
Windows Analysis Report
jignesh.exe

Overview

General Information

Sample name: jignesh.exe
Analysis ID: 1575666
MD5: 64da51697ac726c1e27f5d7899c89cac
SHA1: 29f336e761644ff1bd932d5649b5275fd7fd79b3
SHA256: 611f6deadda658b042a6636e5e69c381fa65ed5cab95d2e8f5e43c285ed3cfc7
Tags: exe, QuasarRAT, user-lontze7

Detection

Quasar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Quasar RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • jignesh.exe (PID: 528 cmdline: "C:\Users\user\Desktop\jignesh.exe" MD5: 64DA51697AC726C1E27F5D7899C89CAC)
    • schtasks.exe (PID: 5808 cmdline: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 3364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Client.exe (PID: 1536 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Client.exe" MD5: 64DA51697AC726C1E27F5D7899C89CAC)
      • schtasks.exe (PID: 5548 cmdline: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 2276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Client.exe (PID: 1276 cmdline: C:\Users\user\AppData\Roaming\SubDir\Client.exe MD5: 64DA51697AC726C1E27F5D7899C89CAC)
  • cleanup
Name: Quasar RAT, QuasarRAT
Description: Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
Attribution:
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware configuration (Quasar):
{"Version": "1.4.1", "Host:Port": "98.51.190.130:20;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "11bbf22e-826e-486b-b024-adbd86228a9e", "StartupKey": "ctfmon", "Tag": "Office04", "LogDirectoryName": "Logs", "ServerSignature": "J5q73mSQenQ4qqaxjEhsdFbydQBK2sXWN1tc9c/zYSLUodB5/jc/D6Pbnak7tqIIs/gPms4mT5axK46o+bBODyjp/zMD6DjJn0gD2eUv/tFcOlCDK5mxhEaZWkB+ALLms0wVSoq1oNywJL/NeEVSvwSDoNUWd+hka4rG1K2J+2BShfqeTZmf1ZkRcaKc4gByPQBUlmqYaZu1X6rJMGF0hJuvqGIm7zasd8NYKymg6hzi3s+uHuapNFHFOdAoy7EJf8fA/J5Z1J6d4iom1Gh+URmGn2Ip4zoWj0JW2iwyDBuHeB13J5I3DUI7IKhuRw2H7WFCrZOGgASr1fVIwvSH7arhO2CgIaHslxGYwfsnUQDrx9qT3NxzJ7OR/LapbynIxLVcNY9gu9VYMDx+zMrT8n6Qz4pr1ElsaM0b8WajRJWHR+OI1Hh+aI4DbPD5qicnZvh4OjymhxV+lOPaqvvee0+aD3AJsFlFqwNkI85STdIY5lJX4NRIjtVwCxYZPNGD/G3TRxUEBr1XqMw7tBIAAPot2FTNI4ij39o0esNXRlkiRiBTreSaVA6wruHSdCGJGje3690ZGk1eoXOKl2OBeizrUgoAYNNTiQe0WlfhLUK5vRRF0SfGWaBWTDb9HbdwdTlur6LKANBA8sqJbPpEIEGrHQteTvhCtU//ngFQjp4=", "ServerCertificate": "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"}
Source | Rule | Description | Author (matched strings are listed under each row)
jignesh.exe | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
jignesh.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
jignesh.exe | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth
  • 0x28ee9d:$x1: Quasar.Common.Messages
  • 0x29f1c6:$x1: Quasar.Common.Messages
  • 0x2ab7ee:$x4: Uninstalling... good bye :-(
  • 0x2acfe3:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
jignesh.exe | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifacts observed in infostealers | ditekSHen
  • 0x2aada0:$f1: FileZilla\recentservers.xml
  • 0x2aade0:$f2: FileZilla\sitemanager.xml
  • 0x2aae22:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
  • 0x2ab06e:$b1: Chrome\User Data\
  • 0x2ab0c4:$b1: Chrome\User Data\
  • 0x2ab39c:$b2: Mozilla\Firefox\Profiles
  • 0x2ab498:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x2fd3f4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x2ab5f0:$b4: Opera Software\Opera Stable\Login Data
  • 0x2ab6aa:$b5: YandexBrowser\User Data\
  • 0x2ab718:$b5: YandexBrowser\User Data\
  • 0x2ab3ec:$s4: logins.json
  • 0x2ab122:$a1: username_value
  • 0x2ab140:$a2: password_value
  • 0x2ab42c:$a3: encryptedUsername
  • 0x2fd338:$a3: encryptedUsername
  • 0x2ab450:$a4: encryptedPassword
  • 0x2fd356:$a4: encryptedPassword
  • 0x2fd2d4:$a5: httpRealm
jignesh.exe | MALWARE_Win_QuasarStealer | Detects Quasar infostealer | ditekshen
  • 0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
  • 0x2ab8d8:$s3: Process already elevated.
  • 0x28eb9c:$s4: get_PotentiallyVulnerablePasswords
  • 0x278c58:$s5: GetKeyloggerLogsDirectory
  • 0x29e925:$s5: GetKeyloggerLogsDirectory
  • 0x28ebbf:$s6: set_PotentiallyVulnerablePasswords
  • 0x2fea22:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
Source | Rule | Description | Author
C:\Users\user\AppData\Roaming\SubDir\Client.exe | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
C:\Users\user\AppData\Roaming\SubDir\Client.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\Users\user\AppData\Roaming\SubDir\Client.exe | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth
  • string matches identical to those listed for jignesh.exe above (the dropped Client.exe has the same MD5, 64da51697ac726c1e27f5d7899c89cac)
C:\Users\user\AppData\Roaming\SubDir\Client.exe | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifacts observed in infostealers | ditekSHen
  • string matches identical to those listed for jignesh.exe above
C:\Users\user\AppData\Roaming\SubDir\Client.exe | MALWARE_Win_QuasarStealer | Detects Quasar infostealer | ditekshen
  • string matches identical to those listed for jignesh.exe above
Source | Rule | Description | Author
00000004.00000002.4523952975.00000000029B9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000000.00000000.2045822771.0000000001280000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000004.00000002.4523952975.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000000.00000002.2074752283.000000001BF50000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000000.00000000.2045441699.0000000000F62000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
Source | Rule | Description | Author
0.0.jignesh.exe.f60000.0.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
0.0.jignesh.exe.f60000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.0.jignesh.exe.f60000.0.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth
  • string matches identical to those listed for jignesh.exe above
0.0.jignesh.exe.f60000.0.unpack | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifacts observed in infostealers | ditekSHen
  • string matches identical to those listed for jignesh.exe above
0.0.jignesh.exe.f60000.0.unpack | MALWARE_Win_QuasarStealer | Detects Quasar infostealer | ditekshen
  • string matches identical to those listed for jignesh.exe above

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\SubDir\Client.exe", ParentImage: C:\Users\user\AppData\Roaming\SubDir\Client.exe, ParentProcessId: 1536, ParentProcessName: Client.exe, ProcessCommandLine: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, ProcessId: 5548, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\jignesh.exe", ParentImage: C:\Users\user\Desktop\jignesh.exe, ParentProcessId: 528, ParentProcessName: jignesh.exe, ProcessCommandLine: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, ProcessId: 5808, ProcessName: schtasks.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-16T08:10:22.895020+0100 | 2035595 | 1 | Domain Observed Used for C2 Detected | 98.51.190.130 | 20 | 192.168.2.5 | 49704 | TCP
2024-12-16T08:10:22.895020+0100 | 2027619 | 1 | Domain Observed Used for C2 Detected | 98.51.190.130 | 20 | 192.168.2.5 | 49704 | TCP


AV Detection

Source: jignesh.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Avira: detection malicious, Label: HEUR/AGEN.1307453
Source: jignesh.exe | Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "98.51.190.130:20;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "11bbf22e-826e-486b-b024-adbd86228a9e", "StartupKey": "ctfmon", "Tag": "Office04", "LogDirectoryName": "Logs", "ServerSignature": "...", "ServerCertificate": "..."} (full configuration listed under Classification above)
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | ReversingLabs: Detection: 73%
Source: jignesh.exe | Virustotal: Detection: 73%
Source: jignesh.exe | ReversingLabs: Detection: 73%
Source: Yara match | File source: jignesh.exe, type: SAMPLE
Source: Yara match | File source: 0.0.jignesh.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.4523952975.00000000029B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2045822771.0000000001280000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4523952975.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2074752283.000000001BF50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2045441699.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: jignesh.exe PID: 528, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Client.exe PID: 1536, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Joe Sandbox ML: detected
Source: jignesh.exe | Joe Sandbox ML: detected
Source: jignesh.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 108.181.61.49:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: jignesh.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Network traffic | Suricata IDS: 2027619 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (Quasar CnC) : 98.51.190.130:20 -> 192.168.2.5:49704
Source: Network traffic | Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 98.51.190.130:20 -> 192.168.2.5:49704
Source: Malware configuration extractor | URLs: 98.51.190.130
Source: Yara match | File source: jignesh.exe, type: SAMPLE
Source: Yara match | File source: 0.0.jignesh.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 98.51.190.130:20
Source: Joe Sandbox View | IP Address: 108.181.61.49
Source: Joe Sandbox View | ASN Name: COMCAST-7922US
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: ipwho.is
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0, Host: ipwho.is, Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 98.51.190.130 (20 identical entries)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0, Host: ipwho.is, Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: ipwho.is
Source: Client.exe, 00000004.00000002.4522048168.0000000000C22000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: Client.exe, 00000004.00000002.4532888614.000000001B69E000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.4.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Client.exe, 00000004.00000002.4532888614.000000001B6CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?0b9682d495338
Source: Client.exe, 00000004.00000002.4523952975.0000000002D61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ipwho.is
Source: Client.exe, 00000004.00000002.4523952975.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: jignesh.exe, 00000000.00000002.2071531993.0000000003431000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000004.00000002.4523952975.00000000029B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: jignesh.exe, Client.exe.0.dr | String found in binary or memory: https://api.ipify.org/
Source: Client.exe, 00000004.00000002.4523952975.0000000002D47000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ipwho.is
Source: jignesh.exe, Client.exe.0.dr | String found in binary or memory: https://ipwho.is/
Source: jignesh.exe, Client.exe.0.dr | String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: jignesh.exe, Client.exe.0.dr | String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: jignesh.exe, Client.exe.0.dr | String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | HTTPS traffic detected: 108.181.61.49:443 -> 192.168.2.5:49706 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\SubDir\Client.exe

E-Banking Fraud

Source: Yara match | File source: jignesh.exe, type: SAMPLE
Source: Yara match | File source: 0.0.jignesh.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.4523952975.00000000029B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2045822771.0000000001280000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4523952975.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2074752283.000000001BF50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2045441699.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: jignesh.exe PID: 528, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Client.exe PID: 1536, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED

System Summary

Source: jignesh.exe, type: SAMPLE | Matched rule: Detects QuasarRAT malware, Author: Florian Roth
Source: jignesh.exe, type: SAMPLE | Matched rule: Detects executables containing common artifacts observed in infostealers, Author: ditekSHen
Source: jignesh.exe, type: SAMPLE | Matched rule: Detects Quasar infostealer, Author: ditekshen
Source: 0.0.jignesh.exe.f60000.0.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware, Author: Florian Roth
Source: 0.0.jignesh.exe.f60000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifacts observed in infostealers, Author: ditekSHen
Source: 0.0.jignesh.exe.f60000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer, Author: ditekshen
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED | Matched rule: Detects QuasarRAT malware, Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED | Matched rule: Detects executables containing common artifacts observed in infostealers, Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED | Matched rule: Detects Quasar infostealer, Author: ditekshen
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Code function: 4_2_00007FF84919AAAD
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Code function: 4_2_00007FF849199AC4
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Code function: 4_2_00007FF849196187
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Code function: 4_2_00007FF8491954B6
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Code function: 4_2_00007FF8491AB481
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Code function: 4_2_00007FF8491AF339
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Code function: 4_2_00007FF8491AC610
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Code function: 4_2_00007FF8491A863F
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Code function: 4_2_00007FF849198D41
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Code function: 4_2_00007FF8491A7846
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Code function: 4_2_00007FF8491978C8
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Code function: 4_2_00007FF8491AE7F4
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Code function: 4_2_00007FF8491911FA
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Code function: 4_2_00007FF84919BD75
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Code function: 4_2_00007FF849190DD1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Code function: 4_2_00007FF849194060
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Code function: 4_2_00007FF8491910F2
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Code function: 4_2_00007FF8492B2321
Source: jignesh.exe, 00000000.00000002.2074752283.000000001BF50000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename Client.exe vs jignesh.exe
Source: jignesh.exe, 00000000.00000000.2045822771.0000000001280000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename Client.exe vs jignesh.exe
Source: jignesh.exe | Binary or memory string: OriginalFilename Client.exe vs jignesh.exe
Source: jignesh.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: jignesh.exe, type: SAMPLE | Matched rule: MAL_QuasarRAT_May19_1 (date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10)
Source: jignesh.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer (author = ditekSHen, description = Detects executables containing common artifacts observed in infostealers)
Source: jignesh.exe, type: SAMPLE | Matched rule: MALWARE_Win_QuasarStealer (author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer)
Source: 0.0.jignesh.exe.f60000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 (date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10)
Source: 0.0.jignesh.exe.f60000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer (author = ditekSHen, description = Detects executables containing common artifacts observed in infostealers)
Source: 0.0.jignesh.exe.f60000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer (author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer)
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED | Matched rule: MAL_QuasarRAT_May19_1 (date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10)
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer (author = ditekSHen, description = Detects executables containing common artifacts observed in infostealers)
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED | Matched rule: MALWARE_Win_QuasarStealer (author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer)
                        Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@10/5@1/2
                        Source: C:\Users\user\Desktop\jignesh.exeFile created: C:\Users\user\AppData\Roaming\SubDirJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeMutant created: NULL
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3364:120:WilError_03
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeMutant created: \Sessions\1\BaseNamedObjects\Local\11bbf22e-826e-486b-b024-adbd86228a9e
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2276:120:WilError_03
                        Source: jignesh.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: jignesh.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeFile read: C:\Users\desktop.iniJump to behavior
                        Source: C:\Users\user\Desktop\jignesh.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                        Source: jignesh.exeVirustotal: Detection: 73%
                        Source: jignesh.exeReversingLabs: Detection: 73%
                        Source: jignesh.exeString found in binary or memory: HasSubValue3Conflicting item/add type
                        Source: C:\Users\user\Desktop\jignesh.exeFile read: C:\Users\user\Desktop\jignesh.exeJump to behavior
                        Source: unknownProcess created: C:\Users\user\Desktop\jignesh.exe "C:\Users\user\Desktop\jignesh.exe"
                        Source: C:\Users\user\Desktop\jignesh.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                        Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\jignesh.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                        Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: unknownProcess created: C:\Users\user\AppData\Roaming\SubDir\Client.exe C:\Users\user\AppData\Roaming\SubDir\Client.exe
                        Source: C:\Users\user\Desktop\jignesh.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /fJump to behavior
                        Source: C:\Users\user\Desktop\jignesh.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /fJump to behavior
                        Source: C:\Users\user\Desktop\jignesh.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Users\user\Desktop\jignesh.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\Desktop\jignesh.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\Desktop\jignesh.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\jignesh.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\jignesh.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\jignesh.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Users\user\Desktop\jignesh.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\Desktop\jignesh.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\Desktop\jignesh.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\jignesh.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\Desktop\jignesh.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\Desktop\jignesh.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\Desktop\jignesh.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Users\user\Desktop\jignesh.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\Desktop\jignesh.exeSection loaded: ntmarta.dllJump to behavior
                        Source: C:\Users\user\Desktop\jignesh.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: windowscodecs.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: mrmcorer.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: thumbcache.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: schannel.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: mskeyprotect.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: ntasn1.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: ncrypt.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: ncryptsslp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: cryptnet.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: winnsi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: winhttp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: dhcpcsvc6.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: dhcpcsvc.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: webio.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: dnsapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: rasadhlp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: fwpuclnt.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: cabinet.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: rasapi32.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: rasman.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: rtutils.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
                        Source: jignesh.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: jignesh.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                        Source: jignesh.exeStatic file information: File size 3265536 > 1048576
                        Source: jignesh.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x31c400
                        Source: jignesh.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 4_2_00007FF848E0D2A5 pushad ; iretd 4_2_00007FF848E0D2A6
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 4_2_00007FF848F2752B push ebx; iretd 4_2_00007FF848F2756A
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 4_2_00007FF848F2D9F2 push eax; iretd 4_2_00007FF848F2DA11
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 4_2_00007FF8491954B6 push ecx; retf 4_2_00007FF8491959DC
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 4_2_00007FF849195948 push ecx; retf 4_2_00007FF8491959DC
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 4_2_00007FF849192E42 push eax; ret 4_2_00007FF849192FFC
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 4_2_00007FF8492B2321 push edx; retf 5F1Fh4_2_00007FF8492B5A3B
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 4_2_00007FF8492B5BB1 pushad ; ret 4_2_00007FF8492B5BD1
                        Source: C:\Users\user\Desktop\jignesh.exeFile created: C:\Users\user\AppData\Roaming\SubDir\Client.exeJump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\jignesh.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\jignesh.exe | File opened: C:\Users\user\Desktop\jignesh.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\jignesh.exe | File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\jignesh.exe | Process information set: NOOPENFILEERRORBOX (identical entry repeated 38 times in the report)
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\jignesh.exe - Memory allocated: 18B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\jignesh.exe - Memory allocated: 1B430000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe - Memory allocated: E40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe - Memory allocated: 1A980000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe - Memory allocated: B90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe - Memory allocated: 1A6E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\jignesh.exe - Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe - Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe - Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe - Window / User API: threadDelayed 2310
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe - Window / User API: threadDelayed 7472
Source: C:\Users\user\Desktop\jignesh.exe TID: 5764 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 6480 - Thread sleep count: 33 > 30
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 6480 - Thread sleep time: -30437127721620741s >= -30000s
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 5448 - Thread sleep count: 2310 > 30
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 5448 - Thread sleep count: 7472 > 30
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 5884 - Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 6672 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe - WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe - WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe - WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe - Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe - Last function: Thread delayed
Source: C:\Users\user\Desktop\jignesh.exe - Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe - Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe - Thread delayed: delay time: 922337203685477
Source: Client.exe, 00000004.00000002.4532888614.000000001B5C1000.00000004.00000020.00020000.00000000.sdmp, Client.exe, 00000004.00000002.4531456435.000000001B3AD000.00000004.00000020.00020000.00000000.sdmp, Client.exe, 00000004.00000002.4531456435.000000001B342000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\jignesh.exe - Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe - Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe - Process token adjusted: Debug
Source: C:\Users\user\Desktop\jignesh.exe - Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\jignesh.exe - Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Source: C:\Users\user\Desktop\jignesh.exe - Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe - Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Source: C:\Users\user\Desktop\jignesh.exe - Queries volume information: C:\Users\user\Desktop\jignesh.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe - Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe - Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation
Source: C:\Users\user\Desktop\jignesh.exe - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                        Stealing of Sensitive Information

Source: Yara match - File source: jignesh.exe, type: SAMPLE
Source: Yara match - File source: 0.0.jignesh.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match - File source: 00000004.00000002.4523952975.00000000029B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: 00000000.00000000.2045822771.0000000001280000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match - File source: 00000004.00000002.4523952975.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: 00000000.00000002.2074752283.000000001BF50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: 00000000.00000000.2045441699.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match - File source: Process Memory Space: jignesh.exe PID: 528, type: MEMORYSTR
Source: Yara match - File source: Process Memory Space: Client.exe PID: 1536, type: MEMORYSTR
Source: Yara match - File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED

                        Remote Access Functionality

Source: Yara match - File source: jignesh.exe, type: SAMPLE
Source: Yara match - File source: 0.0.jignesh.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match - File source: 00000004.00000002.4523952975.00000000029B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: 00000000.00000000.2045822771.0000000001280000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match - File source: 00000004.00000002.4523952975.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: 00000000.00000002.2074752283.000000001BF50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: 00000000.00000000.2045441699.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match - File source: Process Memory Space: jignesh.exe PID: 528, type: MEMORYSTR
Source: Yara match - File source: Process Memory Space: Client.exe PID: 1536, type: MEMORYSTR
Source: Yara match - File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED
MITRE ATT&CK Matrix (techniques per tactic; signature count badges from the report in brackets)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation [21]; Command and Scripting Interpreter [2]; Scheduled Task/Job [1]; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: Scheduled Task/Job [1]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection [11]; Scheduled Task/Job [1]; DLL Side-Loading [1]; Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Masquerading [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [41]; Process Injection [11]; Hidden Files and Directories [1]; Obfuscated Files or Information [1]; DLL Side-Loading [1]
Credential Access: Input Capture [11]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Query Registry [1]; Security Software Discovery [111]; Virtualization/Sandbox Evasion [41]; Application Window Discovery [1]; System Network Configuration Discovery [1]; File and Directory Discovery [1]; System Information Discovery [23]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Input Capture [11]; Archive Collected Data [1]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel [11]; Non-Standard Port [1]; Ingress Tool Transfer [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [113]; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Antivirus detection (submitted sample)
Source | Detection | Scanner | Label
jignesh.exe | 74% | Virustotal |
jignesh.exe | 74% | ReversingLabs | ByteCode-MSIL.Backdoor.Quasar
jignesh.exe | 100% | Avira | HEUR/AGEN.1307453
jignesh.exe | 100% | Joe Sandbox ML |

Antivirus detection (dropped file)
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\SubDir\Client.exe | 100% | Avira | HEUR/AGEN.1307453
C:\Users\user\AppData\Roaming\SubDir\Client.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\SubDir\Client.exe | 74% | ReversingLabs | ByteCode-MSIL.Backdoor.Quasar
                        No Antivirus matches
Source | Detection | Scanner | Label
98.51.190.130 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high
ipwho.is | 108.181.61.49 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
98.51.190.130 | true | Avira URL Cloud: safe | unknown
https://ipwho.is/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | jignesh.exe, Client.exe.0.dr | false | | high
https://stackoverflow.com/q/14436606/23354 | jignesh.exe, Client.exe.0.dr | false | | high
https://stackoverflow.com/q/2152978/23354sCannot | jignesh.exe, Client.exe.0.dr | false | | high
http://schemas.datacontract.org/2004/07/ | Client.exe, 00000004.00000002.4523952975.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | jignesh.exe, 00000000.00000002.2071531993.0000000003431000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000004.00000002.4523952975.00000000029B9000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ipwho.is | Client.exe, 00000004.00000002.4523952975.0000000002D61000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/11564914/23354; | jignesh.exe, Client.exe.0.dr | false | | high
https://ipwho.is | Client.exe, 00000004.00000002.4523952975.0000000002D47000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
98.51.190.130 | unknown | United States | 7922 | COMCAST-7922US | true
108.181.61.49 | ipwho.is | Canada | 852 | ASN852CA | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1575666
Start date and time: 2024-12-16 08:09:24 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 16s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: jignesh.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@10/5@1/2
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 90%
• Number of executed functions: 61
• Number of non-executed functions: 4
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 199.232.214.172, 13.107.246.63, 4.175.87.197
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target Client.exe, PID 1276 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Report size getting too big, too many NtReadVirtualMemory calls found
Time | Type | Description
02:10:21 | API Interceptor | 14387420x Sleep call for process: Client.exe modified
08:10:20 | Task Scheduler | Run new task: ctfmon path: C:\Users\user\AppData\Roaming\SubDir\Client.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
98.51.190.130 | skibidi.exe | malicious | Quasar |
98.51.190.130 | vanilla.exe | malicious | Quasar |
98.51.190.130 | 1434orz.exe | malicious | Quasar |
108.181.61.49 | 888.exe | malicious | Luca Stealer | /?output=json
108.181.61.49 | 888.exe | malicious | Luca Stealer | /?output=json
108.181.61.49 | Cracker.exe | malicious | Luca Stealer | /?output=json
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ipwho.is | skibidi.exe | malicious | Quasar | 108.181.61.49
 | vanilla.exe | malicious | Quasar | 108.181.61.49
 | 888.exe | malicious | Luca Stealer | 108.181.61.49
 | 888.exe | malicious | Luca Stealer | 108.181.61.49
 | https://aggttt.z4.web.core.windows.net/?bcda=00-1-234-294-2156 | malicious | TechSupportScam | 108.181.61.49
 | Loader.exe | malicious | Quasar | 108.181.61.49
 | Hydra.ccLoader.bat | malicious | Unknown | 108.181.61.49
 | full.exe | malicious | Quasar | 108.181.61.49
 | https://gvvc18-secondary.z15.web.core.windows.net/werrx01USAHTML/?bcda=1-844-439-9938 | malicious | TechSupportScam | 108.181.61.49
 | file.exe | malicious | Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, Vidar, XWorm | 103.126.138.87
bg.microsoft.map.fastly.net | skibidi.exe | malicious | Quasar | 199.232.214.172
 | vanilla.exe | malicious | Quasar | 199.232.214.172
 | ImageMso.Gallery.xll | malicious | Unknown | 199.232.210.172
 | Setup.msi | malicious | Vidar | 199.232.214.172
 | DVW8WyapUR.exe | malicious | Spyrix Keylogger | 199.232.210.172
 | v12p3S8p36.exe | malicious | GhostRat, Mimikatz | 199.232.214.172
 | 3333.png.lnk.d.lnk | malicious | Unknown | 199.232.214.172
 | https://f29cc861.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe | malicious | HTMLPhisher | 199.232.210.172
 | PO_0099822111ORDER.js | malicious | Remcos | 199.232.210.172
 | PAYMENT COPY_PDF.exe | malicious | FormBook | 199.232.210.172
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ASN852CA | skibidi.exe | malicious | Quasar | 108.181.61.49
 | vanilla.exe | malicious | Quasar | 108.181.61.49
 | 1.elf | malicious | Unknown | 207.83.27.163
 | mips.elf | malicious | Unknown | 173.182.249.68
 | mips.elf | malicious | Unknown | 199.175.133.251
 | armv5l.elf | malicious | Mirai | 209.29.162.111
 | armv6l.elf | malicious | Mirai | 75.156.205.249
 | armv4l.elf | malicious | Unknown | 161.188.10.7
 | armv6l.elf | malicious | Mirai | 204.191.203.107
 | i686.elf | malicious | Mirai | 50.93.121.166
COMCAST-7922US | skibidi.exe | malicious | Quasar | 98.51.190.130
 | Sentil.exe | malicious | Quasar | 73.62.14.5
 | vanilla.exe | malicious | Quasar | 98.51.190.130
 | arm5.elf | malicious | Unknown | 30.204.239.181
 | arm.elf | malicious | Unknown | 29.140.48.103
 | sh4.elf | malicious | Unknown | 30.230.215.28
 | ppc.elf | malicious | Unknown | 26.208.197.77
 | mips.elf | malicious | Unknown | 26.166.149.230
 | arm6.elf | malicious | Unknown | 30.64.154.166
 | m68k.elf | malicious | Unknown | 26.244.63.11
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | skibidi.exe | malicious | Quasar | 108.181.61.49
 | vanilla.exe | malicious | Quasar | 108.181.61.49
 | givenbestupdatedoingformebestthingswithgreatnewsformegive.hta | malicious | Cobalt Strike, Remcos | 108.181.61.49
 | clearentirethingwithbestnoticetheeverythinggooodfrome.hta | malicious | Cobalt Strike, Remcos | 108.181.61.49
 | c2.hta | malicious | XWorm | 108.181.61.49
 | file.exe | malicious | Amadey, LummaC Stealer, Vidar, Xmrig | 108.181.61.49
 | SWIFT09181-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 108.181.61.49
 | TD2HjoogPx.dll | malicious | Unknown | 108.181.61.49
 | wmdqEYgW2i.exe | malicious | DCRat, PureLog Stealer, zgRAT | 108.181.61.49
 | LaRHzSijsq.exe | malicious | DCRat | 108.181.61.49
                                                    No context
                                                    Process:C:\Users\user\AppData\Roaming\SubDir\Client.exe
                                                    File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                    Category:dropped
                                                    Size (bytes):71954
                                                    Entropy (8bit):7.996617769952133
                                                    Encrypted:true
                                                    SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                    MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                    SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                    SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                    SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                    Malicious:false
                                                    Reputation:high, very likely benign file
                                                    Process:C:\Users\user\AppData\Roaming\SubDir\Client.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):328
                                                    Entropy (8bit):3.239696782083497
                                                    Encrypted:false
                                                    SSDEEP:6:kKdD9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:laDImsLNkPlE99SNxAhUe/3
                                                    MD5:91AD2E19DCDEF474D16F41ADD4C07013
                                                    SHA1:2487F77EC35A87872653F51DFA40A0B2EBDBE31E
                                                    SHA-256:2A2E00580E25FECACA27C16446BE57BAE72FECACA7C59150D0F9F81B5E05D2C4
                                                    SHA-512:6BC02528945AC5DDF59DC6689E9BE8A75C43870AF8C197ABFE098A78954A261B7D48417DDD92DC586D5C67A09195101A0FC4B718E96E2524A4E0BEC0CA0F3B36
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:p...... ......../M...O..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                                    Process:C:\Users\user\AppData\Roaming\SubDir\Client.exe
                                                    File Type:CSV text
                                                    Category:dropped
                                                    Size (bytes):1281
                                                    Entropy (8bit):5.370111951859942
                                                    Encrypted:false
                                                    SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                                                    MD5:12C61586CD59AA6F2A21DF30501F71BD
                                                    SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                                                    SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                                                    SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                                                    Malicious:false
                                                    Reputation:high, very likely benign file
                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                                    Process:C:\Users\user\Desktop\jignesh.exe
                                                    File Type:CSV text
                                                    Category:dropped
                                                    Size (bytes):1281
                                                    Entropy (8bit):5.370111951859942
                                                    Encrypted:false
                                                    SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                                                    MD5:12C61586CD59AA6F2A21DF30501F71BD
                                                    SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                                                    SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                                                    SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                                                    Malicious:true
                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                                    Process:C:\Users\user\Desktop\jignesh.exe
                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):3265536
                                                    Entropy (8bit):6.084024037231018
                                                    Encrypted:false
                                                    SSDEEP:49152:Wvht62XlaSFNWPjljiFa2RoUYISURJ6jbR3LoGddTHHB72eh2NT:WvL62XlaSFNWPjljiFXRoUYISURJ6V
                                                    MD5:64DA51697AC726C1E27F5D7899C89CAC
                                                    SHA1:29F336E761644FF1BD932D5649B5275FD7FD79B3
                                                    SHA-256:611F6DEADDA658B042A6636E5E69C381FA65ED5CAB95D2E8F5E43C285ED3CFC7
                                                    SHA-512:A4A123F0787B23A29C77AE6A3BAA348CDDBFE8B0232D0562982874462F49CF3EC4066356837780BE8B3B516D640049B47E4CFEA0E0659E37BEED8F2265D92751
                                                    Malicious:true
                                                    Yara Hits:
                                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Joe Security
                                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Joe Security
                                                    • Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Florian Roth
• Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifacts observed in infostealers, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: ditekSHen
                                                    • Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: ditekshen
                                                    Antivirus:
                                                    • Antivirus: Avira, Detection: 100%
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    • Antivirus: ReversingLabs, Detection: 74%
                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Entropy (8bit):6.084024037231018
                                                    TrID:
                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                    • Windows Screen Saver (13104/52) 0.07%
                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                    File name:jignesh.exe
                                                    File size:3'265'536 bytes
                                                    MD5:64da51697ac726c1e27f5d7899c89cac
                                                    SHA1:29f336e761644ff1bd932d5649b5275fd7fd79b3
                                                    SHA256:611f6deadda658b042a6636e5e69c381fa65ed5cab95d2e8f5e43c285ed3cfc7
                                                    SHA512:a4a123f0787b23a29c77ae6a3baa348cddbfe8b0232d0562982874462f49cf3ec4066356837780be8b3b516d640049b47e4cfea0e0659e37beed8f2265d92751
                                                    SSDEEP:49152:Wvht62XlaSFNWPjljiFa2RoUYISURJ6jbR3LoGddTHHB72eh2NT:WvL62XlaSFNWPjljiFXRoUYISURJ6V
                                                    TLSH:3FE56B143BF85E27E1BBE277E5B0041267F0FC1AB363EB0B6581677A1C53B5098426A7
                                                    Icon Hash:00928e8e8686b000
                                                    Entrypoint:0x71e3ae
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                    Time Stamp:0x640DFAE7 [Sun Mar 12 16:16:39 2023 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                    Instruction
                                                    jmp dword ptr [00402000h]
                                                    add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x31e35c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x320000 | 0xa93 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x322000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x31c3b4 | 0x31c400 | bcfa77670063c653608ed34517e88a0f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x320000 | 0xa93 | 0xc00 | cdeae95ac72e9e58017d2bcc89d2fbea | False | 0.36328125 | data | 4.653972105845318 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x322000 | 0xc | 0x200 | db08f4863a011f0cee33bb292322ab94 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x3200a0 | 0x31c | data | | | 0.4484924623115578
RT_MANIFEST | 0x3203bc | 0x6d7 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text | | | 0.40319817247287265
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-16T08:10:22.895020+0100 | 2027619 | ET MALWARE Observed Malicious SSL Cert (Quasar CnC) | 1 | 98.51.190.130 | 20 | 192.168.2.5 | 49704 | TCP
2024-12-16T08:10:22.895020+0100 | 2035595 | ET MALWARE Generic AsyncRAT Style SSL Cert | 1 | 98.51.190.130 | 20 | 192.168.2.5 | 49704 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 16, 2024 08:10:21.134790897 CET | 49704 | 20 | 192.168.2.5 | 98.51.190.130
Dec 16, 2024 08:10:21.254679918 CET | 20 | 49704 | 98.51.190.130 | 192.168.2.5
Dec 16, 2024 08:10:21.254779100 CET | 49704 | 20 | 192.168.2.5 | 98.51.190.130
Dec 16, 2024 08:10:21.265202045 CET | 49704 | 20 | 192.168.2.5 | 98.51.190.130
Dec 16, 2024 08:10:21.384927034 CET | 20 | 49704 | 98.51.190.130 | 192.168.2.5
Dec 16, 2024 08:10:22.536735058 CET | 20 | 49704 | 98.51.190.130 | 192.168.2.5
Dec 16, 2024 08:10:22.536801100 CET | 20 | 49704 | 98.51.190.130 | 192.168.2.5
Dec 16, 2024 08:10:22.536838055 CET | 49704 | 20 | 192.168.2.5 | 98.51.190.130
Dec 16, 2024 08:10:22.770543098 CET | 20 | 49704 | 98.51.190.130 | 192.168.2.5
Dec 16, 2024 08:10:22.775237083 CET | 49704 | 20 | 192.168.2.5 | 98.51.190.130
Dec 16, 2024 08:10:22.895020008 CET | 20 | 49704 | 98.51.190.130 | 192.168.2.5
Dec 16, 2024 08:10:23.173640013 CET | 20 | 49704 | 98.51.190.130 | 192.168.2.5
Dec 16, 2024 08:10:23.311768055 CET | 49704 | 20 | 192.168.2.5 | 98.51.190.130
Dec 16, 2024 08:10:26.360057116 CET | 49706 | 443 | 192.168.2.5 | 108.181.61.49
Dec 16, 2024 08:10:26.360102892 CET | 443 | 49706 | 108.181.61.49 | 192.168.2.5
Dec 16, 2024 08:10:26.360213041 CET | 49706 | 443 | 192.168.2.5 | 108.181.61.49
Dec 16, 2024 08:10:26.361756086 CET | 49706 | 443 | 192.168.2.5 | 108.181.61.49
Dec 16, 2024 08:10:26.361788988 CET | 443 | 49706 | 108.181.61.49 | 192.168.2.5
Dec 16, 2024 08:10:28.793692112 CET | 443 | 49706 | 108.181.61.49 | 192.168.2.5
Dec 16, 2024 08:10:28.793804884 CET | 49706 | 443 | 192.168.2.5 | 108.181.61.49
Dec 16, 2024 08:10:28.797888041 CET | 49706 | 443 | 192.168.2.5 | 108.181.61.49
Dec 16, 2024 08:10:28.797916889 CET | 443 | 49706 | 108.181.61.49 | 192.168.2.5
Dec 16, 2024 08:10:28.798415899 CET | 443 | 49706 | 108.181.61.49 | 192.168.2.5
Dec 16, 2024 08:10:28.827800035 CET | 49706 | 443 | 192.168.2.5 | 108.181.61.49
Dec 16, 2024 08:10:28.871329069 CET | 443 | 49706 | 108.181.61.49 | 192.168.2.5
Dec 16, 2024 08:10:29.438837051 CET | 443 | 49706 | 108.181.61.49 | 192.168.2.5
Dec 16, 2024 08:10:29.438913107 CET | 443 | 49706 | 108.181.61.49 | 192.168.2.5
Dec 16, 2024 08:10:29.438971043 CET | 49706 | 443 | 192.168.2.5 | 108.181.61.49
Dec 16, 2024 08:10:29.522468090 CET | 49706 | 443 | 192.168.2.5 | 108.181.61.49
Dec 16, 2024 08:10:29.739053011 CET | 49704 | 20 | 192.168.2.5 | 98.51.190.130
Dec 16, 2024 08:10:29.858858109 CET | 20 | 49704 | 98.51.190.130 | 192.168.2.5
Dec 16, 2024 08:10:29.858913898 CET | 49704 | 20 | 192.168.2.5 | 98.51.190.130
Dec 16, 2024 08:10:29.978924036 CET | 20 | 49704 | 98.51.190.130 | 192.168.2.5
Dec 16, 2024 08:10:30.282596111 CET | 20 | 49704 | 98.51.190.130 | 192.168.2.5
Dec 16, 2024 08:10:30.329710960 CET | 49704 | 20 | 192.168.2.5 | 98.51.190.130
Dec 16, 2024 08:10:30.474558115 CET | 20 | 49704 | 98.51.190.130 | 192.168.2.5
Dec 16, 2024 08:10:30.517196894 CET | 49704 | 20 | 192.168.2.5 | 98.51.190.130
Dec 16, 2024 08:10:55.485981941 CET | 49704 | 20 | 192.168.2.5 | 98.51.190.130
Dec 16, 2024 08:10:55.616820097 CET | 20 | 49704 | 98.51.190.130 | 192.168.2.5
Dec 16, 2024 08:11:20.626702070 CET | 49704 | 20 | 192.168.2.5 | 98.51.190.130
Dec 16, 2024 08:11:20.750607967 CET | 20 | 49704 | 98.51.190.130 | 192.168.2.5
Dec 16, 2024 08:11:45.767265081 CET | 49704 | 20 | 192.168.2.5 | 98.51.190.130
Dec 16, 2024 08:11:45.891671896 CET | 20 | 49704 | 98.51.190.130 | 192.168.2.5
Dec 16, 2024 08:12:10.895479918 CET | 49704 | 20 | 192.168.2.5 | 98.51.190.130
Dec 16, 2024 08:12:11.015255928 CET | 20 | 49704 | 98.51.190.130 | 192.168.2.5
Dec 16, 2024 08:12:36.079761982 CET | 49704 | 20 | 192.168.2.5 | 98.51.190.130
Dec 16, 2024 08:12:36.199678898 CET | 20 | 49704 | 98.51.190.130 | 192.168.2.5
Dec 16, 2024 08:13:01.267446041 CET | 49704 | 20 | 192.168.2.5 | 98.51.190.130
Dec 16, 2024 08:13:01.387307882 CET | 20 | 49704 | 98.51.190.130 | 192.168.2.5
Dec 16, 2024 08:13:26.561845064 CET | 49704 | 20 | 192.168.2.5 | 98.51.190.130
Dec 16, 2024 08:13:26.681725025 CET | 20 | 49704 | 98.51.190.130 | 192.168.2.5
Dec 16, 2024 08:13:51.689177990 CET | 49704 | 20 | 192.168.2.5 | 98.51.190.130
Dec 16, 2024 08:13:51.809170008 CET | 20 | 49704 | 98.51.190.130 | 192.168.2.5
Dec 16, 2024 08:14:16.814204931 CET | 49704 | 20 | 192.168.2.5 | 98.51.190.130
Dec 16, 2024 08:14:16.933923960 CET | 20 | 49704 | 98.51.190.130 | 192.168.2.5
Dec 16, 2024 08:14:41.939193010 CET | 49704 | 20 | 192.168.2.5 | 98.51.190.130
Dec 16, 2024 08:14:42.059258938 CET | 20 | 49704 | 98.51.190.130 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 16, 2024 08:10:26.218031883 CET | 64353 | 53 | 192.168.2.5 | 1.1.1.1
Dec 16, 2024 08:10:26.355484009 CET | 53 | 64353 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 16, 2024 08:10:26.218031883 CET | 192.168.2.5 | 1.1.1.1 | 0x8a6e | Standard query (0) | ipwho.is | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 16, 2024 08:10:23.443224907 CET | 1.1.1.1 | 192.168.2.5 | 0xa369 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 08:10:23.443224907 CET | 1.1.1.1 | 192.168.2.5 | 0xa369 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 08:10:26.355484009 CET | 1.1.1.1 | 192.168.2.5 | 0x8a6e | No error (0) | ipwho.is | | 108.181.61.49 | A (IP address) | IN (0x0001) | false
                                                    • ipwho.is
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49706 | 108.181.61.49 | 443 | 1536 | C:\Users\user\AppData\Roaming\SubDir\Client.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 07:10:28 UTC | 150 | OUT | GET / HTTP/1.1
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
                                                    Host: ipwho.is
                                                    Connection: Keep-Alive
2024-12-16 07:10:29 UTC | 223 | IN | HTTP/1.1 200 OK
                                                    Date: Mon, 16 Dec 2024 07:10:29 GMT
                                                    Content-Type: application/json; charset=utf-8
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Server: ipwhois
                                                    Access-Control-Allow-Headers: *
                                                    X-Robots-Tag: noindex
2024-12-16 07:10:29 UTC | 1021 | IN | Data Raw: 33 66 31 0d 0a 7b 0a 20 20 20 20 22 41 62 6f 75 74 20 55 73 22 3a 20 22 68 74 74 70 73 3a 5c 2f 5c 2f 69 70 77 68 6f 69 73 2e 69 6f 22 2c 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 74 79 70 65 22 3a 20 22 49 50 76 34 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 20 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 20 22 4e 41 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f
                                                    Data Ascii: 3f1{ "About Us": "https:\/\/ipwhois.io", "ip": "8.46.123.189", "success": true, "type": "IPv4", "continent": "North America", "continent_code": "NA", "country": "United States", "country_code": "US", "region": "New Yo



                                                    Target ID:0
                                                    Start time:02:10:16
                                                    Start date:16/12/2024
                                                    Path:C:\Users\user\Desktop\jignesh.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Users\user\Desktop\jignesh.exe"
                                                    Imagebase:0xf60000
                                                    File size:3'265'536 bytes
                                                    MD5 hash:64DA51697AC726C1E27F5D7899C89CAC
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.2045822771.0000000001280000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2074752283.000000001BF50000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.2045441699.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:2
                                                    Start time:02:10:18
                                                    Start date:16/12/2024
                                                    Path:C:\Windows\System32\schtasks.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                    Imagebase:0x7ff6a2c70000
                                                    File size:235'008 bytes
                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:3
                                                    Start time:02:10:18
                                                    Start date:16/12/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6d64d0000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:4
                                                    Start time:02:10:18
                                                    Start date:16/12/2024
                                                    Path:C:\Users\user\AppData\Roaming\SubDir\Client.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Users\user\AppData\Roaming\SubDir\Client.exe"
                                                    Imagebase:0x3f0000
                                                    File size:3'265'536 bytes
                                                    MD5 hash:64DA51697AC726C1E27F5D7899C89CAC
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000004.00000002.4523952975.00000000029B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000004.00000002.4523952975.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Joe Security
                                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Joe Security
                                                    • Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Florian Roth
                                                    • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: ditekSHen
                                                    • Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: ditekshen
                                                    Antivirus matches:
                                                    • Detection: 100%, Avira
                                                    • Detection: 100%, Joe Sandbox ML
                                                    • Detection: 74%, ReversingLabs
                                                    Reputation:low
                                                    Has exited:false

                                                    Target ID:5
                                                    Start time:02:10:19
                                                    Start date:16/12/2024
                                                    Path:C:\Windows\System32\schtasks.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                    Imagebase:0x7ff6a2c70000
                                                    File size:235'008 bytes
                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:6
                                                    Start time:02:10:19
                                                    Start date:16/12/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6d64d0000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:7
                                                    Start time:02:10:20
                                                    Start date:16/12/2024
                                                    Path:C:\Users\user\AppData\Roaming\SubDir\Client.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Users\user\AppData\Roaming\SubDir\Client.exe
                                                    Imagebase:0x140000
                                                    File size:3'265'536 bytes
                                                    MD5 hash:64DA51697AC726C1E27F5D7899C89CAC
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low
                                                    Has exited:true


                                                      Execution Graph

                                                      Execution Coverage:14.4%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:13
                                                      Total number of Limit Nodes:0
                                                      execution_graph 2216 7ff848f13569 2217 7ff848f13571 DeleteFileW 2216->2217 2219 7ff848f13616 2217->2219 2220 7ff848f13811 2221 7ff848f1382f 2220->2221 2222 7ff848f138c4 2221->2222 2225 7ff848f13540 2222->2225 2224 7ff848f138d1 2226 7ff848f13551 DeleteFileW 2225->2226 2228 7ff848f13616 2226->2228 2228->2224 2229 7ff848f13525 2230 7ff848f13531 DeleteFileW 2229->2230 2232 7ff848f13616 2230->2232

                                                      Control-flow Graph

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2076568922.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff848f10000_jignesh.jbxd
                                                      Similarity
                                                      • API ID: DeleteFile
                                                      • String ID:
                                                      • API String ID: 4033686569-0
                                                      • Opcode ID: 5f7035aa2d7026dd80aa516dba6dbb9466326c126d89f210b22014e44f42fa33
                                                      • Instruction ID: 90d4d0d7565b528b323e1740401200e2417d85a2e78c58fd29c854b29d222c41
                                                      • Opcode Fuzzy Hash: 5f7035aa2d7026dd80aa516dba6dbb9466326c126d89f210b22014e44f42fa33
                                                      • Instruction Fuzzy Hash: BF41F53180DB8C5FDB49DB6C98496E9BFF0FF56310F0442AFC049C7192DB6868098791

                                                      Control-flow Graph

                                                      control_flow_graph 13 7ff848f13569-7ff848f135d8 18 7ff848f135da-7ff848f135df 13->18 19 7ff848f135e2-7ff848f13614 DeleteFileW 13->19 18->19 20 7ff848f1361c-7ff848f1364a 19->20 21 7ff848f13616 19->21 21->20
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2076568922.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff848f10000_jignesh.jbxd
                                                      Similarity
                                                      • API ID: DeleteFile
                                                      • String ID:
                                                      • API String ID: 4033686569-0
                                                      • Opcode ID: c94bca7d2919669a070fa9a798061b53ba3c38f9ea1985fdee49394379fca024
                                                      • Instruction ID: e601a5c1e15cd20e3e64e3b63d3854e7762ccf32fa3ca32efdc2229670a99e4a
                                                      • Opcode Fuzzy Hash: c94bca7d2919669a070fa9a798061b53ba3c38f9ea1985fdee49394379fca024
                                                      • Instruction Fuzzy Hash: 0F31EF3180DB5C8FDB19DB5888496E9BBF0FF65320F04426BD049D3292CB78A8468B91

                                                      Execution Graph

                                                      Execution Coverage:6.7%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:8
                                                      Total number of Limit Nodes:1
                                                      execution_graph 55863 7ff848f23569 55864 7ff848f23571 DeleteFileW 55863->55864 55866 7ff848f23616 55864->55866 55867 7ff84919e1d9 55868 7ff84919e1ef 55867->55868 55869 7ff84919e29b 55868->55869 55870 7ff84919e394 SetWindowsHookExW 55868->55870 55871 7ff84919e3d6 55870->55871

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.4540499319.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7ff849190000_Client.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 3%_H$5%_D$HAH$HAH$HAH$HAH
                                                      • API String ID: 0-1438528049
                                                      • Opcode ID: 06b1561bef142e22eafdefc86452232d79cad104513fdaf9617153b89a77b369
                                                      • Instruction ID: 4b026d52e38b2938dc8827c73624a7cbfbdcfcbeaca3011395c6ef7b9d9b6fba
                                                      • Opcode Fuzzy Hash: 06b1561bef142e22eafdefc86452232d79cad104513fdaf9617153b89a77b369
                                                      • Instruction Fuzzy Hash: FC729130A1CA8A8FEB98EF18849567977E2FF98750F54017DD45EC7286CE38EC428B41

                                                      Control-flow Graph: function starting at 7ff849199ac4 (rendered graph image and basic-block edge list not reproduced)
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.4540499319.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7ff849190000_Client.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: HAH$HAH$HAH$HAH$HAH$HAH
                                                      • API String ID: 0-381444693
                                                      • Opcode ID: 9f4a05db5f40f6f852db2738fa8932820d07ddeda80ab352e5381acf30fa9d8d
                                                      • Instruction ID: 4716bebe06bef314a15b7ade03baa4102b4dbeba5e771586f3c61d402db64466
                                                      • Opcode Fuzzy Hash: 9f4a05db5f40f6f852db2738fa8932820d07ddeda80ab352e5381acf30fa9d8d
                                                      • Instruction Fuzzy Hash: D052EF31B1CA894FEBA8EF2C9455A7577D1FF98344F0401BAD44EC7292DE29AC46CB41
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.4541263388.00007FF8492B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7ff8492b0000_Client.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: H
                                                      • API String ID: 0-2852464175
                                                      • Opcode ID: 20e0b5170cc4ada1811c0fb949c262256a31cc7d3d7a0e9cb6cda70993b600bb
                                                      • Instruction ID: 86a27c4f9e1d07200815a4cf369b322dce1eec8b481f2a8f9fd3ee4291f95689
                                                      • Opcode Fuzzy Hash: 20e0b5170cc4ada1811c0fb949c262256a31cc7d3d7a0e9cb6cda70993b600bb
                                                      • Instruction Fuzzy Hash: D5839421F1DE9B1FF6B5FE2C146527912D2EFB8690B5905BAC11EC76D6EE28EC024340
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.4540499319.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7ff849190000_Client.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: HAH$HAH$Y%_H
                                                      • API String ID: 0-3805949662
                                                      • Opcode ID: 55646772be88a6daf2d00577e06584fb3dcc3b2400d5d9b64ec35441ce085bbb
                                                      • Instruction ID: 0318a9099f262158a47ec363216e80731344e3f0fb39c6f004fd305b7c6e335f
                                                      • Opcode Fuzzy Hash: 55646772be88a6daf2d00577e06584fb3dcc3b2400d5d9b64ec35441ce085bbb
                                                      • Instruction Fuzzy Hash: 90B2057191DBCA4FE7B5EB2888566B57BE0EF95360F0401BAD04DC7593DE1CAC0A8B81

                                                      Control-flow Graph: function starting at 7ff8491af339 (rendered graph image and basic-block edge list not reproduced)
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.4540499319.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7ff849190000_Client.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: HAH$HAH$HAH
                                                      • API String ID: 0-2719557456
                                                      • Opcode ID: cb88074636e6d616e7b67267b1a4e0e67b0fc96edcef18311fc0365d72ba0612
                                                      • Instruction ID: efd97a547ce9da607c37d91229487f7d5a72742ff406edb63275a45c07d6d495
                                                      • Opcode Fuzzy Hash: cb88074636e6d616e7b67267b1a4e0e67b0fc96edcef18311fc0365d72ba0612
                                                      • Instruction Fuzzy Hash: 61C1E621B1DA894FE7A9EF3C985967977D1EF99790B0400BAD48EC73A3DD1CAC028741

                                                      Control-flow Graph: function starting at 7ff8491954b6 (rendered graph image and basic-block edge list not reproduced)
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.4540499319.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7ff849190000_Client.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: HAH$HAH
                                                      • API String ID: 0-524784639
                                                      • Opcode ID: 83e6b89315a0c0706f28e301695e3ca2ae136410ff8576d7ef71323ab80766b9
                                                      • Instruction ID: 113926a5f94997c5342d12baafd6d6104d6c31c4b4773bc5530636a9a451f8e7
                                                      • Opcode Fuzzy Hash: 83e6b89315a0c0706f28e301695e3ca2ae136410ff8576d7ef71323ab80766b9
                                                      • Instruction Fuzzy Hash: 07B2A370A1CA498FDFA8EF18C894BA97BE1FF58344F1441A8D44ED7296CE39E845CB41
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.4540499319.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7ff849190000_Client.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: HAH$+_H
                                                      • API String ID: 0-453778174
                                                      • Opcode ID: bec66b25d99e8c0c98b1813c3a45da543987308634914065ef1edb1b753c0c4e
                                                      • Instruction ID: 33b506d404aee5acd248a865205bceb690676e4b4571373360ada8a8591666ae
                                                      • Opcode Fuzzy Hash: bec66b25d99e8c0c98b1813c3a45da543987308634914065ef1edb1b753c0c4e
                                                      • Instruction Fuzzy Hash: 8B529E31A1CB8A8FEBA8EF289445A7577E1FF98350F44057DD44EC3696DE28BC418B81
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.4540499319.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7ff849190000_Client.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: *%I$HAH
                                                      • API String ID: 0-562263629
                                                      • Opcode ID: b7830efad7d54739abaec787f7aca18b9e010f2da7f8c2b814fb5c4f1dc05597
                                                      • Instruction ID: 127c126fbf60a480dfc54e4362056502ce5ba6255daca6d64515180efa914902
                                                      • Opcode Fuzzy Hash: b7830efad7d54739abaec787f7aca18b9e010f2da7f8c2b814fb5c4f1dc05597
                                                      • Instruction Fuzzy Hash: 56E1C230A1CA8A8FEBA4EF28C84567977E1FF55394F144579D44AC7196CE38F841CB50
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.4540499319.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7ff849190000_Client.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: HAH$HAH
                                                      • API String ID: 0-524784639
                                                      • Opcode ID: 16ea910182bb12414af786c7c72f50c8be98269834bbdeb844af061136773b2c
                                                      • Instruction ID: cd64ae5f5bf21a338a9f89d0fc4cfc7ab7824eabb35ea53ebdc770c2af16605c
                                                      • Opcode Fuzzy Hash: 16ea910182bb12414af786c7c72f50c8be98269834bbdeb844af061136773b2c
                                                      • Instruction Fuzzy Hash: 30B18731B0DA894FE7A8EB2C98556B53BD1EF99394B0901BAD04EC7293DD1CAC42C781
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.4540499319.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7ff849190000_Client.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: x1_H
                                                      • API String ID: 0-4014100721
                                                      • Opcode ID: 507c11125af2b9d2216bbb0f077a98eeb7bf4867dd0fa468e7b3ec9d2d55a3ac
                                                      • Instruction ID: 3c4ef8b754624f72fccc97f7a2eb6aae1d1e9f1459e643cd371e0ed20dc533d3
                                                      • Opcode Fuzzy Hash: 507c11125af2b9d2216bbb0f077a98eeb7bf4867dd0fa468e7b3ec9d2d55a3ac
                                                      • Instruction Fuzzy Hash: 44624E30A0CA498FEB98EB2CC458B6577E1FF99344F1445B9E44DC72A6DE39E841CB41
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.4540499319.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7ff849190000_Client.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: HAH
                                                      • API String ID: 0-1579723087
                                                      • Opcode ID: 223b61e2d206f5e78866aabf7eda0f376ecd0b5b034a6dcefcb25390f705fb83
                                                      • Instruction ID: c7405ec7026357ec24abfa2a3cd853cc75511a43afd444a5864387b90bffd80f
                                                      • Opcode Fuzzy Hash: 223b61e2d206f5e78866aabf7eda0f376ecd0b5b034a6dcefcb25390f705fb83
                                                      • Instruction Fuzzy Hash: C5E1BD30A1CA498FE768EE68D445676B3E1FF98349F10457DD48AC72D6DE38E842CB81
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.4540499319.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7ff849190000_Client.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2dffe724aeeb888e7ac884f27d0e0aca0471ba3da22b693e9daddd1d88cff960
                                                      • Instruction ID: 7cf735a7299602b01356d01deb4f40bd353dae22a0c0d2e0b867c62099b97b9e
                                                      • Opcode Fuzzy Hash: 2dffe724aeeb888e7ac884f27d0e0aca0471ba3da22b693e9daddd1d88cff960
                                                      • Instruction Fuzzy Hash: 1C228E30A0CA494FEBA8EF2C94557B977E2FF98344F1401BDD44EC3696DE39A8428B45
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.4540499319.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7ff849190000_Client.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 321e21e993c3dea8851f283ae2fa0310f10d1f27fdf6f37c13be2af0ea72d42e
                                                      • Instruction ID: c398315d01a359393f1080d8395095da9ef4ab20326f0cb786553aadc6c9f4a8
                                                      • Instruction ID: 00390e2124714f5c53151eebd797ecec3e8cfe7d450b744f14185d11a7de5194
                                                      • Opcode Fuzzy Hash: 9d86d720c7b08c8c7deccfe36fce3b7814bd552f44627347b81d06b8f92a9b56
                                                      • Instruction Fuzzy Hash: C9D0C92172D9220BF214368C78533B9B2C5DBA8B61F501077E409C22E6C98F6DC243D6
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.4540499319.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7ff849190000_Client.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 48a055fb1c4586f8a1a27640468aace1af1c0fa8240f680ae34290a8c817f30a
                                                      • Instruction ID: 24d0c389ab10f2ac4e8a81daaefdd01144053e53a7a78ae9dbd1bc3144414a15
                                                      • Opcode Fuzzy Hash: 48a055fb1c4586f8a1a27640468aace1af1c0fa8240f680ae34290a8c817f30a
                                                      • Instruction Fuzzy Hash: 7D326417D1F1E2AAE65176BD74A24EB7F70EF422BDB0C42B7D1CC8D0539D0D148A82A9
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.4540499319.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7ff849190000_Client.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2d0b957f0c8f0647ece5af045f70e42cf817460fd051b5746a163072d90f001c
                                                      • Instruction ID: df0f2ea7f8e9458642996cb01787f3b7dc9c206eb886a61759faca58632ec010
                                                      • Opcode Fuzzy Hash: 2d0b957f0c8f0647ece5af045f70e42cf817460fd051b5746a163072d90f001c
                                                      • Instruction Fuzzy Hash: 0AF1A430A0DA894FEBA5EF2C9854BB577E1EF59344F0900FAD44DC72A2DA29EC45CB41
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.4540499319.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7ff849190000_Client.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f5d6373653ee725f67ee015413cf988c3e27487eca37f78ad8645594ce4396fb
                                                      • Instruction ID: 161a3ab65f829a0136184b0eb618da2ba49b87f02d9ad7b772a0bffd1a6b0f27
                                                      • Opcode Fuzzy Hash: f5d6373653ee725f67ee015413cf988c3e27487eca37f78ad8645594ce4396fb
                                                      • Instruction Fuzzy Hash: 2EE1411791F1E2AAE75176BD74A24EB7F70EF422BDB0C42B7D18C4D0539E0D148A82A9
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.4540499319.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7ff849190000_Client.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bb2270d591c4fbf09c8b015f5d2d05adae823a5f4df34348ec7271bdc8f2e803
                                                      • Instruction ID: f4265e5d17678a624b1f0440c0732461e493f5ce55d9c6cab8dce16d487c05e1
                                                      • Opcode Fuzzy Hash: bb2270d591c4fbf09c8b015f5d2d05adae823a5f4df34348ec7271bdc8f2e803
                                                      • Instruction Fuzzy Hash: 7AC1221791F1E2AAE75276BD74A24EB7F70EF422BDB0C42B7D1CC4D0539D0D148A82A9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2111942373.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff848f10000_Client.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: ;O_I
                                                      • API String ID: 0-1334563566
                                                      • Opcode ID: b423384c8d64a679e8feaee9039305b41a8463fa4b9bc4c98868f66f0fa2df6c
                                                      • Instruction ID: 98e9f889677f3d8303e986831bfb5a651fda7d281677c82d735ce7a445a2f8c8
                                                      • Opcode Fuzzy Hash: b423384c8d64a679e8feaee9039305b41a8463fa4b9bc4c98868f66f0fa2df6c
                                                      • Instruction Fuzzy Hash: 68A11531D0F5929FE319EB2854552BA3FB0FF81344F9940BAD488873CBDA2CAD45875A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2111942373.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff848f10000_Client.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: HAH
                                                      • API String ID: 0-1579723087
                                                      • Opcode ID: 7d969912467f4d55c660e34a8c03852cd151610806f5fe4b0b1975dd61c1958f
                                                      • Instruction ID: e439818bd9d86d18ca21ffe55abc9ff5c3383a09ebcb603bd093696da19501c1
                                                      • Opcode Fuzzy Hash: 7d969912467f4d55c660e34a8c03852cd151610806f5fe4b0b1975dd61c1958f
                                                      • Instruction Fuzzy Hash: 1A715C31E1C90A4FEB98EBA894557BDB7E2EF98790F444579D00ED32C6CF28AC428745
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2111942373.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff848f10000_Client.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: HAH
                                                      • API String ID: 0-1579723087
                                                      • Opcode ID: f651801f04857c390f19c24eed4898b14e5dc77d94ab34ff4b625ed59b794370
                                                      • Instruction ID: 29ce60afecb58a0bba5a7faefbe69edcd57f39f9063bc7ff10a2f089782094bd
                                                      • Opcode Fuzzy Hash: f651801f04857c390f19c24eed4898b14e5dc77d94ab34ff4b625ed59b794370
                                                      • Instruction Fuzzy Hash: E2410732A1DA495FE758E7A894163BA77D1FF95760F14017EE04EC32C2DE285C428396
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2111942373.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff848f10000_Client.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: .O_^
                                                      • API String ID: 0-2879385732
                                                      • Opcode ID: fedfb76be6d8b49f46bf55fd84915353bb3d0ab5bda2f4515d1c62bf333f767e
                                                      • Instruction ID: d298665459116a61089ec4c591a302852ea13e106a19fd0b41c8f62a30af1659
                                                      • Opcode Fuzzy Hash: fedfb76be6d8b49f46bf55fd84915353bb3d0ab5bda2f4515d1c62bf333f767e
                                                      • Instruction Fuzzy Hash: BB210226B0D9990FD356A72DA8652E43BE1EF96371B0C01FBC18CCB193D90C5C4A8369
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2111942373.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff848f10000_Client.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5ddcac0ae65f429edaaec9cb626a90059199a698d4e9a8de59f7fb64f71516f9
                                                      • Instruction ID: d63217e5b0579926411cecfdbc7e8ea29629a10be1a95018f160326663928c36
                                                      • Opcode Fuzzy Hash: 5ddcac0ae65f429edaaec9cb626a90059199a698d4e9a8de59f7fb64f71516f9
                                                      • Instruction Fuzzy Hash: 36A1D431A0D98A4FEB95FB6894956B977E2FF95390F0401BAD40DC72C7CF28AC428385
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2111942373.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff848f10000_Client.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8311856dcb0d5192038fe8b0fcd3b5eaa55d42ddd7301788c8999e5eedd54c93
                                                      • Instruction ID: 05713a5b555d52f2b96d2f6aea3882b1324b4a234226e784b7b72c70378cade9
                                                      • Opcode Fuzzy Hash: 8311856dcb0d5192038fe8b0fcd3b5eaa55d42ddd7301788c8999e5eedd54c93
                                                      • Instruction Fuzzy Hash: 9751A324B0E9564FEB81F7B840612FA3AE2EF85380F5440BAD00DC72C7DE2CAD468395
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2111942373.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff848f10000_Client.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ff90c2a566b5ae36e0a8ee25e9bb37a7580f31e816bb88225e09d53c55f2163e
                                                      • Instruction ID: 5462db791e100ed9246839408d862b71cccb3bb392ef3cec04745f9790e934fe
                                                      • Opcode Fuzzy Hash: ff90c2a566b5ae36e0a8ee25e9bb37a7580f31e816bb88225e09d53c55f2163e
                                                      • Instruction Fuzzy Hash: 70510432D1E9965FE356B738A4555F97BD0EF913A0F0801BAD448CB1C7DE086C8A8399
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2111942373.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff848f10000_Client.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 52dc4ac858218d5e03db6fa6fde471482ab591808afb42c0822e8ab746c6d6c7
                                                      • Instruction ID: 28edda98547a112a330ea5edd88ffcc0b27caa4ba0762ab2d7bcb11c2a0d3dda
                                                      • Opcode Fuzzy Hash: 52dc4ac858218d5e03db6fa6fde471482ab591808afb42c0822e8ab746c6d6c7
                                                      • Instruction Fuzzy Hash: 5C41C431A0DA8A4FEB95FBA894916F977A1EF95390F0400BAD00DC72C7CF2DAC458756
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2111942373.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff848f10000_Client.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2736ffe4aa11fec2d0c406eb0f6fa83d5fea56ed0f59462e4ed9798249431928
                                                      • Instruction ID: 1a0acc85758155d2371d1a874e5d4671f8a728d69f41410bebe5543d19b7c0fa
                                                      • Opcode Fuzzy Hash: 2736ffe4aa11fec2d0c406eb0f6fa83d5fea56ed0f59462e4ed9798249431928
                                                      • Instruction Fuzzy Hash: DD31F131E1AA4C8FDB90FB7988595BA77E1FF58351F4005BAE40CC7292EE389845C780
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2111942373.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff848f10000_Client.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 20bb83d4e85dcd1ebe1651af9ac9e6736d043b2ac48bcae08cbfa3c8e860ee18
                                                      • Instruction ID: 94d834e2c3b57aeb015d72fc25a66bfd02721aa1c3296ffed76d3577b7d07655
                                                      • Opcode Fuzzy Hash: 20bb83d4e85dcd1ebe1651af9ac9e6736d043b2ac48bcae08cbfa3c8e860ee18
                                                      • Instruction Fuzzy Hash: 7E21D23190D5864FEB45AB2880955A5BBA1EF95310F1842F9D458CF1DBDB28ECC6C385
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2111942373.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff848f10000_Client.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3304dda476dec28de2c2c7fa7eeba98314e39d8e86893a17191be8be6e5eb66b
                                                      • Instruction ID: 25145c90cf562204f375008dfce06f3dee3ecc4973da62ba450481b6dd74e297
                                                      • Opcode Fuzzy Hash: 3304dda476dec28de2c2c7fa7eeba98314e39d8e86893a17191be8be6e5eb66b
                                                      • Instruction Fuzzy Hash: 66316C7555B6459BE304EB2C80913FA3F72EF84304FA441A9E409873CACE7E6A84C761
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2111942373.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff848f10000_Client.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c1878d5dbb65ed571144111677796ec4f5aed4f1875e7cfd72a7ef04809f7a93
                                                      • Instruction ID: f3e8803f83b39258a2e40065d95ef01befe9a08bce53bbe85ac00a82231ac3cd
                                                      • Opcode Fuzzy Hash: c1878d5dbb65ed571144111677796ec4f5aed4f1875e7cfd72a7ef04809f7a93
                                                      • Instruction Fuzzy Hash: F0213561C1EAC69FF346B33858652B5ABA0FF96790F5805FAC089CB1C3DE0C1C448391
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2111942373.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff848f10000_Client.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 462ff05d408b5aaf55125a432579b3b68d89246b5c929f792225cf6560850bf6
                                                      • Instruction ID: c1b40271c855efce80be8e39d09d86dcbb67cbf2fad6d11acf368abc92c40d15
                                                      • Opcode Fuzzy Hash: 462ff05d408b5aaf55125a432579b3b68d89246b5c929f792225cf6560850bf6
                                                      • Instruction Fuzzy Hash: C8113A3191DA850FE345E7386C994F67BD1EB94364B0842BBE48DC31D3CE1D99868355
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2111942373.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff848f10000_Client.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c702d3b621a7e1bea718341aa5e31ef82dd4edf45dd27cf2f9fd417862e1c863
                                                      • Instruction ID: d1c6cca83802bd00598dce3b8d345ff3c00b54124d8c6ce9a373d6daad8cb431
                                                      • Opcode Fuzzy Hash: c702d3b621a7e1bea718341aa5e31ef82dd4edf45dd27cf2f9fd417862e1c863
                                                      • Instruction Fuzzy Hash: 7911C620A0EAC91FE347E37C9898AB43FD1EF56350B0901E7D048CB0A3CA684C45C356
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2111942373.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff848f10000_Client.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5e45c38a2d4bd3ab0e5b9edacbae58ac8c77f96db2b9fef770ce195bee9e0be3
                                                      • Instruction ID: b3d531bc3def58c32ae1b8248a34e2e71dd44ca8ab42204100b8b8fb69ded4c5
                                                      • Opcode Fuzzy Hash: 5e45c38a2d4bd3ab0e5b9edacbae58ac8c77f96db2b9fef770ce195bee9e0be3
                                                      • Instruction Fuzzy Hash: 2A018532E2DC9A4ED69AB32814452FA2BD1EBD4350F4405BBE40EC32CAEE0C6C824385
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2111942373.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff848f10000_Client.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d7b9470d6c5ba93321c06dfdbe9590e04a1b366c912f2630bb45e2dbd5cd8a76
                                                      • Instruction ID: 364d8950af816d48f24021d7d15b94f72c377a2227776c1384def99be8c561c1
                                                      • Opcode Fuzzy Hash: d7b9470d6c5ba93321c06dfdbe9590e04a1b366c912f2630bb45e2dbd5cd8a76
                                                      • Instruction Fuzzy Hash: 96F02422B1DC1C1FE680F2AD94D9AFA67D0DBEC261B0401B7E00CC72A3DD189C828390
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2111942373.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff848f10000_Client.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3ee8dcc762ba244a404042fb27ee6e111c7c3008f0dfea5142ce789e7da895c1
                                                      • Instruction ID: 38b01eef9e203b12852b3d0e3e089fa4c89c4bd9b9a8fdc95820c6ab1e85183f
                                                      • Opcode Fuzzy Hash: 3ee8dcc762ba244a404042fb27ee6e111c7c3008f0dfea5142ce789e7da895c1
                                                      • Instruction Fuzzy Hash: D2E09231B19C1D1FAB94F7AD84CDB7962C1EBAC361B1005B6E40CC72A7DD28AC819380
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2111942373.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff848f10000_Client.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 781557e9ce83c0a2f0ecd41b5c9a0813370a555524753c47963b6de9414c64ef
                                                      • Instruction ID: 9c6f17baa97f1290e02f68e4a29341655e6b88ddb63b713c63f600580e880ea4
                                                      • Opcode Fuzzy Hash: 781557e9ce83c0a2f0ecd41b5c9a0813370a555524753c47963b6de9414c64ef
                                                      • Instruction Fuzzy Hash: 60E02622F0E8665BE599373C24921BC61C0CF956D0F4400BAE40DC72C3DE1C2C820388