between 7ffd34a754ae and at least 7ffd34a769ae; the dump is cut off in the source), with calls to 7ffd34a73f90, 7ffd34a73e20, 7ffd34a751d0, 7ffd34a73830 and 7ffd34a752a0. The block-level edges and the executed/not-executed colouring of the original rendering are not reproduced here.]
7ffd34a75a6b-7ffd34a75a74 391->409 410 7ffd34a7601f-7ffd34a76027 392->410 411 7ffd34a7608c-7ffd34a7609e 392->411 403 7ffd34a7598b-7ffd34a759b0 call 7ffd34a752a0 393->403 404 7ffd34a75966-7ffd34a75989 393->404 394->393 395->380 403->377 404->403 423 7ffd34a75831-7ffd34a7585e 406->423 424 7ffd34a757ab-7ffd34a757c3 406->424 407->406 432 7ffd34a75bb2-7ffd34a75bdf 408->432 433 7ffd34a75abc-7ffd34a75ae5 408->433 416 7ffd34a75a98-7ffd34a75a99 409->416 417 7ffd34a75a76-7ffd34a75a86 409->417 410->411 419 7ffd34a76029-7ffd34a76056 410->419 435 7ffd34a760a0-7ffd34a760aa 411->435 436 7ffd34a76115-7ffd34a76120 411->436 416->408 417->416 419->411 440 7ffd34a76058-7ffd34a76061 419->440 443 7ffd34a75894-7ffd34a7589e 423->443 444 7ffd34a75860-7ffd34a75869 423->444 429 7ffd34a75828-7ffd34a7582f 424->429 430 7ffd34a757c5-7ffd34a757d5 424->430 441 7ffd34a757f5-7ffd34a75826 429->441 430->441 456 7ffd34a75be1-7ffd34a75c0c 432->456 457 7ffd34a75c0f-7ffd34a75c38 432->457 433->392 458 7ffd34a75aeb-7ffd34a75b1a 433->458 437 7ffd34a7613f-7ffd34a76146 435->437 438 7ffd34a760b0-7ffd34a760dc 435->438 436->359 436->360 437->436 438->436 460 7ffd34a760de-7ffd34a760e7 438->460 445 7ffd34a76063-7ffd34a76073 440->445 446 7ffd34a76085-7ffd34a76086 440->446 441->443 452 7ffd34a758a4-7ffd34a758c5 443->452 453 7ffd34a768fe-7ffd34a76965 443->453 449 7ffd34a7588d-7ffd34a7588e 444->449 450 7ffd34a7586b-7ffd34a7587b 444->450 445->446 446->411 449->443 450->449 452->371 475 7ffd34a758c7-7ffd34a758d6 452->475 503 7ffd34a7696b-7ffd34a769ae 453->503 456->457 472 7ffd34a75ccf-7ffd34a75cfc 457->472 473 7ffd34a75c3e-7ffd34a75c6d 457->473 458->392 476 7ffd34a75b20-7ffd34a75b4c 458->476 465 7ffd34a7610e-7ffd34a7610f 460->465 466 7ffd34a760e9-7ffd34a760f9 460->466 465->436 466->465 485 7ffd34a75cfe-7ffd34a75d03 472->485 486 7ffd34a75d37-7ffd34a75d64 472->486 473->472 483 7ffd34a75c6f-7ffd34a75c9b 473->483 475->371 476->392 482 7ffd34a75b52-7ffd34a75ba5 call 7ffd34a751d0 476->482 482->392 505 7ffd34a75bab-7ffd34a75bad 
482->505 483->472 498 7ffd34a75c9d-7ffd34a75ccc 483->498 485->486 488 7ffd34a75d05-7ffd34a75d34 485->488 495 7ffd34a75dbc-7ffd34a75de8 486->495 496 7ffd34a75d66-7ffd34a75db7 call 7ffd34a751d0 486->496 488->486 509 7ffd34a75e2d-7ffd34a75e59 495->509 510 7ffd34a75dea-7ffd34a75e28 call 7ffd34a751d0 495->510 496->495 498->472 522 7ffd34a769b0-7ffd34a76a0d 503->522 505->392 515 7ffd34a75e9e-7ffd34a75eca 509->515 516 7ffd34a75e5b-7ffd34a75e99 call 7ffd34a751d0 509->516 510->509 526 7ffd34a75f32-7ffd34a75f5f 515->526 527 7ffd34a75ecc-7ffd34a75f01 515->527 516->515 548 7ffd34a76a0f-7ffd34a76a17 522->548 549 7ffd34a76a18-7ffd34a76a29 522->549 532 7ffd34a75fa4-7ffd34a75fd0 526->532 533 7ffd34a75f61-7ffd34a75f9f call 7ffd34a751d0 526->533 527->526 534 7ffd34a75f03-7ffd34a75f31 527->534 532->392 542 7ffd34a75fd2-7ffd34a75fdb 532->542 533->532 534->526 544 7ffd34a76002-7ffd34a76003 542->544 545 7ffd34a75fdd-7ffd34a76000 542->545 544->392 545->544 548->549 550 7ffd34a76a34-7ffd34a76a46 549->550 551 7ffd34a76a2b-7ffd34a76a33 549->551 554 7ffd34a76a4c-7ffd34a76a56 550->554 555 7ffd34a76a48-7ffd34a76a4a 550->555 551->550 556 7ffd34a76a5a-7ffd34a76a5d 554->556 555->556 557 7ffd34a76a5f-7ffd34a76a6f 556->557 558 7ffd34a76a70-7ffd34a76a73 556->558 557->558 560 7ffd34a76a7e-7ffd34a76a83 558->560 561 7ffd34a76a75-7ffd34a76a7c 558->561 562 7ffd34a76a87-7ffd34a76a9b 560->562 561->562 564 7ffd34a76a9d-7ffd34a76ab3 562->564 565 7ffd34a76ab6-7ffd34a76ac7 562->565 564->565 567 7ffd34a76afd-7ffd34a76b03 565->567 568 7ffd34a76ac9-7ffd34a76ae8 565->568 568->567 570 7ffd34a76aea-7ffd34a76afb 568->570 570->567 571 7ffd34a76b04-7ffd34a76b5b 570->571 571->567
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3431360540.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffd34a70000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: HAo4$HAo4
                                          • API String ID: 0-1544131401
                                          • Opcode ID: ee92137e0cd1151f7f22c87be6f28a0ed54c440842f3da352ff0e5848dd4d464
                                          • Instruction ID: 3af28c85a5135a7e65ce54b4308d15b815bc587636fcd31d878f36072c104f24
                                          • Opcode Fuzzy Hash: ee92137e0cd1151f7f22c87be6f28a0ed54c440842f3da352ff0e5848dd4d464
                                          • Instruction Fuzzy Hash: 85B2A570B18A098FDFA8DF58C894BA97BE1FF99308F1481A9D44DD7292DE35E841DB40

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3431360540.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffd34a70000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: x1_H
                                          • API String ID: 0-4014100721
                                          • Opcode ID: 888ebd636b827b5188522aa4ce60b62c644c0d53943771acf4bae974a04f1adc
                                          • Instruction ID: 51321061c17ca3d220035cf1deead4aa4c7e112abeec08f29c59c580f67ee7b6
                                          • Opcode Fuzzy Hash: 888ebd636b827b5188522aa4ce60b62c644c0d53943771acf4bae974a04f1adc
                                          • Instruction Fuzzy Hash: 0D526130708A098FEBA8EB6CC4A4B6977E1FF99305F1485B9E44DC72A6DE35EC418741

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3431360540.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffd34a70000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: HAo4
                                          • API String ID: 0-3446524900
                                          • Opcode ID: 8b4dc46d5e4cfb19743da5d13c8e6a2c9c2eb404db7465547c6b3cd519a49234
                                          • Instruction ID: 5198ddeab435a680fe9a6a6d3cdd36f23e5649fecc1e90239b9bd160d7d547c8
                                          • Opcode Fuzzy Hash: 8b4dc46d5e4cfb19743da5d13c8e6a2c9c2eb404db7465547c6b3cd519a49234
                                          • Instruction Fuzzy Hash: CBE1C470A18A4A4FEBA4DF58C8A07B97BE1FF46318F148179D54DD71A2CE38F8418740
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3431360540.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffd34a70000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c4a0ecb9e837246243f0beb25005f5e7b1a80b73c21d0a00d6dae65c738dfdfc
                                          • Instruction ID: 7f9a8d1103d94e758fbff68242bd6fb32ac827e26ce2448e45256349b43dd195
                                          • Opcode Fuzzy Hash: c4a0ecb9e837246243f0beb25005f5e7b1a80b73c21d0a00d6dae65c738dfdfc
                                          • Instruction Fuzzy Hash: 8F228330B1CA094FEBA8DB5888A57B977E5FF99304F14417ED54EC32D2DE38A8429B41

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3428102610.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffd34800000_Client.jbxd
                                          Similarity
                                          • API ID: DeleteFile
                                          • String ID:
                                          • API String ID: 4033686569-0
                                          • Opcode ID: 6551cc8c44d8f245952c5d42c1fbe248236f8edb0322d3cb320f9e36b7b9ea32
                                          • Instruction ID: d271b2020f896846ded65e0998f8893ad7d39e334f317ad0c881fa30d6d97e9a
                                          • Opcode Fuzzy Hash: 6551cc8c44d8f245952c5d42c1fbe248236f8edb0322d3cb320f9e36b7b9ea32
                                          • Instruction Fuzzy Hash: 7F41277190DB8C9FDB19DB6888596E9BFF0FF57310F0442AFD049D75A2CA28A845CB81

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3428102610.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffd34800000_Client.jbxd
                                          Similarity
                                          • API ID: DeleteFile
                                          • String ID:
                                          • API String ID: 4033686569-0
                                          • Opcode ID: 6a4d22fcc19cf2de9a2b810406157b0e6793d9409c7eb46786d5601cdf1906e5
                                          • Instruction ID: 7e01d749dc768987a35b4c0e0c46da5819599ae76ab7b748c71ae49feb16da94
                                          • Opcode Fuzzy Hash: 6a4d22fcc19cf2de9a2b810406157b0e6793d9409c7eb46786d5601cdf1906e5
                                          • Instruction Fuzzy Hash: 6631FE3190CB5C9FDB19DB9888596F9BBF0FF66320F04426BD049D3292CB75A806CB81
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3431360540.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffd34a70000_Client.jbxd
                                          Similarity
                                          • API ID: HookWindows
                                          • String ID:
                                          • API String ID: 2559412058-0
                                          • Opcode ID: 5ee25c9b15cd881392c1abb55d295c8fb1e5aebdfb6e0874be22d0b04cb2e261
                                          • Instruction ID: 77fd7c763eb26414b84cc2cef9609cb32b472d15b95ad11ed9866915c34a89b7
                                          • Opcode Fuzzy Hash: 5ee25c9b15cd881392c1abb55d295c8fb1e5aebdfb6e0874be22d0b04cb2e261
                                          • Instruction Fuzzy Hash: D6118C7161CA098FDB18EF9CE8466A8B7E0EB59715F00427EE10DC3282CB35B8568BC5
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3431360540.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffd34a70000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 097255edda2d4c3c4aab8bcf16608b56f5a9c3604899ce62422dd3d84a4c7a28
                                          • Instruction ID: 5ff02d298572e62951de41b69e3ac88b0ed830839976c43f53b425a5a1f7adec
                                          • Opcode Fuzzy Hash: 097255edda2d4c3c4aab8bcf16608b56f5a9c3604899ce62422dd3d84a4c7a28
                                          • Instruction Fuzzy Hash: 38321D1BB0D5A22AF63276FD74B60EF7FA49F4223971C41B3D18C994539D0C28CA9395
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3431360540.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffd34a70000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5e8ba969f26efda9550f411be041a9e6c5d7ad605577cc75e7e79ae174787763
                                          • Instruction ID: 863e28cad2eb8688b7708d543a0ed2763db359c96c9458c847f5758959a3a846
                                          • Opcode Fuzzy Hash: 5e8ba969f26efda9550f411be041a9e6c5d7ad605577cc75e7e79ae174787763
                                          • Instruction Fuzzy Hash: 2FE10A1BB0D5A26AF63276FD74B60EF7FA49F4223971C41B3D28C9D4539D0828CA8395
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.3431360540.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffd34a70000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9a6e52a2996b3e9c36a372526b92b08e7315454e3fcd72c58d9caff1f67199b6
                                          • Instruction ID: f8b5f094f61e911b313985f24beb62b9c3515116b532f86c9b8c1b2a1421624c
                                          • Opcode Fuzzy Hash: 9a6e52a2996b3e9c36a372526b92b08e7315454e3fcd72c58d9caff1f67199b6
                                          • Instruction Fuzzy Hash: 5EC1091BB0D5A22AF63276FD74B20EF7FA48F4323971C41B7E18C99453980C28CA8395
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2222628153.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_7ffd34800000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (Yn4$0[n4$8Yn4$;N_I$HYn4$XZn4$Wn4$Xn4
                                          • API String ID: 0-3362832448
                                          • Opcode ID: c8c43f40a8638643544ecef26faed0bea088cfb42286cfb4864c31edbfc552b2
                                          • Instruction ID: 48d5be820d034c1929f9ca316cb7ca3ec2acbf0b7e609959ef9f6f9a62dff2b4
                                          • Opcode Fuzzy Hash: c8c43f40a8638643544ecef26faed0bea088cfb42286cfb4864c31edbfc552b2
                                          • Instruction Fuzzy Hash: 28811C2271E9C14FE365EBAC54B51B93FE1EF46314B9441FAD488872C7D92CAC85D381
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2222628153.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_7ffd34800000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: H$HAo4
                                          • API String ID: 0-2325853342
                                          • Opcode ID: 2a2ad6d187d8484a0e7fb68015b217ea9a5dad0b6409510318e2f102a5d83920
                                          • Instruction ID: bf6d0de0e009106a5e745abb074d81ebd760902e3f531326417cb0f8a416674e
                                          • Opcode Fuzzy Hash: 2a2ad6d187d8484a0e7fb68015b217ea9a5dad0b6409510318e2f102a5d83920
                                          • Instruction Fuzzy Hash: 31719221F1891D5FEBA8EB6894A57BDB3E2EF99310F440179D44ED32C2CE2CAC429740
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2222628153.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_7ffd34800000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: HAo4
                                          • API String ID: 0-3446524900
                                          • Opcode ID: 01308c5b4c0c45d10943b7d9ea28b843c8834c927ffc0cdb7251df1d3bca6858
                                          • Instruction ID: 6b853e67ece0bf5ad8aaedafed271ae9fb83c802f5b3fd7903137353c327f9ee
                                          • Opcode Fuzzy Hash: 01308c5b4c0c45d10943b7d9ea28b843c8834c927ffc0cdb7251df1d3bca6858
                                          • Instruction Fuzzy Hash: BC413C21B1DA491FE768E76C94667B977D1EF9A310F04017EE04EC32D2CD6D6C428382
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2222628153.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_7ffd34800000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: .N_^
                                          • API String ID: 0-2858261171
                                          • Opcode ID: 78c893501b96e1093591233ba8ca1fd757201cdcd04cef562fe63fce75f22d92
                                          • Instruction ID: 243f0fc7bf5a3adbbd56086f726e4970bcf2a94bda03c20656a0e9e995aa93e6
                                          • Opcode Fuzzy Hash: 78c893501b96e1093591233ba8ca1fd757201cdcd04cef562fe63fce75f22d92
                                          • Instruction Fuzzy Hash: 0521A126B1C9A91FD356A72C9CB96E97BE1EF5723170D01BBC298C7153C80C5C068391
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2222628153.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_7ffd34800000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9e2a7ce6bd95e94811c5ebfc17e2bcd6edd4922c21aea5976c8da634dfec175f
                                          • Instruction ID: 9fbcef518035fee7ad5089c15c3e4bff712d0a17bc12bed8053f8b1d1057da87
                                          • Opcode Fuzzy Hash: 9e2a7ce6bd95e94811c5ebfc17e2bcd6edd4922c21aea5976c8da634dfec175f
                                          • Instruction Fuzzy Hash: 5291D562B28D4A5FEB95EB2C84E57B973D2FF99314F0401BAD50DC7286CD2CAC429781
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2222628153.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_7ffd34800000_Client.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e04412ff4d2dd0090313f1ca512ea981ad73d86f2d774d475bf5ffa3359792f1
                                          • Instruction ID: ca92e2b1e1d20cd016778a0b72b3a84df2d14b9ff3fdd73932c5105d737ed904
                                          • Opcode Fuzzy Hash: e04412ff4d2dd0090313f1ca512ea981ad73d86f2d774d475bf5ffa3359792f1
                                          • Instruction Fuzzy Hash: 6B51A221B5CD5A1FEB96F37844B56AD2AE3EF8A250B8481F5E00CC7697CD1CAC46C385
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2222628153.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                          Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffd34800000_Client.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7fb1e0bf2b8a859abb7a214207593ed0645f5b9e51f77a2aef5dcecf01a6f0e4
• Instruction ID: fb519d4c51923a7618653e5aaba748d44ba46a181eca47eb8abd29bb3b3ed7b3
• Opcode Fuzzy Hash: 7fb1e0bf2b8a859abb7a214207593ed0645f5b9e51f77a2aef5dcecf01a6f0e4
• Instruction Fuzzy Hash: 7321493061D5815FEB55DF28C4E55A57BD1EF52320B1842F9D108CF1ABDA2DEC86C381
Memory Dump Source
• Source File: 00000007.00000002.2222628153.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffd34800000_Client.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1e62d32f0c030d807ef9626114a0f119869a1a3ab46a2bd9657f2898177111fe
• Instruction ID: d9363d7218d4921a3ab1d6963ee52a1ad3643626eecc2c17c7edd987a552e023
• Opcode Fuzzy Hash: 1e62d32f0c030d807ef9626114a0f119869a1a3ab46a2bd9657f2898177111fe
• Instruction Fuzzy Hash: 4B3174306595454BE364F7AC84BB6E93F62AF84304FD086E9D40883786CA3C7985CBD1
Memory Dump Source
• Source File: 00000007.00000002.2222628153.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffd34800000_Client.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8087afa43f2e250f3e4808fcc4666aa14136cafa2f033bd4c31a34decf047acd
• Instruction ID: b2ca93bbdbab46788e7ad2c5b7970e1b908d749aa5f284db9716813cc7a375db
• Opcode Fuzzy Hash: 8087afa43f2e250f3e4808fcc4666aa14136cafa2f033bd4c31a34decf047acd
• Instruction Fuzzy Hash: 4121F531B18A598FD7A4FB7C94AA5B873E2FF59301B4504BAE00DC7292DE28EC44C780
Memory Dump Source
• Source File: 00000007.00000002.2222628153.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffd34800000_Client.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 379ad404d976455c083104a27d412810da2174c16fc2d6894b6c5b4de4b176ca
• Instruction ID: 7a0aef63da3cf1f87919d13efbc3919b25eb40069146ed164c6ad03f68bd5d94
• Opcode Fuzzy Hash: 379ad404d976455c083104a27d412810da2174c16fc2d6894b6c5b4de4b176ca
• Instruction Fuzzy Hash: 8B119C21B1DE811FE342E7786CA94F17BE0EFA122070842BBE40CC71A3CD0D99868341
Memory Dump Source
• Source File: 00000007.00000002.2222628153.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffd34800000_Client.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8ca2efaedfe9396b6c1b499d514bcffd1ad152280d433b7bd3cf04377b7543b3
• Instruction ID: 87153a6ad4d157d525bf1da15282b3b9dbbb449ee2461ce3600ad370a748b9a9
• Opcode Fuzzy Hash: 8ca2efaedfe9396b6c1b499d514bcffd1ad152280d433b7bd3cf04377b7543b3
• Instruction Fuzzy Hash: B9110592A2DD8A4BF3A5E76868656A967D0FF86390F4405BDC08ACB1C3DC1C68448380
Memory Dump Source
• Source File: 00000007.00000002.2222628153.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffd34800000_Client.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1a0948cddd50cfea09cc0de07297f03a5b221bc340eebed6860d56d9b5321c9b
• Instruction ID: 51d661a30dcb20a88b3ca5b4e2c65ce37e47a3038e2bdd69cfd9e64a7d7a56d8
• Opcode Fuzzy Hash: 1a0948cddd50cfea09cc0de07297f03a5b221bc340eebed6860d56d9b5321c9b
• Instruction Fuzzy Hash: C511C620B0EAC91FE347E37898A8AA43FE1AF87225B0901E6D088CB1A3C9594845C342
Memory Dump Source
• Source File: 00000007.00000002.2222628153.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffd34800000_Client.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b757057db8f4c08fa149810f75da6d3b7c706563da65ada69c9f219a4bfb53fe
• Instruction ID: e3ad65825fbb1dd32f1739605951601ab31048fbeb5c55f6bcd638b7be9a9a32
• Opcode Fuzzy Hash: b757057db8f4c08fa149810f75da6d3b7c706563da65ada69c9f219a4bfb53fe
• Instruction Fuzzy Hash: 8F016D13B79C8A0FD6A6A36C68E55F577D1DF97310B4402BBE40DD2186DD1C7C824381
Memory Dump Source
• Source File: 00000007.00000002.2222628153.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffd34800000_Client.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2afaba269039c8a0006eea3ca0fe4a3615065ef6b72b458a717546d397cd2924
• Instruction ID: e050498823424497c88df53b4aa10b1516660d2244de35b05b5381985bbc6923
• Opcode Fuzzy Hash: 2afaba269039c8a0006eea3ca0fe4a3615065ef6b72b458a717546d397cd2924
• Instruction Fuzzy Hash: 0FF0B422B18C1D1FE7A4F3ED54E9AFA67D5DFAD22271401B7E54CC72A3DC1898828391
Memory Dump Source
• Source File: 00000007.00000002.2222628153.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffd34800000_Client.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d6ecfaf177d8e681b7fad2047f6bce1f81f60547087eebfadeb4a84971b43ef6
• Instruction ID: 7213814038da9735a22e6a5034230d517664231890cb55ca7965a5db7b5ce2ec
• Opcode Fuzzy Hash: d6ecfaf177d8e681b7fad2047f6bce1f81f60547087eebfadeb4a84971b43ef6
• Instruction Fuzzy Hash: B5E09221B28C1D2FABA4F3AD40DDF7962D6EFAC22171005B6E40CC73A2DC19AC919381
Memory Dump Source
• Source File: 00000007.00000002.2222628153.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffd34800000_Client.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: feb5a7b624934c4d7fe5ebac80e514b8cd00d621a276818e0d9d8fbf9c17b5aa
• Instruction ID: 242f31755734299a4de9e5d73b534df48f0e680a5b26cf56fe2422a19724f035
• Opcode Fuzzy Hash: feb5a7b624934c4d7fe5ebac80e514b8cd00d621a276818e0d9d8fbf9c17b5aa
• Instruction Fuzzy Hash: 03E08C32F1A86627E699733C20761FC63C2EF8A6A1B44157AE64DDA283DC1D6D834284