Edit tour

Windows Analysis Report
Client-built-Playit.exe

Overview

General Information

Sample name:	Client-built-Playit.exe
Analysis ID:	1576464
MD5:	c3e8ea545254bb9d01bff3f53668e04f
SHA1:	84bfec02d33d829736407744504c271f71c21078
SHA256:	942e216bf41aea0642c7f219560630dc21d29219920e90be79e990e6387a3a9a
Tags:	exeQuasarRATuser-lontze7
Infos:

Detection

Quasar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Quasar RAT

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to detect virtual machines (STR)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Client-built-Playit.exe (PID: 6400 cmdline: "C:\Users\user\Desktop\Client-built-Playit.exe" MD5: C3E8EA545254BB9D01BFF3F53668E04F)

schtasks.exe (PID: 3636 cmdline: "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 2888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

System32.exe (PID: 2436 cmdline: "C:\Users\user\AppData\Roaming\System32\System32.exe" MD5: C3E8EA545254BB9D01BFF3F53668E04F)

schtasks.exe (PID: 1532 cmdline: "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 2452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

System32.exe (PID: 2228 cmdline: C:\Users\user\AppData\Roaming\System32\System32.exe MD5: C3E8EA545254BB9D01BFF3F53668E04F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Quasar RAT, QuasarRAT	Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.	APT33 Dropping Elephant Stone Panda The Gorgon Group	http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848 https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf https://asec.ahnlab.com/en/31089/	https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware Configuration

Threatname: Quasar

{"Version": "1.4.1", "Host:Port": "147.185.221.24:15249;", "SubDirectory": "System32", "InstallName": "System32.exe", "MutexName": "da67ff1b-f911-4ad4-a51c-c7c5bd13aeb3", "StartupKey": "System32", "Tag": "rat1", "LogDirectoryName": "Logs", "ServerSignature": "mJZ0ALFFC05viEI1hMCyBpKmVmen4BMFm2i5IlVmqu+Lvc4S+H3f0DBp0m78Waf+gzyX0mUfuqbKmqmeDyVualpZfVSgw7HBeFce/fIDUcFehLI3eR3ceh+jCm1FP/DQQBHp98rIvgMGxafnL87D86fKjQD8nVJvEtxxPzeAOsW5mR7ysdtZ3w6TqETob9i2tB3JaNmiCJ7arn2TSkfFVY8KudVD2b7WJ9jRdk9eQHfHTcG1Wx13GyGv9iZRDn8ss5AQs+/TC9PbauKpTSepO6SQQi83+oQjr0FJkJpgOVenYXAK4AaHOmO0xjajR+F8SSmGl0aYGTi7JbPWX/JLukKfIoog3XIgx1gen/X0PSP6hKbF0QIAwxjY4bA8v8sNonrd4cQYmQW0z8mDAfu4k74OMur0sqa1PWpEZFXtJxMI21dicIsXp64R/b3/xMQogOuLVqlM0ebusQrY9ariCVKq1tofQYcMK1iYtiRCTnzR4701TbzthVmLCgN/L/2Lk76eXLwfC9QPX+6svJcfxH5Pr2pIFbR0yaZqUsBOCgPHWAZ+fUzE3aOl0fSFQRDa+Q2jtro7DS8ahLjvmfyetnilQ5PFc46V5SjFiMM5ewYYR+PyoaGSh+xf90uWCViA4ldRLlZzbd+eYIaAiSxYUpP4a+T4+fRayMhZ6HfabCs=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAIiSH7hYaoIGKueL/RUXuTANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MTAxOTE2NDkzOFoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA28uy8neNh2xzV7hyJx8f+G94QKwKUTRBjefu1TZZP2rVXJj3INPqBknTWCy1qqQXd5ar4qbcHgl5QIU4c+lmPY0RV+J4Ba69oUsMxuCs8iFkyMR0C9NRixCdp4vbKdRIXrlBruvqiEsDqBAJMMTcaCj4e2bcb6vYoigUsWpZpV1KC/DwMXdXfNhKA/rAA6oifqe/q2Dlul7OCkpLIJZ6AptKEGXJkvlBaj2rGpy8YyXJxZ6fI+jsaUQoKYTmZIWbIrd1ZzgOMtDi6iU4oUGXLXpdna4umxqK/y3nSzRL+/aQuqVKGRiPTw8Zp93ZcKVtDCgsu3nhVit2rUa1i6SSkticgOAekoXXmPfg2zaBKHWRjHOKHUYWCOCPVEFneHLY6ZL/ZNhdmnjZfWeliFZ659OvLB5treJtkdfutrgrQHlqy/S7U4xkkWpoaQiBLNivCFqohex2pZhSxpY+GqeMJqiy7dPHQaWGrsm9UIsMMFw5E62b4IPkMoQM+tnqybAeUvkuEOU/sV2541k2jDN1e3XsLNmX5cZN8DTKviVwbDQumgjBzGFT046bDMtvqVFQbpyIGwObvYNG7JhfF6RUHJYKFGrO4V3Deo/pxinQOQPTwPNlGx+B9p82zyJ42HiW/+UvYnsBMWx8EFUMOWN2rb2IcmkGIPzgt0iPnO3uSRkCAwEAAaMyMDAwHQYDVR0OBBYEFI7a/T2ouXh29Ill7XpWM4Vf30hxMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAKWvYnET0+STGIaWmKToRnCQgKS1HfvUazEY0K8vpEaZ2yvr1NbIB6OALKv/1aKH8M8NEAU3A5Bj2zqxWSW2bwD8+YG6JV4bSR1WDkhCUHTYLS/QcodCl7TV/2xI2ro0uuIbaaapTtXsIa1S+wIqIf6VkzqI3tPg1G1wI3XsNkjYPzXCgOM0u6JJSmSrhCX5I1dPuZYjPZFJWeBmgu8vVZ48Tx1/zUJztk2oZgZVMPpqkPTdk7WODk02uTQIFZxr1Uf40rT8mLhC0sAOYQg7jyKMruvXs1KY/Aoj5LEYIV5DBXOGtKz2cS+VG/uVSDHs+E5Nr1zzASJqVlGHTQweKUbBnKX+dYo5qP9CuYnyYYBTfLR8dB3lfuoU8CRhnZTDqkC3VpLfyxhZtvUlkybUoBf3HCAoFeL9FNFu2tc4itrtQZtU9NORLNjqdDqNfB3PvRMcNLkDKKqALnRqYZ0GjgUCNgnbl+S/HaWLRAEDDzTfD7X9zjTwHB0I7yCqoj1iQrphXHkf3nRo92os4GPdabBy7FpspMsv+/Cdfox7qKeKBsw6gjZbfcNQIbg/70rMQPPXHfvAyriEJMbQ9z2uaFCmNzc6ktGSPOsR/uBnpBx3bIVeClsdP89hXzlSd7RU4JGQ68YJgsnm3QAcPlXqIB0mcI3YySp+5pUguji19lYZ"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Client-built-Playit.exe	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Client-built-Playit.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
Client-built-Playit.exe	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ede7:$x1: Quasar.Common.Messages 0x29f104:$x1: Quasar.Common.Messages 0x2ab756:$x4: Uninstalling... good bye :-( 0x2acf4b:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
Client-built-Playit.exe	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aad08:$f1: FileZilla\recentservers.xml 0x2aad48:$f2: FileZilla\sitemanager.xml 0x2aad8a:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2aafd6:$b1: Chrome\User Data\ 0x2ab02c:$b1: Chrome\User Data\ 0x2ab304:$b2: Mozilla\Firefox\Profiles 0x2ab400:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd344:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab558:$b4: Opera Software\Opera Stable\Login Data 0x2ab612:$b5: YandexBrowser\User Data\ 0x2ab680:$b5: YandexBrowser\User Data\ 0x2ab354:$s4: logins.json 0x2ab08a:$a1: username_value 0x2ab0a8:$a2: password_value 0x2ab394:$a3: encryptedUsername 0x2fd288:$a3: encryptedUsername 0x2ab3b8:$a4: encryptedPassword 0x2fd2a6:$a4: encryptedPassword 0x2fd224:$a5: httpRealm
Client-built-Playit.exe	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164eba:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab840:$s3: Process already elevated. 0x28eae6:$s4: get_PotentiallyVulnerablePasswords 0x278bb8:$s5: GetKeyloggerLogsDirectory 0x29e863:$s5: GetKeyloggerLogsDirectory 0x28eb09:$s6: set_PotentiallyVulnerablePasswords 0x2fe964:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\System32\System32.exe	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
C:\Users\user\AppData\Roaming\System32\System32.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Roaming\System32\System32.exe	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ede7:$x1: Quasar.Common.Messages 0x29f104:$x1: Quasar.Common.Messages 0x2ab756:$x4: Uninstalling... good bye :-( 0x2acf4b:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
C:\Users\user\AppData\Roaming\System32\System32.exe	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aad08:$f1: FileZilla\recentservers.xml 0x2aad48:$f2: FileZilla\sitemanager.xml 0x2aad8a:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2aafd6:$b1: Chrome\User Data\ 0x2ab02c:$b1: Chrome\User Data\ 0x2ab304:$b2: Mozilla\Firefox\Profiles 0x2ab400:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd344:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab558:$b4: Opera Software\Opera Stable\Login Data 0x2ab612:$b5: YandexBrowser\User Data\ 0x2ab680:$b5: YandexBrowser\User Data\ 0x2ab354:$s4: logins.json 0x2ab08a:$a1: username_value 0x2ab0a8:$a2: password_value 0x2ab394:$a3: encryptedUsername 0x2fd288:$a3: encryptedUsername 0x2ab3b8:$a4: encryptedPassword 0x2fd2a6:$a4: encryptedPassword 0x2fd224:$a5: httpRealm
C:\Users\user\AppData\Roaming\System32\System32.exe	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164eba:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab840:$s3: Process already elevated. 0x28eae6:$s4: get_PotentiallyVulnerablePasswords 0x278bb8:$s5: GetKeyloggerLogsDirectory 0x29e863:$s5: GetKeyloggerLogsDirectory 0x28eb09:$s6: set_PotentiallyVulnerablePasswords 0x2fe964:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2070520834.000000001B420000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000000.2038376842.0000000000322000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: Client-built-Playit.exe PID: 6400	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: System32.exe PID: 2436	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.Client-built-Playit.exe.320000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.0.Client-built-Playit.exe.320000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.Client-built-Playit.exe.320000.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ede7:$x1: Quasar.Common.Messages 0x29f104:$x1: Quasar.Common.Messages 0x2ab756:$x4: Uninstalling... good bye :-( 0x2acf4b:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.0.Client-built-Playit.exe.320000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aad08:$f1: FileZilla\recentservers.xml 0x2aad48:$f2: FileZilla\sitemanager.xml 0x2aad8a:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2aafd6:$b1: Chrome\User Data\ 0x2ab02c:$b1: Chrome\User Data\ 0x2ab304:$b2: Mozilla\Firefox\Profiles 0x2ab400:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd344:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab558:$b4: Opera Software\Opera Stable\Login Data 0x2ab612:$b5: YandexBrowser\User Data\ 0x2ab680:$b5: YandexBrowser\User Data\ 0x2ab354:$s4: logins.json 0x2ab08a:$a1: username_value 0x2ab0a8:$a2: password_value 0x2ab394:$a3: encryptedUsername 0x2fd288:$a3: encryptedUsername 0x2ab3b8:$a4: encryptedPassword 0x2fd2a6:$a4: encryptedPassword 0x2fd224:$a5: httpRealm
0.0.Client-built-Playit.exe.320000.0.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164eba:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab840:$s3: Process already elevated. 0x28eae6:$s4: get_PotentiallyVulnerablePasswords 0x278bb8:$s5: GetKeyloggerLogsDirectory 0x29e863:$s5: GetKeyloggerLogsDirectory 0x28eb09:$s6: set_PotentiallyVulnerablePasswords 0x2fe964:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

Sigma Signatures

System Summary

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\System32\System32.exe", ParentImage: C:\Users\user\AppData\Roaming\System32\System32.exe, ParentProcessId: 2436, ParentProcessName: System32.exe, ProcessCommandLine: "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f, ProcessId: 1532, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Client-built-Playit.exe", ParentImage: C:\Users\user\Desktop\Client-built-Playit.exe, ParentProcessId: 6400, ParentProcessName: Client-built-Playit.exe, ProcessCommandLine: "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f, ProcessId: 3636, ProcessName: schtasks.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Client-built-Playit.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\System32\System32.exe

Avira: detection malicious, Label: HEUR/AGEN.1307453

Found malware configuration

Source: Client-built-Playit.exe

Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "147.185.221.24:15249;", "SubDirectory": "System32", "InstallName": "System32.exe", "MutexName": "da67ff1b-f911-4ad4-a51c-c7c5bd13aeb3", "StartupKey": "System32", "Tag": "rat1", "LogDirectoryName": "Logs", "ServerSignature": "mJZ0ALFFC05viEI1hMCyBpKmVmen4BMFm2i5IlVmqu+Lvc4S+H3f0DBp0m78Waf+gzyX0mUfuqbKmqmeDyVualpZfVSgw7HBeFce/fIDUcFehLI3eR3ceh+jCm1FP/DQQBHp98rIvgMGxafnL87D86fKjQD8nVJvEtxxPzeAOsW5mR7ysdtZ3w6TqETob9i2tB3JaNmiCJ7arn2TSkfFVY8KudVD2b7WJ9jRdk9eQHfHTcG1Wx13GyGv9iZRDn8ss5AQs+/TC9PbauKpTSepO6SQQi83+oQjr0FJkJpgOVenYXAK4AaHOmO0xjajR+F8SSmGl0aYGTi7JbPWX/JLukKfIoog3XIgx1gen/X0PSP6hKbF0QIAwxjY4bA8v8sNonrd4cQYmQW0z8mDAfu4k74OMur0sqa1PWpEZFXtJxMI21dicIsXp64R/b3/xMQogOuLVqlM0ebusQrY9ariCVKq1tofQYcMK1iYtiRCTnzR4701TbzthVmLCgN/L/2Lk76eXLwfC9QPX+6svJcfxH5Pr2pIFbR0yaZqUsBOCgPHWAZ+fUzE3aOl0fSFQRDa+Q2jtro7DS8ahLjvmfyetnilQ5PFc46V5SjFiMM5ewYYR+PyoaGSh+xf90uWCViA4ldRLlZzbd+eYIaAiSxYUpP4a+T4+fRayMhZ6HfabCs=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAIiSH7hYaoIGKueL/RUXuTANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MTAxOTE2NDkzOFoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA28uy8neNh2xzV7hyJx8f+G94QKwKUTRBjefu1TZZP2rVXJj3INPqBknTWCy1qqQXd5ar4qbcHgl5QIU4c+lmPY0RV+J4Ba69oUsMxuCs8iFkyMR0C9NRixCdp4vbKdRIXrlBruvqiEsDqBAJMMTcaCj4e2bcb6vYoigUsWpZpV1KC/DwMXdXfNhKA/rAA6oifqe/q2Dlul7OCkpLIJZ6AptKEGXJkvlBaj2rGpy8YyXJxZ6fI+jsaUQoKYTmZIWbIrd1ZzgOMtDi6iU4oUGXLXpdna4umxqK/y3nSzRL+/aQuqVKGRiPTw8Zp93ZcKVtDCgsu3nhVit2rUa1i6SSkticgOAekoXXmPfg2zaBKHWRjHOKHUYWCOCPVEFneHLY6ZL/ZNhdmnjZfWeliFZ659OvLB5treJtkdfutrgrQHlqy/S7U4xkkWpoaQiBLNivCFqohex2pZhSxpY+GqeMJqiy7dPHQaWGrsm9UIsMMFw5E62b4IPkMoQM+tnqybAeUvkuEOU/sV2541k2jDN1e3XsLNmX5cZN8DTKviVwbDQumgjBzGFT046bDMtvqVFQbpyIGwObvYNG7JhfF6RUHJYKFGrO4V3Deo/pxinQOQPTwPNlGx+B9p82zyJ42HiW/+UvYnsBMWx8EFUMOWN2rb2IcmkGIPzgt0iPnO3uSRkCAwEAAaMyMDAwHQYDVR0OBBYEFI7a/T2ouXh29Ill7XpWM4Vf30hxMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAKWvYnET0+STGIaWmKToRnCQgKS1HfvUazEY0K8vpEaZ2yvr1NbIB6OALKv/1aKH8M8NEAU3A5Bj2zqxWSW2bwD8+YG6JV4bSR1WDkhCUHTYLS/QcodCl7TV/2xI2ro0uuIbaaapTtXsIa1S+wIqIf6VkzqI3tPg1G1wI3XsNkjYPzXCgOM0u6JJSmSrhCX5I1dPuZYjPZFJWeBmgu8vVZ48Tx1/zUJztk2oZgZVMPpqkPTdk7WODk02uTQIFZxr1Uf40rT8mLhC0sAOYQg7jyKMruvXs1KY/Aoj5LEYIV5DBXOGtKz2cS+VG/uVSDHs+E5Nr1zzASJqVlGHTQweKUbBnKX+dYo5qP9CuYnyYYBTfLR8dB3lfuoU8CRhnZTDqkC3VpLfyxhZtvUlkybUoBf3HCAoFeL9FNFu2tc4itrtQZtU9NORLNjqdDqNfB3PvRMcNLkDKKqALnRqYZ0GjgUCNgnbl+S/HaWLRAEDDzTfD7X9zjTwHB0I7yCqoj1iQrphXHkf3nRo92os4GPdabBy7FpspMsv+/Cdfox7qKeKBsw6gjZbfcNQIbg/70rMQPPXHfvAyriEJMbQ9z2uaFCmNzc6ktGSPOsR/uBnpBx3bIVeClsdP89hXzlSd7RU4JGQ68YJgsnm3QAcPlXqIB0mcI3YySp+5pUguji19lYZ"}

Multi AV Scanner detection for domain / URL

Source: 147.185.221.24

Virustotal: Detection: 17%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\System32\System32.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Virustotal: Detection: 75%			Perma Link

Multi AV Scanner detection for submitted file

Source: Client-built-Playit.exe	Virustotal: Detection: 75%			Perma Link
Source: Client-built-Playit.exe	ReversingLabs: Detection: 73%

Yara detected Quasar RAT

Source: Yara match	File source: Client-built-Playit.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Client-built-Playit.exe.320000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2070520834.000000001B420000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2038376842.0000000000322000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client-built-Playit.exe PID: 6400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System32.exe PID: 2436, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\System32\System32.exe, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\System32\System32.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Client-built-Playit.exe

Joe Sandbox ML: detected

Source: Client-built-Playit.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Client-built-Playit.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 147.185.221.24

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 147.185.221.24 ports 1,2,4,5,15249,9

Yara detected Generic Downloader

Source: Yara match	File source: Client-built-Playit.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Client-built-Playit.exe.320000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\System32\System32.exe, type: DROPPED

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 147.185.221.24:15249

Source: Joe Sandbox View

IP Address: 147.185.221.24 147.185.221.24

Source: Joe Sandbox View

ASN Name: SALSGIVERUS SALSGIVERUS

Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24

Source: Client-built-Playit.exe, 00000000.00000002.2067157808.0000000002951000.00000004.00000800.00020000.00000000.sdmp, System32.exe, 00000004.00000002.4487542626.00000000032E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Client-built-Playit.exe, System32.exe.0.dr	String found in binary or memory: https://api.ipify.org/
Source: Client-built-Playit.exe, System32.exe.0.dr	String found in binary or memory: https://ipwho.is/
Source: Client-built-Playit.exe, System32.exe.0.dr	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Client-built-Playit.exe, System32.exe.0.dr	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Client-built-Playit.exe, System32.exe.0.dr	String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\AppData\Roaming\System32\System32.exe

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\System32\System32.exe

Jump to behavior

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match	File source: Client-built-Playit.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Client-built-Playit.exe.320000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2070520834.000000001B420000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2038376842.0000000000322000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client-built-Playit.exe PID: 6400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System32.exe PID: 2436, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\System32\System32.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: Client-built-Playit.exe, type: SAMPLE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: Client-built-Playit.exe, type: SAMPLE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: Client-built-Playit.exe, type: SAMPLE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.0.Client-built-Playit.exe.320000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.0.Client-built-Playit.exe.320000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.0.Client-built-Playit.exe.320000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: C:\Users\user\AppData\Roaming\System32\System32.exe, type: DROPPED	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\System32\System32.exe, type: DROPPED	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\System32\System32.exe, type: DROPPED	Matched rule: Detects Quasar infostealer Author: ditekshen

Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Code function: 4_2_00007FF849189271	4_2_00007FF849189271
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Code function: 4_2_00007FF8491855D6	4_2_00007FF8491855D6
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Code function: 4_2_00007FF84918AFDD	4_2_00007FF84918AFDD
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Code function: 4_2_00007FF849189BD1	4_2_00007FF849189BD1
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Code function: 4_2_00007FF84918621F	4_2_00007FF84918621F

Source: Client-built-Playit.exe, 00000000.00000000.2038711405.0000000000640000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem322 vs Client-built-Playit.exe
Source: Client-built-Playit.exe, 00000000.00000002.2070520834.000000001B420000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem322 vs Client-built-Playit.exe
Source: Client-built-Playit.exe	Binary or memory string: OriginalFilenameSystem322 vs Client-built-Playit.exe

Source: Client-built-Playit.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Client-built-Playit.exe, type: SAMPLE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: Client-built-Playit.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: Client-built-Playit.exe, type: SAMPLE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.0.Client-built-Playit.exe.320000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.0.Client-built-Playit.exe.320000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.0.Client-built-Playit.exe.320000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: C:\Users\user\AppData\Roaming\System32\System32.exe, type: DROPPED	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: C:\Users\user\AppData\Roaming\System32\System32.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: C:\Users\user\AppData\Roaming\System32\System32.exe, type: DROPPED	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@10/3@0/1

Source: C:\Users\user\Desktop\Client-built-Playit.exe

File created: C:\Users\user\AppData\Roaming\System32

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2452:120:WilError_03
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\da67ff1b-f911-4ad4-a51c-c7c5bd13aeb3
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2888:120:WilError_03

Source: Client-built-Playit.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Client-built-Playit.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Client-built-Playit.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Client-built-Playit.exe	Virustotal: Detection: 75%
Source: Client-built-Playit.exe	ReversingLabs: Detection: 73%

Source: Client-built-Playit.exe

String found in binary or memory: HasSubValue3Conflicting item/add type

Source: C:\Users\user\Desktop\Client-built-Playit.exe

File read: C:\Users\user\Desktop\Client-built-Playit.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Client-built-Playit.exe "C:\Users\user\Desktop\Client-built-Playit.exe"
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process created: C:\Users\user\AppData\Roaming\System32\System32.exe "C:\Users\user\AppData\Roaming\System32\System32.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\System32\System32.exe C:\Users\user\AppData\Roaming\System32\System32.exe
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process created: C:\Users\user\AppData\Roaming\System32\System32.exe "C:\Users\user\AppData\Roaming\System32\System32.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f	Jump to behavior

Source: C:\Users\user\Desktop\Client-built-Playit.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior

Source: Client-built-Playit.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Client-built-Playit.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Client-built-Playit.exe

Static file information: File size 3265536 > 1048576

Source: Client-built-Playit.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x31c400

Source: Client-built-Playit.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Code function: 4_2_00007FF848F12B85 pushad ; iretd	4_2_00007FF848F12C3D
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Code function: 4_2_00007FF848F12BE5 pushad ; iretd	4_2_00007FF848F12C3D
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Code function: 4_2_00007FF8491833A0 push eax; ret	4_2_00007FF84918340C

Source: C:\Users\user\Desktop\Client-built-Playit.exe

File created: C:\Users\user\AppData\Roaming\System32\System32.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Client-built-Playit.exe

Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\Client-built-Playit.exe	File opened: C:\Users\user\Desktop\Client-built-Playit.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	File opened: C:\Users\user\AppData\Roaming\System32\System32.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	File opened: C:\Users\user\AppData\Roaming\System32\System32.exe:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Client-built-Playit.exe	Memory allocated: B90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Memory allocated: 1A950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Memory allocated: 17E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Memory allocated: 1B2B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Memory allocated: 1A20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Memory allocated: 1B430000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Roaming\System32\System32.exe

Code function: 4_2_00007FF848F1F1F2 str ax

4_2_00007FF848F1F1F2

Source: C:\Users\user\Desktop\Client-built-Playit.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Window / User API: threadDelayed 2025			Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Window / User API: threadDelayed 7806			Jump to behavior

Source: C:\Users\user\Desktop\Client-built-Playit.exe TID: 1252	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe TID: 3436	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe TID: 3436	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe TID: 4796	Thread sleep count: 2025 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe TID: 4796	Thread sleep count: 7806 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe TID: 5160	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Client-built-Playit.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: System32.exe, 00000004.00000002.4494916451.000000001C073000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: System32.exe, 00000004.00000002.4494916451.000000001C073000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Client-built-Playit.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\Desktop\Client-built-Playit.exe	Process created: C:\Users\user\AppData\Roaming\System32\System32.exe "C:\Users\user\AppData\Roaming\System32\System32.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f	Jump to behavior

Source: C:\Users\user\Desktop\Client-built-Playit.exe	Queries volume information: C:\Users\user\Desktop\Client-built-Playit.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Queries volume information: C:\Users\user\AppData\Roaming\System32\System32.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\System32\System32.exe	Queries volume information: C:\Users\user\AppData\Roaming\System32\System32.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Client-built-Playit.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Quasar RAT

Source: Yara match	File source: Client-built-Playit.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Client-built-Playit.exe.320000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2070520834.000000001B420000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2038376842.0000000000322000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client-built-Playit.exe PID: 6400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System32.exe PID: 2436, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\System32\System32.exe, type: DROPPED

Remote Access Functionality

Yara detected Quasar RAT

Source: Yara match	File source: Client-built-Playit.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Client-built-Playit.exe.320000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2070520834.000000001B420000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2038376842.0000000000322000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client-built-Playit.exe PID: 6400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System32.exe PID: 2436, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\System32\System32.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	11 Input Capture	11 Security Software Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	41 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Client-built-Playit.exe	75%	Virustotal		Browse
Client-built-Playit.exe	74%	ReversingLabs	ByteCode-MSIL.Backdoor.Quasar
Client-built-Playit.exe	100%	Avira	HEUR/AGEN.1307453
Client-built-Playit.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\System32\System32.exe	100%	Avira	HEUR/AGEN.1307453
C:\Users\user\AppData\Roaming\System32\System32.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\System32\System32.exe	74%	ReversingLabs	ByteCode-MSIL.Backdoor.Quasar
C:\Users\user\AppData\Roaming\System32\System32.exe	75%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
147.185.221.24	0%	Avira URL Cloud	safe
147.185.221.24	18%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
147.185.221.24	true	18%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://api.ipify.org/	Client-built-Playit.exe, System32.exe.0.dr	false	high
https://stackoverflow.com/q/14436606/23354	Client-built-Playit.exe, System32.exe.0.dr	false	high
https://stackoverflow.com/q/2152978/23354sCannot	Client-built-Playit.exe, System32.exe.0.dr	false	high
https://ipwho.is/	Client-built-Playit.exe, System32.exe.0.dr	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Client-built-Playit.exe, 00000000.00000002.2067157808.0000000002951000.00000004.00000800.00020000.00000000.sdmp, System32.exe, 00000004.00000002.4487542626.00000000032E9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	Client-built-Playit.exe, System32.exe.0.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.185.221.24	unknown	United States		12087	SALSGIVERUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1576464
Start date and time:	2024-12-17 07:30:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Client-built-Playit.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@10/3@0/1
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 29 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.12.23.50
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target System32.exe, PID 2228 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:31:01	API Interceptor	12495188x Sleep call for process: System32.exe modified
07:30:59	Task Scheduler	Run new task: System32 path: C:\Users\user\AppData\Roaming\System32\System32.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
147.185.221.24	file.exe	Get hash	malicious	ScreenConnect Tool, Amadey, RHADAMANTHYS, XWorm, Xmrig	Browse
	72OWK7wBVH.exe	Get hash	malicious	XWorm	Browse
	aZDwfEKorn.exe	Get hash	malicious	XWorm	Browse
	HdTSntLSMB.exe	Get hash	malicious	XWorm	Browse
	file.exe	Get hash	malicious	XWorm	Browse
	file.exe	Get hash	malicious	XWorm	Browse
	NhoqAfkhHL.bat	Get hash	malicious	Unknown	Browse
	a4lIk1Jrla.exe	Get hash	malicious	Njrat, RevengeRAT	Browse
	W6s1vzcRdj.exe	Get hash	malicious	XWorm	Browse
	u7e3vb5dfk.exe	Get hash	malicious	XWorm	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SALSGIVERUS	PowerRat.exe	Get hash	malicious	AsyncRAT	Browse	147.185.221.211
	file.exe	Get hash	malicious	ScreenConnect Tool, Amadey, RHADAMANTHYS, XWorm, Xmrig	Browse	147.185.221.24
	msedge.exe	Get hash	malicious	XWorm	Browse	147.185.221.22
	imagelogger.exe	Get hash	malicious	XWorm	Browse	147.185.221.229
	NJRAT DANGEROUS.exe	Get hash	malicious	XWorm	Browse	147.185.221.181
	com surrogate.exe	Get hash	malicious	XWorm	Browse	147.185.221.22
	lastest.exe	Get hash	malicious	Njrat	Browse	147.185.221.20
	Fast Download.exe	Get hash	malicious	Njrat	Browse	147.185.221.229
	cnct.exe	Get hash	malicious	Njrat	Browse	147.185.221.20
	Server1.exe	Get hash	malicious	Njrat	Browse	147.185.221.17

Process:	C:\Users\user\Desktop\Client-built-Playit.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System32.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\System32\System32.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Roaming\System32\System32.exe

Download File

Process:	C:\Users\user\Desktop\Client-built-Playit.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3265536
Entropy (8bit):	6.086654643570332
Encrypted:	false
SSDEEP:	49152:OUd1/DM2zv8aMlqCPwln5+Hjdh+Euvr9+VZzNAxoGnjwTHHB72eh2NTe:OUPrM2zEaMlqCPwln5+Ddh+Zvr4zq1k
MD5:	C3E8EA545254BB9D01BFF3F53668E04F
SHA1:	84BFEC02D33D829736407744504C271F71C21078
SHA-256:	942E216BF41AEA0642C7F219560630DC21D29219920E90BE79E990E6387A3A9A
SHA-512:	84933B3FC7A888673079C2FCCF987189777FC20831EB76CC3F4B94CF960C0C74831B98892781F2E9053C97DE7818922FD6A950A8AACCAF696903B536972F0B38
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Roaming\System32\System32.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\System32\System32.exe, Author: Joe Security Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Roaming\System32\System32.exe, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Users\user\AppData\Roaming\System32\System32.exe, Author: ditekSHen Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: C:\Users\user\AppData\Roaming\System32\System32.exe, Author: ditekshen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74% Antivirus: Virustotal, Detection: 75%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..................1...........1.. ........@.. .......................@2...........@.................................x.1.S.....2.<.................... 2...................................................... ............... ..H............text.....1.. ....1................. ..`.rsrc...<.....2.......1.............@..@.reloc....... 2.......1.............@..B..................1.....H.......................@k..p............................................0..M....... ....(.....(...........s....(....(...........s....o....(.....(....s....(........0..8.......(....(0....s....%.o....%.o....%.o....(....&..&...(.............--..........00.......0..@........o....,7(....(0....s....%.o....%.o....%.o....(....&..&...(.............-5..........08......f~w...,.~....(....(.....v.(.....s....}.....s....}....r..(......(.....(......(....6.{.....o......0..........(...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.086654643570332
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Client-built-Playit.exe
File size:	3'265'536 bytes
MD5:	c3e8ea545254bb9d01bff3f53668e04f
SHA1:	84bfec02d33d829736407744504c271f71c21078
SHA256:	942e216bf41aea0642c7f219560630dc21d29219920e90be79e990e6387a3a9a
SHA512:	84933b3fc7a888673079c2fccf987189777fc20831eb76cc3f4b94cf960c0c74831b98892781f2e9053c97de7818922fd6a950a8aaccaf696903b536972f0b38
SSDEEP:	49152:OUd1/DM2zv8aMlqCPwln5+Hjdh+Euvr9+VZzNAxoGnjwTHHB72eh2NTe:OUPrM2zEaMlqCPwln5+Ddh+Zvr4zq1k
TLSH:	E1E55B1477F84E23E1ABE673D9B044126BF0FC2AB363EB0B658167B91C53B9058417A7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..................1...........1.. ........@.. .......................@2...........@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x71e2ce
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x671685FA [Mon Oct 21 16:48:58 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x31e278	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x320000	0xb3c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x322000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x31c2d4	0x31c400	ddf52cca7c821df1235a8721fb2ed124	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x320000	0xb3c	0xc00	a8ee2a1d668a184f96fdf258195d48ea	False	0.3736979166666667	data	5.12328100731859	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x322000	0xc	0x200	6195ec41dc9e41ca4e666293a65322d4	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x3200a0	0x3c4	data			0.39107883817427386
RT_MANIFEST	0x320464	0x6d7	XML 1.0 document, Unicode text, UTF-8 (with BOM) text			0.40319817247287265

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 17, 2024 07:31:01.876777887 CET	49704	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:31:01.996570110 CET	15249	49704	147.185.221.24	192.168.2.5
Dec 17, 2024 07:31:01.996726036 CET	49704	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:31:02.014177084 CET	49704	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:31:02.133955956 CET	15249	49704	147.185.221.24	192.168.2.5
Dec 17, 2024 07:31:23.880109072 CET	15249	49704	147.185.221.24	192.168.2.5
Dec 17, 2024 07:31:23.880192041 CET	49704	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:31:23.892736912 CET	49704	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:31:24.012422085 CET	15249	49704	147.185.221.24	192.168.2.5
Dec 17, 2024 07:31:27.486116886 CET	49735	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:31:27.606281996 CET	15249	49735	147.185.221.24	192.168.2.5
Dec 17, 2024 07:31:27.606437922 CET	49735	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:31:27.606950045 CET	49735	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:31:27.726785898 CET	15249	49735	147.185.221.24	192.168.2.5
Dec 17, 2024 07:31:49.506433964 CET	15249	49735	147.185.221.24	192.168.2.5
Dec 17, 2024 07:31:49.506577015 CET	49735	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:31:49.506978989 CET	49735	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:31:49.626704931 CET	15249	49735	147.185.221.24	192.168.2.5
Dec 17, 2024 07:31:52.845520020 CET	49796	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:31:52.965421915 CET	15249	49796	147.185.221.24	192.168.2.5
Dec 17, 2024 07:31:52.965605021 CET	49796	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:31:52.966053963 CET	49796	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:31:53.085936069 CET	15249	49796	147.185.221.24	192.168.2.5
Dec 17, 2024 07:32:14.880909920 CET	15249	49796	147.185.221.24	192.168.2.5
Dec 17, 2024 07:32:14.880979061 CET	49796	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:32:14.884584904 CET	49796	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:32:15.004460096 CET	15249	49796	147.185.221.24	192.168.2.5
Dec 17, 2024 07:32:18.236143112 CET	49852	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:32:18.356592894 CET	15249	49852	147.185.221.24	192.168.2.5
Dec 17, 2024 07:32:18.356686115 CET	49852	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:32:18.357145071 CET	49852	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:32:18.476876974 CET	15249	49852	147.185.221.24	192.168.2.5
Dec 17, 2024 07:32:40.256513119 CET	15249	49852	147.185.221.24	192.168.2.5
Dec 17, 2024 07:32:40.256570101 CET	49852	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:32:40.257102966 CET	49852	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:32:40.377047062 CET	15249	49852	147.185.221.24	192.168.2.5
Dec 17, 2024 07:32:43.845899105 CET	49913	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:32:43.965766907 CET	15249	49913	147.185.221.24	192.168.2.5
Dec 17, 2024 07:32:43.965852022 CET	49913	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:32:43.966258049 CET	49913	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:32:44.085985899 CET	15249	49913	147.185.221.24	192.168.2.5
Dec 17, 2024 07:33:05.882064104 CET	15249	49913	147.185.221.24	192.168.2.5
Dec 17, 2024 07:33:05.882132053 CET	49913	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:33:05.882642984 CET	49913	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:33:06.002413034 CET	15249	49913	147.185.221.24	192.168.2.5
Dec 17, 2024 07:33:09.220654964 CET	49973	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:33:09.340528965 CET	15249	49973	147.185.221.24	192.168.2.5
Dec 17, 2024 07:33:09.340660095 CET	49973	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:33:09.340955973 CET	49973	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:33:09.460671902 CET	15249	49973	147.185.221.24	192.168.2.5
Dec 17, 2024 07:33:31.257786036 CET	15249	49973	147.185.221.24	192.168.2.5
Dec 17, 2024 07:33:31.257916927 CET	49973	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:33:31.258552074 CET	49973	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:33:31.378381014 CET	15249	49973	147.185.221.24	192.168.2.5
Dec 17, 2024 07:33:34.845617056 CET	49981	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:33:34.966912985 CET	15249	49981	147.185.221.24	192.168.2.5
Dec 17, 2024 07:33:34.970328093 CET	49981	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:33:34.970657110 CET	49981	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:33:35.090368986 CET	15249	49981	147.185.221.24	192.168.2.5
Dec 17, 2024 07:33:56.851605892 CET	15249	49981	147.185.221.24	192.168.2.5
Dec 17, 2024 07:33:56.851754904 CET	49981	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:33:56.852291107 CET	49981	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:33:56.972615957 CET	15249	49981	147.185.221.24	192.168.2.5
Dec 17, 2024 07:34:00.273888111 CET	49982	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:34:00.393604040 CET	15249	49982	147.185.221.24	192.168.2.5
Dec 17, 2024 07:34:00.393691063 CET	49982	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:34:00.394155979 CET	49982	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:34:00.515479088 CET	15249	49982	147.185.221.24	192.168.2.5
Dec 17, 2024 07:34:22.289674997 CET	15249	49982	147.185.221.24	192.168.2.5
Dec 17, 2024 07:34:22.289777040 CET	49982	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:34:22.290071964 CET	49982	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:34:22.410335064 CET	15249	49982	147.185.221.24	192.168.2.5
Dec 17, 2024 07:34:26.033265114 CET	49983	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:34:26.153189898 CET	15249	49983	147.185.221.24	192.168.2.5
Dec 17, 2024 07:34:26.153299093 CET	49983	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:34:26.153666019 CET	49983	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:34:26.273420095 CET	15249	49983	147.185.221.24	192.168.2.5
Dec 17, 2024 07:34:48.071866035 CET	15249	49983	147.185.221.24	192.168.2.5
Dec 17, 2024 07:34:48.071953058 CET	49983	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:34:48.076741934 CET	49983	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:34:48.196579933 CET	15249	49983	147.185.221.24	192.168.2.5
Dec 17, 2024 07:34:51.597284079 CET	49984	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:34:51.718719006 CET	15249	49984	147.185.221.24	192.168.2.5
Dec 17, 2024 07:34:51.718856096 CET	49984	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:34:51.719650030 CET	49984	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:34:51.840924978 CET	15249	49984	147.185.221.24	192.168.2.5
Dec 17, 2024 07:35:13.618993044 CET	15249	49984	147.185.221.24	192.168.2.5
Dec 17, 2024 07:35:13.619062901 CET	49984	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:35:13.619415045 CET	49984	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:35:13.739120007 CET	15249	49984	147.185.221.24	192.168.2.5
Dec 17, 2024 07:35:17.033170938 CET	49985	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:35:17.152987003 CET	15249	49985	147.185.221.24	192.168.2.5
Dec 17, 2024 07:35:17.153088093 CET	49985	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:35:17.153490067 CET	49985	15249	192.168.2.5	147.185.221.24
Dec 17, 2024 07:35:17.273127079 CET	15249	49985	147.185.221.24	192.168.2.5

Target ID:	0
Start time:	01:30:57
Start date:	17/12/2024
Path:	C:\Users\user\Desktop\Client-built-Playit.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Client-built-Playit.exe"
Imagebase:	0x320000
File size:	3'265'536 bytes
MD5 hash:	C3E8EA545254BB9D01BFF3F53668E04F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2070520834.000000001B420000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.2038376842.0000000000322000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:30:58
Start date:	17/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
Imagebase:	0x7ff647eb0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:30:58
Start date:	17/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:30:58
Start date:	17/12/2024
Path:	C:\Users\user\AppData\Roaming\System32\System32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\System32\System32.exe"
Imagebase:	0xd90000
File size:	3'265'536 bytes
MD5 hash:	C3E8EA545254BB9D01BFF3F53668E04F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Roaming\System32\System32.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\System32\System32.exe, Author: Joe Security Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Roaming\System32\System32.exe, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Users\user\AppData\Roaming\System32\System32.exe, Author: ditekSHen Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: C:\Users\user\AppData\Roaming\System32\System32.exe, Author: ditekshen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs Detection: 75%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	01:30:59
Start date:	17/12/2024
Path:	C:\Users\user\AppData\Roaming\System32\System32.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\System32\System32.exe
Imagebase:	0xec0000
File size:	3'265'536 bytes
MD5 hash:	C3E8EA545254BB9D01BFF3F53668E04F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	01:31:00
Start date:	17/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
Imagebase:	0x7ff647eb0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	01:31:00
Start date:	17/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	14.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	13
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF848F13525 Relevance: 1.6, APIs: 1, Instructions: 140
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE ref: 00007FF848F13607

Memory Dump Source

Source File: 00000000.00000002.2071361440.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_Client-built-Playit.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 424f7f9430f43fd4bfea831b7104e9cf001006021b7d28277aef5e0a2260db1e
Instruction ID: 068c57c94a78f2dd64ce20e4a37db12168b61fbe4dc0d600ed7de442752b1d7c
Opcode Fuzzy Hash: 424f7f9430f43fd4bfea831b7104e9cf001006021b7d28277aef5e0a2260db1e
Instruction Fuzzy Hash: 1841063180DB9D9FDB49EB6C98496E9BBF0EF56310F04426FC049C7192DB28684ACB91

Function 00007FF848F13569 Relevance: 1.6, APIs: 1, Instructions: 112
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE ref: 00007FF848F13607

Memory Dump Source

Source File: 00000000.00000002.2071361440.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_Client-built-Playit.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 1d910e5256cac39e22722a921e3f466f3610269a26abe065d0757ab6f871030b
Instruction ID: 69882cb851ce44fff02090bc80b00609dead7888145b233cc19e5fab4dea83b2
Opcode Fuzzy Hash: 1d910e5256cac39e22722a921e3f466f3610269a26abe065d0757ab6f871030b
Instruction Fuzzy Hash: 8C31EF3180DB5C9FDB19DB6888496E9BBF0FF66311F04426BD049D3292DB78A846CB91

Analysis Process: System32.exePID: 2436, Parent PID: 6400COMMON

Execution Graph

Execution Coverage:	11.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	8
Total number of Limit Nodes:	1

Executed Functions

Function 00007FF849189BD1 Relevance: 11.5, Strings: 8, Instructions: 1482
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HAH, xrefs: 00007FF84918A84A
HAH, xrefs: 00007FF84918A79D
HAH, xrefs: 00007FF849189F5B
HAH, xrefs: 00007FF84918A810
HAH, xrefs: 00007FF84918AAA2
HAH, xrefs: 00007FF84918A7D7
HAH, xrefs: 00007FF84918A917
HAH, xrefs: 00007FF84918A951

Memory Dump Source

Source File: 00000004.00000002.4501355489.00007FF849180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff849180000_System32.jbxd

Similarity

API ID:
String ID: HAH$HAH$HAH$HAH$HAH$HAH$HAH$HAH
API String ID: 0-4024470385
Opcode ID: 8b88a0907fc04cb74fca69651a176f3c16b809b825c8d81bcc5faa3d01632a4d
Instruction ID: d6d0d3f2ed8cb20f746facdd9e67f0c54fee7fef0227838ceea9923695b082fb
Opcode Fuzzy Hash: 8b88a0907fc04cb74fca69651a176f3c16b809b825c8d81bcc5faa3d01632a4d
Instruction Fuzzy Hash: A992D430B1C9894FEBA8FB2C945977577D1FF99390F0501BAD44EC7296DE28AC428B41

Function 00007FF8491855D6 Relevance: 5.9, Strings: 3, Instructions: 2123COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF849186A36
*$I, xrefs: 00007FF849186880
HAH, xrefs: 00007FF849186ADB

Memory Dump Source

Source File: 00000004.00000002.4501355489.00007FF849180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff849180000_System32.jbxd

Similarity

API ID:
String ID: *$I$HAH$HAH
API String ID: 0-4050887664
Opcode ID: a7160bd360ef9136e5b8c217ef11912bd81b3a8f30fad51daaafb1f79911e6d7
Instruction ID: 33e9dd605a3daca8aa0f700fcb8b020f70563c97fa2688e9ad45d420b640e0b6
Opcode Fuzzy Hash: a7160bd360ef9136e5b8c217ef11912bd81b3a8f30fad51daaafb1f79911e6d7
Instruction Fuzzy Hash: 18F2A370A1CA498FDBA8EF18C484BA977E2FF58340F1445A9D44ED7296DE39E881CF41

Function 00007FF84918621F Relevance: 1.8, Strings: 1, Instructions: 531COMMON

Download Yara Rule

Strings

*$I, xrefs: 00007FF849186880

Memory Dump Source

Source File: 00000004.00000002.4501355489.00007FF849180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff849180000_System32.jbxd

Similarity

API ID:
String ID: *$I
API String ID: 0-3406757088
Opcode ID: 7a8db7a5061314ae9707061419fe51fde913f63b48bb9ed8f19afc211232b15b
Instruction ID: 1a385e26e0ba1a41b44e132e687a0a336afd66b972a940fb317f39d8fd2dda83
Opcode Fuzzy Hash: 7a8db7a5061314ae9707061419fe51fde913f63b48bb9ed8f19afc211232b15b
Instruction Fuzzy Hash: 81026E30E18A5A8FEBA8EF18C444779B7E1FF58385F1545B9D44ED3295DE38B8828B40

Function 00007FF84918AFDD Relevance: .9, Instructions: 865
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.4501355489.00007FF849180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff849180000_System32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e2fc55a89c4dbb652458c4fefb2b7de794e870ab0e9b811976669c5bcb33998
Instruction ID: 5ceddb6c0ffa656dc0a39c9be80608947095f122b657bb2a2ebcbb948bfdcb26
Opcode Fuzzy Hash: 9e2fc55a89c4dbb652458c4fefb2b7de794e870ab0e9b811976669c5bcb33998
Instruction Fuzzy Hash: 7B527E30A0CA498FEBA8EF2CC458B6577E1FF99340F1541B9E44DC72A6DE39E8418B41

Function 00007FF849189271 Relevance: .7, Instructions: 683COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4501355489.00007FF849180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff849180000_System32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaecfa5d53200870766bbeda2a21f1bfc29f5f0c9c36214ef2d69aea536710e3
Instruction ID: 40d63021ee0e5887386730a2f2978ef641a301d38c2d704d9e81cc2a550bfbab
Opcode Fuzzy Hash: aaecfa5d53200870766bbeda2a21f1bfc29f5f0c9c36214ef2d69aea536710e3
Instruction Fuzzy Hash: 68227130A1CA494FEB68EF1894957B973E2FF98340F55417DD44EC3296DE38AC428B85

Function 00007FF84918E6F9 Relevance: 1.8, APIs: 1, Instructions: 279
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.4501355489.00007FF849180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff849180000_System32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98bbba2ed5dd96c5979930093a761c91eab26ed4c8dd052809baf8893e12cc0a
Instruction ID: 02f666e9d3ade53a9918ec778003f3a534c21cab7f7705afe8fda71a81094d44
Opcode Fuzzy Hash: 98bbba2ed5dd96c5979930093a761c91eab26ed4c8dd052809baf8893e12cc0a
Instruction Fuzzy Hash: D7711631E1DA9A5FD758FB6C984A1B97BE0EF59750F0441BBD00AC3287DE28AC4687C1

Function 00007FF848F13525 Relevance: 1.6, APIs: 1, Instructions: 137
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE ref: 00007FF848F13607

Memory Dump Source

Source File: 00000004.00000002.4498981989.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f10000_System32.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: e6b213d8d9803cf979de96db528495b92caddabd1a0f9b4a66710d34fca53395
Instruction ID: ab10fa655d28f5a68ced8c914674cb694ae4b9211b158b03e8a68786aaf07e8f
Opcode Fuzzy Hash: e6b213d8d9803cf979de96db528495b92caddabd1a0f9b4a66710d34fca53395
Instruction Fuzzy Hash: FD41F53180DB899FDB49EB6C88496E9BBF0EF56311F0442AFC049C7592DB286849CB91

Function 00007FF848F13569 Relevance: 1.6, APIs: 1, Instructions: 112
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE ref: 00007FF848F13607

Memory Dump Source

Source File: 00000004.00000002.4498981989.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f10000_System32.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 1d910e5256cac39e22722a921e3f466f3610269a26abe065d0757ab6f871030b
Instruction ID: 69882cb851ce44fff02090bc80b00609dead7888145b233cc19e5fab4dea83b2
Opcode Fuzzy Hash: 1d910e5256cac39e22722a921e3f466f3610269a26abe065d0757ab6f871030b
Instruction Fuzzy Hash: 8C31EF3180DB5C9FDB19DB6888496E9BBF0FF66311F04426BD049D3292DB78A846CB91

Non-executed Functions

Function 00007FF848F1F1F2 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4498981989.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848f10000_System32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 111faaa5f5b30c88858d4465008ad9015a6ab344b950bc08a100c341080580a4
Instruction ID: 385888b42e4b8b44dc5a251deac500f83280f27c5a29ac5c277eebd4003db719
Opcode Fuzzy Hash: 111faaa5f5b30c88858d4465008ad9015a6ab344b950bc08a100c341080580a4
Instruction Fuzzy Hash: E331481791F1A16AD251B3BC74A25E73B60EF523BDF0842B7D18C4D0939E0D548A42FD

Analysis Process: System32.exePID: 2228, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848F00B18 Relevance: 1.5, Strings: 1, Instructions: 283COMMON

Download Yara Rule

Strings

;P_I, xrefs: 00007FF848F00C04

Memory Dump Source

Source File: 00000005.00000002.2097203250.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f00000_System32.jbxd

Similarity

API ID:
String ID: ;P_I
API String ID: 0-1492203171
Opcode ID: 99cc55dec58770206f4867cdde16747dacfa1cc35ca3fdd119516ba87cc1b1ae
Instruction ID: 0cfc21ba3a25fad704207fdbccbc3401836512ecff291c9a9977cf14a9f46630
Opcode Fuzzy Hash: 99cc55dec58770206f4867cdde16747dacfa1cc35ca3fdd119516ba87cc1b1ae
Instruction Fuzzy Hash: B6A1373190E9929FE354B72854557B93BA0FF86398F4840BAD448873DBEA2C9805C35A

Function 00007FF848F015FA Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

.P_^, xrefs: 00007FF848F01601

Memory Dump Source

Source File: 00000005.00000002.2097203250.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f00000_System32.jbxd

Similarity

API ID:
String ID: .P_^
API String ID: 0-3169129673
Opcode ID: ac88be3431922601719741f6211c95becaceb5c2c23e47a9eff4c4ccb1304b5b
Instruction ID: b5a421fda7f01fb5dd7c9c62b1d70fe6cc6f6eda8bd8230b435c9eac968b50a3
Opcode Fuzzy Hash: ac88be3431922601719741f6211c95becaceb5c2c23e47a9eff4c4ccb1304b5b
Instruction Fuzzy Hash: 93212736A0E6890FE785EB2CAC655E53BE0EF96270B0C01BBD088CB193E91C5C4A4364

Function 00007FF848F020D7 Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2097203250.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f00000_System32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef967c2ef36693efe74c3149adddb804eb7a9a5aa67755f089c333d72ee02090
Instruction ID: d265b9508ffa13fec4f15849f4970bc59e1baf4cdf860eb9751d83efd5739aaf
Opcode Fuzzy Hash: ef967c2ef36693efe74c3149adddb804eb7a9a5aa67755f089c333d72ee02090
Instruction Fuzzy Hash: D7B1D631E0D98A5FEB96FB6894556F977D1FF96390F0801BAD00DC71C7EE28A8428394

Function 00007FF848F02DC8 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2097203250.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f00000_System32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 034d50870e79c4acc0d920190602dd0b51e96988d28dcd25fc66ec8039e62671
Instruction ID: aa141e54b32eb0a882448c1f96232d38e4ca234cb1d038a977b1c26ba2b10c08
Opcode Fuzzy Hash: 034d50870e79c4acc0d920190602dd0b51e96988d28dcd25fc66ec8039e62671
Instruction Fuzzy Hash: 39717D31E1C90A5FEB99EBA884557BCB3E2EF99390F540179D00ED32C6DF28AC428755

Function 00007FF848F024AA Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2097203250.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f00000_System32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80969eadcc9aff1ce8bc40cc6e98d10ba7d21a5b74a7427591f86e7e6d84cfe5
Instruction ID: de35e970e04bc3d3e42c663bf70780be1360338640b72611a6a1f6788ef0d859
Opcode Fuzzy Hash: 80969eadcc9aff1ce8bc40cc6e98d10ba7d21a5b74a7427591f86e7e6d84cfe5
Instruction Fuzzy Hash: 8551B824B0D96A0FE796B77840657BA2AE2EF8B290F4440B6D00DC72D7DE2CDD468359

Function 00007FF848F020FA Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2097203250.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f00000_System32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10ae7eabb054dcd4fa0288dc0794b347eb7fd03ce0b683d9afaa8e4efe6c5f72
Instruction ID: 2182675126a434350dc087fb338f323c115a0144aaacdb59fca5680bc09a2b5d
Opcode Fuzzy Hash: 10ae7eabb054dcd4fa0288dc0794b347eb7fd03ce0b683d9afaa8e4efe6c5f72
Instruction Fuzzy Hash: 62415A3190D98A5FFB82FB6894516F97BA5EF96394F0400B6E04DCB1C3DF2DA8058365

Function 00007FF848F00CF5 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2097203250.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f00000_System32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75569f788444d43f418c581b76b2cd324762321a1bb11f95e27dffcd7f7a8307
Instruction ID: 36a428e28cd8717cc6d3bfeab15aed5997ea9c10054488471af1fa032fd4cb3a
Opcode Fuzzy Hash: 75569f788444d43f418c581b76b2cd324762321a1bb11f95e27dffcd7f7a8307
Instruction Fuzzy Hash: CE511732D1E9865FE356B73CA8555F5ABD0EF923A4F0801BBD448C71C7EE0C68498399

Function 00007FF848F02729 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2097203250.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f00000_System32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9df788e4db58cddbbef4c7846dd456871ea8d0629ee2e675d35b36890cf05fb
Instruction ID: 3e5e498e9cfde08fc66fbf0a60db25b029e78b94768c5654f5a3ffd85f7b6c98
Opcode Fuzzy Hash: e9df788e4db58cddbbef4c7846dd456871ea8d0629ee2e675d35b36890cf05fb
Instruction Fuzzy Hash: CD412731E1DA454FE759A768941A3B97BD1FF99760F04017EE04EC32C2DE2C98428366

Function 00007FF848F0196D Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2097203250.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f00000_System32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f71fa5d0bef40bd6cd3a916e348990a7f962b70d5c3f9a5702e415b15128584
Instruction ID: c47a4f1550269997ea0c0c9bffd15d0cdfbd2d1a55ff622215c05646d736c0c5
Opcode Fuzzy Hash: 1f71fa5d0bef40bd6cd3a916e348990a7f962b70d5c3f9a5702e415b15128584
Instruction Fuzzy Hash: 7621F23090D5814FE745AF28C4C55A5B7A1EF56310F1842FAD4088F1EBE628ECC6C384

Function 00007FF848F01BF5 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2097203250.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f00000_System32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a13faa1cae1aa4a9144545cccb9960f748f24f6a9ed62ae2c96c148170b272f
Instruction ID: 9a9736f99d9287fe19342527801849d9d4d7aec782c036a6d03689e3dffd0179
Opcode Fuzzy Hash: 2a13faa1cae1aa4a9144545cccb9960f748f24f6a9ed62ae2c96c148170b272f
Instruction Fuzzy Hash: B831A43454B6695FE354EB2C80953A63FB1FB89309F9041A5D408873DBCF3DA900C765

Function 00007FF848F00872 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2097203250.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f00000_System32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b69a89c2a0f5786ed7796b024292eea6cc69fdca51af7ab672dd2f0e92d4a597
Instruction ID: c62be1757e4457812de4fc4db4cfe14f641fe586477e35084161b9e26d061db7
Opcode Fuzzy Hash: b69a89c2a0f5786ed7796b024292eea6cc69fdca51af7ab672dd2f0e92d4a597
Instruction Fuzzy Hash: 50215561C1EA868FF359B33848256A5ABE0FF92380F0805FAC049CB2D3ED0C18448395

Function 00007FF848F032DD Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2097203250.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f00000_System32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 067adb916c8c85e08e30884563953f268791332d86b2994d5d29525a7288836a
Instruction ID: 6ff7a29d274a0bcc79f4f10dc553d145990c8d1231a70974bcbd9869c4a3021f
Opcode Fuzzy Hash: 067adb916c8c85e08e30884563953f268791332d86b2994d5d29525a7288836a
Instruction Fuzzy Hash: A921CF31E19A599FD794FB3884996BA77E1EF99341B4500BAE00DC72A3EE38E841C740

Function 00007FF848F03491 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2097203250.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f00000_System32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4a5aedff297d12765e2462ae79493f04c4b43bedd973a4536336d081e547a5a
Instruction ID: b15ad7bdaaff7e0306b286c6b134d8716cf450a587cf1efe7afe4cf9afb95b95
Opcode Fuzzy Hash: d4a5aedff297d12765e2462ae79493f04c4b43bedd973a4536336d081e547a5a
Instruction Fuzzy Hash: 43115C31A1DA850FE345B73C6C594F27BD1DF96261B0842BBD44DCB2E3DE1C99868351

Function 00007FF848F028D5 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2097203250.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f00000_System32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 590eb1cecec4f9afa76525117802a8b8ab715b047ee6cfea95e8442405458984
Instruction ID: 82f875587402957c0b5b4c689956142bcc7ae5a852faaaf2c3087352af202ecc
Opcode Fuzzy Hash: 590eb1cecec4f9afa76525117802a8b8ab715b047ee6cfea95e8442405458984
Instruction Fuzzy Hash: E711E920A4EAC91FE347E3789898AB43FD1EF57250F0901F7D048CB1A3DA684845C352

Function 00007FF848F00DA9 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2097203250.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f00000_System32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15018f0babf9165f12a2a7d9a9cd980c62ab8a6b68fff9a2638d00b9dd8287db
Instruction ID: ea395ac60c506b37fdb3c65dbbb98d43523056db72ce1d681e349748ecd1056a
Opcode Fuzzy Hash: 15018f0babf9165f12a2a7d9a9cd980c62ab8a6b68fff9a2638d00b9dd8287db
Instruction Fuzzy Hash: 5601263292DC8B5ED69AB32824455F667D1EBD6254F4401B6D40EC32C7EE0C69424385

Function 00007FF848F01E58 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2097203250.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f00000_System32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a9758dc0ab777f7adb64743896e9d62452b544831493da5d95415c72367353e
Instruction ID: 10cfd3c2b4d4a4b75350a0d3e1eae5c6b292710a76973f2243fc33573162f200
Opcode Fuzzy Hash: 4a9758dc0ab777f7adb64743896e9d62452b544831493da5d95415c72367353e
Instruction Fuzzy Hash: C4F02422B0D81C1FE690F3AD98D8AFA67C4DBAC265B0401B7E00CC72A3DC1898828390

Function 00007FF848F01640 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2097203250.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f00000_System32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 689726d576c510e0cedd9a49dfdfdfe4742e6bab80ec82d9deae548ef08dbc98
Instruction ID: 72d1ac7c8f3f42eb4f7b96f2f8786c74e75063b81d41b54353948f87a01c24c3
Opcode Fuzzy Hash: 689726d576c510e0cedd9a49dfdfdfe4742e6bab80ec82d9deae548ef08dbc98
Instruction Fuzzy Hash: 7101AF21A0EEC90FD786E72C58246A43BE2EF9A250B0D02F7C08CCB1E7E9185C458395

Function 00007FF848F01E70 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2097203250.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f00000_System32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bd7886ccefb17b670663deaa53672d378b1eb4aaafd7419fcb709d6a355a943
Instruction ID: 312c143ce487ef721dcfbc86bb1ea0709fbc44beb608229d0814405d5eaf4f1b
Opcode Fuzzy Hash: 8bd7886ccefb17b670663deaa53672d378b1eb4aaafd7419fcb709d6a355a943
Instruction Fuzzy Hash: 4AE09231B19C1D1FAB94F7AD84CDB7962C1EBAC251B1005B6E40CC72A6DD28AC819390

Function 00007FF848F0094D Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2097203250.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f00000_System32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fedf5d644249932def50e3f0134c389279f721b012c748d0eee25cb14ff38af
Instruction ID: 28efca4dbb9292c7df39597514c284fa53d40f92b39a98d6fee13aa7fe11cba8
Opcode Fuzzy Hash: 5fedf5d644249932def50e3f0134c389279f721b012c748d0eee25cb14ff38af
Instruction Fuzzy Hash: 24E0DF22E0E8565FE69A337C24021B8A280DF966D1B0800BAE40DCB2C3ED1C29420288

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Client-built-Playit.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Quasar

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client-built-Playit.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System32.exe.log

C:\Users\user\AppData\Roaming\System32\System32.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
Client-built-Playit.exe

Function 00007FF848F13525 Relevance: 1.6, APIs: 1, Instructions: 140
fileCOMMON

Function 00007FF848F13569 Relevance: 1.6, APIs: 1, Instructions: 112
fileCOMMON

Function 00007FF849189BD1 Relevance: 11.5, Strings: 8, Instructions: 1482
COMMON

Function 00007FF84918AFDD Relevance: .9, Instructions: 865
COMMON

Function 00007FF84918E6F9 Relevance: 1.8, APIs: 1, Instructions: 279
COMMON

Function 00007FF848F13525 Relevance: 1.6, APIs: 1, Instructions: 137
fileCOMMON

Function 00007FF848F13569 Relevance: 1.6, APIs: 1, Instructions: 112
fileCOMMON