Edit tour

Windows Analysis Report
Test2.exe

Overview

General Information

Sample name:	Test2.exe
Analysis ID:	1581170
MD5:	7f888b6cbd5062a7558eea61eb9a9ca2
SHA1:	2acfb5c3e7b8e569ea52397154b9b3ffb44e7d87
SHA256:	864bec690da391f258de447606ac18baa79672b665ba321a4da67ed59d567cad
Tags:	exeQuasarRATuser-lontze7
Infos:

Detection

Quasar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Quasar RAT

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Test2.exe (PID: 4196 cmdline: "C:\Users\user\Desktop\Test2.exe" MD5: 7F888B6CBD5062A7558EEA61EB9A9CA2)

Client.exe (PID: 1352 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Client.exe" MD5: 7F888B6CBD5062A7558EEA61EB9A9CA2)

cmd.exe (PID: 760 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Shpa9OKN8GrQ.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 5608 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 5628 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

Client.exe (PID: 3648 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Client.exe" MD5: 7F888B6CBD5062A7558EEA61EB9A9CA2)

cmd.exe (PID: 5972 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\HKybYN00EBOw.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 4564 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 6300 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

Client.exe (PID: 2508 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Client.exe" MD5: 7F888B6CBD5062A7558EEA61EB9A9CA2)

cmd.exe (PID: 3640 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\O2JjN7gejzZT.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 6588 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 516 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

Client.exe (PID: 3652 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Client.exe" MD5: 7F888B6CBD5062A7558EEA61EB9A9CA2)

cmd.exe (PID: 3128 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\zXNfNAaZQ18l.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7092 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 3780 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

Client.exe (PID: 5728 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Client.exe" MD5: 7F888B6CBD5062A7558EEA61EB9A9CA2)

cmd.exe (PID: 3168 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\YWzMsGcZYfSk.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 616 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 6464 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

Client.exe (PID: 2292 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Client.exe" MD5: 7F888B6CBD5062A7558EEA61EB9A9CA2)

cmd.exe (PID: 2636 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\BcVX8akEUPIc.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7120 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 4824 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

Client.exe (PID: 3788 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Client.exe" MD5: 7F888B6CBD5062A7558EEA61EB9A9CA2)

cmd.exe (PID: 2820 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\2wKqvlgp23d2.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 2408 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 2232 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

Client.exe (PID: 4832 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Client.exe" MD5: 7F888B6CBD5062A7558EEA61EB9A9CA2)

cmd.exe (PID: 6720 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\sqncKNCuACCi.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 3924 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 1372 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

Client.exe (PID: 6180 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Client.exe" MD5: 7F888B6CBD5062A7558EEA61EB9A9CA2)

cmd.exe (PID: 2624 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\r9ftmQJc7N4i.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 5744 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 2968 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

Client.exe (PID: 3452 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Client.exe" MD5: 7F888B6CBD5062A7558EEA61EB9A9CA2)

cmd.exe (PID: 4460 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\VlApCIMOlO5L.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 2704 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

Conhost.exe (PID: 3608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 5836 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

Client.exe (PID: 2792 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Client.exe" MD5: 7F888B6CBD5062A7558EEA61EB9A9CA2)

cmd.exe (PID: 6192 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Q04w6t2xkN0a.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 6200 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 3032 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

Client.exe (PID: 6164 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Client.exe" MD5: 7F888B6CBD5062A7558EEA61EB9A9CA2)

cmd.exe (PID: 5528 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\lPpSfrGjSDT5.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 6120 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 6464 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Quasar RAT, QuasarRAT	Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.	APT33 Dropping Elephant Stone Panda The Gorgon Group	http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848 https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf https://asec.ahnlab.com/en/31089/	https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware Configuration

Threatname: Quasar

{"Version": "1.4.1", "Host:Port": "llordiWasHere-55715.portmap.host:55715;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "124c5996-13c0-46a2-804a-191042a109db", "StartupKey": "Quasar Client Startup", "Tag": "Office04", "LogDirectoryName": "Logs", "ServerSignature": "h+dzM/IShDOI6hVmZ5ntXLjXZf8jpZkAvCs+CmrfKrj7tcZntlmmf2Qj2W/+j2oFUm+TWbjrMuVRxAPpMBoPtjpiCuGijITPeNNHm0jwhRjtOpx/FBZM1PpUT/+IsQogH/+nGF5XpLnBPjypUcac7XDx8Q3zxcpD9zdedz8YIArNSfxhCi0uSQvaNxghZrF+RhedHBuOxaxVK6IB+yd8CyZ0buvpmZH7EEXjDSMCo1MigtrkP69AB4zKQW83vbIPb8xXLn/5t1EvEMwFHhjzVHad4uvxjcgXAFOMoLb1LRraa3LfX13MXyv6wC7Zh89XvT+T+yggBI+WDhYEFm4KVf3yxAGHb052Yi0JFdukbdBAwrJHg9+dyOuBUgQXf+2xfNZsUimkS2NCY4loQDodZ2kTtfw2HayTNgfF4WF+8OmvDEC4HMS58cfJ8EjhmI9hLc+nGkjpSM71rxGTS0VGxHivN7g3QZCvxSgWSOg0VPOrMa2nPgB/TnTaosM3VOAPHUST3WjQt40mY3JuYLFEccKTD5MwrcibfkJH5NriUKf0eoQhEs6Y51ZEOqSso55sj/r4XEbX+2RKpqsrWLyLxZzHxJYm78WW4pFXWlOK+g4eYHAyF81zbBk+OsSEF4mNwmp3QGVPxj6x+v2FUkqugWDlNC1zGHXBL32ADJ/6pG0=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAIXaYfZoCIPsDpKUPnOqtzANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MTIxNDA3NDkwOFoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAmNv4AwGc2deuTPhlF91PiC5mS1wdYg37TLdFL1gNRVcSRHPoOIUNVRgwbAvtxBAA2aG59CB8qjoeKV21Q0hEiKxzvKLhQk+98tK8xreioswEmQXPPrujjnWyIDrozdDFbjYBFnNOUK7IepZYpXW02HLz6gP6rKau5a/wcp7xiThdcp8Ba8L0cPHfDlgrHx8WLkj+8kGCRUxeEgWYYPc2a6pN5hZeQgRY31jmNtYVAt7JQzFcjGhkP5fEm4aDifaR5hLN9ZfCHE2V16l4Yg45cDbodmQ4bWFL3Uo20/6ADbOE+ASUQ347MyWqeoaDVCkiPxE2NAUom4+AJJVDBNLmqsxKornIMG3XFFtTAeiYVwNqeDZ4fe5+YnZ0NLjSOPm4DYZotykKsZZ+RBJ5Q2pKKc4dnwoMa+890CTPd7ivMmgSYKSdukQTTUsczc0tS4SetaRkSpCcHQhS07xKd+65lZkABdNEPQkN4V+lU3B+9VZaXDebQDrHaMpQa3rVOYs0DG4J420cQ5gSUgjNUiIme2f3nvYSiMAsHvOz798ChCuTK5+f23LEP7rJA9+8yBe/G6P7XCTatwoXYjlEV2U1ZKkAnSSJ1TIQf7yfVQ0bT2By5VpThlzpODeI5p+CMAQMVsyOxBQcsalP2CqfL/wc/3FmJEVnGh9YrramS22WWAcCAwEAAaMyMDAwHQYDVR0OBBYEFLbdC8wNaCuvbyePDaHlRb+pIzsEMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAHi/FdNFmeIXieoGwyx3R/aL3J8RPwIZWyAvAme/s/cBiuxrdX4LrndawqfL8BahyPbtxcDLrON3IyY+VbZB4TsTSddzF/BEJlFJPvjjvrHLs3V/K3o7ni/lDOA9/PySUNTZB5roOt3vl7IANIL2ztmpsDWUgXahEVKDpN1i7yukuEC0U5XGG0TVbHGdpR9T6lMnf5t3giAYY/WydAlIglVqVEruijWfj1K2jBJwkgoptlt3nwFJ5FFTDLu78wCbhm/gZuS2A874fO/c2QgGnjUdTv1CpVZU5ED5teH03c/r38/eF36/QVMbXsIhbp5bki7LGceYovTIhi4EWHJItDkCSLxbkBEtKcGL6HiPFWxdd+jKQ19JZzpOxA73BaSO6QijmOcztsPVzzY1iNHgJD+jcCXuTztxgdOShfGW4rS88L6LCkYAiR03iUjO3T5EdaSf4EMCqK3hfjLI/J8UDG6CNu6gc/p8jyPITpkE6mbsiqR8DEoTYIc2Mzap7uSnikgiNEuh06p8gYZjNgn0cRhLVmbUXVPxIIyDVX8+n9aMhdCdou6QHMOciBI2TJ45lgscGuTeHCWdlWz/XeKZRDulU7dnkIb0S6yKLRwWuPsILfN0DtSGay1V2bNrIfZyhxKR04E2VUt5HeI+oO9GCNd6N3i+s0E2rsU6XU+LZUEo"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Test2.exe	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Test2.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
Test2.exe	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ef12:$x1: Quasar.Common.Messages 0x29f23b:$x1: Quasar.Common.Messages 0x2ab832:$x4: Uninstalling... good bye :-( 0x2ad027:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
Test2.exe	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aade4:$f1: FileZilla\recentservers.xml 0x2aae24:$f2: FileZilla\sitemanager.xml 0x2aae66:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0b2:$b1: Chrome\User Data\ 0x2ab108:$b1: Chrome\User Data\ 0x2ab3e0:$b2: Mozilla\Firefox\Profiles 0x2ab4dc:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd488:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab634:$b4: Opera Software\Opera Stable\Login Data 0x2ab6ee:$b5: YandexBrowser\User Data\ 0x2ab75c:$b5: YandexBrowser\User Data\ 0x2ab430:$s4: logins.json 0x2ab166:$a1: username_value 0x2ab184:$a2: password_value 0x2ab470:$a3: encryptedUsername 0x2fd3cc:$a3: encryptedUsername 0x2ab494:$a4: encryptedPassword 0x2fd3ea:$a4: encryptedPassword 0x2fd368:$a5: httpRealm
Test2.exe	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab91c:$s3: Process already elevated. 0x28ec11:$s4: get_PotentiallyVulnerablePasswords 0x278ccd:$s5: GetKeyloggerLogsDirectory 0x29e99a:$s5: GetKeyloggerLogsDirectory 0x28ec34:$s6: set_PotentiallyVulnerablePasswords 0x2feab6:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\SubDir\Client.exe	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
C:\Users\user\AppData\Roaming\SubDir\Client.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Roaming\SubDir\Client.exe	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ef12:$x1: Quasar.Common.Messages 0x29f23b:$x1: Quasar.Common.Messages 0x2ab832:$x4: Uninstalling... good bye :-( 0x2ad027:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
C:\Users\user\AppData\Roaming\SubDir\Client.exe	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aade4:$f1: FileZilla\recentservers.xml 0x2aae24:$f2: FileZilla\sitemanager.xml 0x2aae66:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0b2:$b1: Chrome\User Data\ 0x2ab108:$b1: Chrome\User Data\ 0x2ab3e0:$b2: Mozilla\Firefox\Profiles 0x2ab4dc:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd488:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab634:$b4: Opera Software\Opera Stable\Login Data 0x2ab6ee:$b5: YandexBrowser\User Data\ 0x2ab75c:$b5: YandexBrowser\User Data\ 0x2ab430:$s4: logins.json 0x2ab166:$a1: username_value 0x2ab184:$a2: password_value 0x2ab470:$a3: encryptedUsername 0x2fd3cc:$a3: encryptedUsername 0x2ab494:$a4: encryptedPassword 0x2fd3ea:$a4: encryptedPassword 0x2fd368:$a5: httpRealm
C:\Users\user\AppData\Roaming\SubDir\Client.exe	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab91c:$s3: Process already elevated. 0x28ec11:$s4: get_PotentiallyVulnerablePasswords 0x278ccd:$s5: GetKeyloggerLogsDirectory 0x29e99a:$s5: GetKeyloggerLogsDirectory 0x28ec34:$s6: set_PotentiallyVulnerablePasswords 0x2feab6:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

Memory Dumps

Source	Rule	Description	Author
00000007.00000002.2193762959.000000000315E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000031.00000002.3118100690.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000012.00000002.2421403593.00000000037DE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000027.00000002.2892307088.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0000000D.00000002.2305729866.000000000315E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000012.00000002.2421403593.00000000034F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0000001D.00000002.2653674828.00000000029AE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0000003B.00000002.3354829409.00000000038EE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000007.00000002.2193762959.0000000002E79000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000022.00000002.2768663751.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000036.00000002.3233179129.0000000002E2E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0000002C.00000002.3002789942.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000036.00000002.3233179129.0000000002B49000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000031.00000002.3118100690.0000000002BA9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000000.2034739793.0000000000780000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0000000D.00000002.2305729866.0000000002E79000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000022.00000002.2768663751.0000000002F9E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0000001D.00000002.2653674828.00000000026C9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000018.00000002.2535791887.00000000031FE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000000.2034418399.0000000000462000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0000002C.00000002.3002789942.0000000002829000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000002.00000002.2084085399.00000000033C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000027.00000002.2892307088.00000000029F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0000003B.00000002.3354829409.0000000003609000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000018.00000002.2535791887.0000000002F19000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.2060291190.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.2062421739.000000001B382000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: Test2.exe PID: 4196	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: Client.exe PID: 1352	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: Client.exe PID: 3648	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: Client.exe PID: 2508	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: Client.exe PID: 3652	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: Client.exe PID: 5728	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: Client.exe PID: 2292	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: Client.exe PID: 3788	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: Client.exe PID: 4832	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: Client.exe PID: 6180	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: Client.exe PID: 3452	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: Client.exe PID: 2792	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: Client.exe PID: 6164	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Click to see the 35 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.Test2.exe.460000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.0.Test2.exe.460000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.Test2.exe.460000.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ef12:$x1: Quasar.Common.Messages 0x29f23b:$x1: Quasar.Common.Messages 0x2ab832:$x4: Uninstalling... good bye :-( 0x2ad027:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.0.Test2.exe.460000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aade4:$f1: FileZilla\recentservers.xml 0x2aae24:$f2: FileZilla\sitemanager.xml 0x2aae66:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0b2:$b1: Chrome\User Data\ 0x2ab108:$b1: Chrome\User Data\ 0x2ab3e0:$b2: Mozilla\Firefox\Profiles 0x2ab4dc:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd488:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab634:$b4: Opera Software\Opera Stable\Login Data 0x2ab6ee:$b5: YandexBrowser\User Data\ 0x2ab75c:$b5: YandexBrowser\User Data\ 0x2ab430:$s4: logins.json 0x2ab166:$a1: username_value 0x2ab184:$a2: password_value 0x2ab470:$a3: encryptedUsername 0x2fd3cc:$a3: encryptedUsername 0x2ab494:$a4: encryptedPassword 0x2fd3ea:$a4: encryptedPassword 0x2fd368:$a5: httpRealm
0.0.Test2.exe.460000.0.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab91c:$s3: Process already elevated. 0x28ec11:$s4: get_PotentiallyVulnerablePasswords 0x278ccd:$s5: GetKeyloggerLogsDirectory 0x29e99a:$s5: GetKeyloggerLogsDirectory 0x28ec34:$s6: set_PotentiallyVulnerablePasswords 0x2feab6:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Test2.exe

Avira: detected

Antivirus detection for URL or domain

Source: llordiWasHere-55715.portmap.host

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Q04w6t2xkN0a.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\2wKqvlgp23d2.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Avira: detection malicious, Label: HEUR/AGEN.1307453
Source: C:\Users\user\AppData\Local\Temp\YWzMsGcZYfSk.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\Shpa9OKN8GrQ.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\BcVX8akEUPIc.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\zXNfNAaZQ18l.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\HKybYN00EBOw.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\sqncKNCuACCi.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\lPpSfrGjSDT5.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\VlApCIMOlO5L.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\r9ftmQJc7N4i.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\O2JjN7gejzZT.bat	Avira: detection malicious, Label: BAT/Delbat.C

Found malware configuration

Source: Test2.exe

Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "llordiWasHere-55715.portmap.host:55715;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "124c5996-13c0-46a2-804a-191042a109db", "StartupKey": "Quasar Client Startup", "Tag": "Office04", "LogDirectoryName": "Logs", "ServerSignature": "h+dzM/IShDOI6hVmZ5ntXLjXZf8jpZkAvCs+CmrfKrj7tcZntlmmf2Qj2W/+j2oFUm+TWbjrMuVRxAPpMBoPtjpiCuGijITPeNNHm0jwhRjtOpx/FBZM1PpUT/+IsQogH/+nGF5XpLnBPjypUcac7XDx8Q3zxcpD9zdedz8YIArNSfxhCi0uSQvaNxghZrF+RhedHBuOxaxVK6IB+yd8CyZ0buvpmZH7EEXjDSMCo1MigtrkP69AB4zKQW83vbIPb8xXLn/5t1EvEMwFHhjzVHad4uvxjcgXAFOMoLb1LRraa3LfX13MXyv6wC7Zh89XvT+T+yggBI+WDhYEFm4KVf3yxAGHb052Yi0JFdukbdBAwrJHg9+dyOuBUgQXf+2xfNZsUimkS2NCY4loQDodZ2kTtfw2HayTNgfF4WF+8OmvDEC4HMS58cfJ8EjhmI9hLc+nGkjpSM71rxGTS0VGxHivN7g3QZCvxSgWSOg0VPOrMa2nPgB/TnTaosM3VOAPHUST3WjQt40mY3JuYLFEccKTD5MwrcibfkJH5NriUKf0eoQhEs6Y51ZEOqSso55sj/r4XEbX+2RKpqsrWLyLxZzHxJYm78WW4pFXWlOK+g4eYHAyF81zbBk+OsSEF4mNwmp3QGVPxj6x+v2FUkqugWDlNC1zGHXBL32ADJ/6pG0=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAIXaYfZoCIPsDpKUPnOqtzANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MTIxNDA3NDkwOFoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAmNv4AwGc2deuTPhlF91PiC5mS1wdYg37TLdFL1gNRVcSRHPoOIUNVRgwbAvtxBAA2aG59CB8qjoeKV21Q0hEiKxzvKLhQk+98tK8xreioswEmQXPPrujjnWyIDrozdDFbjYBFnNOUK7IepZYpXW02HLz6gP6rKau5a/wcp7xiThdcp8Ba8L0cPHfDlgrHx8WLkj+8kGCRUxeEgWYYPc2a6pN5hZeQgRY31jmNtYVAt7JQzFcjGhkP5fEm4aDifaR5hLN9ZfCHE2V16l4Yg45cDbodmQ4bWFL3Uo20/6ADbOE+ASUQ347MyWqeoaDVCkiPxE2NAUom4+AJJVDBNLmqsxKornIMG3XFFtTAeiYVwNqeDZ4fe5+YnZ0NLjSOPm4DYZotykKsZZ+RBJ5Q2pKKc4dnwoMa+890CTPd7ivMmgSYKSdukQTTUsczc0tS4SetaRkSpCcHQhS07xKd+65lZkABdNEPQkN4V+lU3B+9VZaXDebQDrHaMpQa3rVOYs0DG4J420cQ5gSUgjNUiIme2f3nvYSiMAsHvOz798ChCuTK5+f23LEP7rJA9+8yBe/G6P7XCTatwoXYjlEV2U1ZKkAnSSJ1TIQf7yfVQ0bT2By5VpThlzpODeI5p+CMAQMVsyOxBQcsalP2CqfL/wc/3FmJEVnGh9YrramS22WWAcCAwEAAaMyMDAwHQYDVR0OBBYEFLbdC8wNaCuvbyePDaHlRb+pIzsEMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAHi/FdNFmeIXieoGwyx3R/aL3J8RPwIZWyAvAme/s/cBiuxrdX4LrndawqfL8BahyPbtxcDLrON3IyY+VbZB4TsTSddzF/BEJlFJPvjjvrHLs3V/K3o7ni/lDOA9/PySUNTZB5roOt3vl7IANIL2ztmpsDWUgXahEVKDpN1i7yukuEC0U5XGG0TVbHGdpR9T6lMnf5t3giAYY/WydAlIglVqVEruijWfj1K2jBJwkgoptlt3nwFJ5FFTDLu78wCbhm/gZuS2A874fO/c2QgGnjUdTv1CpVZU5ED5teH03c/r38/eF36/QVMbXsIhbp5bki7LGceYovTIhi4EWHJItDkCSLxbkBEtKcGL6HiPFWxdd+jKQ19JZzpOxA73BaSO6QijmOcztsPVzzY1iNHgJD+jcCXuTztxgdOShfGW4rS88L6LCkYAiR03iUjO3T5EdaSf4EMCqK3hfjLI/J8UDG6CNu6gc/p8jyPITpkE6mbsiqR8DEoTYIc2Mzap7uSnikgiNEuh06p8gYZjNgn0cRhLVmbUXVPxIIyDVX8+n9aMhdCdou6QHMOciBI2TJ45lgscGuTeHCWdlWz/XeKZRDulU7dnkIb0S6yKLRwWuPsILfN0DtSGay1V2bNrIfZyhxKR04E2VUt5HeI+oO9GCNd6N3i+s0E2rsU6XU+LZUEo"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe

ReversingLabs: Detection: 78%

Multi AV Scanner detection for submitted file

Source: Test2.exe	Virustotal: Detection: 82%			Perma Link
Source: Test2.exe	ReversingLabs: Detection: 78%

Yara detected Quasar RAT

Source: Yara match	File source: Test2.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Test2.exe.460000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2193762959.000000000315E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000002.3118100690.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2421403593.00000000037DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2892307088.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2305729866.000000000315E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2421403593.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2653674828.00000000029AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003B.00000002.3354829409.00000000038EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2193762959.0000000002E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2768663751.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000036.00000002.3233179129.0000000002E2E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.3002789942.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000036.00000002.3233179129.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000002.3118100690.0000000002BA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2034739793.0000000000780000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2305729866.0000000002E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2768663751.0000000002F9E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2653674828.00000000026C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2535791887.00000000031FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2034418399.0000000000462000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.3002789942.0000000002829000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2084085399.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2892307088.00000000029F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003B.00000002.3354829409.0000000003609000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2535791887.0000000002F19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2060291190.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2062421739.000000001B382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Test2.exe PID: 4196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 1352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 3648, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 2508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 3652, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 5728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 2292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 3788, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 4832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 3452, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 2792, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6164, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.5% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Test2.exe

Joe Sandbox ML: detected

Source: Test2.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Test2.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: llordiWasHere-55715.portmap.host

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Yara detected Generic Downloader

Source: Yara match	File source: Test2.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Test2.exe.460000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED

Source: unknown

DNS traffic detected: query: llordiWasHere-55715.portmap.host replaycode: Name error (3)

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: llordiWasHere-55715.portmap.host

Source: Test2.exe, 00000000.00000002.2060291190.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000002.00000002.2084085399.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000007.00000002.2193762959.000000000315E000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000000D.00000002.2305729866.000000000315E000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000012.00000002.2421403593.00000000037DE000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000018.00000002.2535791887.00000000031FE000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000001D.00000002.2653674828.00000000029AE000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000022.00000002.2768663751.0000000002F9E000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000027.00000002.2892307088.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000002C.00000002.3002789942.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000031.00000002.3118100690.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000036.00000002.3233179129.0000000002E2E000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000003B.00000002.3354829409.00000000038EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Test2.exe, Client.exe.0.dr	String found in binary or memory: https://api.ipify.org/
Source: Test2.exe, Client.exe.0.dr	String found in binary or memory: https://ipwho.is/
Source: Test2.exe, Client.exe.0.dr	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Test2.exe, Client.exe.0.dr	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Test2.exe, Client.exe.0.dr	String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match	File source: Test2.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Test2.exe.460000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2193762959.000000000315E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000002.3118100690.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2421403593.00000000037DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2892307088.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2305729866.000000000315E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2421403593.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2653674828.00000000029AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003B.00000002.3354829409.00000000038EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2193762959.0000000002E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2768663751.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000036.00000002.3233179129.0000000002E2E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.3002789942.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000036.00000002.3233179129.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000002.3118100690.0000000002BA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2034739793.0000000000780000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2305729866.0000000002E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2768663751.0000000002F9E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2653674828.00000000026C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2535791887.00000000031FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2034418399.0000000000462000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.3002789942.0000000002829000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2084085399.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2892307088.00000000029F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003B.00000002.3354829409.0000000003609000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2535791887.0000000002F19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2060291190.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2062421739.000000001B382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Test2.exe PID: 4196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 1352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 3648, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 2508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 3652, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 5728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 2292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 3788, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 4832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 3452, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 2792, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6164, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: Test2.exe, type: SAMPLE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: Test2.exe, type: SAMPLE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: Test2.exe, type: SAMPLE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.0.Test2.exe.460000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.0.Test2.exe.460000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.0.Test2.exe.460000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: Detects Quasar infostealer Author: ditekshen

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 2_2_00007FF848F095F2	2_2_00007FF848F095F2
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 2_2_00007FF849178A61	2_2_00007FF849178A61
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 2_2_00007FF849174D50	2_2_00007FF849174D50
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 2_2_00007FF849175BE1	2_2_00007FF849175BE1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 2_2_00007FF8491793C1	2_2_00007FF8491793C1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 2_2_00007FF84917A7CD	2_2_00007FF84917A7CD
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 2_2_00007FF8491710D1	2_2_00007FF8491710D1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 7_2_00007FF848F295F2	7_2_00007FF848F295F2
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 7_2_00007FF849198A61	7_2_00007FF849198A61
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 7_2_00007FF849194DC6	7_2_00007FF849194DC6
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 7_2_00007FF849195BE1	7_2_00007FF849195BE1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 7_2_00007FF8491993C1	7_2_00007FF8491993C1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 7_2_00007FF84919A7CD	7_2_00007FF84919A7CD
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 7_2_00007FF8491910D1	7_2_00007FF8491910D1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 18_2_00007FF849198A61	18_2_00007FF849198A61
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 18_2_00007FF849195BE1	18_2_00007FF849195BE1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 18_2_00007FF8491993C1	18_2_00007FF8491993C1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 18_2_00007FF849194DC6	18_2_00007FF849194DC6
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 18_2_00007FF84919A7CD	18_2_00007FF84919A7CD
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 24_2_00007FF848F395F2	24_2_00007FF848F395F2
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 24_2_00007FF848F394F2	24_2_00007FF848F394F2
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 24_2_00007FF8491A8A61	24_2_00007FF8491A8A61
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 24_2_00007FF8491A4DC6	24_2_00007FF8491A4DC6
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 24_2_00007FF8491A5BE1	24_2_00007FF8491A5BE1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 24_2_00007FF8491A93C1	24_2_00007FF8491A93C1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 24_2_00007FF8491AA7CD	24_2_00007FF8491AA7CD
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 24_2_00007FF8491A10D1	24_2_00007FF8491A10D1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 29_2_00007FF8491A8A61	29_2_00007FF8491A8A61
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 29_2_00007FF8491A5BE1	29_2_00007FF8491A5BE1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 29_2_00007FF8491A93C1	29_2_00007FF8491A93C1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 29_2_00007FF8491A4DC6	29_2_00007FF8491A4DC6
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 29_2_00007FF8491AA7CD	29_2_00007FF8491AA7CD
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 34_2_00007FF8491A8A61	34_2_00007FF8491A8A61
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 34_2_00007FF8491A5BE1	34_2_00007FF8491A5BE1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 34_2_00007FF8491A93C1	34_2_00007FF8491A93C1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 34_2_00007FF8491A4DC6	34_2_00007FF8491A4DC6
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 34_2_00007FF8491AA7CD	34_2_00007FF8491AA7CD
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 39_2_00007FF848F495F2	39_2_00007FF848F495F2
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 39_2_00007FF848F494F2	39_2_00007FF848F494F2
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 39_2_00007FF8491B8A61	39_2_00007FF8491B8A61
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 39_2_00007FF8491B4DC6	39_2_00007FF8491B4DC6
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 39_2_00007FF8491B5BE1	39_2_00007FF8491B5BE1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 39_2_00007FF8491B93C1	39_2_00007FF8491B93C1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 39_2_00007FF8491BA7CD	39_2_00007FF8491BA7CD
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 39_2_00007FF8491B11F2	39_2_00007FF8491B11F2
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 39_2_00007FF8491B10D1	39_2_00007FF8491B10D1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 44_2_00007FF8491B8A61	44_2_00007FF8491B8A61
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 44_2_00007FF8491B5BE1	44_2_00007FF8491B5BE1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 44_2_00007FF8491B93C1	44_2_00007FF8491B93C1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 44_2_00007FF8491B4DC6	44_2_00007FF8491B4DC6
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 44_2_00007FF8491BA7CD	44_2_00007FF8491BA7CD
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 49_2_00007FF8491A8A61	49_2_00007FF8491A8A61
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 49_2_00007FF8491A5BE1	49_2_00007FF8491A5BE1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 49_2_00007FF8491A93C1	49_2_00007FF8491A93C1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 49_2_00007FF8491A4DC6	49_2_00007FF8491A4DC6
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 49_2_00007FF8491AA7CD	49_2_00007FF8491AA7CD
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 54_2_00007FF849178A61	54_2_00007FF849178A61
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 54_2_00007FF849174D50	54_2_00007FF849174D50
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 54_2_00007FF849175BE1	54_2_00007FF849175BE1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 54_2_00007FF8491793C1	54_2_00007FF8491793C1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 54_2_00007FF84917A7CD	54_2_00007FF84917A7CD
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 59_2_00007FF8491A8A61	59_2_00007FF8491A8A61
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 59_2_00007FF8491A5BE1	59_2_00007FF8491A5BE1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 59_2_00007FF8491A93C1	59_2_00007FF8491A93C1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 59_2_00007FF8491A4DC6	59_2_00007FF8491A4DC6
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 59_2_00007FF8491AA7CD	59_2_00007FF8491AA7CD

Source: Test2.exe, 00000000.00000000.2034739793.0000000000780000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs Test2.exe
Source: Test2.exe, 00000000.00000002.2062421739.000000001B382000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs Test2.exe
Source: Test2.exe	Binary or memory string: OriginalFilenameClient.exe. vs Test2.exe

Source: Test2.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Test2.exe, type: SAMPLE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: Test2.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: Test2.exe, type: SAMPLE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.0.Test2.exe.460000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.0.Test2.exe.460000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.0.Test2.exe.460000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer

Source: classification engine

Classification label: mal100.troj.evad.winEXE@122/27@23/0

Source: C:\Users\user\Desktop\Test2.exe

File created: C:\Users\user\AppData\Roaming\SubDir

Jump to behavior

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6292:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5628:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5944:120:WilError_03
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\124c5996-13c0-46a2-804a-191042a109db
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5228:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1496:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6300:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1292:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4084:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7120:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5524:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4352:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4332:120:WilError_03

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe

File created: C:\Users\user\AppData\Local\Temp\Shpa9OKN8GrQ.bat

Jump to behavior

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Shpa9OKN8GrQ.bat" "

Source: Test2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Test2.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Test2.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Test2.exe	Virustotal: Detection: 82%
Source: Test2.exe	ReversingLabs: Detection: 78%

Source: Test2.exe

String found in binary or memory: HasSubValue3Conflicting item/add type

Source: C:\Users\user\Desktop\Test2.exe

File read: C:\Users\user\Desktop\Test2.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Test2.exe "C:\Users\user\Desktop\Test2.exe"
Source: C:\Users\user\Desktop\Test2.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Shpa9OKN8GrQ.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\HKybYN00EBOw.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\O2JjN7gejzZT.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\zXNfNAaZQ18l.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\YWzMsGcZYfSk.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\BcVX8akEUPIc.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\2wKqvlgp23d2.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\sqncKNCuACCi.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\r9ftmQJc7N4i.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\VlApCIMOlO5L.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Q04w6t2xkN0a.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\lPpSfrGjSDT5.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\chcp.com	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Test2.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Shpa9OKN8GrQ.bat" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\HKybYN00EBOw.bat" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\O2JjN7gejzZT.bat" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\zXNfNAaZQ18l.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\YWzMsGcZYfSk.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\BcVX8akEUPIc.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\2wKqvlgp23d2.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\sqncKNCuACCi.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\r9ftmQJc7N4i.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\VlApCIMOlO5L.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Q04w6t2xkN0a.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\lPpSfrGjSDT5.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\Test2.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mrmcorer.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: thumbcache.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mrmcorer.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: thumbcache.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mrmcorer.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: thumbcache.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mrmcorer.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: thumbcache.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mrmcorer.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: thumbcache.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mrmcorer.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: thumbcache.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mrmcorer.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: thumbcache.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mrmcorer.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: thumbcache.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: edputil.dll

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Test2.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Test2.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Test2.exe

Static file information: File size 3266048 > 1048576

Source: Test2.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x31c600

Source: Test2.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 2_2_00007FF848F07569 push ebx; iretd	2_2_00007FF848F0756A
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 2_2_00007FF848F08163 push ebx; ret	2_2_00007FF848F0816A
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 2_2_00007FF849172A42 push eax; ret	2_2_00007FF849172BFC
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 7_2_00007FF848F28163 push ebx; ret	7_2_00007FF848F2816A
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 7_2_00007FF848F27569 push ebx; iretd	7_2_00007FF848F2756A
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 7_2_00007FF849192A42 push eax; ret	7_2_00007FF849192BFC
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 18_2_00007FF849192A42 push eax; ret	18_2_00007FF849192BFC
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 24_2_00007FF848F38163 push ebx; ret	24_2_00007FF848F3816A
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 24_2_00007FF848F37569 push ebx; iretd	24_2_00007FF848F3756A
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 24_2_00007FF8491A2B90 push eax; ret	24_2_00007FF8491A2BFC
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 29_2_00007FF8491A2B90 push eax; ret	29_2_00007FF8491A2BFC
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 34_2_00007FF8491A2B90 push eax; ret	34_2_00007FF8491A2BFC
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 39_2_00007FF848F48163 push ebx; ret	39_2_00007FF848F4816A
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 39_2_00007FF848F47569 push ebx; iretd	39_2_00007FF848F4756A
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 39_2_00007FF8491B2A42 push eax; ret	39_2_00007FF8491B2BFC
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 44_2_00007FF8491B2A42 push eax; ret	44_2_00007FF8491B2BFC
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 49_2_00007FF8491A2B90 push eax; ret	49_2_00007FF8491A2BFC
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 54_2_00007FF849172A42 push eax; ret	54_2_00007FF849172BFC
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 59_2_00007FF8491A2B90 push eax; ret	59_2_00007FF8491A2BFC

Source: C:\Users\user\Desktop\Test2.exe

File created: C:\Users\user\AppData\Roaming\SubDir\Client.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\Test2.exe	File opened: C:\Users\user\Desktop\Test2.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes \| delete
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes \| delete
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes \| delete
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes \| delete
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes \| delete
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes \| delete
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes \| delete
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes \| delete
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes \| delete

Source: C:\Users\user\Desktop\Test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: C:\Users\user\Desktop\Test2.exe	Memory allocated: 10C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe	Memory allocated: 1AA70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: 1800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: 1B3C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: 1110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: 1AE40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: 12F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: 1AE40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: 17D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: 1B4C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: 1400000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: 1AEE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: A80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: 1A690000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: 1090000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: 1AC80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: D10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: 1A9C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: C60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: 1A7F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: EB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: 1AB70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: FE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: 1AB10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: 1790000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: 1B5D0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\Test2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\Test2.exe TID: 5036	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 6488	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 5668	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 7060	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 6444	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 5792	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 572	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 2352	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 3228	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 4124	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 940	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 5564	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 5776	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed

Source: C:\Users\user\Desktop\Test2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477

Source: Client.exe, 00000036.00000002.3280560936.000000001B6EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllp
Source: Client.exe, 0000000D.00000002.2316579347.000000001B950000.00000004.00000020.00020000.00000000.sdmp, Client.exe, 00000012.00000002.2432299693.000000001C0D0000.00000004.00000020.00020000.00000000.sdmp, Client.exe, 0000003B.00000002.3387715618.000000001BEE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Client.exe, 0000003B.00000002.3390622435.000000001C153000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Client.exe, 00000002.00000002.2089954592.000000001BD34000.00000004.00000020.00020000.00000000.sdmp, Client.exe, 00000007.00000002.2201234655.000000001B8EF000.00000004.00000020.00020000.00000000.sdmp, Client.exe, 0000000D.00000002.2316579347.000000001B950000.00000004.00000020.00020000.00000000.sdmp, Client.exe, 00000018.00000002.2552531345.000000001B91C000.00000004.00000020.00020000.00000000.sdmp, Client.exe, 0000001D.00000002.2676671848.000000001B212000.00000004.00000020.00020000.00000000.sdmp, Client.exe, 00000022.00000002.2784995626.000000001B5AD000.00000004.00000020.00020000.00000000.sdmp, Client.exe, 00000027.00000002.2917004821.000000001B2D2000.00000004.00000020.00020000.00000000.sdmp, Client.exe, 0000002C.00000002.3022842266.000000001B105000.00000004.00000020.00020000.00000000.sdmp, Client.exe, 00000031.00000002.3145957903.000000001B4AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Test2.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Test2.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Test2.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Shpa9OKN8GrQ.bat" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\HKybYN00EBOw.bat" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\O2JjN7gejzZT.bat" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\zXNfNAaZQ18l.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\YWzMsGcZYfSk.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\BcVX8akEUPIc.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\2wKqvlgp23d2.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\sqncKNCuACCi.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\r9ftmQJc7N4i.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\VlApCIMOlO5L.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Q04w6t2xkN0a.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\lPpSfrGjSDT5.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\Test2.exe	Queries volume information: C:\Users\user\Desktop\Test2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation

Source: C:\Users\user\Desktop\Test2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Quasar RAT

Source: Yara match	File source: Test2.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Test2.exe.460000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2193762959.000000000315E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000002.3118100690.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2421403593.00000000037DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2892307088.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2305729866.000000000315E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2421403593.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2653674828.00000000029AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003B.00000002.3354829409.00000000038EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2193762959.0000000002E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2768663751.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000036.00000002.3233179129.0000000002E2E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.3002789942.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000036.00000002.3233179129.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000002.3118100690.0000000002BA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2034739793.0000000000780000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2305729866.0000000002E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2768663751.0000000002F9E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2653674828.00000000026C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2535791887.00000000031FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2034418399.0000000000462000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.3002789942.0000000002829000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2084085399.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2892307088.00000000029F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003B.00000002.3354829409.0000000003609000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2535791887.0000000002F19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2060291190.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2062421739.000000001B382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Test2.exe PID: 4196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 1352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 3648, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 2508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 3652, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 5728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 2292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 3788, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 4832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 3452, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 2792, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6164, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED

Remote Access Functionality

Yara detected Quasar RAT

Source: Yara match	File source: Test2.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Test2.exe.460000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2193762959.000000000315E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000002.3118100690.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2421403593.00000000037DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2892307088.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2305729866.000000000315E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2421403593.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2653674828.00000000029AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003B.00000002.3354829409.00000000038EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2193762959.0000000002E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2768663751.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000036.00000002.3233179129.0000000002E2E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.3002789942.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000036.00000002.3233179129.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000002.3118100690.0000000002BA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2034739793.0000000000780000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2305729866.0000000002E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2768663751.0000000002F9E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2653674828.00000000026C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2535791887.00000000031FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2034418399.0000000000462000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.3002789942.0000000002829000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2084085399.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2892307088.00000000029F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003B.00000002.3354829409.0000000003609000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2535791887.0000000002F19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2060291190.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2062421739.000000001B382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Test2.exe PID: 4196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 1352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 3648, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 2508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 3652, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 5728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 2292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 3788, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 4832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 3452, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 2792, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6164, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	2 Command and Scripting Interpreter	1 Scripting	11 Process Injection	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Remote System Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Test2.exe	83%	Virustotal		Browse
Test2.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.Quasar
Test2.exe	100%	Avira	HEUR/AGEN.1307453
Test2.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\Q04w6t2xkN0a.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\2wKqvlgp23d2.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Roaming\SubDir\Client.exe	100%	Avira	HEUR/AGEN.1307453
C:\Users\user\AppData\Local\Temp\YWzMsGcZYfSk.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\Shpa9OKN8GrQ.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\BcVX8akEUPIc.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\zXNfNAaZQ18l.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\HKybYN00EBOw.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\sqncKNCuACCi.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\lPpSfrGjSDT5.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\VlApCIMOlO5L.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\r9ftmQJc7N4i.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\O2JjN7gejzZT.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Roaming\SubDir\Client.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\SubDir\Client.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.Quasar

Source	Detection	Scanner	Label	Link
llordiWasHere-55715.portmap.host	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
llordiWasHere-55715.portmap.host	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
llordiWasHere-55715.portmap.host	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://api.ipify.org/	Test2.exe, Client.exe.0.dr	false	high
https://stackoverflow.com/q/14436606/23354	Test2.exe, Client.exe.0.dr	false	high
https://stackoverflow.com/q/2152978/23354sCannot	Test2.exe, Client.exe.0.dr	false	high
https://ipwho.is/	Test2.exe, Client.exe.0.dr	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Test2.exe, 00000000.00000002.2060291190.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000002.00000002.2084085399.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000007.00000002.2193762959.000000000315E000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000000D.00000002.2305729866.000000000315E000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000012.00000002.2421403593.00000000037DE000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000018.00000002.2535791887.00000000031FE000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000001D.00000002.2653674828.00000000029AE000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000022.00000002.2768663751.0000000002F9E000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000027.00000002.2892307088.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000002C.00000002.3002789942.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000031.00000002.3118100690.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000036.00000002.3233179129.0000000002E2E000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000003B.00000002.3354829409.00000000038EE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	Test2.exe, Client.exe.0.dr	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581170
Start date and time:	2024-12-27 06:46:14 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	74
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Test2.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@122/27@23/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 266 Number of non-executed functions: 5
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Process:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2134
Entropy (8bit):	5.369466463144928
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkafHKWA1eXrHKlT4NJH3HtbpHKs:iq+wmj0qCYqGSI6oPtzHeqKkGqhA7qZe
MD5:	034569213C23E9CD691260B5AEACED74
SHA1:	8D6380383DF7F23E39D50C521AA30DF076BF9ED4
SHA-256:	D4E8B779A407DB36AF3B30CE1FA53DF7D4FE500571FE475C8D5C889BB09B37DC
SHA-512:	1380AA70E23D74651D3EDDEAE4B2972B867BF5A1DC436F21C6A883E475DFFF015257AACCF18442AFD52D85B1263E34D8458E4E900E17166EFE74F577BD759D95
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Test2.exe.log

Download File

Process:	C:\Users\user\Desktop\Test2.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Temp\2wKqvlgp23d2.bat

Download File

Process:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	209
Entropy (8bit):	5.3190374254404125
Encrypted:	false
SSDEEP:	6:hC47bxrBeLuVFOOr+DE19aZ53ZNSKOZG1923fL9GcH:d5r+uVEOCDEmH3MdH
MD5:	8F1ED928865715216A32B346615E944A
SHA1:	8B92E6CE509757D3A39508BA36EDE829C16D348D
SHA-256:	12C3A561BEE3ED8C1C8F46D63D5EDACB35FFD96B83970ED39FD1B7588E8DEB5E
SHA-512:	4BF410F27B72846B3EFB3500274C1094F20FD8BC36FAC528C881AF346CE778A11702A85155E182F8DC1FE9746763E225E2B4069B618320B45D6B36CB38362D23
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..echo DONT CLOSE THIS WINDOW!..ping -n 10 localhost > nul..start "" "C:\Users\user\AppData\Roaming\SubDir\Client.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\2wKqvlgp23d2.bat"

C:\Users\user\AppData\Local\Temp\BcVX8akEUPIc.bat

Download File

Process:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	209
Entropy (8bit):	5.3156950772859854
Encrypted:	false
SSDEEP:	6:hC47bxrBeLuVFOOr+DE19aZ53ZNSKOZG1923fxf:d5r+uVEOCDEmH3MB
MD5:	A8D8FF11066E3AFC4C30D3F2E1241885
SHA1:	C8927E317E10F90206B776328E3FD66A70A0261F
SHA-256:	F14B68B39616E04D6BDBD16B9B38E4756817916795F6839144E50B5AF6CAE9B0
SHA-512:	564CCE78A0FB939661A0BC3226284E92EF7314D127F41786DA7F15E7C74DC31F54CBFA54BDC4C2470B7F273CD33E8D583F1881BC39797DFEEFD3E489624DA002
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..echo DONT CLOSE THIS WINDOW!..ping -n 10 localhost > nul..start "" "C:\Users\user\AppData\Roaming\SubDir\Client.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\BcVX8akEUPIc.bat"

C:\Users\user\AppData\Local\Temp\HKybYN00EBOw.bat

Download File

Process:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	209
Entropy (8bit):	5.322759794284757
Encrypted:	false
SSDEEP:	6:hC47bxrBeLuVFOOr+DE19aZ53ZNSKOZG1923fReFn:d5r+uVEOCDEmH3MpeF
MD5:	D6FB6C8C256D3DE89D2D9E583713385B
SHA1:	1076B2425948E863A965419D4C8818EB45A1EFD3
SHA-256:	2892F69DC2AF5987255551991A4E993EB297F1A3419F4FC5785723414248C0D1
SHA-512:	5EFD990AD85065EB2A48CBDEFC2DCE03B7FBAF8E76B31F0A5CAE021C5722B0532D5020EF8E8849E61E28F5F1D0DD0D38081C749564C5B8D77CCFD1EDAE85E81A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..echo DONT CLOSE THIS WINDOW!..ping -n 10 localhost > nul..start "" "C:\Users\user\AppData\Roaming\SubDir\Client.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\HKybYN00EBOw.bat"

C:\Users\user\AppData\Local\Temp\O2JjN7gejzZT.bat

Download File

Process:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	209
Entropy (8bit):	5.327160198775398
Encrypted:	false
SSDEEP:	6:hC47bxrBeLuVFOOr+DE19aZ53ZNSKOZG1923fqykRH:d5r+uVEOCDEmH3MyTH
MD5:	3C1BE3BFE8D53959EF5A03F5CFB3AC11
SHA1:	5B16F9530715A5253BEA1AB330980A87C3630A38
SHA-256:	4C0AFE3111ECD25D3E309E86EA25712A5BE747376792C6CEDBB12A90BFD336B3
SHA-512:	2EE3C2AA31D501BF7CBD1FF622DDBC18740714FFFBBF6E28860220B4672585FEF46BDE88543B079FE884A54A90935D8D310C12F4A09200306543458835D0A8C1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..echo DONT CLOSE THIS WINDOW!..ping -n 10 localhost > nul..start "" "C:\Users\user\AppData\Roaming\SubDir\Client.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\O2JjN7gejzZT.bat"

C:\Users\user\AppData\Local\Temp\Q04w6t2xkN0a.bat

Download File

Process:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	209
Entropy (8bit):	5.306325909726014
Encrypted:	false
SSDEEP:	6:hC47bxrBeLuVFOOr+DE19aZ53ZNSKOZG1923fpauK:d5r+uVEOCDEmH3MBfK
MD5:	88DEEFC115AA416C483669C22F62C7D0
SHA1:	13888A18E450EFC89975BB6C5CC6203F55E18B4F
SHA-256:	45DEB95449C155950F24E66B7856C68EB29BAD5299597DF0AA2D8F191FFA15F1
SHA-512:	169192BD85E87C028D271E623847404F44BF09CBEE160A9B3ADEF5730437A7D193037E139383B11FA2926B05351EBB6F8D4F8D00FEB09FBB7C557A9C02F072EA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..echo DONT CLOSE THIS WINDOW!..ping -n 10 localhost > nul..start "" "C:\Users\user\AppData\Roaming\SubDir\Client.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\Q04w6t2xkN0a.bat"

C:\Users\user\AppData\Local\Temp\Shpa9OKN8GrQ.bat

Download File

Process:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	209
Entropy (8bit):	5.29266680459552
Encrypted:	false
SSDEEP:	6:hC47bxrBeLuVFOOr+DE19aZ53ZNSKOZG1923fK4H:d5r+uVEOCDEmH3Mr
MD5:	E3023EB2EBE1DD3C4FF4FBE4C9E06093
SHA1:	7747726F95640B9B73D44E32D304552B76534CE6
SHA-256:	EFF321F756FC334CFCCAD1116E588906231BD92C5C631F478AA676F42CC6DC6F
SHA-512:	7A644F5793A7A585A6E42476FB041FC76BFDCE0164815E22B3560DDFD08DF7C06EE4636F964F166C79030BA907034C90148CFF25FA46B25D66F1522A53EE8809
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..echo DONT CLOSE THIS WINDOW!..ping -n 10 localhost > nul..start "" "C:\Users\user\AppData\Roaming\SubDir\Client.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\Shpa9OKN8GrQ.bat"

C:\Users\user\AppData\Local\Temp\VlApCIMOlO5L.bat

Download File

Process:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	209
Entropy (8bit):	5.252486052786029
Encrypted:	false
SSDEEP:	6:hC47bxrBeLuVFOOr+DE19aZ53ZNSKOZG1923fp:d5r+uVEOCDEmH3Mx
MD5:	BB774B0593FC0AB62DE4E9C5B03208EB
SHA1:	8627C451779D7BECC570F9F0836FA1B041BDC107
SHA-256:	42EE3E2111AEE2666B9ABAD96845DF863F1DD238A440D2CE85071CC77B4A9B4C
SHA-512:	BB7A5EBB6B6724D289C7AE5BE510B2E6C4F4FE1F7192451719806C641A28D8E6AA71DA1234565F065D2C6AEA7766AD5A6FA792E4156D345CEAC18C5EC1A77ADD
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..echo DONT CLOSE THIS WINDOW!..ping -n 10 localhost > nul..start "" "C:\Users\user\AppData\Roaming\SubDir\Client.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\VlApCIMOlO5L.bat"

C:\Users\user\AppData\Local\Temp\YWzMsGcZYfSk.bat

Download File

Process:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	209
Entropy (8bit):	5.318159179363655
Encrypted:	false
SSDEEP:	6:hC47bxrBeLuVFOOr+DE19aZ53ZNSKOZG1923f60:d5r+uVEOCDEmH3MS0
MD5:	BF2A49006105B273E1D2BB37FB195BD7
SHA1:	AF9B87591523A80E2F725098B7E77379F848FCEE
SHA-256:	434A6AA9FAC4AE5A23A28C07FC36AADFC134E28C3401DBB65390CA97906783EB
SHA-512:	D5CDA9C99225E514602B79BA596429F167C22A064CE9475351048669B0B2A677F61772206992B42C93822D41E19D052417F3757936927F470F09BEFCC9F3E28C
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..echo DONT CLOSE THIS WINDOW!..ping -n 10 localhost > nul..start "" "C:\Users\user\AppData\Roaming\SubDir\Client.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\YWzMsGcZYfSk.bat"

C:\Users\user\AppData\Local\Temp\lPpSfrGjSDT5.bat

Download File

Process:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	209
Entropy (8bit):	5.261621157497829
Encrypted:	false
SSDEEP:	6:hC47bxrBeLuVFOOr+DE19aZ53ZNSKOZG1923ftRLYH:d5r+uVEOCDEmH3M6
MD5:	D789DAA5C5DF84469ADCFE7E2D30F22C
SHA1:	EFFABF6BFD140B6EA72D598780328DD002BDDE16
SHA-256:	ED89F71BA3260D8A4D5C84A4FCE3A4BC3B2760EA4EF39BE19CA4A76FF70BE96C
SHA-512:	3EBDD642853F7D7BC776D7271B7C672807885D8BA9E7DBE4C80129B40C361568BDD038C5BB9C6E92ED8B14C87C90DC5A2A7BC2E35AB0C613340C3A05DCEEA4AA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..echo DONT CLOSE THIS WINDOW!..ping -n 10 localhost > nul..start "" "C:\Users\user\AppData\Roaming\SubDir\Client.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\lPpSfrGjSDT5.bat"

C:\Users\user\AppData\Local\Temp\r9ftmQJc7N4i.bat

Download File

Process:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	209
Entropy (8bit):	5.296397234455441
Encrypted:	false
SSDEEP:	6:hC47bxrBeLuVFOOr+DE19aZ53ZNSKOZG1923fO:d5r+uVEOCDEmH3MW
MD5:	F4A29D4565A23B10FF595B7F2F8FB033
SHA1:	87CB4074D40A36E70BC3C171B1BA58129BC83AA7
SHA-256:	C6BA5726AC73798970DD1039D1134D51007E5E864806109D1373933E42775082
SHA-512:	781381FCF53019F2FF96614989874DA719DE07CF38D68C4B042D685B68F09CB5D1ACBF2BD19A867BE95275E012D37012CAFD62C2FB27B3C551E05F0AC6A2CFC7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..echo DONT CLOSE THIS WINDOW!..ping -n 10 localhost > nul..start "" "C:\Users\user\AppData\Roaming\SubDir\Client.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\r9ftmQJc7N4i.bat"

C:\Users\user\AppData\Local\Temp\sqncKNCuACCi.bat

Download File

Process:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	209
Entropy (8bit):	5.232158373377831
Encrypted:	false
SSDEEP:	6:hC47bxrBeLuVFOOr+DE19aZ53ZNSKOZG1923fFyKq:d5r+uVEOCDEmH3MAKq
MD5:	E4AD8038157B7C0EF8CC9758768C6536
SHA1:	4732DFF2DCB4807A0EFA3AB8CB56DD9A195CC4EF
SHA-256:	2AA053749DDF02F2CB62F5445E5D96260DB7534F5C54187C2CBDF3D49CA83612
SHA-512:	23E4FCA4A5E286C7ACFFB5A1825BF204C720B23BE144A164C1CD4E05F5DA2A64A93F73CDEAA8DEAFB057126CEBDAA1713236098383E73D8052EF56D7C4481680
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..echo DONT CLOSE THIS WINDOW!..ping -n 10 localhost > nul..start "" "C:\Users\user\AppData\Roaming\SubDir\Client.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\sqncKNCuACCi.bat"

C:\Users\user\AppData\Local\Temp\zXNfNAaZQ18l.bat

Download File

Process:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	209
Entropy (8bit):	5.296847065098435
Encrypted:	false
SSDEEP:	6:hC47bxrBeLuVFOOr+DE19aZ53ZNSKOZG1923fk:d5r+uVEOCDEmH3MM
MD5:	020E5C2662A0781307AA3DD518174B1C
SHA1:	2E3745BD228F05FC2E7A671B228498E3F8881E35
SHA-256:	C94B8E4CB2EEB49556C03A019175AA1AAC17C10DC1F909CAEB9E7E6C80063495
SHA-512:	A9CE805DC7B64E98B594D9A5CE6F2DAD1A81A8144E24D98166F5028A317719FBD9B5EC91137DC19CBACD7FCCFE5683A8A27870F684A26AFD7AC346C87D9C9F1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..echo DONT CLOSE THIS WINDOW!..ping -n 10 localhost > nul..start "" "C:\Users\user\AppData\Roaming\SubDir\Client.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\zXNfNAaZQ18l.bat"

C:\Users\user\AppData\Roaming\SubDir\Client.exe

Download File

Process:	C:\Users\user\Desktop\Test2.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3266048
Entropy (8bit):	6.0751351573376215
Encrypted:	false
SSDEEP:	49152:/v2lL26AaNeWgPhlmVqvMQ7XSKKQSYmzwXoGdVTHHB72eh2NT:/v2L26AaNeWgPhlmVqkQ7XSKKQSq
MD5:	7F888B6CBD5062A7558EEA61EB9A9CA2
SHA1:	2ACFB5C3E7B8E569EA52397154B9B3FFB44E7D87
SHA-256:	864BEC690DA391F258DE447606AC18BAA79672B665BA321A4DA67ED59D567CAD
SHA-512:	7DA70E844E0FCE4B4BBC70DB89503B95B6514CABF9CE9CF66FED643F6C11AAFC5E7A8F385B5D16F7FA802CC47C9200BF486030834551D14C55078307EF7E93D8
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Joe Security Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: ditekSHen Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: ditekshen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..................1.........>.1.. ........@.. .......................@2...........@...................................1.K.....2...................... 2...................................................... ............... ..H............text...D.1.. ....1................. ..`.rsrc.........2.......1.............@..@.reloc....... 2.......1.............@..B................ .1.....H........................k..p............................................0..M....... ....(.....(...........s....(....(...........s....o....(.....(....s....(........0..8.......(....(0....s....%.o....%.o....%.o....(....&..&...(.............--..........00.......0..@........o....,7(....(0....s....%.o....%.o....%.o....(....&..&...(.............-5..........08......f~w...,.~....(....(.....v.(.....s....}.....s....}....r..(......(.....(......(....*....0..L........{....r...po....

\Device\Null

Download File

Process:	C:\Windows\System32\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	502
Entropy (8bit):	4.630609828667227
Encrypted:	false
SSDEEP:	12:PF5pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:3dUOAokItULVDv
MD5:	AD895E21D0D519A86FAF4781C06E40AD
SHA1:	E1117E8118B19001664288AB0C32E32CD0FB6C6D
SHA-256:	24B06C18C14E5F86DAB472772B3903A77CBE9549B3F4C4AAED1E86B509A1D44B
SHA-512:	617AE584FB3CA7D1BD5035C80B003F4A3BD2520CA12A1A3031F136D17DE418ECEC754BCC054B23EC19CABACEE6D8B5EEA79244B724C6BCE7F14C646FB2088548
Malicious:	false
Preview:	..Pinging 468325 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.0751351573376215
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Test2.exe
File size:	3'266'048 bytes
MD5:	7f888b6cbd5062a7558eea61eb9a9ca2
SHA1:	2acfb5c3e7b8e569ea52397154b9b3ffb44e7d87
SHA256:	864bec690da391f258de447606ac18baa79672b665ba321a4da67ed59d567cad
SHA512:	7da70e844e0fce4b4bbc70db89503b95b6514cabf9ce9cf66fed643f6c11aafc5e7a8f385b5d16f7fa802cc47c9200bf486030834551d14c55078307ef7e93d8
SSDEEP:	49152:/v2lL26AaNeWgPhlmVqvMQ7XSKKQSYmzwXoGdVTHHB72eh2NT:/v2L26AaNeWgPhlmVqkQ7XSKKQSq
TLSH:	AFE55A0477F85E62E5AAD3B3D5F0541363F0F82AF3A3EB0B5191677A1C93B4098426A7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..................1.........>.1.. ........@.. .......................@2...........@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x71e43e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x640DFAE7 [Sun Mar 12 16:16:39 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x31e3f0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x320000	0xa93	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x322000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x31c444	0x31c600	880ba636326a953ae74844df8215cb7f	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x320000	0xa93	0xc00	cdeae95ac72e9e58017d2bcc89d2fbea	False	0.36328125	data	4.653972105845318	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x322000	0xc	0x200	82af84a97c26dde1ee285c565894879a	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x3200a0	0x31c	data			0.4484924623115578
RT_MANIFEST	0x3203bc	0x6d7	XML 1.0 document, Unicode text, UTF-8 (with BOM) text			0.40319817247287265

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 06:47:10.434401989 CET	52175	53	192.168.2.5	1.1.1.1
Dec 27, 2024 06:47:10.848803997 CET	53	52175	1.1.1.1	192.168.2.5
Dec 27, 2024 06:47:21.876594067 CET	64167	53	192.168.2.5	1.1.1.1
Dec 27, 2024 06:47:22.015328884 CET	53	64167	1.1.1.1	192.168.2.5
Dec 27, 2024 06:47:32.977411032 CET	63415	53	192.168.2.5	1.1.1.1
Dec 27, 2024 06:47:33.115261078 CET	53	63415	1.1.1.1	192.168.2.5
Dec 27, 2024 06:47:44.535075903 CET	61312	53	192.168.2.5	1.1.1.1
Dec 27, 2024 06:47:44.674062967 CET	53	61312	1.1.1.1	192.168.2.5
Dec 27, 2024 06:47:56.002815962 CET	50062	53	192.168.2.5	1.1.1.1
Dec 27, 2024 06:47:56.140671015 CET	53	50062	1.1.1.1	192.168.2.5
Dec 27, 2024 06:48:07.360058069 CET	51857	53	192.168.2.5	1.1.1.1
Dec 27, 2024 06:48:07.714904070 CET	53	51857	1.1.1.1	192.168.2.5
Dec 27, 2024 06:48:19.060259104 CET	59019	53	192.168.2.5	1.1.1.1
Dec 27, 2024 06:48:19.196938992 CET	53	59019	1.1.1.1	192.168.2.5
Dec 27, 2024 06:48:31.386117935 CET	50768	53	192.168.2.5	1.1.1.1
Dec 27, 2024 06:48:31.523041010 CET	53	50768	1.1.1.1	192.168.2.5
Dec 27, 2024 06:48:42.281372070 CET	57138	53	192.168.2.5	1.1.1.1
Dec 27, 2024 06:48:42.582626104 CET	53	57138	1.1.1.1	192.168.2.5
Dec 27, 2024 06:48:53.472259045 CET	63774	53	192.168.2.5	1.1.1.1
Dec 27, 2024 06:48:53.610065937 CET	53	63774	1.1.1.1	192.168.2.5
Dec 27, 2024 06:49:05.570930958 CET	49241	53	192.168.2.5	1.1.1.1
Dec 27, 2024 06:49:05.707827091 CET	53	49241	1.1.1.1	192.168.2.5
Dec 27, 2024 06:49:16.699248075 CET	55624	53	192.168.2.5	1.1.1.1
Dec 27, 2024 06:49:17.201442957 CET	53	55624	1.1.1.1	192.168.2.5
Dec 27, 2024 06:49:28.726604939 CET	52717	53	192.168.2.5	1.1.1.1
Dec 27, 2024 06:49:28.864137888 CET	53	52717	1.1.1.1	192.168.2.5
Dec 27, 2024 06:49:39.128494024 CET	64343	53	192.168.2.5	1.1.1.1
Dec 27, 2024 06:49:39.265472889 CET	53	64343	1.1.1.1	192.168.2.5
Dec 27, 2024 06:49:49.483700991 CET	51316	53	192.168.2.5	1.1.1.1
Dec 27, 2024 06:49:49.621309042 CET	53	51316	1.1.1.1	192.168.2.5
Dec 27, 2024 06:49:59.810256958 CET	54023	53	192.168.2.5	1.1.1.1
Dec 27, 2024 06:49:59.948362112 CET	53	54023	1.1.1.1	192.168.2.5
Dec 27, 2024 06:50:10.167757988 CET	56506	53	192.168.2.5	1.1.1.1
Dec 27, 2024 06:50:10.305295944 CET	53	56506	1.1.1.1	192.168.2.5
Dec 27, 2024 06:50:20.455073118 CET	58839	53	192.168.2.5	1.1.1.1
Dec 27, 2024 06:50:20.592583895 CET	53	58839	1.1.1.1	192.168.2.5
Dec 27, 2024 06:50:30.997086048 CET	56719	53	192.168.2.5	1.1.1.1
Dec 27, 2024 06:50:31.133971930 CET	53	56719	1.1.1.1	192.168.2.5
Dec 27, 2024 06:50:41.785559893 CET	56933	53	192.168.2.5	1.1.1.1
Dec 27, 2024 06:50:41.922771931 CET	53	56933	1.1.1.1	192.168.2.5
Dec 27, 2024 06:50:52.170691967 CET	63777	53	192.168.2.5	1.1.1.1
Dec 27, 2024 06:50:52.307748079 CET	53	63777	1.1.1.1	192.168.2.5
Dec 27, 2024 06:51:02.648930073 CET	49344	53	192.168.2.5	1.1.1.1
Dec 27, 2024 06:51:02.786406040 CET	53	49344	1.1.1.1	192.168.2.5
Dec 27, 2024 06:51:13.294262886 CET	57627	53	192.168.2.5	1.1.1.1
Dec 27, 2024 06:51:13.434181929 CET	53	57627	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 27, 2024 06:47:10.434401989 CET	192.168.2.5	1.1.1.1	0xc33d	Standard query (0)	llordiWasHere-55715.portmap.host	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:47:21.876594067 CET	192.168.2.5	1.1.1.1	0x92b9	Standard query (0)	llordiWasHere-55715.portmap.host	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:47:32.977411032 CET	192.168.2.5	1.1.1.1	0xf1b4	Standard query (0)	llordiWasHere-55715.portmap.host	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:47:44.535075903 CET	192.168.2.5	1.1.1.1	0xd37f	Standard query (0)	llordiWasHere-55715.portmap.host	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:47:56.002815962 CET	192.168.2.5	1.1.1.1	0x3ec2	Standard query (0)	llordiWasHere-55715.portmap.host	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:48:07.360058069 CET	192.168.2.5	1.1.1.1	0x3dbc	Standard query (0)	llordiWasHere-55715.portmap.host	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:48:19.060259104 CET	192.168.2.5	1.1.1.1	0xe363	Standard query (0)	llordiWasHere-55715.portmap.host	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:48:31.386117935 CET	192.168.2.5	1.1.1.1	0xfcf2	Standard query (0)	llordiWasHere-55715.portmap.host	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:48:42.281372070 CET	192.168.2.5	1.1.1.1	0xd43	Standard query (0)	llordiWasHere-55715.portmap.host	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:48:53.472259045 CET	192.168.2.5	1.1.1.1	0xbb2f	Standard query (0)	llordiWasHere-55715.portmap.host	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:49:05.570930958 CET	192.168.2.5	1.1.1.1	0x479d	Standard query (0)	llordiWasHere-55715.portmap.host	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:49:16.699248075 CET	192.168.2.5	1.1.1.1	0x8ac6	Standard query (0)	llordiWasHere-55715.portmap.host	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:49:28.726604939 CET	192.168.2.5	1.1.1.1	0x2965	Standard query (0)	llordiWasHere-55715.portmap.host	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:49:39.128494024 CET	192.168.2.5	1.1.1.1	0xa452	Standard query (0)	llordiWasHere-55715.portmap.host	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:49:49.483700991 CET	192.168.2.5	1.1.1.1	0x33e	Standard query (0)	llordiWasHere-55715.portmap.host	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:49:59.810256958 CET	192.168.2.5	1.1.1.1	0x60b2	Standard query (0)	llordiWasHere-55715.portmap.host	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:50:10.167757988 CET	192.168.2.5	1.1.1.1	0x8307	Standard query (0)	llordiWasHere-55715.portmap.host	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:50:20.455073118 CET	192.168.2.5	1.1.1.1	0x5bb6	Standard query (0)	llordiWasHere-55715.portmap.host	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:50:30.997086048 CET	192.168.2.5	1.1.1.1	0xddc4	Standard query (0)	llordiWasHere-55715.portmap.host	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:50:41.785559893 CET	192.168.2.5	1.1.1.1	0x1274	Standard query (0)	llordiWasHere-55715.portmap.host	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:50:52.170691967 CET	192.168.2.5	1.1.1.1	0x55ca	Standard query (0)	llordiWasHere-55715.portmap.host	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:51:02.648930073 CET	192.168.2.5	1.1.1.1	0x380	Standard query (0)	llordiWasHere-55715.portmap.host	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:51:13.294262886 CET	192.168.2.5	1.1.1.1	0x8e97	Standard query (0)	llordiWasHere-55715.portmap.host	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 27, 2024 06:47:10.848803997 CET	1.1.1.1	192.168.2.5	0xc33d	Name error (3)	llordiWasHere-55715.portmap.host	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:47:22.015328884 CET	1.1.1.1	192.168.2.5	0x92b9	Name error (3)	llordiWasHere-55715.portmap.host	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:47:33.115261078 CET	1.1.1.1	192.168.2.5	0xf1b4	Name error (3)	llordiWasHere-55715.portmap.host	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:47:44.674062967 CET	1.1.1.1	192.168.2.5	0xd37f	Name error (3)	llordiWasHere-55715.portmap.host	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:47:56.140671015 CET	1.1.1.1	192.168.2.5	0x3ec2	Name error (3)	llordiWasHere-55715.portmap.host	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:48:07.714904070 CET	1.1.1.1	192.168.2.5	0x3dbc	Name error (3)	llordiWasHere-55715.portmap.host	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:48:19.196938992 CET	1.1.1.1	192.168.2.5	0xe363	Name error (3)	llordiWasHere-55715.portmap.host	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:48:31.523041010 CET	1.1.1.1	192.168.2.5	0xfcf2	Name error (3)	llordiWasHere-55715.portmap.host	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:48:42.582626104 CET	1.1.1.1	192.168.2.5	0xd43	Name error (3)	llordiWasHere-55715.portmap.host	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:48:53.610065937 CET	1.1.1.1	192.168.2.5	0xbb2f	Name error (3)	llordiWasHere-55715.portmap.host	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:49:05.707827091 CET	1.1.1.1	192.168.2.5	0x479d	Name error (3)	llordiWasHere-55715.portmap.host	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:49:17.201442957 CET	1.1.1.1	192.168.2.5	0x8ac6	Name error (3)	llordiWasHere-55715.portmap.host	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:49:28.864137888 CET	1.1.1.1	192.168.2.5	0x2965	Name error (3)	llordiWasHere-55715.portmap.host	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:49:39.265472889 CET	1.1.1.1	192.168.2.5	0xa452	Name error (3)	llordiWasHere-55715.portmap.host	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:49:49.621309042 CET	1.1.1.1	192.168.2.5	0x33e	Name error (3)	llordiWasHere-55715.portmap.host	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:49:59.948362112 CET	1.1.1.1	192.168.2.5	0x60b2	Name error (3)	llordiWasHere-55715.portmap.host	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:50:10.305295944 CET	1.1.1.1	192.168.2.5	0x8307	Name error (3)	llordiWasHere-55715.portmap.host	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:50:20.592583895 CET	1.1.1.1	192.168.2.5	0x5bb6	Name error (3)	llordiWasHere-55715.portmap.host	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:50:31.133971930 CET	1.1.1.1	192.168.2.5	0xddc4	Name error (3)	llordiWasHere-55715.portmap.host	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:50:41.922771931 CET	1.1.1.1	192.168.2.5	0x1274	Name error (3)	llordiWasHere-55715.portmap.host	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:50:52.307748079 CET	1.1.1.1	192.168.2.5	0x55ca	Name error (3)	llordiWasHere-55715.portmap.host	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:51:02.786406040 CET	1.1.1.1	192.168.2.5	0x380	Name error (3)	llordiWasHere-55715.portmap.host	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:51:13.434181929 CET	1.1.1.1	192.168.2.5	0x8e97	Name error (3)	llordiWasHere-55715.portmap.host	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	00:47:05
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\Test2.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Test2.exe"
Imagebase:	0x460000
File size:	3'266'048 bytes
MD5 hash:	7F888B6CBD5062A7558EEA61EB9A9CA2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.2034739793.0000000000780000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.2034418399.0000000000462000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2060291190.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2062421739.000000001B382000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:47:07
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Imagebase:	0xeb0000
File size:	3'266'048 bytes
MD5 hash:	7F888B6CBD5062A7558EEA61EB9A9CA2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000002.00000002.2084085399.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Joe Security Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: ditekSHen Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: ditekshen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 79%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	00:47:10
Start date:	27/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Shpa9OKN8GrQ.bat" "
Imagebase:	0x7ff70ade0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	00:47:10
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	00:47:10
Start date:	27/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff790b80000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	00:47:10
Start date:	27/12/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff77d000000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	00:47:19
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Imagebase:	0x8a0000
File size:	3'266'048 bytes
MD5 hash:	7F888B6CBD5062A7558EEA61EB9A9CA2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000007.00000002.2193762959.000000000315E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000007.00000002.2193762959.0000000002E79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	00:47:21
Start date:	27/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\HKybYN00EBOw.bat" "
Imagebase:	0x7ff70ade0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	00:47:21
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	00:47:21
Start date:	27/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff790b80000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	00:47:21
Start date:	27/12/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff77d000000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	00:47:30
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Imagebase:	0x890000
File size:	3'266'048 bytes
MD5 hash:	7F888B6CBD5062A7558EEA61EB9A9CA2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000D.00000002.2305729866.000000000315E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000D.00000002.2305729866.0000000002E79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	00:47:32
Start date:	27/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\O2JjN7gejzZT.bat" "
Imagebase:	0x7ff70ade0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	00:47:32
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	00:47:32
Start date:	27/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff790b80000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	00:47:32
Start date:	27/12/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff77d000000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	00:47:41
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Imagebase:	0xe80000
File size:	3'266'048 bytes
MD5 hash:	7F888B6CBD5062A7558EEA61EB9A9CA2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000012.00000002.2421403593.00000000037DE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000012.00000002.2421403593.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	00:47:43
Start date:	27/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\zXNfNAaZQ18l.bat" "
Imagebase:	0x7ff70ade0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	00:47:43
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	00:47:44
Start date:	27/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff790b80000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	00:47:44
Start date:	27/12/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff77d000000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	00:47:53
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Imagebase:	0x9b0000
File size:	3'266'048 bytes
MD5 hash:	7F888B6CBD5062A7558EEA61EB9A9CA2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000018.00000002.2535791887.00000000031FE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000018.00000002.2535791887.0000000002F19000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	00:47:55
Start date:	27/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\YWzMsGcZYfSk.bat" "
Imagebase:	0x7ff70ade0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	00:47:55
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	00:47:55
Start date:	27/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff790b80000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	00:47:55
Start date:	27/12/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff632ac0000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	00:48:05
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Imagebase:	0x130000
File size:	3'266'048 bytes
MD5 hash:	7F888B6CBD5062A7558EEA61EB9A9CA2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000001D.00000002.2653674828.00000000029AE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000001D.00000002.2653674828.00000000026C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	00:48:06
Start date:	27/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\BcVX8akEUPIc.bat" "
Imagebase:	0x7ff70ade0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	00:48:06
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	00:48:07
Start date:	27/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff790b80000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	00:48:07
Start date:	27/12/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff77d000000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	00:48:16
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Imagebase:	0x640000
File size:	3'266'048 bytes
MD5 hash:	7F888B6CBD5062A7558EEA61EB9A9CA2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000022.00000002.2768663751.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000022.00000002.2768663751.0000000002F9E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	00:48:18
Start date:	27/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\2wKqvlgp23d2.bat" "
Imagebase:	0x7ff70ade0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	00:48:18
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	00:48:18
Start date:	27/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff790b80000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	00:48:18
Start date:	27/12/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff77d000000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	00:48:28
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Imagebase:	0x4c0000
File size:	3'266'048 bytes
MD5 hash:	7F888B6CBD5062A7558EEA61EB9A9CA2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000027.00000002.2892307088.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000027.00000002.2892307088.00000000029F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	00:48:30
Start date:	27/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\sqncKNCuACCi.bat" "
Imagebase:	0x7ff70ade0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	00:48:30
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	00:48:30
Start date:	27/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff790b80000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	00:48:31
Start date:	27/12/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff77d000000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	00:48:40
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Imagebase:	0x300000
File size:	3'266'048 bytes
MD5 hash:	7F888B6CBD5062A7558EEA61EB9A9CA2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000002C.00000002.3002789942.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000002C.00000002.3002789942.0000000002829000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	00:48:41
Start date:	27/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\r9ftmQJc7N4i.bat" "
Imagebase:	0x7ff70ade0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	00:48:41
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	00:48:42
Start date:	27/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff790b80000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	00:48:42
Start date:	27/12/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff77d000000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	00:48:51
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Imagebase:	0x650000
File size:	3'266'048 bytes
MD5 hash:	7F888B6CBD5062A7558EEA61EB9A9CA2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000031.00000002.3118100690.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000031.00000002.3118100690.0000000002BA9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	00:48:53
Start date:	27/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\VlApCIMOlO5L.bat" "
Imagebase:	0x7ff70ade0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	00:48:53
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	00:48:53
Start date:	27/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff790b80000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	00:48:53
Start date:	27/12/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff77d000000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	00:49:03
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Imagebase:	0x590000
File size:	3'266'048 bytes
MD5 hash:	7F888B6CBD5062A7558EEA61EB9A9CA2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000036.00000002.3233179129.0000000002E2E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000036.00000002.3233179129.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	00:49:04
Start date:	27/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Q04w6t2xkN0a.bat" "
Imagebase:	0x7ff70ade0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	00:49:04
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	00:49:05
Start date:	27/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff790b80000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	00:49:05
Start date:	27/12/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff77d000000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	00:49:14
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Imagebase:	0xff0000
File size:	3'266'048 bytes
MD5 hash:	7F888B6CBD5062A7558EEA61EB9A9CA2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000003B.00000002.3354829409.00000000038EE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000003B.00000002.3354829409.0000000003609000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	00:49:16
Start date:	27/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\lPpSfrGjSDT5.bat" "
Imagebase:	0x7ff70ade0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	61
Start time:	00:49:16
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	00:49:17
Start date:	27/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff790b80000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	63
Start time:	00:49:17
Start date:	27/12/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff77d000000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	101
Start time:	00:50:41
Start date:	27/12/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	16.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	13
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF848F23525 Relevance: 1.6, APIs: 1, Instructions: 137
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE ref: 00007FF848F23607

Memory Dump Source

Source File: 00000000.00000002.2064325956.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_Test2.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: d6b3dc1de286b365e93921be7eff55d86a4bfad882c9025c39155beffcd3e805
Instruction ID: 32c4b7410c7a5dc19b08ee4714aca34e11199ae9839807a67ab3d1c1fabba9a1
Opcode Fuzzy Hash: d6b3dc1de286b365e93921be7eff55d86a4bfad882c9025c39155beffcd3e805
Instruction Fuzzy Hash: 1C41047180DB8C9FDB05DB6C98596E9BFF0FF56310F0441AFC049C75A2DB2968498752

Function 00007FF848F23569 Relevance: 1.6, APIs: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE ref: 00007FF848F23607

Memory Dump Source

Source File: 00000000.00000002.2064325956.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_Test2.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 8d358f59e70f7231e6e6bd0a2b47db04b79cc063e6a771c1c1136b43fece1bad
Instruction ID: abc54ccf21843c473a4d7dff86577630fd02a3549c39ea79b2012866f3849d86
Opcode Fuzzy Hash: 8d358f59e70f7231e6e6bd0a2b47db04b79cc063e6a771c1c1136b43fece1bad
Instruction Fuzzy Hash: 1131F07180CB5C9FDB19DB5888496E9BBF0FF65310F04426BC049D3292DB79A846CB91

Analysis Process: Client.exePID: 1352, Parent PID: 4196COMMON

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF849175BE1 Relevance: 1.9, Strings: 1, Instructions: 688
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

*#I, xrefs: 00007FF849176070

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID: *#I
API String ID: 0-2219797031
Opcode ID: 783765f4a4f3ab2bafcb849de44ab3ad6181c957e73d70ee20bb41bdcdd19785
Instruction ID: 2b8cf162cb6ae144a83f953d3b19d92dd15d08ea8cdade0d186ef45155fa44dc
Opcode Fuzzy Hash: 783765f4a4f3ab2bafcb849de44ab3ad6181c957e73d70ee20bb41bdcdd19785
Instruction Fuzzy Hash: 51324F30A18A5A8FDBA4EF18C8857A9B7E1FF98341F5045B9D04ED3295DB38E9818F41

Function 00007FF8491793C1 Relevance: 1.4, Instructions: 1418
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ded5c034f0ffb99bb46a76d8e3ee3a3128e60582064b405bce6851afa2d0ddc
Instruction ID: dd3944de64c34c3ad75c572e604f58dd29aa8e5d1c8281413af9852a36157a9b
Opcode Fuzzy Hash: 0ded5c034f0ffb99bb46a76d8e3ee3a3128e60582064b405bce6851afa2d0ddc
Instruction Fuzzy Hash: AA92E430B1C94A4FEBA8EF2C945977577D1FF99390F0401BAD44EC72A6DE28AC468B41

Function 00007FF849174D50 Relevance: 1.3, Instructions: 1336
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 386eac8a0b8daaddddfaba2a68af433a11ce7ebc620714a368c094ef88fdebf2
Instruction ID: bad2c2993e07f430f1e1b410b215454d051e3c475cfb26ba4d8411c02907e6b3
Opcode Fuzzy Hash: 386eac8a0b8daaddddfaba2a68af433a11ce7ebc620714a368c094ef88fdebf2
Instruction Fuzzy Hash: 33A2A570A1CA4A8FDF98EF18C494BA977E2FF58340F5041A9D04ED7296DE39E885CB41

Function 00007FF84917A7CD Relevance: .9, Instructions: 929
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41316391230f3151997dbc2e36b461b8324faa27d3596eb801e1d77ae0011e51
Instruction ID: 3a02b9194f6077d34d9fd34e463ca852624e3f271d645d092752d220f923f015
Opcode Fuzzy Hash: 41316391230f3151997dbc2e36b461b8324faa27d3596eb801e1d77ae0011e51
Instruction Fuzzy Hash: 3262413061CA498FEBA8EF2CC454B6977E1FF99341F1445BAE04DC72A6DE39E8418B41

Function 00007FF849178A61 Relevance: .7, Instructions: 707COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3032f650d5c823a215c71f29b5148eee7a580143716f364798aa912d8f56d20
Instruction ID: 910b01101d35b93ed28a1464ee594d180fa855a8ad10caa4e3ff19a17663fbc7
Opcode Fuzzy Hash: d3032f650d5c823a215c71f29b5148eee7a580143716f364798aa912d8f56d20
Instruction Fuzzy Hash: CE228430A1C94A4FEBA8EF1884957B977E2FF98340F5441BDD44EC36D2DE38A8468B45

Function 00007FF84917C349 Relevance: 3.9, Strings: 3, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

a(_H, xrefs: 00007FF84917C373
`"&I, xrefs: 00007FF84917C48E
X!&I, xrefs: 00007FF84917C40B

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID: X!&I$`"&I$a(_H
API String ID: 0-269873546
Opcode ID: 0ecc13c994bf05324ac7c518c655dffd14f23d51350c8983753e5e7182afbd1f
Instruction ID: 3a0833ccfe48e77c5072bf8e15a4c57805c8bdb8fe52a9d1fc7bfdba92e58be7
Opcode Fuzzy Hash: 0ecc13c994bf05324ac7c518c655dffd14f23d51350c8983753e5e7182afbd1f
Instruction Fuzzy Hash: E951D472E1DECA5FE7A9EA3840556B577D1FFA9780B5404BEC04EC3286DE2DB8428740

Function 00007FF849173F38 Relevance: 1.7, Strings: 1, Instructions: 438
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 00007FF849174457

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: f3bca7fda69ee83c0e9f110d933da563467826f7f3a0ef570960d97990002747
Instruction ID: 8917fcca6fb6fe9f6da92f2a9e22bc2b00ac1a20f6306a6316a213713ecfa139
Opcode Fuzzy Hash: f3bca7fda69ee83c0e9f110d933da563467826f7f3a0ef570960d97990002747
Instruction Fuzzy Hash: 5AD1C631A0DA8B4FE7A5AF28945537477D2EF56350F1402FAD48EC72D2DE1CAC468B42

Function 00007FF848F03525 Relevance: 1.6, APIs: 1, Instructions: 134
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32 ref: 00007FF848F03607

Memory Dump Source

Source File: 00000002.00000002.2091474985.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848f00000_Client.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: d9deec097cf24c0e392a23d1899d8dbec3504a6233651111a6d0eada148bf2f8
Instruction ID: 84acac8fea8b230bd88a2c5eb4362c578577870cfb8759f82ecd6b599c875704
Opcode Fuzzy Hash: d9deec097cf24c0e392a23d1899d8dbec3504a6233651111a6d0eada148bf2f8
Instruction Fuzzy Hash: 1741F33180DB8D9FDB19EB6C88496F9BFF0EF66310F0441AFC049C71A2DB2868458791

Function 00007FF848F03569 Relevance: 1.6, APIs: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32 ref: 00007FF848F03607

Memory Dump Source

Source File: 00000002.00000002.2091474985.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848f00000_Client.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 4c4ec7509d5ebdfb73c5a9f8e84b4ae8fd9b005a11df5ed1b1f830db3dbfd904
Instruction ID: cb601d1e1e79d94479514162f190b514817e8a8305760d4ccb552d4efed233d6
Opcode Fuzzy Hash: 4c4ec7509d5ebdfb73c5a9f8e84b4ae8fd9b005a11df5ed1b1f830db3dbfd904
Instruction Fuzzy Hash: 7D31F03180DB5C8FDB19DB5888496F9BBF0FF66310F04426BC049D3292DB78A845CB91

Function 00007FF849173451 Relevance: 1.6, Strings: 1, Instructions: 302
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(_L, xrefs: 00007FF849173673

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID: (_L
API String ID: 0-1598577166
Opcode ID: 2769a74841dcbf03c91ffce47dba137fc783d94394c65173cbccd08908ceba4d
Instruction ID: e2135bdfb03d306d86c27982fbf7b5422e8b7c8f9ec3003a7f3b87adcc0112c0
Opcode Fuzzy Hash: 2769a74841dcbf03c91ffce47dba137fc783d94394c65173cbccd08908ceba4d
Instruction Fuzzy Hash: E191E931A0DA8A4FDBBAEF2894545B577E1FF55350F0501FAD04EC3292DE2DA846CB81

Function 00007FF8491720E2 Relevance: 1.4, Strings: 1, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

#)_^, xrefs: 00007FF849172101

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID: #)_^
API String ID: 0-363831243
Opcode ID: 74cd72ed9010e09b4ae03a4299f0f8a36e40d1a4a9af4e3aaaf14f1accd68026
Instruction ID: 2027f7e5dca8b3b9fe39a64be9c24882b6c674cfb6835a56400328c8fdb0f95c
Opcode Fuzzy Hash: 74cd72ed9010e09b4ae03a4299f0f8a36e40d1a4a9af4e3aaaf14f1accd68026
Instruction Fuzzy Hash: 7E41D73391E756AFD300BE79E8854E57360FF0132DB2846BAC088CE493DB2DA58187D9

Function 00007FF8491720D7 Relevance: 1.4, Strings: 1, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

#)_^, xrefs: 00007FF849172101

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID: #)_^
API String ID: 0-363831243
Opcode ID: 2141bfa97fa2db00638df0ab9c7342b5d7e349be871213a52ea059573f22ed71
Instruction ID: ffd3df1b766d8cd4bd24610bb7607d1c787172eeacaf536df50d95205cc3f99f
Opcode Fuzzy Hash: 2141bfa97fa2db00638df0ab9c7342b5d7e349be871213a52ea059573f22ed71
Instruction Fuzzy Hash: 1341E93391E756AFD310BE79E8854E57360FF01368B2846BAC088CA483DB2DA5858BD5

Function 00007FF8491720CF Relevance: 1.4, Strings: 1, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

#)_^, xrefs: 00007FF849172101

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID: #)_^
API String ID: 0-363831243
Opcode ID: e38b38ad83ec3426f96c113816076cb93ea7f2de223a43e9036cb2041e35d25e
Instruction ID: d99647b26097c172b6c7324ad347c02ce2b88585234c8b29e0db2445d17f345c
Opcode Fuzzy Hash: e38b38ad83ec3426f96c113816076cb93ea7f2de223a43e9036cb2041e35d25e
Instruction Fuzzy Hash: 4041E73391E75AAFD310BE79E8854E57360FF01368B2846BAC088CA483DB2DA58187D5

Function 00007FF84917C466 Relevance: 1.3, Strings: 1, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`"&I, xrefs: 00007FF84917C48E

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID: `"&I
API String ID: 0-3983917185
Opcode ID: a18a9b02d410cbb13bca03977e4ebb1ce48b09a476f30bfb9560f1bc5125daae
Instruction ID: 630fac469f92e988f3f863e5202639ac82849a75856c70f16767758acf9eb1e0
Opcode Fuzzy Hash: a18a9b02d410cbb13bca03977e4ebb1ce48b09a476f30bfb9560f1bc5125daae
Instruction Fuzzy Hash: B921D362A1D9CA2FE36AAA3844562B66BE1FF65340B4440FAC04EC3283DD1CF8054350

Function 00007FF849172C10 Relevance: .5, Instructions: 490COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8eb345cb4fc63f02309fff94585e570610f27d5f0e8a93803fd0c2c43c4f830
Instruction ID: 3c8faeaf689c075a51afe46853d8d68e6ed4cb0a78f83f5f87f0edd77440288a
Opcode Fuzzy Hash: a8eb345cb4fc63f02309fff94585e570610f27d5f0e8a93803fd0c2c43c4f830
Instruction Fuzzy Hash: FEE11631E1DACA4FE775EA3888592A57BD0FF95380F1405FAD049C7292DE2CAC478B41

Function 00007FF849179764 Relevance: .4, Instructions: 441COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 320f286c661fcb1ba50fb32393a2c99c08b20cf875565e2162236ac8fcf25b53
Instruction ID: fc4975d2cb046ce6c30e0d40d854577f44ef2036c1f195859596bc16e40e5ef8
Opcode Fuzzy Hash: 320f286c661fcb1ba50fb32393a2c99c08b20cf875565e2162236ac8fcf25b53
Instruction Fuzzy Hash: 3DD16E3061C9498FEB98FF2CC458A7973E1FF99351B1140B9E44EC72A6DE28EC468B41

Function 00007FF849178BD9 Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1334c6be86e3bc0b189ff5d3f1ff8f222208d6df47a9882903eda115621f4673
Instruction ID: 0a838b7284165e606595d61f518d40adda2e23b20c900fa5d6d74a3adfe92960
Opcode Fuzzy Hash: 1334c6be86e3bc0b189ff5d3f1ff8f222208d6df47a9882903eda115621f4673
Instruction Fuzzy Hash: 8FD1C130A0DA8A4FE765EB2884957B877D1FF55384F1401F9D58EC76D3EE2CA8468B04

Function 00007FF84917A3D9 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab186ecd48fcd3e477dd5a7567cf53e4c21a8ce117cdc60ce1439407a6726d83
Instruction ID: 5d23191509109ffa48e70867773dcbc842f23a1a6436ed09ed642a6c10fe2cb3
Opcode Fuzzy Hash: ab186ecd48fcd3e477dd5a7567cf53e4c21a8ce117cdc60ce1439407a6726d83
Instruction Fuzzy Hash: FBD1A534A1CA4A8FDBA8EF28D4457B977E1FF99350F1401BAD04EC7292DF39A8418B41

Function 00007FF849173125 Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a57f1c085975f7fa25053fdbf909d090770ef5428fed4f44e47ee3d292994803
Instruction ID: fa1f7d3a5e71160e3632640d5f0a52e4053ca3fae18d9ddb8cddc4a9a65d31fa
Opcode Fuzzy Hash: a57f1c085975f7fa25053fdbf909d090770ef5428fed4f44e47ee3d292994803
Instruction Fuzzy Hash: E7A17F31B1CA4A8FDB68EF28E4556B973E1FF89355F5041B9D44ED3282DE39E8028B44

Function 00007FF849178C28 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1bf502691e27250bfe11d104a2178b4b8fabd21c4f8be44137fea9728a5c909
Instruction ID: acb3e7f460b5d0cd71abd650563c19575a49849881ee814fd561aa65c2848f8c
Opcode Fuzzy Hash: e1bf502691e27250bfe11d104a2178b4b8fabd21c4f8be44137fea9728a5c909
Instruction Fuzzy Hash: 4EB19220A0C94A4FE7A8FA2884957B977D2FF58384F5041BDD48EC76D3DE2CA8468B44

Function 00007FF849178D58 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53291976b22be75d3a6c3d3279d8d5f471aab14c56870ea25891886cfa653aa1
Instruction ID: 2a3b8df87e464f6cdbc8ef892f426a54dabbe4e614830653934cf74b1d4b2a64
Opcode Fuzzy Hash: 53291976b22be75d3a6c3d3279d8d5f471aab14c56870ea25891886cfa653aa1
Instruction Fuzzy Hash: C8A16130B0C94A4FEBA8EA2D84957B877D2FF98384F5440B9D54EC36D3DE2DA8458B44

Function 00007FF849178D1D Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44b7b36866192ae3e5b93addd96697741c87deedf3feaae15980c579a0384150
Instruction ID: 3a5671ddc40b11e3fd0a2e49c63ace20c66b3463f195441afabf0a7f5533e17d
Opcode Fuzzy Hash: 44b7b36866192ae3e5b93addd96697741c87deedf3feaae15980c579a0384150
Instruction Fuzzy Hash: 9BA15030B0C94A4FEB68EA2D84957B977D2FF98384F5041B9D58EC36D3DE2CA8458B44

Function 00007FF849178CE3 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0467a4b711c3c2d671a2eef34fae8441afe8d23097e55c3caba10176a5ce940e
Instruction ID: 0a0b9d607731f95c0745c148fd9229257463a309ba798ac3e2db8deeeef8330e
Opcode Fuzzy Hash: 0467a4b711c3c2d671a2eef34fae8441afe8d23097e55c3caba10176a5ce940e
Instruction Fuzzy Hash: E6915230B0C94A4FEBA8EA1D84957B977D2FF98384F5040B9D58EC36D3DE2DA8458744

Function 00007FF849178BBD Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d79e7c1b9161086aaa7dae72ac3316f6326549a8110588cda3a3e7a964b3e910
Instruction ID: df8b19e8a686de99f36af9a9b17f3052e97ac397cdb6b8ea1dcbe14d96802809
Opcode Fuzzy Hash: d79e7c1b9161086aaa7dae72ac3316f6326549a8110588cda3a3e7a964b3e910
Instruction Fuzzy Hash: 00915230B0C94A4FEBA8EA2D84957B977D2FF98384F5041B9D58EC36D3DE2CA8458744

Function 00007FF849178D01 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d0b7dc00bf17dc68167259dfbf5cad8d2e04ba818c8275505aa6921374f6218
Instruction ID: 5a21bb09280d3002f6a8828e7894ed4cc7d790ce903164d5599070f3d691dae9
Opcode Fuzzy Hash: 1d0b7dc00bf17dc68167259dfbf5cad8d2e04ba818c8275505aa6921374f6218
Instruction Fuzzy Hash: 08915030B0C94A4FEBA8EA1D84957B977D2FF98384F5041B9D58EC36D3DE2CA8458B44

Function 00007FF849176FC5 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3283cb493dbdf62989576844e808bcd836d183f8ee107adc85aeb5ebbb95818
Instruction ID: a72a686f97ba6d7e9db9c3e19d74a89a7928e789b086538fb2e3b24922bfa65e
Opcode Fuzzy Hash: c3283cb493dbdf62989576844e808bcd836d183f8ee107adc85aeb5ebbb95818
Instruction Fuzzy Hash: 53711631B1D98A4FE798FB2CE85967577D1EF9A360F0400BAD44EC7292DD29AC428781

Function 00007FF849176C31 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaf8325cf20099b74f03b6d838ceefa45a2d866fa6e2e481d2a4ee20e8237b7b
Instruction ID: a40ca63ba61dbd1b8263bfba0340b3b598c753ba7e6a7d7fcd0a5689936c361d
Opcode Fuzzy Hash: eaf8325cf20099b74f03b6d838ceefa45a2d866fa6e2e481d2a4ee20e8237b7b
Instruction Fuzzy Hash: 8661E071A2DD8B8FE6A8FB28945627563D2FF997C0B4400F9D00EC32D6DE2DAC028741

Function 00007FF84917BD32 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f677bd84e53701e7e2357d11ef0afb5cc988f005f1905c06949ceb31b250934c
Instruction ID: 211ddd7dfdf3183789dd8fcdbd70364fa755e713af2e96f857a6bc98542da3a4
Opcode Fuzzy Hash: f677bd84e53701e7e2357d11ef0afb5cc988f005f1905c06949ceb31b250934c
Instruction Fuzzy Hash: 1E616E30A5DA8A4FEBA1EF28D858AB577E1EF49344F0504F6D459C72A2DF2CAC41CB41

Function 00007FF84917CACE Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19d25abc40a9efb07f634478b2a66c3ac050bfc20255c2837f45ac92bfabeff7
Instruction ID: 5e373bdee35d8a0dfb06d79cbd0aeb812cb6e951a3f524511490aef6d811d101
Opcode Fuzzy Hash: 19d25abc40a9efb07f634478b2a66c3ac050bfc20255c2837f45ac92bfabeff7
Instruction Fuzzy Hash: CE51F432D0DECB4FD379AF2898551B57BD0EF553D0B0842BAD449C7292EE1CA98A8781

Function 00007FF84917C160 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c5fe332717d5b8c8091d670ade2592219626653c014b19bd54bdd838d0d4fc5
Instruction ID: b5bd64d058c41c24eb23875eff2857b2339539b29ae16845543990561d6afca2
Opcode Fuzzy Hash: 9c5fe332717d5b8c8091d670ade2592219626653c014b19bd54bdd838d0d4fc5
Instruction Fuzzy Hash: D7517931F0DE8A9FE3E5AA3C90556B573D2EF99781B5005FAC40EC328ADD296852CB40

Function 00007FF8491736F5 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f9137d2c5349f89afe7a83eb201a0c518fa150d964fe9ab155213354131e7c4
Instruction ID: 05da679b362fd994fb9010fadd29b182da81119b36d38b0fbbad9af34f54e857
Opcode Fuzzy Hash: 8f9137d2c5349f89afe7a83eb201a0c518fa150d964fe9ab155213354131e7c4
Instruction Fuzzy Hash: F9512A7161C68A5FEB64FB28A8446757BD0EF96364F1002BED48DC31D7EE2DA8038781

Function 00007FF84917D2E8 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a56a2d41c25d9810ea4f8dc1dee665bc88daab0868f6170c2e24d3187ddba73
Instruction ID: 19ea16c59a9aaada3d50fb02d4ba3c0f4312ac3d578020bb01c5c41edf24e6ee
Opcode Fuzzy Hash: 8a56a2d41c25d9810ea4f8dc1dee665bc88daab0868f6170c2e24d3187ddba73
Instruction Fuzzy Hash: 1441E020B1EA8A1FE755BB7858563F5B7D1EF88364F2401BAD00CC72C7DD1CA84683A2

Function 00007FF849174DC6 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59ea5d5f30a5f7655bc9df12285abbdbfd091b371da6cbf433fda1762b6d082e
Instruction ID: c29fe964c8bb34d22b08b6a6de131b0eac63a314f394c002fe4a25e891260a92
Opcode Fuzzy Hash: 59ea5d5f30a5f7655bc9df12285abbdbfd091b371da6cbf433fda1762b6d082e
Instruction Fuzzy Hash: C941413060CA9A4FDBA8EF28D455AB633D2FF59350F1000A9E44EC7286DE39E852CB40

Function 00007FF849176E69 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1d19bac8c2ddd8643773a7299ac56e401612839a39992f6bc75d61625f0a9fb
Instruction ID: 0a159338260bf14314bbc72518e9057afde0b380b195ac47405d23bb7c810518
Opcode Fuzzy Hash: d1d19bac8c2ddd8643773a7299ac56e401612839a39992f6bc75d61625f0a9fb
Instruction Fuzzy Hash: 0941E621A1DAC64FE755FB3C98686757FE1DFA6280B0C08FAD089C71A7D91D9C858702

Function 00007FF84917CD79 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c397f5b0c1a5fa413fa894de07bbad4e4690b2ea8b47907971ec883becbcbd5
Instruction ID: 5ae8cc2f94c17896c6316b614332e58e52a6f10377ed77e5c45feafaf9b94bac
Opcode Fuzzy Hash: 4c397f5b0c1a5fa413fa894de07bbad4e4690b2ea8b47907971ec883becbcbd5
Instruction Fuzzy Hash: 0841AF7190CA888FDB09DF68C8056A9BBE0FF99310F04426FD049D3252DB38A945CB91

Function 00007FF8491728F2 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bf8449e52de8279d6539f936d314239117d1b75bae40b91c401c894a09b2823
Instruction ID: 93ec176a294607ade39cb7354d9e4d73b7bff889564d7455b13b2d695905c1ef
Opcode Fuzzy Hash: 6bf8449e52de8279d6539f936d314239117d1b75bae40b91c401c894a09b2823
Instruction Fuzzy Hash: 7B31F221A2DADA4FE365BB2898611B67BB0EF5A340F4444B7C04EC31C3DD2D680A8751

Function 00007FF849172EC6 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 384d237b960806c45752260ddf7a0b6cfe3e48aa7423cf5a77be5a060d575084
Instruction ID: d597e46fa9c0edbdffe99adc5a2a7140aabe98ee0ec132c7dcb387ffd5e628cf
Opcode Fuzzy Hash: 384d237b960806c45752260ddf7a0b6cfe3e48aa7423cf5a77be5a060d575084
Instruction Fuzzy Hash: 2331463291EAC65FE396AB3848546A17BE1EF5A250B0844FEC049CB197DD2DAC47C740

Function 00007FF849173730 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 271bee907c2a4b3dcaeaa8ee8e7a4482ce623ba07f276875a33c8ff24fe2e7c6
Instruction ID: 754deb66a2fd6c8d210508b22f3edb4b107b674045a3ecf33099f3e9b53806de
Opcode Fuzzy Hash: 271bee907c2a4b3dcaeaa8ee8e7a4482ce623ba07f276875a33c8ff24fe2e7c6
Instruction Fuzzy Hash: 3131D77161C90A5FEB98FF28E84967573C1EF993A4B1002BDE44DC3296EE2DE8024780

Function 00007FF84917D348 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 336b4e6500f0bd45cff5b60a698864d28eb88ae4cb4fe5147a19e07f5246812b
Instruction ID: d78a32c9d0610c617b692b33caa6be7178640814980c0e0825df7898283bf80c
Opcode Fuzzy Hash: 336b4e6500f0bd45cff5b60a698864d28eb88ae4cb4fe5147a19e07f5246812b
Instruction Fuzzy Hash: 0A31E110B2E94A1FF794FB6C989A3B8A2C2EF98754F6401BAD00DC32C7DD2CAC454355

Function 00007FF84917D155 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65c90329d9b0e0f99fda8f97b1a8a91572abc121ba66800c40e63a62a583dfdd
Instruction ID: 75cde52e3d8683854fbe0851d3691b508b454d349d76bb1feec4add573a7a2cd
Opcode Fuzzy Hash: 65c90329d9b0e0f99fda8f97b1a8a91572abc121ba66800c40e63a62a583dfdd
Instruction Fuzzy Hash: 0D31FF3890DACB4FE3B9AA28985467176D0EF46390F5900FAC44FC7592DE1CE882CB41

Function 00007FF8491775E8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ac3837a1c2a50edcdae5d6cc6edb69d5a5e4a88c2063a6c3a028877e92eeade
Instruction ID: 2c63a245485bafe87bb7653dc5a842775a32b342ffa157ba87e72c231dfad75a
Opcode Fuzzy Hash: 1ac3837a1c2a50edcdae5d6cc6edb69d5a5e4a88c2063a6c3a028877e92eeade
Instruction Fuzzy Hash: 70212922F1ED4A1FF2A8A92D684957177D1EFE4290B6501FAE00DC328ADD18AC424690

Function 00007FF849173140 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a1a3e79326f8fcc857b461e80dd100158a50db5a23c5be14d37f96471c0bd50
Instruction ID: 85f102590223b22cf69fd3f0f8d515fd5024291b03086fd15944efadb38e8c40
Opcode Fuzzy Hash: 6a1a3e79326f8fcc857b461e80dd100158a50db5a23c5be14d37f96471c0bd50
Instruction Fuzzy Hash: 59218B31A18A4D8FDB98EF28D8456A977E1FF99315F10417EE40ED3282DB35E852CB40

Function 00007FF8491775F0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a07d612406a3525d16111fe617580a108c3784d60710935c2ec4a7ae174644f
Instruction ID: 130a530babe6d9b95c39819bddcda1fc658b70d582b97fe170bcd1f6b62495d3
Opcode Fuzzy Hash: 7a07d612406a3525d16111fe617580a108c3784d60710935c2ec4a7ae174644f
Instruction Fuzzy Hash: C3110D32B1DD4E1FF2B8A91D684957177D1EFD56A0B5501F9E00DC328AED18AC424690

Function 00007FF849177987 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b26243a7afb4d7b9eca0b51160737ff43434da2e9bcbc3cd2d3ad915a954d38
Instruction ID: ca143eb7860cfa8f407308c16e5271864df167dc2fcca301349aaf3247ea6b24
Opcode Fuzzy Hash: 0b26243a7afb4d7b9eca0b51160737ff43434da2e9bcbc3cd2d3ad915a954d38
Instruction Fuzzy Hash: FF21793061CA498FDB98EF1CD4456B9B7E1FF98321F10117EE48AD32A2CA35E8428B41

Function 00007FF84917D231 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e5a28688dae0f4553e930e4bb16fefd187ae760da51fffb725ee6ba8ebdf126
Instruction ID: bbe5e7089e35f80f32c5aa1fe54aabd097e9fdd28139d84bd4880f8f23b65210
Opcode Fuzzy Hash: 1e5a28688dae0f4553e930e4bb16fefd187ae760da51fffb725ee6ba8ebdf126
Instruction Fuzzy Hash: 2121022692C99E5FEB25BB6884057FABBE0FF96350F0802B7E018C31C2DF1CA5558791

Function 00007FF849172944 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d13e45b431885349a6e9acf35589d1fee52036308faf77cb18ead4ff6fe1b1f
Instruction ID: 1c8294c1df393acaec92c4c3b46ebc04066ac6e0b2775f64bfe1ea1966803588
Opcode Fuzzy Hash: 0d13e45b431885349a6e9acf35589d1fee52036308faf77cb18ead4ff6fe1b1f
Instruction Fuzzy Hash: 3921C231B2CA5A4EE764BB28C4952F672E1FB58340F80447AD04FC36C7DE2DA8068780

Function 00007FF84917CCA5 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47fd496d8ec20c169cf21a65ae04608033b170b2f93670b79adabd12adb0e874
Instruction ID: 19d00dfa294ff3e8be9c84f02d0a1f95d8e132eac3d4bcf8e283bf0a6067a65f
Opcode Fuzzy Hash: 47fd496d8ec20c169cf21a65ae04608033b170b2f93670b79adabd12adb0e874
Instruction Fuzzy Hash: 9311A00148FAC61FE34667B48C295E23FA5DF8B19071E42E7E081CB5A3D84C498A83B2

Function 00007FF84917D0CD Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae3740dd95b6d6ba793c2bf30eed220effd7029de36a866634a4f4bce5d93839
Instruction ID: 69fb064408f3dc3e335f347a8ddb16b8408c5b3ef873f53973d825ea353f4cab
Opcode Fuzzy Hash: ae3740dd95b6d6ba793c2bf30eed220effd7029de36a866634a4f4bce5d93839
Instruction Fuzzy Hash: B511C43158E6C61FC3469B748C20AD27FE5DFCB19030941F6E089CB5A3C91D9987C761

Function 00007FF8491722A9 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78a6d699c15415a838f9e2dde61795adfc5ec7d052d7dcd8c12fbf9647741536
Instruction ID: 1d4479699f4537bdc70d9085208d1fe99309fdccfcd96cdf70f620a4fdab555a
Opcode Fuzzy Hash: 78a6d699c15415a838f9e2dde61795adfc5ec7d052d7dcd8c12fbf9647741536
Instruction Fuzzy Hash: AE110131A1DBC94FD356EB3488690E97FB0EF96220B4905FBC184CB193EB2C694A8751

Function 00007FF849174C61 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f68886cf8b93ac2a95ecd2f769413ee5512950e249228f907e1a5b571708516
Instruction ID: 7b7e9669360176e4c53ecfeb9f332faeeae319b7df3b585b5bd786d96ea36513
Opcode Fuzzy Hash: 6f68886cf8b93ac2a95ecd2f769413ee5512950e249228f907e1a5b571708516
Instruction Fuzzy Hash: 8E01283190DB954FE752F72888452B97FD1DF85260F084ABED08CC60E2DE684AC6C387

Function 00007FF84917223A Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2c537ed04acb8e85478a2a7a2508abc35e2e635a1c2eeb6e4199514921a75c6
Instruction ID: d6838a7a3487eed5f2b45fc43c4fb976cb19a8df715cc2e4b9932341a5282668
Opcode Fuzzy Hash: c2c537ed04acb8e85478a2a7a2508abc35e2e635a1c2eeb6e4199514921a75c6
Instruction Fuzzy Hash: 38F0C23180DAC96FEB11AB7898592EABFF0EF46300F4540E7D848D7293DA286A958741

Function 00007FF84917C766 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e51226a47880c05c5a09d032a0858159fca9dc5aa199f5854efefe651face09b
Instruction ID: 894700fa2e9bb654fa6082f4fc902c59a42119b3916d090aebba7b4a81b2ca59
Opcode Fuzzy Hash: e51226a47880c05c5a09d032a0858159fca9dc5aa199f5854efefe651face09b
Instruction Fuzzy Hash: 92F0D621E19DC75FD2A8BE3804515BA62E2FFD8680B8445BCD01EC3286CF1CB9064B01

Function 00007FF8491721D4 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90db19d8fd4f875f29c22c70a91f0b7187a64b831f5c273156be62f4276c8880
Instruction ID: 48022dd74922a311e3ea29dd298bcfa7ff7fd49ce8df8774c0692c90ef785437
Opcode Fuzzy Hash: 90db19d8fd4f875f29c22c70a91f0b7187a64b831f5c273156be62f4276c8880
Instruction Fuzzy Hash: 83F0973668DE8F1FE350BD9E98C14F07380FB403B4B5801BAC909C3481DA8EA8530280

Function 00007FF849173020 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2e8f475b2c671f66d3e2bf267a6af3831eecbdbf4112cb82820bfb5b2b96c98
Instruction ID: 7aa66cc4498c60c23065d05a3a2f3762807d4f665e045c52b087bdc773de905b
Opcode Fuzzy Hash: b2e8f475b2c671f66d3e2bf267a6af3831eecbdbf4112cb82820bfb5b2b96c98
Instruction Fuzzy Hash: 6DF0B430A2CA4A4FE755BA3C580427573D5FF45305F5409BDD889C7591DF28D8424741

Function 00007FF84917340D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b43d43b492d4213959e61bb28802a0fa943040318bce010ea734979e5beae78
Instruction ID: 6c8d1ecce4743a7c7779fabf787fa419379958b9f467e0ce99b578513b5a0e17
Opcode Fuzzy Hash: 2b43d43b492d4213959e61bb28802a0fa943040318bce010ea734979e5beae78
Instruction Fuzzy Hash: 3BF08C7190D60D6FDA18FF59EC469EA37A8FB86220F00013AF44D82192E6256862CB50

Function 00007FF84917CD35 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf0684dd68ec0025d4e2429798ca093fdff1ca473fad36cd5fa825859e9077ad
Instruction ID: 7ba1382fcfb21367da4b8061a9b8d10ff3f8f56deeb494129ace7e77169c63f6
Opcode Fuzzy Hash: bf0684dd68ec0025d4e2429798ca093fdff1ca473fad36cd5fa825859e9077ad
Instruction Fuzzy Hash: 14E048A391F3C55FC752AA3889695953F609E1729131A48FFC045DB1B3F14D8C0DC712

Function 00007FF84917C439 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1166c6ff3804cd25489c47a985e9db0361672f986eb1ef1639711b6ffb183d8
Instruction ID: 27ba853327b417b3d7f54e4a0839c4eed0135128d4873486665ed5fbacc50591
Opcode Fuzzy Hash: b1166c6ff3804cd25489c47a985e9db0361672f986eb1ef1639711b6ffb183d8
Instruction Fuzzy Hash: 78D0A763E5C68F0EF5907D0878910F163C0FF562B4B5002B7C48AD2187DD2FB9870641

Non-executed Functions

Function 00007FF8491710D1 Relevance: .5, Instructions: 519COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2093675079.00007FF849170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff849170000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4578cca5cb98f4bfff19d11a49fae82358a2a3af9f544dbef2eaa708a7071a37
Instruction ID: 7a629bbc91013eb3bd7550812ad5c9442e1c19bebcf01f8b7a949bb6ad396672
Opcode Fuzzy Hash: 4578cca5cb98f4bfff19d11a49fae82358a2a3af9f544dbef2eaa708a7071a37
Instruction Fuzzy Hash: 73F18722D1F2E3AFE351BB78B4950E67B70EF0226DB1C42B7D08C4D0539E1D658686A9

Function 00007FF848F095F2 Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2091474985.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848f00000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fca22ef0f090f4595479521507cc9f3f5533080623a5316787b906355cead8dd
Instruction ID: bc9cdb7ba2a4b5f5c065d45471071fec397d04d3478614ebe7a474add06bb084
Opcode Fuzzy Hash: fca22ef0f090f4595479521507cc9f3f5533080623a5316787b906355cead8dd
Instruction Fuzzy Hash: 6AB1E963E0EAC24FE257A73C28141756FA1EF93AA4F0845FFC2884F5D7B9485C468399

Analysis Process: Client.exePID: 3648, Parent PID: 760COMMON

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF8491993C1 Relevance: 11.4, Strings: 8, Instructions: 1409
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HAH, xrefs: 00007FF849199F8D
HAH, xrefs: 00007FF84919A292
HAH, xrefs: 00007FF84919A03A
HAH, xrefs: 00007FF849199FC7
HAH, xrefs: 00007FF84919A141
HAH, xrefs: 00007FF84919A107
HAH, xrefs: 00007FF84919A000
HAH, xrefs: 00007FF84919974B

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID: HAH$HAH$HAH$HAH$HAH$HAH$HAH$HAH
API String ID: 0-4024470385
Opcode ID: 18e7aab77b058f7fcae9ecd3b4cbfa57e61e213bb24e277f2e906a924feb1981
Instruction ID: 17536e4ff0b9510d8743353485f2882be3947ac2b87d94ff0377e961f3b0aa26
Opcode Fuzzy Hash: 18e7aab77b058f7fcae9ecd3b4cbfa57e61e213bb24e277f2e906a924feb1981
Instruction Fuzzy Hash: 3192F330A1C9894FEBA8EF2C9459A7577D1FF99394F0400BAD44EC7296DE2DAC42CB41

Function 00007FF849194DC6 Relevance: 2.5, Strings: 1, Instructions: 1274
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HAH, xrefs: 00007FF849196226

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID: HAH
API String ID: 0-1579723087
Opcode ID: 50e423830797252b7462f863199c31a83f9fd6edc4e5c65c69deaa3f400b834a
Instruction ID: 5001a460aab2008c969c54fdd5686bb0f13a1b5c6ecca69454e70ff956366ed1
Opcode Fuzzy Hash: 50e423830797252b7462f863199c31a83f9fd6edc4e5c65c69deaa3f400b834a
Instruction Fuzzy Hash: 5492A570A1CA598FDF98EF18C494BA97BE2FF58344F5041A8D44ED7296CE39E885CB40

Function 00007FF849195BE1 Relevance: 1.9, Strings: 1, Instructions: 692
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

*%I, xrefs: 00007FF849196070

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID: *%I
API String ID: 0-3524644257
Opcode ID: 54808ccf77d4b549684ee25b3be00e0c1877cc42a23e15d4f7cb1167b8a36e4d
Instruction ID: 9208b29016d09c793de702c1e32cf8d6e2e688d31c855150a4ffe504d76f41c8
Opcode Fuzzy Hash: 54808ccf77d4b549684ee25b3be00e0c1877cc42a23e15d4f7cb1167b8a36e4d
Instruction Fuzzy Hash: A7325C30A18A598FEBA4EF18C8857A9B7E1FFA8344F5045B9D44ED3295DB34E981CF40

Function 00007FF84919A7CD Relevance: .9, Instructions: 932COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 027920c7c5276570b85542bc1f4e5587c43c4d9188c1bcd6d55685ace63d58a3
Instruction ID: 842fed6330de5f9945c6c152990b2d87f5aff33adc30a04d233292505c3b586b
Opcode Fuzzy Hash: 027920c7c5276570b85542bc1f4e5587c43c4d9188c1bcd6d55685ace63d58a3
Instruction Fuzzy Hash: BC62513060CA498FEB98EB2CC458B6977E1FF99344F1445BAE44DC72A6DE38E845CB41

Function 00007FF849198A61 Relevance: .7, Instructions: 712COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b36f49fabefe3aafc18d1720a463cdb0363d54fe11d5550dd0d5443fc43b1053
Instruction ID: 676c17c296b48ab9e479d26e86f8b7949ec009e37f966d89c9563676283539ff
Opcode Fuzzy Hash: b36f49fabefe3aafc18d1720a463cdb0363d54fe11d5550dd0d5443fc43b1053
Instruction Fuzzy Hash: 32228030A1CA494FEBA8EF1894957B973E2FF98344F5441BDD44EC3692DE39A842CB41

Function 00007FF849196C31 Relevance: 5.2, Strings: 4, Instructions: 240
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HAH, xrefs: 00007FF849196D9C
HAH, xrefs: 00007FF849196E58
HAH, xrefs: 00007FF849196E0F
HAH, xrefs: 00007FF849196DD6

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID: HAH$HAH$HAH$HAH
API String ID: 0-4204409433
Opcode ID: d65be5e795112607ac6ba079b9986816e2200c042e787d65140ca06c49c75d03
Instruction ID: a7015334e991d6f4f21ac8a120a93598c26d8183b7c9017dbd106e40912bdb6d
Opcode Fuzzy Hash: d65be5e795112607ac6ba079b9986816e2200c042e787d65140ca06c49c75d03
Instruction Fuzzy Hash: 1061C171A2DD8A4FE6A9EB2CD45667563D2FF987D4B4800B9D00EC32D6DE2DAC02C750

Function 00007FF84919C349 Relevance: 4.0, Strings: 3, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`"(I, xrefs: 00007FF84919C48E
X!(I, xrefs: 00007FF84919C40B
a&_H, xrefs: 00007FF84919C373

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID: X!(I$`"(I$a&_H
API String ID: 0-2743432387
Opcode ID: 2f6be554e39ffe5b0b940c082e17de6ce9dead3fa9b6295eb0173b8a7a45fcba
Instruction ID: d85c1ea4ee8b84674dbd499e331d2457e23414a15258922e965f26f8dac5797c
Opcode Fuzzy Hash: 2f6be554e39ffe5b0b940c082e17de6ce9dead3fa9b6295eb0173b8a7a45fcba
Instruction Fuzzy Hash: D651D472F1CE8A5FE3A9EA2C50556B573D1FFA8794B50057AC08EC32C6DE2DA9428740

Function 00007FF84919A3D9 Relevance: 2.9, Strings: 2, Instructions: 395
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HAH, xrefs: 00007FF84919A70E
HAH, xrefs: 00007FF84919A41A

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID: HAH$HAH
API String ID: 0-524784639
Opcode ID: 2b91ac9e68fa1ccd56e733f45d1593e1f074c44b4387ba584da70abee1e0b60d
Instruction ID: 258e5f35d57c748949129334e41e417a750fe013c0daee3fd2e064e18f350db1
Opcode Fuzzy Hash: 2b91ac9e68fa1ccd56e733f45d1593e1f074c44b4387ba584da70abee1e0b60d
Instruction Fuzzy Hash: 29C18130A1CA498FEBA8EF28D4457B9B7E1FF98344F54417AD04EC7292DE38A845CB41

Function 00007FF849192C10 Relevance: 1.7, Strings: 1, Instructions: 494
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HAH, xrefs: 00007FF849192C63

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID: HAH
API String ID: 0-1579723087
Opcode ID: 0f2baf96655ccebf738db9fb067d2e925775fc1835d4a79bfa51985212993bbf
Instruction ID: 2f9d1b58a8b637905b3a27458d2610d219a11ec1a937dcc2be2e6608412ca790
Opcode Fuzzy Hash: 0f2baf96655ccebf738db9fb067d2e925775fc1835d4a79bfa51985212993bbf
Instruction Fuzzy Hash: 4CE13632E1D9CA4FE7B5FA2C98492B57BD0EF95394F0405BAD049C7292DE2CAC46CB41

Function 00007FF849193F19 Relevance: 1.7, Strings: 1, Instructions: 477
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 00007FF849194457

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 488f0b8c438b12fea8e419c8a5df85de028107d76c438eea67ecc784aae0fc38
Instruction ID: 1b150359fe1fb0c15d211ee5d6a5b1789a60c85158ef2aa24a026fea785a44cc
Opcode Fuzzy Hash: 488f0b8c438b12fea8e419c8a5df85de028107d76c438eea67ecc784aae0fc38
Instruction Fuzzy Hash: 86E12731A0CA9A4FE7A5AF28985537937D1EF56354F0402BAD48EC72D2DE1CAC46C782

Function 00007FF848F23525 Relevance: 1.6, APIs: 1, Instructions: 134
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32 ref: 00007FF848F23607

Memory Dump Source

Source File: 00000007.00000002.2205422456.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff848f20000_Client.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 621667b5e92df981a467c3468a716cdc75b405d6f3084c27cd931e2e74ebe20d
Instruction ID: 94eeb3ceba49940d97bc64828f464bc8390313a7bdfe520e21ef9d0706a0c236
Opcode Fuzzy Hash: 621667b5e92df981a467c3468a716cdc75b405d6f3084c27cd931e2e74ebe20d
Instruction Fuzzy Hash: DC41F57180DB8C5FDB15EB6C98496E9BFF0EF56310F0441AFC049C71A2DB2968058751

Function 00007FF848F23569 Relevance: 1.6, APIs: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32 ref: 00007FF848F23607

Memory Dump Source

Source File: 00000007.00000002.2205422456.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff848f20000_Client.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 8d358f59e70f7231e6e6bd0a2b47db04b79cc063e6a771c1c1136b43fece1bad
Instruction ID: abc54ccf21843c473a4d7dff86577630fd02a3549c39ea79b2012866f3849d86
Opcode Fuzzy Hash: 8d358f59e70f7231e6e6bd0a2b47db04b79cc063e6a771c1c1136b43fece1bad
Instruction Fuzzy Hash: 1131F07180CB5C9FDB19DB5888496E9BBF0FF65310F04426BC049D3292DB79A846CB91

Function 00007FF849193451 Relevance: 1.5, Strings: 1, Instructions: 299
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

&_L, xrefs: 00007FF849193673

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID: &_L
API String ID: 0-1440118532
Opcode ID: 76b847f4644dc8f40dd6562ab8df880306e5a34ffa5bd1687f37683f6b9cacf6
Instruction ID: 8be88a50018b1547991fdbe2a04a78b2c9c5da92ccae12d55ca2e014cfcb6b71
Opcode Fuzzy Hash: 76b847f4644dc8f40dd6562ab8df880306e5a34ffa5bd1687f37683f6b9cacf6
Instruction Fuzzy Hash: D0911830A0DA894FDBA6EF2894546B577E1FF59354F0501BAD00EC32A2DE2DE846CB81

Function 00007FF849196E69 Relevance: 1.4, Strings: 1, Instructions: 149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HAH, xrefs: 00007FF849196E8E

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID: HAH
API String ID: 0-1579723087
Opcode ID: 85def69c15dd46047042b0f1177cc2038a9893a7ac094799d4475ce46eaeb03c
Instruction ID: e0689052aa82c02ff15ac8e87c6a607890b564495be8fdbed7f108446e3a131e
Opcode Fuzzy Hash: 85def69c15dd46047042b0f1177cc2038a9893a7ac094799d4475ce46eaeb03c
Instruction Fuzzy Hash: C2412721A1EAC54FE796AB3C98686757FE1DFA6384B0804FAD089C71A3D91D9885C701

Function 00007FF8491920E2 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

#'_^, xrefs: 00007FF849192101

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID: #'_^
API String ID: 0-523350721
Opcode ID: 1b12e625d07d778b83150386e6fb02b39c85607b16371d8ed9d06258134584e2
Instruction ID: f50f03f9b3e44deff4f7b11bc3b965d452f695278f4a653962641dd99ad1012f
Opcode Fuzzy Hash: 1b12e625d07d778b83150386e6fb02b39c85607b16371d8ed9d06258134584e2
Instruction Fuzzy Hash: C5410E37E1A5269EC311BEBDF4864D9B3B0EF85379B084677C188CE093DB1C544586E9

Function 00007FF8491920D7 Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

#'_^, xrefs: 00007FF849192101

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID: #'_^
API String ID: 0-523350721
Opcode ID: da19acb61aec4956819ddf830d09c5ce2f1545100b7d4c59c46fcb4c551777a3
Instruction ID: 8896d64552868fc34030e801095ad9f07f2a7e3fb9bed2cb6d469f7f411aafae
Opcode Fuzzy Hash: da19acb61aec4956819ddf830d09c5ce2f1545100b7d4c59c46fcb4c551777a3
Instruction Fuzzy Hash: 63313D27F1E5259ED310BEBDF4864EAB3A0EF85379B0C4677C188CE083DA1C644586E8

Function 00007FF8491920CF Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

#'_^, xrefs: 00007FF849192101

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID: #'_^
API String ID: 0-523350721
Opcode ID: b6785d5bfe575b9a9b4ea9d9429d74f49a92da007baf977676ab808a6e8e139f
Instruction ID: a7d5dbeb470b70c4e61a75ed4f64e325159e7a837f88e226ad12b0c94fe1a245
Opcode Fuzzy Hash: b6785d5bfe575b9a9b4ea9d9429d74f49a92da007baf977676ab808a6e8e139f
Instruction Fuzzy Hash: DF310D27E5E52A9EC311BEBDF4864E9B3A0EF85379B0C4677C188CE183DA1C544586E4

Function 00007FF84919C466 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

`"(I, xrefs: 00007FF84919C48E

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID: `"(I
API String ID: 0-1945562383
Opcode ID: 450a14919b0a85711d6fffc8e02c4a5ee4438a6b7ae98420067902bdbbc9e71d
Instruction ID: 858f33006d9b2d037623cc0ecc49c5ef280719a9ceeb9d757b1f0a4a23fb0cc5
Opcode Fuzzy Hash: 450a14919b0a85711d6fffc8e02c4a5ee4438a6b7ae98420067902bdbbc9e71d
Instruction Fuzzy Hash: BD2128A2B1DDCA1FE399EA3C44553B567E1FFA8350B0401BAC08EC72C7DD1CA8058350

Function 00007FF849199763 Relevance: .4, Instructions: 440COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7314310cb6929b9ae138ba4ce3d2e202baf1394032c268b45525031f160886bf
Instruction ID: 0dd6c70585c1a8f0df5bf8f7e17c6e358b7334e7e93abd9755afbb7ef882112f
Opcode Fuzzy Hash: 7314310cb6929b9ae138ba4ce3d2e202baf1394032c268b45525031f160886bf
Instruction Fuzzy Hash: 0ED14B306189498FEB98EF2CD499A7973E1FF59345B1140B9E44EC72A6DE28EC42CB41

Function 00007FF849198BD9 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 913f4818d3ca3534a14d7fc172c69bec00404cbdf62e966faf66e42b9dac6b36
Instruction ID: 7a6826d5d72ff479789f95c4d73e2ba21d4f6da8fd732b196e88246a4222a83d
Opcode Fuzzy Hash: 913f4818d3ca3534a14d7fc172c69bec00404cbdf62e966faf66e42b9dac6b36
Instruction Fuzzy Hash: 2CC1BF20A0CA4A4FEB68EB2C94557B877D1FF54388F5441B9D48EC72D2DE2DA846CB04

Function 00007FF849193125 Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a64478ad9fd5205c25e393929d3fafa858a0642a1925e2bf44fdb01f4d2f258a
Instruction ID: 35096003fd484967f57f1684055d1907151cbca31ddb9e69309ac24082fbfaf9
Opcode Fuzzy Hash: a64478ad9fd5205c25e393929d3fafa858a0642a1925e2bf44fdb01f4d2f258a
Instruction Fuzzy Hash: 45A17E31A1CA498FDBA8EF28D4556B973E1FF88355F504179E45ED32D2CF39A8028B44

Function 00007FF849198C28 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c309ae073ce051f5073c48e10176c89a1e2b58e65660e2ad6c1c22c6a24810af
Instruction ID: 2fc4457616909eefa62dd2bf0dfa807abc2aecb246cdef58f401734ec26ff13d
Opcode Fuzzy Hash: c309ae073ce051f5073c48e10176c89a1e2b58e65660e2ad6c1c22c6a24810af
Instruction Fuzzy Hash: D4A1AF30A0CA494FEB68EB2994557B877D2FF58388F5041BCD48EC36D2DE2DA8468B44

Function 00007FF849198CA8 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9144c0d6284ee2335248b67c84759043225644d19694353acfa76dbfe7094b39
Instruction ID: fb8c5e64b94bd3b9f5d53a14debd9231f576698aef5181bfa1c29b7933ec1c4d
Opcode Fuzzy Hash: 9144c0d6284ee2335248b67c84759043225644d19694353acfa76dbfe7094b39
Instruction Fuzzy Hash: B4A19030A0C9494FEB68EB2D94557B877D1FF58384F5041B8D48EC36D2DE2DA8468B44

Function 00007FF849198D58 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82d1acb9e788213accce6f5d18633eb39f2eb5446c23643f327f71681b2dbfab
Instruction ID: 6d130e9ca2a999c81133d5d4478c451e1aca0f202d42f56a2d84dcec56870a52
Opcode Fuzzy Hash: 82d1acb9e788213accce6f5d18633eb39f2eb5446c23643f327f71681b2dbfab
Instruction Fuzzy Hash: 4B916030B0C9494FEBA8EB2D94957B873D2FF98384F504179D48EC36D6DE29A8468B44

Function 00007FF849198CE3 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74579974ad64606443bb7e5523b9954360764574d3927f56dfb092c0208466f7
Instruction ID: 78d5aa5ed4294918cc45339d42b80779d84e854fbe7aa73ae04e887dba513fa8
Opcode Fuzzy Hash: 74579974ad64606443bb7e5523b9954360764574d3927f56dfb092c0208466f7
Instruction Fuzzy Hash: 3D915030A0C9494FEBA8EB1D94957B873D2FF98384F504179D48EC36D7DE29A8468B44

Function 00007FF849198CC6 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d152a46da08d637e65fb56121e04c6f354acf20a23990b9d81497be19b289d9
Instruction ID: efd606582ac007c5939f115e6bcb886ede48e13379bf23cb9e2e56c8c659838b
Opcode Fuzzy Hash: 6d152a46da08d637e65fb56121e04c6f354acf20a23990b9d81497be19b289d9
Instruction Fuzzy Hash: 4D915030A0C9494FEB68EB2D94957B873D2FF98384F504179D48EC36C7DE29A8868B44

Function 00007FF849198D3B Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0227b86016d52ab2e1d446ef4ee4558d2737ae5b0b1d44020d5da512a6c52257
Instruction ID: d9ed101c386671a61b75be1e538f23d7d2487d4f838aeb6abf9477505c173822
Opcode Fuzzy Hash: 0227b86016d52ab2e1d446ef4ee4558d2737ae5b0b1d44020d5da512a6c52257
Instruction Fuzzy Hash: 15915030B0C9494FEBA8EB1D94957B873D2FF98384F504179D48EC36D6DE2DA8868B44

Function 00007FF849198D1D Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90609fb0b01fd9738fda38446314bf2a861349021838002008dd82c0cf770551
Instruction ID: ca90f547531a7f680cb9b382251532d55f0526b9b5ea297d0b435217d4b7782c
Opcode Fuzzy Hash: 90609fb0b01fd9738fda38446314bf2a861349021838002008dd82c0cf770551
Instruction Fuzzy Hash: 59915030A0C9494FEB68EB1D94957B873D2FF98384F504179D48EC36D7DE2DA8868B44

Function 00007FF849198BBD Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f527879e0ebb147d57d6b3e453bb1208a098ad4ed3151b047fa60e305eca8e3b
Instruction ID: d8522c5be28bb79ecef639e30a40b992505aff855e95bfb436830469ac2efb12
Opcode Fuzzy Hash: f527879e0ebb147d57d6b3e453bb1208a098ad4ed3151b047fa60e305eca8e3b
Instruction Fuzzy Hash: B2916030A0C9494FEB68EB1D94957B873D2FF98384F5441B9D48EC36C7DE2DA8468B44

Function 00007FF849198D01 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7dc5837b27b723a6dfc24b481fc380de4996782a6568f0b32aa2643ce264b0
Instruction ID: 6ecd3398aefde7188b000d0964bc16644c2d8a4602036f475d2865b9ec9fc5c3
Opcode Fuzzy Hash: 6c7dc5837b27b723a6dfc24b481fc380de4996782a6568f0b32aa2643ce264b0
Instruction Fuzzy Hash: 47915130A0C9494FEB68EB1D94957B877D2FF98384F5041B9D48EC36C7DE29A8468B44

Function 00007FF849196FC5 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c9a184db423af3b59908a38139c27f1ae00750b7f0b071ef01df58ca5299203
Instruction ID: fc4a0a4e82893be7bedb6586efd57d664ae38073bc4f66947d709f61e8f344e9
Opcode Fuzzy Hash: 7c9a184db423af3b59908a38139c27f1ae00750b7f0b071ef01df58ca5299203
Instruction Fuzzy Hash: 1A713731B1C9494FEBA8FB2CE84967577D1EF9A364B0401BAD44EC7293DD29EC428781

Function 00007FF84919BD32 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 952e0f008315306dbf9392a97c290a951aeec02139977c5825941f2f8217f6dc
Instruction ID: a9442ed3fa12d579a612266feb157994e7b4a9cd9e311272e3fd0153ccdd096c
Opcode Fuzzy Hash: 952e0f008315306dbf9392a97c290a951aeec02139977c5825941f2f8217f6dc
Instruction Fuzzy Hash: 6A619230A4DA898FEBA5EF28D858AB577E1FF45348F0504BAD45DC71A2DA2CEC41CB41

Function 00007FF84919CACE Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 584bd8e9a985696f3331e015902a2b8ae42c867dcc08a522f1a2c042d562235e
Instruction ID: d7eec369e0cbaa2ad0daf6646d5c0d8b2069bd14f40728be77eb499b1c158c0a
Opcode Fuzzy Hash: 584bd8e9a985696f3331e015902a2b8ae42c867dcc08a522f1a2c042d562235e
Instruction Fuzzy Hash: 26511672D0CACA4FE379EE2CA8151B57BD0EF556D4B04427AC48EC71D2DD1DA885C781

Function 00007FF84919C15F Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25ff7c5b833382391642a9fe1342db0aee9fe3742c56d61244a7c508b055872b
Instruction ID: 28e17837f1213ac985cd79ed8d67861fdce928b7108f453edbae97dddcb9a73c
Opcode Fuzzy Hash: 25ff7c5b833382391642a9fe1342db0aee9fe3742c56d61244a7c508b055872b
Instruction Fuzzy Hash: 29519B71F0CE8A9FE3E4EA7C90556B473D2EF98794B5005BEC44EC328ADD296842CB40

Function 00007FF8491936F5 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39a7186164cd7bf150320a120b48d473827f0a8c9a45f710900a501ffda07b08
Instruction ID: abb76c9021bb3e5650a5fc68adec04447b43f026f043509fe4d608d167b2fb62
Opcode Fuzzy Hash: 39a7186164cd7bf150320a120b48d473827f0a8c9a45f710900a501ffda07b08
Instruction Fuzzy Hash: E151083151CA894FEB68FB2898456767BD0EF563A8F10067ED48DC31E6EE1DA843C781

Function 00007FF84919D2E8 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 620506d7f55f44c3311f95ebdacd227603a699825450fcfd519e2c6aa22701d1
Instruction ID: b7dddc1128b5e9ce90c570e19e9a5be8736aeb543fa135ad934443952026e75e
Opcode Fuzzy Hash: 620506d7f55f44c3311f95ebdacd227603a699825450fcfd519e2c6aa22701d1
Instruction Fuzzy Hash: 75411220B1EA865FE754BB7C58463B5B7D1EF98755F2401BAE40CC32C7DD2CA84683A2

Function 00007FF849192EC6 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 635d58790f4f2fc4d9f1eb2e0b2be033e36bd2af7cfef1caac394802b81c23ab
Instruction ID: 5ecc20bc4304da26972d093ede95a2197fff7b0e66a0352b0a56b59b8b98f1b5
Opcode Fuzzy Hash: 635d58790f4f2fc4d9f1eb2e0b2be033e36bd2af7cfef1caac394802b81c23ab
Instruction Fuzzy Hash: 25317A3291D9C64FE39AAB3894452B13BE1EF9B35470444FAC009CB293CD2D9C47C740

Function 00007FF8491928F2 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b92074d423c848063a17dd06a3aced4af8941c004e6324df9b8009342c2dc10
Instruction ID: 1a20cf2d43772aee813ee96f88a7fcfbe54a9378c253144637377db472ef9671
Opcode Fuzzy Hash: 7b92074d423c848063a17dd06a3aced4af8941c004e6324df9b8009342c2dc10
Instruction Fuzzy Hash: 0431E221A2DADA4FE765BB2894651F67BF0EF5A344F4004B7D04AC31C7DE2D6806C791

Function 00007FF849193730 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17207ba3023ceb273b0f3b584b5154f041d76f88de1ffb4a1ab141f41781fa36
Instruction ID: 63173fb47b8f30940e5840dd3e927b370264a3eda066046354867706ea56fbf6
Opcode Fuzzy Hash: 17207ba3023ceb273b0f3b584b5154f041d76f88de1ffb4a1ab141f41781fa36
Instruction Fuzzy Hash: 1231D73161C9495FEB98FF28D449A7633D1EF99394B10067DD44EC32A6EE29A8028781

Function 00007FF84919D155 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f853f2670ac78b683cea1c34d0b72235c83fd7fac0cbc4eef035b73b17560d61
Instruction ID: 3c49bf979db5bc15f8bea14ebcc778c9d75f46524d03a0db64b7b0e8007fd354
Opcode Fuzzy Hash: f853f2670ac78b683cea1c34d0b72235c83fd7fac0cbc4eef035b73b17560d61
Instruction Fuzzy Hash: CD31033A90DAC74FE7B9AA2C94542717BD0EF45398F1800B9E44FC7192DE1CE881CB41

Function 00007FF8491975E8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c5f20176eab9b213672abddc3069fc86d3b620a8c67c1a989393514d4eb2d18
Instruction ID: 59b572fc492cc3fa5b961acc1297b83cd9b91388b694a9f279fe28e5cf703416
Opcode Fuzzy Hash: 7c5f20176eab9b213672abddc3069fc86d3b620a8c67c1a989393514d4eb2d18
Instruction Fuzzy Hash: D9113A33F1ED4A5FF2B8A91C68495B537D1EFE87A475502BAD00DC3286ED1CAC42C690

Function 00007FF849193140 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 617480ec8379741bdbcc26516d4a8ad12cf611d24e87577959cd10e7ab68d7ca
Instruction ID: f15d14fe100184bc4c1872538f046a0903b15e530964e0fa1aae5b08da50eedc
Opcode Fuzzy Hash: 617480ec8379741bdbcc26516d4a8ad12cf611d24e87577959cd10e7ab68d7ca
Instruction Fuzzy Hash: D221AB31A18A4D8FDB98EF28D4456AA77E1FF99319F10017EE40ED3292CB35E852CB40

Function 00007FF8491975F0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cc23f08f062537f57da25aa846b3bd4b5b6b8f580fa459cdc76326926ae3f0b
Instruction ID: f9632734babef89120cfc4a56455d58702f02a6fd1ee84b9a917fb85ef0d7222
Opcode Fuzzy Hash: 4cc23f08f062537f57da25aa846b3bd4b5b6b8f580fa459cdc76326926ae3f0b
Instruction Fuzzy Hash: 9A112932F1DD4A1FF2B8A91CA84A5B537D1EFE97A475502BAD00DC3286ED1CBC42C690

Function 00007FF849197987 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca8d749adcc35a90960060d05e621b05a4eb57cceac6aa0f1f7cb931412474c2
Instruction ID: e1344c576649195c80d93808864a628027ea46dd323f1e1b0aaf89acf08b42cd
Opcode Fuzzy Hash: ca8d749adcc35a90960060d05e621b05a4eb57cceac6aa0f1f7cb931412474c2
Instruction Fuzzy Hash: ED216A3061CA498FDB98EF1DD4456A9B7E1FF98321F10117EE48AD32A1CA35E842CB41

Function 00007FF84919D231 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30e3c9fd302e7ce5f1e32d101ac83386c64d8d65977a4f3d027c69550898d1ec
Instruction ID: e285601e8082b6f5d3ca7456fba95ec737e4e21e235793dac843f88e1a438a57
Opcode Fuzzy Hash: 30e3c9fd302e7ce5f1e32d101ac83386c64d8d65977a4f3d027c69550898d1ec
Instruction Fuzzy Hash: D921322691C99D5FE765BB6894017FAB7E0FF96354F0802B6E00CC30C2CF1CA91487A1

Function 00007FF849192943 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f5b8531caa20ba977c609587fb2d875a79ae07f340d30521c08a12c33ff01e2
Instruction ID: 982bad26c3e52cf9ce80d7897e09ee4c1eaccc6dfdd57b7902e4b7928823c8f6
Opcode Fuzzy Hash: 6f5b8531caa20ba977c609587fb2d875a79ae07f340d30521c08a12c33ff01e2
Instruction Fuzzy Hash: C4219231B3995A4EE764BB28D0552FA72E1FB58344F804576D44FC32C7DE2DA8468781

Function 00007FF84919CCA5 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04543487c11183bd29f2be614a3aebb49d17fcc8325ec81624ed478006f36048
Instruction ID: 4446d0fe66a21aa45b216bd03f6e9dc9d9ea8d14a6c42db422093f6e69e05dee
Opcode Fuzzy Hash: 04543487c11183bd29f2be614a3aebb49d17fcc8325ec81624ed478006f36048
Instruction Fuzzy Hash: A211A31148EAC60FE34A6BB44C295E13FE5DF9B59071D42EBE0C5CB4A3D85C498BC3A1

Function 00007FF84919D0CD Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 388f6dc0d0931debd34a59f4572515a07ca7372fdfecbd8b9c5f0c81777c176c
Instruction ID: 6335dc559a245b1b68ced56663220aaef59cc89c56491f2fa80ac394861f987f
Opcode Fuzzy Hash: 388f6dc0d0931debd34a59f4572515a07ca7372fdfecbd8b9c5f0c81777c176c
Instruction Fuzzy Hash: A711A53158E6C65FC3469BB48814AD17BE1EF8B15030941FAD089CB593C96C9887C761

Function 00007FF8491922A9 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f0aca70f4caff74a7da22dc25e8941fe8ad42601fac7d8f2547d00557000eb1
Instruction ID: 5f3fa7ddc394a8e96e6106df0d3b39e4ddc4a8548c6a85c8e1afb0ca2e913d33
Opcode Fuzzy Hash: 1f0aca70f4caff74a7da22dc25e8941fe8ad42601fac7d8f2547d00557000eb1
Instruction Fuzzy Hash: CE11323291E7C94FD356AB3498150E97FB0EF46210B4A05FBC144CB1A3DF2C594AC351

Function 00007FF849194C61 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30aa03f9ebd3b243a2f2912e4991a16a04de79a8b383222cda0942732e343144
Instruction ID: 2991edce58318fe24afe76c9aa8fdf45d9c10673b2fbded0936309cb47e91d12
Opcode Fuzzy Hash: 30aa03f9ebd3b243a2f2912e4991a16a04de79a8b383222cda0942732e343144
Instruction Fuzzy Hash: CC01F53190DA954FE752E72894452A97FD1DF85264F080A6ED088C61E2CA684A86C386

Function 00007FF84919223A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22e9c81a7a3874f985da31ff2a67fa59900deff2e94a1d53eedb6ce3d1bfd332
Instruction ID: 8e16371ef11843a4a65a9b8c125e0836fb37a27d43fd805e9d0ebc0a6dcba6ab
Opcode Fuzzy Hash: 22e9c81a7a3874f985da31ff2a67fa59900deff2e94a1d53eedb6ce3d1bfd332
Instruction Fuzzy Hash: 44F0C23180DAC82FEB51AB78A4496EABFF0EF46310F4544E7D848DA193CE286645CB51

Function 00007FF84919C766 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 008e25f5b8e082badb337c0a234f77ff7680e7e58a5e89e42d955fa0517cd11e
Instruction ID: bb41a19233668a7f786590f8999e9994f1899deac7c237ed25a497f227ce3109
Opcode Fuzzy Hash: 008e25f5b8e082badb337c0a234f77ff7680e7e58a5e89e42d955fa0517cd11e
Instruction Fuzzy Hash: EB01D671E1DEC64FE3A8FE3844515BA63E2FFD8684B444578C04EC3286CE1DB9068B10

Function 00007FF8491921D3 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 101badfb939290e4272dba7a2347a3336ba70ca66ac3b914a9317be90a2dac1f
Instruction ID: aca2c59662c9e666fb17bb8fb00c30c55683654bea72ad0605772e343720c6a1
Opcode Fuzzy Hash: 101badfb939290e4272dba7a2347a3336ba70ca66ac3b914a9317be90a2dac1f
Instruction Fuzzy Hash: 02F0542778DD4E0FD364BD9D7CC15F17380F780379B58013ACA1EC3585D54D68664290

Function 00007FF849193020 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49138bda0a58c861e825fb19f86c2fa74a8dfd61baf0aca26c4ae1dcb5d84b13
Instruction ID: f9288b2d012b362c74ebd4f7b897d01ac920a468624749927c4a1c21f2951529
Opcode Fuzzy Hash: 49138bda0a58c861e825fb19f86c2fa74a8dfd61baf0aca26c4ae1dcb5d84b13
Instruction Fuzzy Hash: 7BF0E920E6C9490BE754BB3C640527573D5EF45309F5409B9D84DC71E5DF29DC524781

Function 00007FF84919340D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b43d43b492d4213959e61bb28802a0fa943040318bce010ea734979e5beae78
Instruction ID: 684a1ce79898f5fbc51e78b3a0f55f7fb8d09b6de72f39530501dd7690f4f013
Opcode Fuzzy Hash: 2b43d43b492d4213959e61bb28802a0fa943040318bce010ea734979e5beae78
Instruction Fuzzy Hash: B1F0A07190D60C6FDB18FF59EC4AAEB37A8FF85224F00013AF44D82192E6356863CB50

Function 00007FF84919C439 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c34db2c87c02bdc3fa2be3b67f77d40251e855d98913ab74af7c4a9abfe9530f
Instruction ID: 09fe943120623a5550ef0c4316288c454063daa7019782820bc016c59263a29e
Opcode Fuzzy Hash: c34db2c87c02bdc3fa2be3b67f77d40251e855d98913ab74af7c4a9abfe9530f
Instruction Fuzzy Hash: 2CD05E53B9C58E0BE590B94878911F1A380EB542B9B500373C58D830C6CD2F65464641

Function 00007FF84919CEB0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21d46be57608a414555087a9ff69b87ce9620efef7e9042b253813855672e1df
Instruction ID: 8e66ae1f85a45fcdc88f96f552331475f1a95b3ad1d0e0bdb1f1df88fcdd09f1
Opcode Fuzzy Hash: 21d46be57608a414555087a9ff69b87ce9620efef7e9042b253813855672e1df
Instruction Fuzzy Hash: 23D02331C0D589CFD348BB3C40051643650FF08388F5404BDD00ECB1D1D557540EC302

Non-executed Functions

Function 00007FF84919B0F1 Relevance: 10.3, Strings: 8, Instructions: 330COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF84919B166
HAH, xrefs: 00007FF84919B1A0
r&_H, xrefs: 00007FF84919B271
HAH, xrefs: 00007FF84919B319
HAH, xrefs: 00007FF84919B240
HAH, xrefs: 00007FF84919B2A6
HAH, xrefs: 00007FF84919B2F1
HAH, xrefs: 00007FF84919B27E

Memory Dump Source

Source File: 00000007.00000002.2208208602.00007FF849190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff849190000_Client.jbxd

Similarity

API ID:
String ID: HAH$HAH$HAH$HAH$HAH$HAH$HAH$r&_H
API String ID: 0-1577230237
Opcode ID: b16bf41d030f5ff01f1545e3f6f2ce5717cbac58bb400a0b3b4c5e5049ebea41
Instruction ID: be846a6027a42d52494a3028f75d70838d4bd7f5308db5d5e6f1f7d848a68569
Opcode Fuzzy Hash: b16bf41d030f5ff01f1545e3f6f2ce5717cbac58bb400a0b3b4c5e5049ebea41
Instruction Fuzzy Hash: 4B914821E1D98A4FE794EB38A459AB477D1FF98694B0841BAC04EC7293EE1CAC47C741

Analysis Process: Client.exePID: 2508, Parent PID: 5972COMMON

Execution Graph

Execution Coverage:	19.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF849196C31 Relevance: 5.2, Strings: 4, Instructions: 241
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HAH, xrefs: 00007FF849196E58
HAH, xrefs: 00007FF849196DD6
HAH, xrefs: 00007FF849196E0F
HAH, xrefs: 00007FF849196D9C

Memory Dump Source

Source File: 0000000D.00000002.2319686448.00007FF849196000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849196000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff849196000_Client.jbxd

Similarity

API ID:
String ID: HAH$HAH$HAH$HAH
API String ID: 0-4204409433
Opcode ID: e8f416d4531874c0629cc035014bfc413fb60d4a9b11e12e4024f440d62f1fe4
Instruction ID: 0c0918c0e7633196157fc9702d8b39115d6360fa559396b9781b2102feb474b7
Opcode Fuzzy Hash: e8f416d4531874c0629cc035014bfc413fb60d4a9b11e12e4024f440d62f1fe4
Instruction Fuzzy Hash: 1B61C171A2DD8A4FE6A9EB2CD45667563D2FF987D4B4800B9D00EC32D6DE2DAC02C750

Function 00007FF848F23525 Relevance: 1.6, APIs: 1, Instructions: 134
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32 ref: 00007FF848F23607

Memory Dump Source

Source File: 0000000D.00000002.2318993306.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff848f20000_Client.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 621667b5e92df981a467c3468a716cdc75b405d6f3084c27cd931e2e74ebe20d
Instruction ID: 94eeb3ceba49940d97bc64828f464bc8390313a7bdfe520e21ef9d0706a0c236
Opcode Fuzzy Hash: 621667b5e92df981a467c3468a716cdc75b405d6f3084c27cd931e2e74ebe20d
Instruction Fuzzy Hash: DC41F57180DB8C5FDB15EB6C98496E9BFF0EF56310F0441AFC049C71A2DB2968058751

Function 00007FF848F23569 Relevance: 1.6, APIs: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32 ref: 00007FF848F23607

Memory Dump Source

Source File: 0000000D.00000002.2318993306.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff848f20000_Client.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 8d358f59e70f7231e6e6bd0a2b47db04b79cc063e6a771c1c1136b43fece1bad
Instruction ID: abc54ccf21843c473a4d7dff86577630fd02a3549c39ea79b2012866f3849d86
Opcode Fuzzy Hash: 8d358f59e70f7231e6e6bd0a2b47db04b79cc063e6a771c1c1136b43fece1bad
Instruction Fuzzy Hash: 1131F07180CB5C9FDB19DB5888496E9BBF0FF65310F04426BC049D3292DB79A846CB91

Function 00007FF849193451 Relevance: 1.5, Strings: 1, Instructions: 299
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

&_L, xrefs: 00007FF849193673

Memory Dump Source

Source File: 0000000D.00000002.2319686448.00007FF849193000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849193000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff849193000_Client.jbxd

Similarity

API ID:
String ID: &_L
API String ID: 0-1440118532
Opcode ID: 8362a2d8e6f34d011ce4d72c487b6986664761d2fd1244bb452726f0f05baf66
Instruction ID: 8be88a50018b1547991fdbe2a04a78b2c9c5da92ccae12d55ca2e014cfcb6b71
Opcode Fuzzy Hash: 8362a2d8e6f34d011ce4d72c487b6986664761d2fd1244bb452726f0f05baf66
Instruction Fuzzy Hash: D0911830A0DA894FDBA6EF2894546B577E1FF59354F0501BAD00EC32A2DE2DE846CB81

Function 00007FF849196E69 Relevance: 1.4, Strings: 1, Instructions: 149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HAH, xrefs: 00007FF849196E8E

Memory Dump Source

Source File: 0000000D.00000002.2319686448.00007FF849196000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849196000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff849196000_Client.jbxd

Similarity

API ID:
String ID: HAH
API String ID: 0-1579723087
Opcode ID: cf05f286b154616a46ef704f4e5e7f74175c12d0d43d3a5a11ddf576a3731923
Instruction ID: e0689052aa82c02ff15ac8e87c6a607890b564495be8fdbed7f108446e3a131e
Opcode Fuzzy Hash: cf05f286b154616a46ef704f4e5e7f74175c12d0d43d3a5a11ddf576a3731923
Instruction Fuzzy Hash: C2412721A1EAC54FE796AB3C98686757FE1DFA6384B0804FAD089C71A3D91D9885C701

Function 00007FF849193125 Relevance: .3, Instructions: 339
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.2319686448.00007FF849193000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849193000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff849193000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c41f587340b936d901126003d427b5394f8bda40fbc2c769bf7aac4cee7b98ed
Instruction ID: 35096003fd484967f57f1684055d1907151cbca31ddb9e69309ac24082fbfaf9
Opcode Fuzzy Hash: c41f587340b936d901126003d427b5394f8bda40fbc2c769bf7aac4cee7b98ed
Instruction Fuzzy Hash: 45A17E31A1CA498FDBA8EF28D4556B973E1FF88355F504179E45ED32D2CF39A8028B44

Function 00007FF8491936F5 Relevance: .2, Instructions: 181
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.2319686448.00007FF849193000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849193000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff849193000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eabb466e9545a40fca465bba63f9adf8b9467cfdadac2d0db7f6c343a0db49f
Instruction ID: d2172a7c06b47a1a4cddeac1978bda1ec12ed943a5bf27dc14a094ceebe33660
Opcode Fuzzy Hash: 2eabb466e9545a40fca465bba63f9adf8b9467cfdadac2d0db7f6c343a0db49f
Instruction Fuzzy Hash: 4F51F73161CA894FEB69BB2898446767BD0EF563A8F10067ED48DC31E6DE1DA843C781

Function 00007FF8491960F5 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2319686448.00007FF849196000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849196000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff849196000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b04bf2984b8e1262b8439f7a714d9e9165ac256c7914c4a453e1823c92b0ba9
Instruction ID: 7a8b92252492d472532d89db176db2c8e891136c28f995273033eb42c817b0a0
Opcode Fuzzy Hash: 2b04bf2984b8e1262b8439f7a714d9e9165ac256c7914c4a453e1823c92b0ba9
Instruction Fuzzy Hash: F341B030D1CA4A9FEBB4EF1988415BA73E2FF85398F444439D46A93586CA39F845CB90

Function 00007FF84919D30D Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2319686448.00007FF84919D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84919D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff84919d000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7d7d1ea24763cefa1e4ff4fb3e058ab1fff83d87de0be24a017dad7d721f23e
Instruction ID: 12fe264369a44b8c18dcd5868cc1323619b433608a984a70521243ebee76995c
Opcode Fuzzy Hash: f7d7d1ea24763cefa1e4ff4fb3e058ab1fff83d87de0be24a017dad7d721f23e
Instruction Fuzzy Hash: 7E41E320B1E9811FE755BB7C589A3F567C1EF98755F6802BAE40CC72C7CD1CA84683A2

Function 00007FF84919D155 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2319686448.00007FF84919D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84919D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff84919d000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f504a0454006ee291379837a18d08b0a59951185b992d0b774a746eb597f86f
Instruction ID: 3c49bf979db5bc15f8bea14ebcc778c9d75f46524d03a0db64b7b0e8007fd354
Opcode Fuzzy Hash: 1f504a0454006ee291379837a18d08b0a59951185b992d0b774a746eb597f86f
Instruction Fuzzy Hash: CD31033A90DAC74FE7B9AA2C94542717BD0EF45398F1800B9E44FC7192DE1CE881CB41

Function 00007FF84919D0CD Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2319686448.00007FF84919D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84919D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff84919d000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faaf6a6bf80cf8444d3781e00bdb9ca286ffafd071010b057bd2b8289a65ee2b
Instruction ID: 64018bc5cfc017de9c475e957b7f36eb1e9c13aa3a9aefa713b23b187ddd6a51
Opcode Fuzzy Hash: faaf6a6bf80cf8444d3781e00bdb9ca286ffafd071010b057bd2b8289a65ee2b
Instruction Fuzzy Hash: 8911E53158E6C61FD3469B748C20AD27BE5DF8B15030901F6E089CB5A3C91D9987C760

Function 00007FF84919D231 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2319686448.00007FF84919D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84919D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff84919d000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44f4785671c574c58cdc6493cfae9f6c6336a1a52befbe551c6e0199e0b2ee28
Instruction ID: 0f4a966022b9ac0336604dd614d9ae88f7f0726e804dcc6b0f5ead3ce00c7959
Opcode Fuzzy Hash: 44f4785671c574c58cdc6493cfae9f6c6336a1a52befbe551c6e0199e0b2ee28
Instruction Fuzzy Hash: 15110225D1C99A5EF765AB6894153F9B7E0FF96384F4801B6E00CC71C3CF1CA80487A1

Function 00007FF849193000 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2319686448.00007FF849193000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849193000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff849193000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4eb5374435182affc0fb00a9a24ddd2a380d71fbb80c29ffc271fed86c99ca9
Instruction ID: 2b1047b59fbf9ff2f4a89b1d7ea661da7aecb62fce23b2ecc2d0dbdd575ddbfc
Opcode Fuzzy Hash: a4eb5374435182affc0fb00a9a24ddd2a380d71fbb80c29ffc271fed86c99ca9
Instruction Fuzzy Hash: 1A014721A1CAC50FE366AB3CA4152767BE4EF42204F4D45FEC489CB1A3DE1CD8428741

Function 00007FF84919340D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2319686448.00007FF849193000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849193000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff849193000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70cf21d9e70ce76508cf83898484feef363597d488487a1893d6b1d777935134
Instruction ID: 684a1ce79898f5fbc51e78b3a0f55f7fb8d09b6de72f39530501dd7690f4f013
Opcode Fuzzy Hash: 70cf21d9e70ce76508cf83898484feef363597d488487a1893d6b1d777935134
Instruction Fuzzy Hash: B1F0A07190D60C6FDB18FF59EC4AAEB37A8FF85224F00013AF44D82192E6356863CB50

Function 00007FF84919D2E8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2319686448.00007FF84919D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84919D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff84919d000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad7705486695a753bf54c67e012976e655c186979cc5c4a06698369772894101
Instruction ID: 441ab12104a39798504e4bee3ef62e5711c222dadbdcee72ffac76d45b075d92
Opcode Fuzzy Hash: ad7705486695a753bf54c67e012976e655c186979cc5c4a06698369772894101
Instruction Fuzzy Hash: CFD0233555454C57C7147B65B4054D7B758FF8D35CF00057FF91CC5041D62795354392

Analysis Process: Client.exePID: 3652, Parent PID: 3640COMMON

Execution Graph

Execution Coverage:	14.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF8491993C1 Relevance: 11.4, Strings: 8, Instructions: 1410
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HAH, xrefs: 00007FF84919A141
HAH, xrefs: 00007FF849199FC7
HAH, xrefs: 00007FF84919A107
HAH, xrefs: 00007FF84919974B
HAH, xrefs: 00007FF849199F8D
HAH, xrefs: 00007FF84919A03A
HAH, xrefs: 00007FF84919A000
HAH, xrefs: 00007FF84919A292

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID: HAH$HAH$HAH$HAH$HAH$HAH$HAH$HAH
API String ID: 0-4024470385
Opcode ID: 54497f807c746eb89b8f27ce05973f70ebd25580c1f2b701c8ac7da9022c6471
Instruction ID: b17dae8d6ac7da1f83734e09c82b966ff4d4463cee5e2cb651bea561fdf89862
Opcode Fuzzy Hash: 54497f807c746eb89b8f27ce05973f70ebd25580c1f2b701c8ac7da9022c6471
Instruction Fuzzy Hash: CB92F330A1C9894FEBA8EF2C9455A7577D1FF99394F0400BAD44EC7296DE2DAC42CB41

Function 00007FF849194DC6 Relevance: 2.5, Strings: 1, Instructions: 1274
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HAH, xrefs: 00007FF849196226

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID: HAH
API String ID: 0-1579723087
Opcode ID: ff7a04f008a6dfaa31fae753f9ab42b6b8381a2892a36e1da64e20f05b1fef6a
Instruction ID: b0f35c223a76b10070084a1c6c5dc645e12f308bae2cd01b0f75cd0b70a5dc47
Opcode Fuzzy Hash: ff7a04f008a6dfaa31fae753f9ab42b6b8381a2892a36e1da64e20f05b1fef6a
Instruction Fuzzy Hash: 0D92A570A1CA598FDF98EF18C494BA97BE2FF58344F5041A8D44ED7296CE39E885CB40

Function 00007FF849195BE1 Relevance: 1.9, Strings: 1, Instructions: 692
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

*%I, xrefs: 00007FF849196070

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID: *%I
API String ID: 0-3524644257
Opcode ID: 066bc1caf8eec335ed9e75dcbf7644bd0e862b27d4d78c86c66b199b559a0088
Instruction ID: 390f8b6335695ae481a6b199e7c05e7341210a243038ff895dfbff7271fb2c57
Opcode Fuzzy Hash: 066bc1caf8eec335ed9e75dcbf7644bd0e862b27d4d78c86c66b199b559a0088
Instruction Fuzzy Hash: 36325E30A18A598FEBA4EF18C8857A9B7E1FF98344F1045B9D44ED3295DB38E981CF41

Function 00007FF84919A7CD Relevance: .9, Instructions: 932COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f5bda45b1189fb04882d568003b545f52994106badf7420f34f1c4c5304df49
Instruction ID: 7040fd49d5733dea73bf1ed5e98a76f287c2d71736f74f5ece172468ba438e15
Opcode Fuzzy Hash: 7f5bda45b1189fb04882d568003b545f52994106badf7420f34f1c4c5304df49
Instruction Fuzzy Hash: 8562503061CA498FEB98EB2CC458B6977E1FF99344F1445BAE04DC72A6DE38E845CB41

Function 00007FF849198A61 Relevance: .7, Instructions: 712COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a020349a9039465b23e9a94da8cf95c24968d80ba27169833019ab3c19d77843
Instruction ID: ac7f2c3b7e0fdcaef41a0fa2009648e5c9de002fb25b73e02e82cd5c2f63948e
Opcode Fuzzy Hash: a020349a9039465b23e9a94da8cf95c24968d80ba27169833019ab3c19d77843
Instruction Fuzzy Hash: 8C228030A1CA494FEBA8EF1894957B973E2FF98344F1441BDD44ED3692DE39A842CB41

Function 00007FF849196C31 Relevance: 5.2, Strings: 4, Instructions: 240
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HAH, xrefs: 00007FF849196DD6
HAH, xrefs: 00007FF849196E58
HAH, xrefs: 00007FF849196E0F
HAH, xrefs: 00007FF849196D9C

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID: HAH$HAH$HAH$HAH
API String ID: 0-4204409433
Opcode ID: 19e85c9436d9b736203a08f4336283d4e1d6b49912e354b9defc79d80990afc6
Instruction ID: d08766e77f8e7cf98d989dd998aa281d351caff3a22f0cca812371b8106cc17a
Opcode Fuzzy Hash: 19e85c9436d9b736203a08f4336283d4e1d6b49912e354b9defc79d80990afc6
Instruction Fuzzy Hash: BD61C171A2DD8A4FE6A9EB2CD45667563D2FF987D4B4800B9D00EC32D6DE2DAC02C750

Function 00007FF84919C349 Relevance: 4.0, Strings: 3, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

X!(I, xrefs: 00007FF84919C40B
`"(I, xrefs: 00007FF84919C48E
a&_H, xrefs: 00007FF84919C373

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID: X!(I$`"(I$a&_H
API String ID: 0-2743432387
Opcode ID: 2f6be554e39ffe5b0b940c082e17de6ce9dead3fa9b6295eb0173b8a7a45fcba
Instruction ID: d85c1ea4ee8b84674dbd499e331d2457e23414a15258922e965f26f8dac5797c
Opcode Fuzzy Hash: 2f6be554e39ffe5b0b940c082e17de6ce9dead3fa9b6295eb0173b8a7a45fcba
Instruction Fuzzy Hash: D651D472F1CE8A5FE3A9EA2C50556B573D1FFA8794B50057AC08EC32C6DE2DA9428740

Function 00007FF84919A3D9 Relevance: 2.9, Strings: 2, Instructions: 395
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HAH, xrefs: 00007FF84919A41A
HAH, xrefs: 00007FF84919A70E

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID: HAH$HAH
API String ID: 0-524784639
Opcode ID: e98e6935fd88886e856050975001293b3b5e554b1191fce2b1fcaf568aeea494
Instruction ID: 258e5f35d57c748949129334e41e417a750fe013c0daee3fd2e064e18f350db1
Opcode Fuzzy Hash: e98e6935fd88886e856050975001293b3b5e554b1191fce2b1fcaf568aeea494
Instruction Fuzzy Hash: 29C18130A1CA498FEBA8EF28D4457B9B7E1FF98344F54417AD04EC7292DE38A845CB41

Function 00007FF849192C10 Relevance: 1.7, Strings: 1, Instructions: 494
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HAH, xrefs: 00007FF849192C63

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID: HAH
API String ID: 0-1579723087
Opcode ID: 90362f7d69ce5d55f293471b8a471eb926667a952c9c0587dc993aaa54e65d3e
Instruction ID: f860ea690d7e4190a417a2a761cb42bb4c11ec8e7d188b05deeadbbe3def6b70
Opcode Fuzzy Hash: 90362f7d69ce5d55f293471b8a471eb926667a952c9c0587dc993aaa54e65d3e
Instruction Fuzzy Hash: 5EE13632E1D9CA4FE7B5FA2C98592B57BD0EF95394F0405BAD049C7292DE2CAC06CB41

Function 00007FF849193F19 Relevance: 1.7, Strings: 1, Instructions: 477
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 00007FF849194457

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: d4cf159aaa712aec40fd9e5950ce9941e75b5412caed245cbbddaab39bde9b4d
Instruction ID: ab0d109ae7b96c04a5a892ba54f6f795ff88421ba80cb14c7de0d65d2a0f93d8
Opcode Fuzzy Hash: d4cf159aaa712aec40fd9e5950ce9941e75b5412caed245cbbddaab39bde9b4d
Instruction Fuzzy Hash: 25E10731A0DA9A4FE7A5AF28985537837D1EF56354F0402BAD48EC72D2DE1CAC46C782

Function 00007FF848F23525 Relevance: 1.6, APIs: 1, Instructions: 137
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32 ref: 00007FF848F23607

Memory Dump Source

Source File: 00000012.00000002.2434963323.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f20000_Client.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 356bcca52e024e458a46cbfa30e0c339fccf2b0fe96adf2154da091da73d907f
Instruction ID: f7c89c329cd51cee99be934b3161f555ed2f2c10135a02a5b14e7b184b064749
Opcode Fuzzy Hash: 356bcca52e024e458a46cbfa30e0c339fccf2b0fe96adf2154da091da73d907f
Instruction Fuzzy Hash: 0A41F37180DB8C5FDB05DB6C98496E9BFF0EF56310F0441ABC049C71A2DB2968058792

Function 00007FF848F23569 Relevance: 1.6, APIs: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32 ref: 00007FF848F23607

Memory Dump Source

Source File: 00000012.00000002.2434963323.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f20000_Client.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: b51026900f1a9d45003930fd8a7e91c0bc3b4642b71aca276bb4c147c750b69d
Instruction ID: abc54ccf21843c473a4d7dff86577630fd02a3549c39ea79b2012866f3849d86
Opcode Fuzzy Hash: b51026900f1a9d45003930fd8a7e91c0bc3b4642b71aca276bb4c147c750b69d
Instruction Fuzzy Hash: 1131F07180CB5C9FDB19DB5888496E9BBF0FF65310F04426BC049D3292DB79A846CB91

Function 00007FF849193451 Relevance: 1.5, Strings: 1, Instructions: 299
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

&_L, xrefs: 00007FF849193673

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID: &_L
API String ID: 0-1440118532
Opcode ID: ff1960e8e4781e58522cc102acb852d82b69a1fe7802ea4e595728add7a5f398
Instruction ID: 6f875869870a7ce240c5e81b8151a5fcccdea0b51b9c8d1f9e387755c2af6925
Opcode Fuzzy Hash: ff1960e8e4781e58522cc102acb852d82b69a1fe7802ea4e595728add7a5f398
Instruction Fuzzy Hash: 38910830A0DA894FDBA6EF2894546B577E1FF59354F0501BAD04EC32A2DE2DE846CB81

Function 00007FF849196E69 Relevance: 1.4, Strings: 1, Instructions: 149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HAH, xrefs: 00007FF849196E8E

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID: HAH
API String ID: 0-1579723087
Opcode ID: 8ba7df710a571bbf3ecb28fa0b4a6abb733e788cfcd32e9feb03630017c10618
Instruction ID: e0689052aa82c02ff15ac8e87c6a607890b564495be8fdbed7f108446e3a131e
Opcode Fuzzy Hash: 8ba7df710a571bbf3ecb28fa0b4a6abb733e788cfcd32e9feb03630017c10618
Instruction Fuzzy Hash: C2412721A1EAC54FE796AB3C98686757FE1DFA6384B0804FAD089C71A3D91D9885C701

Function 00007FF8491920E2 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

#'_^, xrefs: 00007FF849192101

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID: #'_^
API String ID: 0-523350721
Opcode ID: a68f6a4d155a22a7a8b8a276832db89bf8ccd5e1a83d65d87693ad4d2f399088
Instruction ID: f50f03f9b3e44deff4f7b11bc3b965d452f695278f4a653962641dd99ad1012f
Opcode Fuzzy Hash: a68f6a4d155a22a7a8b8a276832db89bf8ccd5e1a83d65d87693ad4d2f399088
Instruction Fuzzy Hash: C5410E37E1A5269EC311BEBDF4864D9B3B0EF85379B084677C188CE093DB1C544586E9

Function 00007FF8491920D7 Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

#'_^, xrefs: 00007FF849192101

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID: #'_^
API String ID: 0-523350721
Opcode ID: 4353d0f64cd12f256ff529f136eee8590acb820d8c7326c83fc37952cfb31047
Instruction ID: 8896d64552868fc34030e801095ad9f07f2a7e3fb9bed2cb6d469f7f411aafae
Opcode Fuzzy Hash: 4353d0f64cd12f256ff529f136eee8590acb820d8c7326c83fc37952cfb31047
Instruction Fuzzy Hash: 63313D27F1E5259ED310BEBDF4864EAB3A0EF85379B0C4677C188CE083DA1C644586E8

Function 00007FF8491920CF Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

#'_^, xrefs: 00007FF849192101

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID: #'_^
API String ID: 0-523350721
Opcode ID: 1440e92d59acee66dcdaa225e1b4764738056750ca014c3e2a00b8d7b4c33023
Instruction ID: a7d5dbeb470b70c4e61a75ed4f64e325159e7a837f88e226ad12b0c94fe1a245
Opcode Fuzzy Hash: 1440e92d59acee66dcdaa225e1b4764738056750ca014c3e2a00b8d7b4c33023
Instruction Fuzzy Hash: DF310D27E5E52A9EC311BEBDF4864E9B3A0EF85379B0C4677C188CE183DA1C544586E4

Function 00007FF84919C466 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

`"(I, xrefs: 00007FF84919C48E

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID: `"(I
API String ID: 0-1945562383
Opcode ID: 450a14919b0a85711d6fffc8e02c4a5ee4438a6b7ae98420067902bdbbc9e71d
Instruction ID: 858f33006d9b2d037623cc0ecc49c5ef280719a9ceeb9d757b1f0a4a23fb0cc5
Opcode Fuzzy Hash: 450a14919b0a85711d6fffc8e02c4a5ee4438a6b7ae98420067902bdbbc9e71d
Instruction Fuzzy Hash: BD2128A2B1DDCA1FE399EA3C44553B567E1FFA8350B0401BAC08EC72C7DD1CA8058350

Function 00007FF849199763 Relevance: .4, Instructions: 441COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70c938bba84fa454388760a35a01f900b893883e5ff1dabfaaa061b725f30838
Instruction ID: 1aa06618bae1e800e7a4a1bb868a5bd9497b0162ef16d31210bcd38e5ba52fab
Opcode Fuzzy Hash: 70c938bba84fa454388760a35a01f900b893883e5ff1dabfaaa061b725f30838
Instruction Fuzzy Hash: 30D15B306189498FEB98FF2CD498A7977E1FF59345B1140B9E44EC72A6DE28EC42CB41

Function 00007FF849198BD9 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10b5bef49c079c955d6d1713269456e16c77009c6b5ad80976b1a1b4436c3284
Instruction ID: 4d401b7cc95ed74bd32082dc43378ba526c41b4cb7fd43cf21e4a424af939489
Opcode Fuzzy Hash: 10b5bef49c079c955d6d1713269456e16c77009c6b5ad80976b1a1b4436c3284
Instruction Fuzzy Hash: 8CC1BF30A0CA4A4FEB68EB2C94557B877D1FF54388F1441B9D48EC32D2DE2DA846CB04

Function 00007FF849193125 Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a16761cb02dd1c747294f361130a90a7fc4cecd6b1a9fe3889604aa48af3b0fe
Instruction ID: 5508b77d12e66e9be78164e66db3f99f1e6e0911376a042d118b622dc342f5d7
Opcode Fuzzy Hash: a16761cb02dd1c747294f361130a90a7fc4cecd6b1a9fe3889604aa48af3b0fe
Instruction Fuzzy Hash: E5A15E31A1CA498FDBA8EF28D4516B973E1FF88359F504179E45ED32D2DE39E8028B44

Function 00007FF849198C28 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb34d3eab57c055c55021b98d6fa814297e86bac616b4a98cbb897949f4c1071
Instruction ID: c73a8b2370d1310728800952199d5c676b44006d66ca3050b10f04b6c123cedc
Opcode Fuzzy Hash: eb34d3eab57c055c55021b98d6fa814297e86bac616b4a98cbb897949f4c1071
Instruction Fuzzy Hash: 4BA1A030A0CA494FEB68EB2D94557B877D2FF58388F5041BCD48EC36D2DE2DA8468B44

Function 00007FF849198CA8 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2521b7ed1834c5afc1ebd35477304fc87ec8b437f4b2b81f0e100d097689835f
Instruction ID: bb4c6f542e8c1897e21fcaf5b5d58688ffc3582f23288a821d190d0dccf30184
Opcode Fuzzy Hash: 2521b7ed1834c5afc1ebd35477304fc87ec8b437f4b2b81f0e100d097689835f
Instruction Fuzzy Hash: E9A19F30A0C9494FEB68EB2D94957B877D2FF58388F5041B8D48EC36D2DE2DA846CB44

Function 00007FF849198D58 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0e7e948f9915b340881ba12a7bc188f2e69f372b2878073e8bcddcd6f3dddd3
Instruction ID: 522bfaa97c18043705893669e516fbdb8c5b16851ab9a323d8c47e16cdae14b3
Opcode Fuzzy Hash: b0e7e948f9915b340881ba12a7bc188f2e69f372b2878073e8bcddcd6f3dddd3
Instruction Fuzzy Hash: 22915F30B0C9494FEBA8EB2D94957B873D2FF98388F544179D48EC36D2DE2DA8458B44

Function 00007FF849198CE3 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8369dc4c924da404c608ef82c524a4c97f1073982047613a950a5af200b7fc26
Instruction ID: 18dab5bc5c3381d504c2f18d090d56719605417e80dc2187be6a6b068e3ad3d6
Opcode Fuzzy Hash: 8369dc4c924da404c608ef82c524a4c97f1073982047613a950a5af200b7fc26
Instruction Fuzzy Hash: BE915F30A0C9494FEBA8EB2D94957B873D2FF98388F504179D48EC36D2DE2DA8458B44

Function 00007FF849198CC6 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e53d01a5c098e2712728b86f2d9d287a54b5945c69da8cc0f36f613127e3f0c4
Instruction ID: 7e0d9f02fc7f8f230edf975374de00551b17b448c72eac890a5500c940daa18e
Opcode Fuzzy Hash: e53d01a5c098e2712728b86f2d9d287a54b5945c69da8cc0f36f613127e3f0c4
Instruction Fuzzy Hash: 72915030A0C9494FEB68EB2D94957B973D2FF98388F504179D48EC36D2DE2DA8458B44

Function 00007FF849198D3B Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff36df14e63908c02b29c4dbbfebc07b373324652fa23b5d4ac60283d5e353fb
Instruction ID: 01b0436794557ed9192c90ccd31a4945ec663459551cac3af05e5828ed5d66e7
Opcode Fuzzy Hash: ff36df14e63908c02b29c4dbbfebc07b373324652fa23b5d4ac60283d5e353fb
Instruction Fuzzy Hash: 18915F30B0C9494FEBA8EB2D94957B873D2FF98388F504179D48EC36D2DE2DA8458B44

Function 00007FF849198D1D Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6c8c15a7389cdd08743fbf92fe48d09872a35d5afa9ba6c1cfd05fac2778fc7
Instruction ID: 9249fdceca46973e6be753cd31afa346cd989f249c7238741fdf740e127900f2
Opcode Fuzzy Hash: f6c8c15a7389cdd08743fbf92fe48d09872a35d5afa9ba6c1cfd05fac2778fc7
Instruction Fuzzy Hash: 80914030A0C9494FEB68EB1D94957B873D2FF98388F544179D48EC36D3DE2DA8458B44

Function 00007FF849198BBD Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a670bf6f19e394127730b2dece79e846ac108fad8218000dcecb56cd48a50c2f
Instruction ID: 10baed4cfcdce20fcee6ea21131a08dee875fc8223aefa2191c495d28ad49c9a
Opcode Fuzzy Hash: a670bf6f19e394127730b2dece79e846ac108fad8218000dcecb56cd48a50c2f
Instruction Fuzzy Hash: 8D915030A0C9494FEB68EB1D94957B873D2FF98388F5441B9D48EC36D3DE2DA8458B44

Function 00007FF849198D01 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 175d94df8599f7f07a522a7faf149e8b5f06d5d458e46078b1deccdff8b75e32
Instruction ID: acdde2d0245e010ad57c965410febbd1438f30c952d0c0cbc94be99297a2dbca
Opcode Fuzzy Hash: 175d94df8599f7f07a522a7faf149e8b5f06d5d458e46078b1deccdff8b75e32
Instruction Fuzzy Hash: 3A915130A0C9494FEB68EB1D94957B877D2FF98384F5041B9D48EC36C3DE2DA8458B44

Function 00007FF849196FC5 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea9948ad3aacac184cdb053a5724f8c0ceaa091bf209c1b6a54c9ea67e5901a4
Instruction ID: fc4a0a4e82893be7bedb6586efd57d664ae38073bc4f66947d709f61e8f344e9
Opcode Fuzzy Hash: ea9948ad3aacac184cdb053a5724f8c0ceaa091bf209c1b6a54c9ea67e5901a4
Instruction Fuzzy Hash: 1A713731B1C9494FEBA8FB2CE84967577D1EF9A364B0401BAD44EC7293DD29EC428781

Function 00007FF84919BD32 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4f2793b29e5584eb4f40a84076a15a9decac33aa45aca25812a63c563ff25e6
Instruction ID: 383230f02c8d0683c7fe8c3851fa43c044624480137a7d3a4c21aa32ab0ee216
Opcode Fuzzy Hash: c4f2793b29e5584eb4f40a84076a15a9decac33aa45aca25812a63c563ff25e6
Instruction Fuzzy Hash: 29619230A4DA898FEBA5EF28D858AB577E1FF45348F0504BAD45DC71A2DA2CEC41CB41

Function 00007FF84919CACE Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d512e089c6ede56ed40b7c44241e2ae29bcc924d3ed8247d5ac03aeea5036bbd
Instruction ID: d7eec369e0cbaa2ad0daf6646d5c0d8b2069bd14f40728be77eb499b1c158c0a
Opcode Fuzzy Hash: d512e089c6ede56ed40b7c44241e2ae29bcc924d3ed8247d5ac03aeea5036bbd
Instruction Fuzzy Hash: 26511672D0CACA4FE379EE2CA8151B57BD0EF556D4B04427AC48EC71D2DD1DA885C781

Function 00007FF84919C15F Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dcaa0a27e35bfe53f793c3933bdef1cd2efbe62e5cace63d88465434c92716b
Instruction ID: 28e17837f1213ac985cd79ed8d67861fdce928b7108f453edbae97dddcb9a73c
Opcode Fuzzy Hash: 4dcaa0a27e35bfe53f793c3933bdef1cd2efbe62e5cace63d88465434c92716b
Instruction Fuzzy Hash: 29519B71F0CE8A9FE3E4EA7C90556B473D2EF98794B5005BEC44EC328ADD296842CB40

Function 00007FF8491936F5 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 304ab8356a6c5b1f86c220e4a1ac67d147a5b7dd09643e54504a25e05a2b6f76
Instruction ID: f85f84dd477cffac1ce2ceb69c8c8bf8805aca2517ffceed43b99fdc6cce281a
Opcode Fuzzy Hash: 304ab8356a6c5b1f86c220e4a1ac67d147a5b7dd09643e54504a25e05a2b6f76
Instruction Fuzzy Hash: B251193161CA894FEB69FB2898446757BD0EF563A8F10027ED48DC31E6DE1DA803C781

Function 00007FF84919D2E8 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c087af8b41cf4509bff42b1acadf65d118fb99a62e5abbd125129193609d9f9
Instruction ID: c36a23b7d907b4d3cb7776c374f962d4969ea66999f66b645150eab33646cb2e
Opcode Fuzzy Hash: 9c087af8b41cf4509bff42b1acadf65d118fb99a62e5abbd125129193609d9f9
Instruction Fuzzy Hash: 0041F020B1EA851FE755BB7858563F5B7D1EF88759F2402BAE00CC72C7CD1CA94683A2

Function 00007FF849192EC6 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 009ff547ca569072ca22c790e683832eb389fca30f1914ee23a92a8a79fd980f
Instruction ID: ff2236e7ee3b372051be6da2d068f9bc8c425c9e7225e52c929b55b6ee6821aa
Opcode Fuzzy Hash: 009ff547ca569072ca22c790e683832eb389fca30f1914ee23a92a8a79fd980f
Instruction Fuzzy Hash: 9B317A3291EAC65FE39AAB7C94556B13BE1EF5B25470840FAC009CB293DD2D9C46C740

Function 00007FF8491928F2 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eab287bc9e1aa4306483b4bcd6bcdcc27a2f26016ccb13f5cdb7d578e542039a
Instruction ID: 9b61d896aa20b1e372329eb12d7a9cb457b470a1cee6ad9a03b800c0a915662d
Opcode Fuzzy Hash: eab287bc9e1aa4306483b4bcd6bcdcc27a2f26016ccb13f5cdb7d578e542039a
Instruction Fuzzy Hash: A731E021A2EA9A4FE765BB2894A11F67BF0EF69344F4004B7D04AC31C7DE2D6806C791

Function 00007FF849193730 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1aad9c95e6c528db9509f01a723ffb62f138bfadc2777f60ea4e092e6fc0b32
Instruction ID: b892379636a314858c55813e00c09955a2e2e6ddea6e8972fa6c3e610775a224
Opcode Fuzzy Hash: a1aad9c95e6c528db9509f01a723ffb62f138bfadc2777f60ea4e092e6fc0b32
Instruction Fuzzy Hash: 9731D73161C9095FEB98FF28D44967533C1EF99398B00027DD44EC32A6EE2DE8028781

Function 00007FF84919D348 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f59c7e32f42ddda215a422e0c57aaa673234c74ab745ed574e6e75dd41a2d76e
Instruction ID: 4f52a1b5030c24363f3671c6f9defaa1ca82727ae98b2494f0e6404bac53b05d
Opcode Fuzzy Hash: f59c7e32f42ddda215a422e0c57aaa673234c74ab745ed574e6e75dd41a2d76e
Instruction Fuzzy Hash: AF31F310B2E9455FF794FB6C589A3B8A2C2EF98744F6401B9D00CC32C7CD2CAC058751

Function 00007FF84919D155 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f853f2670ac78b683cea1c34d0b72235c83fd7fac0cbc4eef035b73b17560d61
Instruction ID: 3c49bf979db5bc15f8bea14ebcc778c9d75f46524d03a0db64b7b0e8007fd354
Opcode Fuzzy Hash: f853f2670ac78b683cea1c34d0b72235c83fd7fac0cbc4eef035b73b17560d61
Instruction Fuzzy Hash: CD31033A90DAC74FE7B9AA2C94542717BD0EF45398F1800B9E44FC7192DE1CE881CB41

Function 00007FF8491975E8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c5f20176eab9b213672abddc3069fc86d3b620a8c67c1a989393514d4eb2d18
Instruction ID: 59b572fc492cc3fa5b961acc1297b83cd9b91388b694a9f279fe28e5cf703416
Opcode Fuzzy Hash: 7c5f20176eab9b213672abddc3069fc86d3b620a8c67c1a989393514d4eb2d18
Instruction Fuzzy Hash: D9113A33F1ED4A5FF2B8A91C68495B537D1EFE87A475502BAD00DC3286ED1CAC42C690

Function 00007FF849193140 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1900c9f719cc786196f8fbd1c52e83487252c989b305b8f28043ec6f7632bb0
Instruction ID: 7850ac01ab72677ded1304e7fda9d57b9a2ab5068d47de1d80998dac5be151bb
Opcode Fuzzy Hash: c1900c9f719cc786196f8fbd1c52e83487252c989b305b8f28043ec6f7632bb0
Instruction Fuzzy Hash: F021BC31A18A4D8FDB98EF28D4456AA77E1FF99319F10017EE40ED3292CB35E852CB40

Function 00007FF8491975F0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cc23f08f062537f57da25aa846b3bd4b5b6b8f580fa459cdc76326926ae3f0b
Instruction ID: f9632734babef89120cfc4a56455d58702f02a6fd1ee84b9a917fb85ef0d7222
Opcode Fuzzy Hash: 4cc23f08f062537f57da25aa846b3bd4b5b6b8f580fa459cdc76326926ae3f0b
Instruction Fuzzy Hash: 9A112932F1DD4A1FF2B8A91CA84A5B537D1EFE97A475502BAD00DC3286ED1CBC42C690

Function 00007FF849197987 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca8d749adcc35a90960060d05e621b05a4eb57cceac6aa0f1f7cb931412474c2
Instruction ID: e1344c576649195c80d93808864a628027ea46dd323f1e1b0aaf89acf08b42cd
Opcode Fuzzy Hash: ca8d749adcc35a90960060d05e621b05a4eb57cceac6aa0f1f7cb931412474c2
Instruction Fuzzy Hash: ED216A3061CA498FDB98EF1DD4456A9B7E1FF98321F10117EE48AD32A1CA35E842CB41

Function 00007FF84919D231 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30e3c9fd302e7ce5f1e32d101ac83386c64d8d65977a4f3d027c69550898d1ec
Instruction ID: e285601e8082b6f5d3ca7456fba95ec737e4e21e235793dac843f88e1a438a57
Opcode Fuzzy Hash: 30e3c9fd302e7ce5f1e32d101ac83386c64d8d65977a4f3d027c69550898d1ec
Instruction Fuzzy Hash: D921322691C99D5FE765BB6894017FAB7E0FF96354F0802B6E00CC30C2CF1CA91487A1

Function 00007FF849192943 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4422135fe55d461c073a4ac22034e713e5ef0ecb133e16fc2b933d76f0c99349
Instruction ID: 6dfdafdf28b04abc4c87a2983ca5bdc9c4c0db32ca0895fa127906615269ab60
Opcode Fuzzy Hash: 4422135fe55d461c073a4ac22034e713e5ef0ecb133e16fc2b933d76f0c99349
Instruction Fuzzy Hash: 50219F31B3995A4EE754BB28E0922FA73E1FB98344F40457AD44FC32C7DE2DA8068781

Function 00007FF84919CCA5 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d792c8d9aef292c09483306f629f6585f39e1eb00a5ada8237da4251aebc96b
Instruction ID: 7a60b093814248407e2ba58531f15bdd10abc521fe368aa144e7a07e0ca66db1
Opcode Fuzzy Hash: 2d792c8d9aef292c09483306f629f6585f39e1eb00a5ada8237da4251aebc96b
Instruction Fuzzy Hash: 1011A31148FAC61FE34A67B44C295E23FE5DF9B19071D42E7E085CB4E3D84C498AC3A1

Function 00007FF84919D0CD Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3ab37509013dbb28f4d79e09bf09d107131f5b7017feb43c0a7c1f9b6e6089
Instruction ID: 64018bc5cfc017de9c475e957b7f36eb1e9c13aa3a9aefa713b23b187ddd6a51
Opcode Fuzzy Hash: 6b3ab37509013dbb28f4d79e09bf09d107131f5b7017feb43c0a7c1f9b6e6089
Instruction Fuzzy Hash: 8911E53158E6C61FD3469B748C20AD27BE5DF8B15030901F6E089CB5A3C91D9987C760

Function 00007FF8491922A9 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e5b6144f56f62c1c387eee4af0ca33d5553a35507711995fa8bde62e1c27bc2
Instruction ID: ed5af7a951412cc8892b731cd215e1446897622b8b22b8714ce2f3b9f275bb1c
Opcode Fuzzy Hash: 8e5b6144f56f62c1c387eee4af0ca33d5553a35507711995fa8bde62e1c27bc2
Instruction Fuzzy Hash: 4811023291E7C94FD356AB3498690E97FB0EF46210B4A05FBD144CB1A3DF2C594AC751

Function 00007FF849194C61 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72b696eae5d1eaf2eef2a038486d4e18549afe1804d9243e9717e0cb412aeda0
Instruction ID: 2991edce58318fe24afe76c9aa8fdf45d9c10673b2fbded0936309cb47e91d12
Opcode Fuzzy Hash: 72b696eae5d1eaf2eef2a038486d4e18549afe1804d9243e9717e0cb412aeda0
Instruction Fuzzy Hash: CC01F53190DA954FE752E72894452A97FD1DF85264F080A6ED088C61E2CA684A86C386

Function 00007FF84919223A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2810148862be4b688bf6a00ffed140f4ce2697349f270415701889c8bfd8f338
Instruction ID: e86b5e9a0364c31c8028279c91daab019c8a51c5801e059092d04ff7b6b8b825
Opcode Fuzzy Hash: 2810148862be4b688bf6a00ffed140f4ce2697349f270415701889c8bfd8f338
Instruction Fuzzy Hash: 11F0C23180DACC2FEB51AB7894596EABFF0EF46300F4544E7D848DA193CE286645CB51

Function 00007FF84919C766 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 008e25f5b8e082badb337c0a234f77ff7680e7e58a5e89e42d955fa0517cd11e
Instruction ID: bb41a19233668a7f786590f8999e9994f1899deac7c237ed25a497f227ce3109
Opcode Fuzzy Hash: 008e25f5b8e082badb337c0a234f77ff7680e7e58a5e89e42d955fa0517cd11e
Instruction Fuzzy Hash: EB01D671E1DEC64FE3A8FE3844515BA63E2FFD8684B444578C04EC3286CE1DB9068B10

Function 00007FF8491921D3 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 101badfb939290e4272dba7a2347a3336ba70ca66ac3b914a9317be90a2dac1f
Instruction ID: aca2c59662c9e666fb17bb8fb00c30c55683654bea72ad0605772e343720c6a1
Opcode Fuzzy Hash: 101badfb939290e4272dba7a2347a3336ba70ca66ac3b914a9317be90a2dac1f
Instruction Fuzzy Hash: 02F0542778DD4E0FD364BD9D7CC15F17380F780379B58013ACA1EC3585D54D68664290

Function 00007FF849193020 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49138bda0a58c861e825fb19f86c2fa74a8dfd61baf0aca26c4ae1dcb5d84b13
Instruction ID: f9288b2d012b362c74ebd4f7b897d01ac920a468624749927c4a1c21f2951529
Opcode Fuzzy Hash: 49138bda0a58c861e825fb19f86c2fa74a8dfd61baf0aca26c4ae1dcb5d84b13
Instruction Fuzzy Hash: 7BF0E920E6C9490BE754BB3C640527573D5EF45309F5409B9D84DC71E5DF29DC524781

Function 00007FF84919340D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b43d43b492d4213959e61bb28802a0fa943040318bce010ea734979e5beae78
Instruction ID: 684a1ce79898f5fbc51e78b3a0f55f7fb8d09b6de72f39530501dd7690f4f013
Opcode Fuzzy Hash: 2b43d43b492d4213959e61bb28802a0fa943040318bce010ea734979e5beae78
Instruction Fuzzy Hash: B1F0A07190D60C6FDB18FF59EC4AAEB37A8FF85224F00013AF44D82192E6356863CB50

Function 00007FF84919C439 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c34db2c87c02bdc3fa2be3b67f77d40251e855d98913ab74af7c4a9abfe9530f
Instruction ID: 09fe943120623a5550ef0c4316288c454063daa7019782820bc016c59263a29e
Opcode Fuzzy Hash: c34db2c87c02bdc3fa2be3b67f77d40251e855d98913ab74af7c4a9abfe9530f
Instruction Fuzzy Hash: 2CD05E53B9C58E0BE590B94878911F1A380EB542B9B500373C58D830C6CD2F65464641

Function 00007FF84919CEB0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21d46be57608a414555087a9ff69b87ce9620efef7e9042b253813855672e1df
Instruction ID: 8e66ae1f85a45fcdc88f96f552331475f1a95b3ad1d0e0bdb1f1df88fcdd09f1
Opcode Fuzzy Hash: 21d46be57608a414555087a9ff69b87ce9620efef7e9042b253813855672e1df
Instruction Fuzzy Hash: 23D02331C0D589CFD348BB3C40051643650FF08388F5404BDD00ECB1D1D557540EC302

Non-executed Functions

Function 00007FF84919B0F1 Relevance: 10.3, Strings: 8, Instructions: 330COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF84919B319
HAH, xrefs: 00007FF84919B2A6
HAH, xrefs: 00007FF84919B2F1
HAH, xrefs: 00007FF84919B27E
HAH, xrefs: 00007FF84919B166
HAH, xrefs: 00007FF84919B1A0
r&_H, xrefs: 00007FF84919B271
HAH, xrefs: 00007FF84919B240

Memory Dump Source

Source File: 00000012.00000002.2437325823.00007FF849192000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff849192000_Client.jbxd

Similarity

API ID:
String ID: HAH$HAH$HAH$HAH$HAH$HAH$HAH$r&_H
API String ID: 0-1577230237
Opcode ID: 06a66dc94931d93841925e24eaf39bf81f151a6b9969a87eb5adea60a59f5f04
Instruction ID: be846a6027a42d52494a3028f75d70838d4bd7f5308db5d5e6f1f7d848a68569
Opcode Fuzzy Hash: 06a66dc94931d93841925e24eaf39bf81f151a6b9969a87eb5adea60a59f5f04
Instruction Fuzzy Hash: 4B914821E1D98A4FE794EB38A459AB477D1FF98694B0841BAC04EC7293EE1CAC47C741

Analysis Process: Client.exePID: 5728, Parent PID: 3128COMMON

Execution Graph

Execution Coverage:	10.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF8491A93C1 Relevance: 10.2, Strings: 7, Instructions: 1410
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HAH, xrefs: 00007FF8491AA03A
HAH, xrefs: 00007FF8491A974B
HAH, xrefs: 00007FF8491AA292
HAH, xrefs: 00007FF8491A9FC7
HAH, xrefs: 00007FF8491AA107
HAH, xrefs: 00007FF8491A9F8D
HAH, xrefs: 00007FF8491AA000

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID: HAH$HAH$HAH$HAH$HAH$HAH$HAH
API String ID: 0-3722465034
Opcode ID: 29244ca1ad97f6ee60d7cc69d914ce20ef1553c8309b456c90c583f138a5a927
Instruction ID: 6186a3b371ec01e0cc9a36aa6dd1c8abc855991897a807009cb06b4614e5ebce
Opcode Fuzzy Hash: 29244ca1ad97f6ee60d7cc69d914ce20ef1553c8309b456c90c583f138a5a927
Instruction Fuzzy Hash: 8392F631B1CA894FEBA8EF2C945977577D1FF99360F1400BAD44EC7296DE28AC428B41

Function 00007FF8491A4DC6 Relevance: 2.5, Strings: 1, Instructions: 1273
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HAH, xrefs: 00007FF8491A6226

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID: HAH
API String ID: 0-1579723087
Opcode ID: 048da489551c56ac34d5025cc19fbf0f19615e6cb661caedb92a3b5bd30d3487
Instruction ID: cf6b3f47bf71c3345e2366a0a7ec85fca93c702ce66b606623a31f78e3f887ac
Opcode Fuzzy Hash: 048da489551c56ac34d5025cc19fbf0f19615e6cb661caedb92a3b5bd30d3487
Instruction Fuzzy Hash: 56929270A1CA598FDBA8EF18C494BB977E2FF58350F5041A8D04ED7296DA39EC85CB40

Function 00007FF8491A5BE1 Relevance: 1.9, Strings: 1, Instructions: 681
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

*&I, xrefs: 00007FF8491A6070

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID: *&I
API String ID: 0-4181237346
Opcode ID: 38065f91226c57ad1dd128193f98670896fc267315acd3559d92d736e2330ed5
Instruction ID: b297ee8ce16ce8f060fb4445012b1811537122632911612750183f6a8bf6ce53
Opcode Fuzzy Hash: 38065f91226c57ad1dd128193f98670896fc267315acd3559d92d736e2330ed5
Instruction Fuzzy Hash: 9A323D70A18A598FDBA4EF18C8857B9B7E1FFA8350F1045A9D44ED3295DB38AD818F40

Function 00007FF8491AA7CD Relevance: .9, Instructions: 934COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3ea080657ca5beb55bf34ece674243f506e0718d63b5e2b6a95f068875cd891
Instruction ID: 1661aaf3d3541519e7eeaa108d79660e7c91b3e837819369c02c6f4a2f413e14
Opcode Fuzzy Hash: a3ea080657ca5beb55bf34ece674243f506e0718d63b5e2b6a95f068875cd891
Instruction Fuzzy Hash: A8624030608A498FDBA8EB2CC458B7577E2FF99350F1445B9E44DC72A6DE39EC418B41

Function 00007FF8491A8A61 Relevance: .7, Instructions: 696COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6309f2768fdae4b08af34c25a68d1fbe8018f14f5073adc2ebd4d3adae01cb26
Instruction ID: b15c8ebcec3ed2ece811f821f60f958459e7367334c39d771f1b3e86f01d59d6
Opcode Fuzzy Hash: 6309f2768fdae4b08af34c25a68d1fbe8018f14f5073adc2ebd4d3adae01cb26
Instruction Fuzzy Hash: 58228130A1CA498FEB68EB2884557B977E2FF98350F5441BDD44ED36D2DE38AC428B44

Function 00007FF8491A6C31 Relevance: 5.2, Strings: 4, Instructions: 239
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HAH, xrefs: 00007FF8491A6D9C
HAH, xrefs: 00007FF8491A6E0F
HAH, xrefs: 00007FF8491A6E58
HAH, xrefs: 00007FF8491A6DD6

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID: HAH$HAH$HAH$HAH
API String ID: 0-4204409433
Opcode ID: c6a9b0e1febbe08603a0310e4d05ef84b26f093ec338fd333098e299d1b37eef
Instruction ID: c9ad8a0cb53a237ed6923fccee2473c0727a28034e95359ab0f8b1499140c646
Opcode Fuzzy Hash: c6a9b0e1febbe08603a0310e4d05ef84b26f093ec338fd333098e299d1b37eef
Instruction Fuzzy Hash: 1961C571A1DE8A8FE6A9FB28945567567D2FF997E0B4400B9D04EC32D6CE2DBC028740

Function 00007FF8491AC349 Relevance: 3.9, Strings: 3, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

a%_H, xrefs: 00007FF8491AC373
`")I, xrefs: 00007FF8491AC48E
X!)I, xrefs: 00007FF8491AC40B

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID: X!)I$`")I$a%_H
API String ID: 0-2618395969
Opcode ID: b923755593ebd2cc6645a2c00ad186949a2dc2b7640ad55d0d3c8ed11eef2063
Instruction ID: 41ce7b025eaa35de2c084b7853b01e418df975f2c879e6c79fe7cc7ed4a6bf3a
Opcode Fuzzy Hash: b923755593ebd2cc6645a2c00ad186949a2dc2b7640ad55d0d3c8ed11eef2063
Instruction Fuzzy Hash: 8551E532E2CE8A5FE3A9EA2894516B573D1FFD87A0F54047EC04EC3296DE2DAD064740

Function 00007FF8491ACACE Relevance: 2.6, Strings: 2, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CI, xrefs: 00007FF8491ACB9C
CI, xrefs: 00007FF8491ACBD7

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID: CI$CI
API String ID: 0-4134897263
Opcode ID: ae821c6734400aa61ce5f9ff757019b40c3dbd010e47390c38b43993f1e82c9f
Instruction ID: 190f7dc9eb9664cc06f58c0b61d377131c6697d7c61867bab4483c6a3bb3c480
Opcode Fuzzy Hash: ae821c6734400aa61ce5f9ff757019b40c3dbd010e47390c38b43993f1e82c9f
Instruction Fuzzy Hash: BB411432D1DBCA4FD379DF2898552A57BE0EF957A0B0881BEC049C7193DE2D6C898781

Function 00007FF8491A2C10 Relevance: 1.7, Strings: 1, Instructions: 487
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HAH, xrefs: 00007FF8491A2C63

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID: HAH
API String ID: 0-1579723087
Opcode ID: b511630e707a7693f847672f1ec9bbf150090dd7c9a9a7b95f28c0ea5f6a3703
Instruction ID: aa8c5f12f1d4d630bd186ff43eee0d6aa5c6d29a92917c3abd924cd1e594814e
Opcode Fuzzy Hash: b511630e707a7693f847672f1ec9bbf150090dd7c9a9a7b95f28c0ea5f6a3703
Instruction Fuzzy Hash: 94E12531F1DACA4FE7B5AE2888556B577D0FF943A0F0405BAD049C7297DE2CAC468B41

Function 00007FF8491A3F19 Relevance: 1.7, Strings: 1, Instructions: 478
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 00007FF8491A4457

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 3a996dcfe3d6328d0eeac9602f88d0ad9d18346a776163fbc8660a2c5ad1475f
Instruction ID: 446f301d0f40c8631f11bd36b6bda4ef2d38121efbd607814aac45470f4af444
Opcode Fuzzy Hash: 3a996dcfe3d6328d0eeac9602f88d0ad9d18346a776163fbc8660a2c5ad1475f
Instruction Fuzzy Hash: A3E13931A0DB8A4FE7A5AF28985537977D1EF96360F0401BAD48EC72D3DE1CAC468742

Function 00007FF8491AA3D9 Relevance: 1.7, Strings: 1, Instructions: 402
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HAH, xrefs: 00007FF8491AA70E

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID: HAH
API String ID: 0-1579723087
Opcode ID: a5a0799fdf966b0de03ca0fbfdc4214739ea6eea38308f67aa20b8c91749a4fa
Instruction ID: 1ace4d561a9d7bfe8146c6925216dabec060fb79ecf60ad5a3622735c2652da2
Opcode Fuzzy Hash: a5a0799fdf966b0de03ca0fbfdc4214739ea6eea38308f67aa20b8c91749a4fa
Instruction Fuzzy Hash: F6D18331A1CA498FDBA8EF28C449BB977E2FF59350F14017AD04DC7292DE39AC458B41

Function 00007FF848F33525 Relevance: 1.6, APIs: 1, Instructions: 137
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32 ref: 00007FF848F33607

Memory Dump Source

Source File: 00000018.00000002.2556496286.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848f30000_Client.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: b742b37146af7085c845524516b51c341dee0820e43295434aedba5ebe6be307
Instruction ID: 79350d9df3012dd2aa46b89b75ea8d646a242ae2e76b1a5572531b40cc4afdd6
Opcode Fuzzy Hash: b742b37146af7085c845524516b51c341dee0820e43295434aedba5ebe6be307
Instruction Fuzzy Hash: 6241043180DA8C4FDB49EB6898496E97BF0FF66310F0442AFC049C7692CB286849C751

Function 00007FF848F33569 Relevance: 1.6, APIs: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32 ref: 00007FF848F33607

Memory Dump Source

Source File: 00000018.00000002.2556496286.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848f30000_Client.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: bfec3d625e78c3da83f510080a6d6a75eac4ef45dae89aad96faee4dbade8b26
Instruction ID: 7f4b1f95c06e1596796736c6721584225933cf985fac8b31601228cd0322d648
Opcode Fuzzy Hash: bfec3d625e78c3da83f510080a6d6a75eac4ef45dae89aad96faee4dbade8b26
Instruction Fuzzy Hash: 3C31F03180DB5C8FDB59DB6888496E9BBF0FF65310F04426BC049D3692CB78A845CB91

Function 00007FF8491A3451 Relevance: 1.6, Strings: 1, Instructions: 302
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

%_L, xrefs: 00007FF8491A3673

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID: %_L
API String ID: 0-1469106525
Opcode ID: f64cc20fc6107c59cb66ae1d2a6a31258ac07cdc509650468564d70ab9110ddb
Instruction ID: e087d4579ee0ff50866f9ad33c48ea47444a917a5ab4290b0c007ca3df0f49d5
Opcode Fuzzy Hash: f64cc20fc6107c59cb66ae1d2a6a31258ac07cdc509650468564d70ab9110ddb
Instruction Fuzzy Hash: F391E731A0DB894FDBA6EF2898546B5B7E1EF55360F0405BAD04DC3292DE2DEC46CB81

Function 00007FF8491A6E69 Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF8491A6E8E

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID: HAH
API String ID: 0-1579723087
Opcode ID: 0f213612ac3de815fd9430a277a30fd5f7666cfac3c645b195e8ee83c645926b
Instruction ID: 115dc6fcf252307066101fac26ca0e1b8fd2f6086724d9a29303f43b6f888693
Opcode Fuzzy Hash: 0f213612ac3de815fd9430a277a30fd5f7666cfac3c645b195e8ee83c645926b
Instruction Fuzzy Hash: FF410621A1EBC54FE7A6EB3C98686717FD0EFA6290F0804FED089C71A3D91D9C858701

Function 00007FF8491A20E2 Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

#&_^, xrefs: 00007FF8491A2101

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID: #&_^
API String ID: 0-519297270
Opcode ID: 200e970312005fcf518977cce66d7c75a7d141aab53f3730baa680644546c32a
Instruction ID: 82123a636f80e561dbb2257518de3d0d6a04941473d806df436a2b5c069783a4
Opcode Fuzzy Hash: 200e970312005fcf518977cce66d7c75a7d141aab53f3730baa680644546c32a
Instruction Fuzzy Hash: B7311937B1A6259ED310BE7DF4814E97360EF8577AB188677C18CCE093DB2C648586E8

Function 00007FF8491A20D7 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

#&_^, xrefs: 00007FF8491A2101

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID: #&_^
API String ID: 0-519297270
Opcode ID: 22dafbf509e7a2e571f3d6eb15d3004b4732fed38fad322d1b1bdf1988db9f53
Instruction ID: f6ac40f8cef86617793e76f023063ae498744575d84dc57d79961d7061730ded
Opcode Fuzzy Hash: 22dafbf509e7a2e571f3d6eb15d3004b4732fed38fad322d1b1bdf1988db9f53
Instruction Fuzzy Hash: EB312A37B1E6299ED310BE7DF4814E973A0EF8577AB084677C1C8CE083DA1C648586E8

Function 00007FF8491A20CF Relevance: 1.4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

#&_^, xrefs: 00007FF8491A2101

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID: #&_^
API String ID: 0-519297270
Opcode ID: 1f89d46a2c3f5cdfb6ea6adac76dd2cf3c2aad182014ea3a569d81d3df566f2d
Instruction ID: 26880b046c88f92125a92d535d083f8246fe3a254b9eadb80c183e8ffc4355cf
Opcode Fuzzy Hash: 1f89d46a2c3f5cdfb6ea6adac76dd2cf3c2aad182014ea3a569d81d3df566f2d
Instruction Fuzzy Hash: C1313D37B1D6199EC310BE7DF4814E97390EF85779B184777C188CE083DA1C648586E8

Function 00007FF8491AC466 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

`")I, xrefs: 00007FF8491AC48E

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID: `")I
API String ID: 0-1793973326
Opcode ID: 3551a8ccfe2ecf46f06ca00c83f444b5f95f55febe99f3358aa64e675f4714f8
Instruction ID: 210bd8389c400de6566c5b917653409b9912ef7276f4d3a721e8565e079d335b
Opcode Fuzzy Hash: 3551a8ccfe2ecf46f06ca00c83f444b5f95f55febe99f3358aa64e675f4714f8
Instruction Fuzzy Hash: C021F562E2DECA1FE39AAB3844566B567E1FFA9350F4444BAD04EC3283DD1CE9054351

Function 00007FF8491A9763 Relevance: .4, Instructions: 443COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ed79e1d0f64948779f75a7e6943f2541f8ffb05b9106e4efb13e336d3cafbbd
Instruction ID: d4c480cb00e29e0b51f35acf7a24e1c1f9d314c1c9db3d9a4794c9ca8d91504b
Opcode Fuzzy Hash: 9ed79e1d0f64948779f75a7e6943f2541f8ffb05b9106e4efb13e336d3cafbbd
Instruction Fuzzy Hash: 83D17F3061CA498FDB98FF6CD458A7977E1FF59350B1101B9E44EC72A6DE28EC828B41

Function 00007FF8491A8BBD Relevance: .4, Instructions: 428COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1a5d197882fc00244eb837aef49c43630a815eae78038cf5c11caff774fc9fd
Instruction ID: cb516d9bf2d1341c5a45e17fe6439f1bdb75ad1a582c5fe8e24499f1a42b9c44
Opcode Fuzzy Hash: e1a5d197882fc00244eb837aef49c43630a815eae78038cf5c11caff774fc9fd
Instruction Fuzzy Hash: FCE1F531A0DA894FE765AB2884557B877D1FF653A0F1401BDD48EC76D3DE2CAC868B01

Function 00007FF8491A8C28 Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 121026580900e06750e3b696038214758a5af93176baedf85b485f104b12ae3b
Instruction ID: d329db85edf56e3a73d8c37ab49edae34b0b30558bdcd72b342d553ae191f333
Opcode Fuzzy Hash: 121026580900e06750e3b696038214758a5af93176baedf85b485f104b12ae3b
Instruction Fuzzy Hash: 14C1D530A0CA894FE769AB2884557B977D1FF65390F5441BDD48EC76D3DE2CAC868B00

Function 00007FF8491A3125 Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a4d8ef4697b6810f931da3fdf42cbcae98d2221acdd5f4aa4175283eacdfdf1
Instruction ID: 3cd015a756e130f9b32a8dd3e851572e7bbbdbc9c3bbb7fa75d8e90b76bfcbf0
Opcode Fuzzy Hash: 3a4d8ef4697b6810f931da3fdf42cbcae98d2221acdd5f4aa4175283eacdfdf1
Instruction Fuzzy Hash: 6BA16F31A1CA498FDB98EF2894516B973E1FF98365F50417AE45ED3282DF39AC028B44

Function 00007FF8491A8D1D Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef057590f4ab1db16470e69491b4a24c095672c8cc7f8ba1c801a23c81593250
Instruction ID: 7bc2477f5cb9eed683245cb974a724a5c7f3e406db6d906147acc7a7e272ffa5
Opcode Fuzzy Hash: ef057590f4ab1db16470e69491b4a24c095672c8cc7f8ba1c801a23c81593250
Instruction Fuzzy Hash: DEA16130A0CA494FEB69EB2884557B977D2FF58390F5440B9D48EC36D3DE2DAC858B44

Function 00007FF8491A8D89 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d01d9e5b8dcfa7778220715a33ce27321b226b58954a2f09656b849fd5806b0
Instruction ID: ed34c675858a3a2c2d52d27637c340058e78ffa7b2ad16a18248445d00636349
Opcode Fuzzy Hash: 8d01d9e5b8dcfa7778220715a33ce27321b226b58954a2f09656b849fd5806b0
Instruction Fuzzy Hash: 0B915F30A0CA494FEBA8FB1884957B873D2FF98390F5040B9D44ED36D3DE29AC858B44

Function 00007FF8491A8D58 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a98da1651b1c4eeabc1d829cffff45b125d8b70d23f8b23ff9bdb8178af8f59
Instruction ID: 1316773b56a26edb80351bcd00f1d85bb84a35d32c76cfd63ff672500c5b251e
Opcode Fuzzy Hash: 9a98da1651b1c4eeabc1d829cffff45b125d8b70d23f8b23ff9bdb8178af8f59
Instruction Fuzzy Hash: D0914130A0CA494FEB68EB2984957B873D2FF98394F544079D48EC36D7DE2DAC858B44

Function 00007FF8491A8D01 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c4665a895935cf55ebfdbabc5ce0cdbd2b9f948deae33c523de130305a17b00
Instruction ID: df00c716d7d45a92f81206837121fc4a38a20f01df4c226f5b4fb0ed6d6a80d3
Opcode Fuzzy Hash: 3c4665a895935cf55ebfdbabc5ce0cdbd2b9f948deae33c523de130305a17b00
Instruction Fuzzy Hash: 38915130A0CA494FEB68EB6984557B877D2FF98390F5040B9D48EC36C7DE29AC858B44

Function 00007FF8491A6FC5 Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b01a5c1f9b87e14270c3fbd17d1277e7bfc10eb215977fe4587a670f868c75d8
Instruction ID: 54b6624441958d90cffc55dfa0897c66d73ca93ff650c425e3e1622f4074ce14
Opcode Fuzzy Hash: b01a5c1f9b87e14270c3fbd17d1277e7bfc10eb215977fe4587a670f868c75d8
Instruction Fuzzy Hash: 0C711731B1DA494FE798FB2CE8596B577D1EF9A360B0400BAD04EC7293DD29AC428781

Function 00007FF8491ABD32 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7854c28487398981fe5db05d7848089be49496bcbfb26e2513ab4d13938fa7b
Instruction ID: b7d0a212b0c277fa70a178e705bd638fc0bb87ba49f8e5f6e0cb9343fa351d8d
Opcode Fuzzy Hash: f7854c28487398981fe5db05d7848089be49496bcbfb26e2513ab4d13938fa7b
Instruction Fuzzy Hash: 2761BF30A4DBC94FEBA1EF289858AB577E1EF49354F0904BAD45DC71A2DA2CAC45CB40

Function 00007FF8491AC15F Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3bada29e038aa7bad8e699d52d1a92b17c3048dfdc24ac2063b4772a6ef1fab
Instruction ID: c05100575b7e5fe3f260650b5245309ad2892c962ad0682e95cff1a6767d7627
Opcode Fuzzy Hash: c3bada29e038aa7bad8e699d52d1a92b17c3048dfdc24ac2063b4772a6ef1fab
Instruction Fuzzy Hash: EA518971F1DE8A9FE7A8AB3894516B56392FF94784F5004BDC40EC3297DE2DAC528B40

Function 00007FF8491A36F5 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 690d0f01ac2d05da8f0732da6c4479b5bc28d55d85f333e748463396227b8139
Instruction ID: c89c5badea04e6bfea437b912d36c9d2294378362c07388c23fed08861b03df1
Opcode Fuzzy Hash: 690d0f01ac2d05da8f0732da6c4479b5bc28d55d85f333e748463396227b8139
Instruction Fuzzy Hash: F451043051C7894FEB65BB2898457767BD1EF463B4F10067ED48DC3196EE2DAC428781

Function 00007FF8491AD30D Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0224dc6704d44d275d62debe63b701012d0e4d551da3635a00f29182f9cb7b9
Instruction ID: c737842deaf53a7a32f28c1ecf9760705d5ec6773112968594ddd291906967e7
Opcode Fuzzy Hash: a0224dc6704d44d275d62debe63b701012d0e4d551da3635a00f29182f9cb7b9
Instruction Fuzzy Hash: 9041E120B1EA425FE754BB7C58967F567C1EF98760F6401BAD00CC32C7CE5CA8464362

Function 00007FF8491A28F2 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9868d5829b869be51da94a18e36e594dfafb10e7c91ad903801546c6751d9f8a
Instruction ID: 3def4d38effc4d2515c7a775a78f6ff1eb1c329c4ca3634d0c4e1dcbd205a31b
Opcode Fuzzy Hash: 9868d5829b869be51da94a18e36e594dfafb10e7c91ad903801546c6751d9f8a
Instruction Fuzzy Hash: 43311371A2DB9A4FE765BB2988A16F677B0EF59350F4004BBD04AC31C7CE2C6C068751

Function 00007FF8491A2EC6 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 964104cfcbb4c50815ab291b1335f988846c916390a15f5a3f924a4d79751d15
Instruction ID: ca3b1602147d4b01ce1f394e259635f29db0d3d74fa04f76a58c0370b7cbf69f
Opcode Fuzzy Hash: 964104cfcbb4c50815ab291b1335f988846c916390a15f5a3f924a4d79751d15
Instruction Fuzzy Hash: 5E314631E1DAC64FE7AAAB3898556B177E1EF96760B0444BAC009C7287DD2DAC46C740

Function 00007FF8491A3730 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9c3959e61aa6622d6911662863c56bdc2793ef9f0fa9e9957c81098fc273308
Instruction ID: a8d34f8294c426a2b14b25a8536c36355529f61e5cc83f85f611ea89c38a16c1
Opcode Fuzzy Hash: b9c3959e61aa6622d6911662863c56bdc2793ef9f0fa9e9957c81098fc273308
Instruction Fuzzy Hash: 3D31C53161CA095FEB98FF28984977633C1EF993B0B000679E84DC3296EE29AC024780

Function 00007FF8491AD155 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7a3d3b27a36b1421509a906a1a651f59d832e22a2634218312533e733484636
Instruction ID: 54dcae6d5ef031f8ec7fb0de949a2e1e3d1648829ed2bf888680a422b92c2692
Opcode Fuzzy Hash: a7a3d3b27a36b1421509a906a1a651f59d832e22a2634218312533e733484636
Instruction Fuzzy Hash: 8F31E03890DFC64FE3B9AA28985427176D0EF653A0F1800BAD48EC7192DD5CEC81CB81

Function 00007FF8491A75E8 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01d8e86f1ee699348e9b5b105a381c4a734663fad6ddf543edab0a5b6a4cdd5e
Instruction ID: 02ee78872d4f78db334ed2ecfde4047ec63fee706940b8320aa25d342d4f8d2f
Opcode Fuzzy Hash: 01d8e86f1ee699348e9b5b105a381c4a734663fad6ddf543edab0a5b6a4cdd5e
Instruction Fuzzy Hash: 71215B32F1EF4D0FF2A8A96C68456B137D1EFE46B075501BAD00DC3287DD1CAC424680

Function 00007FF8491A3140 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a86ded2d7f9f9486436386a7495664c89fdfbcdf2e3466c88129ee93c35f3f7
Instruction ID: a5220b948b5f875bd6d804c6ee6d1ec9b685bdbbd37db5be843dd33a3ce11e60
Opcode Fuzzy Hash: 8a86ded2d7f9f9486436386a7495664c89fdfbcdf2e3466c88129ee93c35f3f7
Instruction Fuzzy Hash: 0A217A31A18A4D8FDB98EF28C4456B977E1FF99325F10417AE40ED3282DB35E852CB40

Function 00007FF8491A75F0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cb717bb101a9ab0bbb35a099876a5444eb1e63caaf316cdcb19e409d6b584e7
Instruction ID: 67a63c98ed7b81ec7fe1338878f1c4422457069421cec10f9c7d5fadc8bda84b
Opcode Fuzzy Hash: 2cb717bb101a9ab0bbb35a099876a5444eb1e63caaf316cdcb19e409d6b584e7
Instruction Fuzzy Hash: 23113632F1EE4E1FF2A8A92CA8466B137D1EFE86B075501B9D00DC3286ED1CAC424690

Function 00007FF8491A7987 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6e854a7e41222b2545d0c7cc2205b189aeb6d67004c17be77cbc35690bb9f99
Instruction ID: a9d3c9de20ddd79589e49051e25517fc7c808f62e9dfece0b02a4d6eee57ff41
Opcode Fuzzy Hash: c6e854a7e41222b2545d0c7cc2205b189aeb6d67004c17be77cbc35690bb9f99
Instruction Fuzzy Hash: 19217C3061CA498FDB98EF1CD4556B9B7E1FF98321F10117EE48AD32A1CB35E8428B81

Function 00007FF8491A2943 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1d51d815191919874bc16415d8a51683a2c6cf317b46b95216809f0037fb8e7
Instruction ID: 3cd187b7df24498400f4bc08e5a1882d5be1abd8ddc68323ff489e2af1f4b1d0
Opcode Fuzzy Hash: a1d51d815191919874bc16415d8a51683a2c6cf317b46b95216809f0037fb8e7
Instruction Fuzzy Hash: AE21C631B39A5A4EE758BB19D4526FA72E1FB58740F90447AD04FC32C7CE6CB8068781

Function 00007FF8491AD0CD Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 780c8c4583fd9940caad1ede06a9a1898ab258868ca1d51b9f08ca8859943b38
Instruction ID: 96ad55891345f2ae7236ab7b9b89e87b5d49d31142e49aca100e99b58c8dfe7f
Opcode Fuzzy Hash: 780c8c4583fd9940caad1ede06a9a1898ab258868ca1d51b9f08ca8859943b38
Instruction Fuzzy Hash: AB11A13158EBC65FC346EBB48810AD17BE1EF9B26030941FAD089CB5A3C96C9887C761

Function 00007FF8491AD231 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be0cf0630a8f7db4aeecc630f77a1b5b41364fcd8edf279c6607527ce0980cf4
Instruction ID: 99fe2326b856724d965a1010d8ef0f74751bda88c937eb3f097cc7dbf2026753
Opcode Fuzzy Hash: be0cf0630a8f7db4aeecc630f77a1b5b41364fcd8edf279c6607527ce0980cf4
Instruction Fuzzy Hash: A611E02192DEDA1EE725A76884163F9BBE1FF96350F4801B6E01CC71C3CF9CA8048791

Function 00007FF8491A4C61 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46a073dc20d32ec079d175f2ec304c6f8e338748b37a1f145fc08e8e22e72e2a
Instruction ID: ea4da275d07b716dfe4cf7d9991621c73e8d18056446480323aa094ab210edc4
Opcode Fuzzy Hash: 46a073dc20d32ec079d175f2ec304c6f8e338748b37a1f145fc08e8e22e72e2a
Instruction Fuzzy Hash: 0801283190DB854FE752F72884452B97FD1DF852A0F080A7ED08CC60E2CE6C4AC68387

Function 00007FF8491A223A Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6f50ef5583df024a8a699f0d7f0714b5ae2b5762f05f43d7bf90e2e73f3730
Instruction ID: 0e58e850d071c041e63abbe8e7ffb8af42c46f1fd6c844168e6f22e633f6b68f
Opcode Fuzzy Hash: 9c6f50ef5583df024a8a699f0d7f0714b5ae2b5762f05f43d7bf90e2e73f3730
Instruction Fuzzy Hash: AEF0C23190DBC86FEB51AB78A4496EA7FF0EF46310F4540E7D848C6193CA286A448751

Function 00007FF8491ACD35 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15732fa373726e0b409f5150805c96c2a3afe194d7cd747f751b555beb2e9ce3
Instruction ID: 9194586a674ecaccc4644b47623761bb3886e25f8c25040bedec124b64f6f147
Opcode Fuzzy Hash: 15732fa373726e0b409f5150805c96c2a3afe194d7cd747f751b555beb2e9ce3
Instruction Fuzzy Hash: 7C019E7290C7C44FC305DF24980509ABBE0FF98318F0506AFE48CE7252E738DA048B46

Function 00007FF8491AC766 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68e8b33ac0916296b0b1e243b698f21a6bfe545b4ae653fc3de0ff188f298f90
Instruction ID: 096ba66ba7fe5582b15b88ce58e46f505999e657f6192aef6e26176ef93818ef
Opcode Fuzzy Hash: 68e8b33ac0916296b0b1e243b698f21a6bfe545b4ae653fc3de0ff188f298f90
Instruction Fuzzy Hash: FD01D621E1DEC64FE3A9BE3804515BA63E2FFD8690B444578C01EC3286CE1CBD064B00

Function 00007FF8491A21D3 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 661d4936121daadac5bd82c783e91257b57969dda92c66c892dcfa0e7e256f8f
Instruction ID: 589aa5eed8a789aafdc40865d14c50e856b1ca542387bfb3c56eacf63fc62402
Opcode Fuzzy Hash: 661d4936121daadac5bd82c783e91257b57969dda92c66c892dcfa0e7e256f8f
Instruction Fuzzy Hash: 0CF0272674DA8E1FE254BD9EA8815F17380EB903B1B58053BCA19C3585D98DAC5646D0

Function 00007FF8491A3020 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6d891e50198a1775eca7f256dc60b595658a2e831b3f318b200f606aeb6065c
Instruction ID: afade6051220a857c140917519fca8ac67a0c303f751d24dbb2552a94df3b4f2
Opcode Fuzzy Hash: a6d891e50198a1775eca7f256dc60b595658a2e831b3f318b200f606aeb6065c
Instruction Fuzzy Hash: 25F0E230A2CA8A0BE794BA3CA80027673C5EB45215F5408BAD88EC7292DF2CDC424685

Function 00007FF8491A22A9 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 941f5675cf9d1ef454ba200793267cfeefcfdd47a07dee31eb961beef55fdbbc
Instruction ID: 4f900576b4e559874844ccca99620f789fcbf771a39dcc36193c3baebdcccf7f
Opcode Fuzzy Hash: 941f5675cf9d1ef454ba200793267cfeefcfdd47a07dee31eb961beef55fdbbc
Instruction Fuzzy Hash: A5F0FF71E1D6C84FE755AB74881A0ED7FF0EF56210F4505E7D448C7092EA3859458300

Function 00007FF8491A340D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70cf21d9e70ce76508cf83898484feef363597d488487a1893d6b1d777935134
Instruction ID: cf83029328f4ad40a8db66ae19be38369b9181fa82c86dbc3ac0179cdc805d59
Opcode Fuzzy Hash: 70cf21d9e70ce76508cf83898484feef363597d488487a1893d6b1d777935134
Instruction Fuzzy Hash: C3F0A07190D60D6FDB18FF59EC46AEB37A8FF85220F00013AF44D82192E6396863CB50

Function 00007FF8491ACDB1 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63aa23a1fa6cc2cccf89fae32ac6cfe61300b7a543a0e8d8f78fb944fe6f840e
Instruction ID: b3edaa4ee85b6341bd7da06291d6f53c6a84272208a0e25c77faae9fe5cad784
Opcode Fuzzy Hash: 63aa23a1fa6cc2cccf89fae32ac6cfe61300b7a543a0e8d8f78fb944fe6f840e
Instruction Fuzzy Hash: B8F0827290F2C54FC3429B7888559957F90AE1355030988FAC048CF1A2D15848098751

Function 00007FF8491AC439 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 817952ee2949c7e6433a5911bbc7d752ad0a81915d740191ac18c33f324af9b5
Instruction ID: 368dcea47f75652f9bdadaaae0a44fcb5cc4408dfafc32f12603e442acae19e5
Opcode Fuzzy Hash: 817952ee2949c7e6433a5911bbc7d752ad0a81915d740191ac18c33f324af9b5
Instruction Fuzzy Hash: 6BD05E53B6C68E0EE590790878910B1A380EB952B5B5002B3C44992186CD2F99460641

Function 00007FF8491AD2E8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50bfb1e22a99aa11d7b1ec7850d2932b67863802919bd0c3bf2843e862db3bdc
Instruction ID: 441ab12104a39798504e4bee3ef62e5711c222dadbdcee72ffac76d45b075d92
Opcode Fuzzy Hash: 50bfb1e22a99aa11d7b1ec7850d2932b67863802919bd0c3bf2843e862db3bdc
Instruction Fuzzy Hash: CFD0233555454C57C7147B65B4054D7B758FF8D35CF00057FF91CC5041D62795354392

Non-executed Functions

Function 00007FF8491AB0F1 Relevance: 10.3, Strings: 8, Instructions: 323COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF8491AB1A0
r%_H, xrefs: 00007FF8491AB271
HAH, xrefs: 00007FF8491AB240
HAH, xrefs: 00007FF8491AB166
HAH, xrefs: 00007FF8491AB319
HAH, xrefs: 00007FF8491AB2A6
HAH, xrefs: 00007FF8491AB27E
HAH, xrefs: 00007FF8491AB2F1

Memory Dump Source

Source File: 00000018.00000002.2560822111.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff8491a0000_Client.jbxd

Similarity

API ID:
String ID: HAH$HAH$HAH$HAH$HAH$HAH$HAH$r%_H
API String ID: 0-1547968964
Opcode ID: bd1a2cc51f303322ddd99de37bfaf6ec3495fdab60b201192d5a35134b0c7690
Instruction ID: c21c52a9c0edbea478a5fe07eee70e8dd9bc98445c7d9db1cfa985eb275f0e73
Opcode Fuzzy Hash: bd1a2cc51f303322ddd99de37bfaf6ec3495fdab60b201192d5a35134b0c7690
Instruction Fuzzy Hash: 30912A31E4DACB4FE795EB389455A747BD1FFA52A0B0441BAC04DC7297DE1CAC468740

Analysis Process: Client.exePID: 2292, Parent PID: 3168COMMON

Execution Graph

Execution Coverage:	15.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF8491A8A61 Relevance: .7, Instructions: 696COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2682666279.00007FF8491A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff8491a2000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be168dd7dfad30cd2f0e263a8893726f1dd29dcce9239a40ce839003f71d7eaf
Instruction ID: bd3b624ebf14299c8539b736d658e57aa7ed0e62c846d28f45075ef804551301
Opcode Fuzzy Hash: be168dd7dfad30cd2f0e263a8893726f1dd29dcce9239a40ce839003f71d7eaf
Instruction Fuzzy Hash: 75227030A1CA494FEBA8EF2884557B977E2FF98350F1441BDD44ED36D2DE28AC428B45

Function 00007FF8491A6C31 Relevance: 5.2, Strings: 4, Instructions: 239
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HAH, xrefs: 00007FF8491A6E0F
HAH, xrefs: 00007FF8491A6E58
HAH, xrefs: 00007FF8491A6D9C
HAH, xrefs: 00007FF8491A6DD6

Memory Dump Source

Source File: 0000001D.00000002.2682666279.00007FF8491A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff8491a2000_Client.jbxd

Similarity

API ID:
String ID: HAH$HAH$HAH$HAH
API String ID: 0-4204409433
Opcode ID: 1d825e109899288bd89873e952c42f41bf2f008ba78127ccf089743bb6641825
Instruction ID: 0484302daf71525ba80157f0158ffab7ae14a63b117c01548780b106d34dc8a8
Opcode Fuzzy Hash: 1d825e109899288bd89873e952c42f41bf2f008ba78127ccf089743bb6641825
Instruction Fuzzy Hash: A661C671A1DE8A4FE6A9EB2C945567567D2FF997E0B4400B9D04EC32D6CE2DBC028740

Function 00007FF8491ACACE Relevance: 2.6, Strings: 2, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CI, xrefs: 00007FF8491ACBD7
CI, xrefs: 00007FF8491ACB9C

Memory Dump Source

Source File: 0000001D.00000002.2682666279.00007FF8491A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff8491a2000_Client.jbxd

Similarity

API ID:
String ID: CI$CI
API String ID: 0-4134897263
Opcode ID: ae821c6734400aa61ce5f9ff757019b40c3dbd010e47390c38b43993f1e82c9f
Instruction ID: 190f7dc9eb9664cc06f58c0b61d377131c6697d7c61867bab4483c6a3bb3c480
Opcode Fuzzy Hash: ae821c6734400aa61ce5f9ff757019b40c3dbd010e47390c38b43993f1e82c9f
Instruction Fuzzy Hash: BB411432D1DBCA4FD379DF2898552A57BE0EF957A0B0881BEC049C7193DE2D6C898781

Function 00007FF8491A2C10 Relevance: 1.7, Strings: 1, Instructions: 487
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HAH, xrefs: 00007FF8491A2C63

Memory Dump Source

Source File: 0000001D.00000002.2682666279.00007FF8491A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff8491a2000_Client.jbxd

Similarity

API ID:
String ID: HAH
API String ID: 0-1579723087
Opcode ID: 73ed8f92a1aadabcf08bec2315d6b90432c11c6316edd73cd1158613e0cb7a25
Instruction ID: 6e6c62c46f1a6570fa4834b9c3bfb8b87dfd1cf306a979072c8e2a8e4fba6247
Opcode Fuzzy Hash: 73ed8f92a1aadabcf08bec2315d6b90432c11c6316edd73cd1158613e0cb7a25
Instruction Fuzzy Hash: BFE12731F1DACA4FE779AE2888556A977D0FF943A0F0405BAD049C72D7DE2CAC468B41

Function 00007FF8491A3451 Relevance: 1.6, Strings: 1, Instructions: 302
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

%_L, xrefs: 00007FF8491A3673

Memory Dump Source

Source File: 0000001D.00000002.2682666279.00007FF8491A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff8491a2000_Client.jbxd

Similarity

API ID:
String ID: %_L
API String ID: 0-1469106525
Opcode ID: 41b3599a423284019766557c10a07eca0fabe03a5f52f9213f4280dd0b9f1592
Instruction ID: b73b686a0934bd706e3b1ae2ed2d80c4b84a081b5cd9108e69c5ae2680efa368
Opcode Fuzzy Hash: 41b3599a423284019766557c10a07eca0fabe03a5f52f9213f4280dd0b9f1592
Instruction Fuzzy Hash: 0391E831A0DB894FDBA6EF2898546B5B7E1EF55360F0405BAD04DC3292DE2DEC46CB81

Function 00007FF8491A6E69 Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF8491A6E8E

Memory Dump Source

Source File: 0000001D.00000002.2682666279.00007FF8491A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff8491a2000_Client.jbxd

Similarity

API ID:
String ID: HAH
API String ID: 0-1579723087
Opcode ID: abf6fe504b77a01f38d24001f6d5a89b2f8cad49e15714b04d0a873ad8f5382f
Instruction ID: 115dc6fcf252307066101fac26ca0e1b8fd2f6086724d9a29303f43b6f888693
Opcode Fuzzy Hash: abf6fe504b77a01f38d24001f6d5a89b2f8cad49e15714b04d0a873ad8f5382f
Instruction Fuzzy Hash: FF410621A1EBC54FE7A6EB3C98686717FD0EFA6290F0804FED089C71A3D91D9C858701

Function 00007FF8491A20E2 Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

#&_^, xrefs: 00007FF8491A2101

Memory Dump Source

Source File: 0000001D.00000002.2682666279.00007FF8491A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff8491a2000_Client.jbxd

Similarity

API ID:
String ID: #&_^
API String ID: 0-519297270
Opcode ID: b32b56c0d75ce5aca5b7ed8271907fbb2b8e41c7cd616c9ef6ec58b979e1e19f
Instruction ID: 82123a636f80e561dbb2257518de3d0d6a04941473d806df436a2b5c069783a4
Opcode Fuzzy Hash: b32b56c0d75ce5aca5b7ed8271907fbb2b8e41c7cd616c9ef6ec58b979e1e19f
Instruction Fuzzy Hash: B7311937B1A6259ED310BE7DF4814E97360EF8577AB188677C18CCE093DB2C648586E8

Function 00007FF8491A20D7 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

#&_^, xrefs: 00007FF8491A2101

Memory Dump Source

Source File: 0000001D.00000002.2682666279.00007FF8491A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff8491a2000_Client.jbxd

Similarity

API ID:
String ID: #&_^
API String ID: 0-519297270
Opcode ID: a6eff21ba5dfdfdabf2352c9ba2b94f9dcb555f9390d13526a1b3891fc05ef9e
Instruction ID: f6ac40f8cef86617793e76f023063ae498744575d84dc57d79961d7061730ded
Opcode Fuzzy Hash: a6eff21ba5dfdfdabf2352c9ba2b94f9dcb555f9390d13526a1b3891fc05ef9e
Instruction Fuzzy Hash: EB312A37B1E6299ED310BE7DF4814E973A0EF8577AB084677C1C8CE083DA1C648586E8

Function 00007FF8491A20CF Relevance: 1.4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

#&_^, xrefs: 00007FF8491A2101

Memory Dump Source

Source File: 0000001D.00000002.2682666279.00007FF8491A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff8491a2000_Client.jbxd

Similarity

API ID:
String ID: #&_^
API String ID: 0-519297270
Opcode ID: 9b0c7fef596edb3c8386e05273ec449e2895266679207ed8150d3dcbe20a771e
Instruction ID: 26880b046c88f92125a92d535d083f8246fe3a254b9eadb80c183e8ffc4355cf
Opcode Fuzzy Hash: 9b0c7fef596edb3c8386e05273ec449e2895266679207ed8150d3dcbe20a771e
Instruction Fuzzy Hash: C1313D37B1D6199EC310BE7DF4814E97390EF85779B184777C188CE083DA1C648586E8

Function 00007FF8491AC466 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

`")I, xrefs: 00007FF8491AC48E

Memory Dump Source

Source File: 0000001D.00000002.2682666279.00007FF8491A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff8491a2000_Client.jbxd

Similarity

API ID:
String ID: `")I
API String ID: 0-1793973326
Opcode ID: 3551a8ccfe2ecf46f06ca00c83f444b5f95f55febe99f3358aa64e675f4714f8
Instruction ID: 210bd8389c400de6566c5b917653409b9912ef7276f4d3a721e8565e079d335b
Opcode Fuzzy Hash: 3551a8ccfe2ecf46f06ca00c83f444b5f95f55febe99f3358aa64e675f4714f8
Instruction Fuzzy Hash: C021F562E2DECA1FE39AAB3844566B567E1FFA9350F4444BAD04EC3283DD1CE9054351

Function 00007FF8491A8C28 Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2682666279.00007FF8491A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff8491a2000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a56615419f640f8c1e5684faa5163a5a164f27dc28ac72161d229dc515737506
Instruction ID: c7bdc43b9eda057e176326822920543f2d7e61eba0e1f12d722b42c6ea93d823
Opcode Fuzzy Hash: a56615419f640f8c1e5684faa5163a5a164f27dc28ac72161d229dc515737506
Instruction Fuzzy Hash: EEC1C430A0DA894FEB69AB2884557B977D1FF553A0F1441BDD48EC76D3DE2CAC868B00

Function 00007FF8491A36F5 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2682666279.00007FF8491A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff8491a2000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 905b3197de8260afea0939a2676687a8111ab570b160fa6ad52370c3ffe58331
Instruction ID: ccc5ec4b3b33d26783f270e7ff4b957fffd265e53a5644985a7adfc37d67fc64
Opcode Fuzzy Hash: 905b3197de8260afea0939a2676687a8111ab570b160fa6ad52370c3ffe58331
Instruction Fuzzy Hash: 42510130A1CB894FEB69BB6898446757BD0EF563B4F10067ED489C31D6EE2DAC428781

Function 00007FF8491A28F2 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2682666279.00007FF8491A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff8491a2000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9d71d3ef52cd3413589b02d3452de98066093687836a43d1859ecdd25e97536
Instruction ID: 025d4ac75d192779b0381d654e8f74d4cfb60d233dea56a34dca46c5a7aa56bb
Opcode Fuzzy Hash: f9d71d3ef52cd3413589b02d3452de98066093687836a43d1859ecdd25e97536
Instruction Fuzzy Hash: A7311531A2EB8A4FE765BB2984A15F677B0EF59350F4004BBD04AC31C7CE2C6C098791

Function 00007FF8491A2EC6 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2682666279.00007FF8491A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff8491a2000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29744506ea32a50abf3a92b43b9db6619d9a0d31b8839b096ae50dd2be34e5be
Instruction ID: 19f8165248b0ed7c27b3b791cc197cf0a468b023d93ce811ff0f638d87d4a875
Opcode Fuzzy Hash: 29744506ea32a50abf3a92b43b9db6619d9a0d31b8839b096ae50dd2be34e5be
Instruction Fuzzy Hash: 58314B31E1DAC64FE7AAAB3858916B17BD1EF96650B0444FEC009C71D7DD2D9C4AC740

Function 00007FF8491ACCA5 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2682666279.00007FF8491A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff8491a2000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3ed3f99e450ee0c6c5583ddc547a3aa78a92824f750dec26e79978f87e7f730
Instruction ID: a7e9f33e93e36eb77213bf40401a81fb89c5d40773748d69b8cb43ee7b110090
Opcode Fuzzy Hash: d3ed3f99e450ee0c6c5583ddc547a3aa78a92824f750dec26e79978f87e7f730
Instruction Fuzzy Hash: BE11C11148FAC60FE30767B44C295E63FA4DFC71A071D42EBE085CB4A3D84C498A83A1

Function 00007FF8491AD231 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2682666279.00007FF8491A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff8491a2000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be0cf0630a8f7db4aeecc630f77a1b5b41364fcd8edf279c6607527ce0980cf4
Instruction ID: 99fe2326b856724d965a1010d8ef0f74751bda88c937eb3f097cc7dbf2026753
Opcode Fuzzy Hash: be0cf0630a8f7db4aeecc630f77a1b5b41364fcd8edf279c6607527ce0980cf4
Instruction Fuzzy Hash: A611E02192DEDA1EE725A76884163F9BBE1FF96350F4801B6E01CC71C3CF9CA8048791

Function 00007FF8491A4C61 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2682666279.00007FF8491A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff8491a2000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f48486e0e806d9afaaf0c2851b708b4d285b118231a2cf2c470de0864f158c7
Instruction ID: ea4da275d07b716dfe4cf7d9991621c73e8d18056446480323aa094ab210edc4
Opcode Fuzzy Hash: 0f48486e0e806d9afaaf0c2851b708b4d285b118231a2cf2c470de0864f158c7
Instruction Fuzzy Hash: 0801283190DB854FE752F72884452B97FD1DF852A0F080A7ED08CC60E2CE6C4AC68387

Function 00007FF8491A223A Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2682666279.00007FF8491A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff8491a2000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e35814de0922080f1f2f796079a1793e22542d9157df5dd8de2eaae7d4a2d7f4
Instruction ID: cae0ef97af6e49aaecf91dd711cfaa00adfd5c5e62dd37b112fefe949fcccba4
Opcode Fuzzy Hash: e35814de0922080f1f2f796079a1793e22542d9157df5dd8de2eaae7d4a2d7f4
Instruction Fuzzy Hash: F8F0C23190DBC96FEB51AB7894496EA7FF0EF46310F4540E7D848C6197CE286A448752

Function 00007FF8491A3020 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2682666279.00007FF8491A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff8491a2000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6d891e50198a1775eca7f256dc60b595658a2e831b3f318b200f606aeb6065c
Instruction ID: afade6051220a857c140917519fca8ac67a0c303f751d24dbb2552a94df3b4f2
Opcode Fuzzy Hash: a6d891e50198a1775eca7f256dc60b595658a2e831b3f318b200f606aeb6065c
Instruction Fuzzy Hash: 25F0E230A2CA8A0BE794BA3CA80027673C5EB45215F5408BAD88EC7292DF2CDC424685

Function 00007FF8491A22A9 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2682666279.00007FF8491A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff8491a2000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e43572c15f9bf6d66c3a8ae478f32cb39d2340bfe34c3b6f581f34960a02a278
Instruction ID: bb6bc8316e5dfea319dbc76bff7b8b675262b4c2f74db6fc5ced53000debc3cb
Opcode Fuzzy Hash: e43572c15f9bf6d66c3a8ae478f32cb39d2340bfe34c3b6f581f34960a02a278
Instruction Fuzzy Hash: 9CF0FF31E1D6C84FE755AF78885A0ED7FB0EF55210F4905E7D448C7092EE2859498300

Function 00007FF8491A340D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2682666279.00007FF8491A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff8491a2000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70cf21d9e70ce76508cf83898484feef363597d488487a1893d6b1d777935134
Instruction ID: cf83029328f4ad40a8db66ae19be38369b9181fa82c86dbc3ac0179cdc805d59
Opcode Fuzzy Hash: 70cf21d9e70ce76508cf83898484feef363597d488487a1893d6b1d777935134
Instruction Fuzzy Hash: C3F0A07190D60D6FDB18FF59EC46AEB37A8FF85220F00013AF44D82192E6396863CB50

Function 00007FF8491AC439 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2682666279.00007FF8491A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff8491a2000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 817952ee2949c7e6433a5911bbc7d752ad0a81915d740191ac18c33f324af9b5
Instruction ID: 368dcea47f75652f9bdadaaae0a44fcb5cc4408dfafc32f12603e442acae19e5
Opcode Fuzzy Hash: 817952ee2949c7e6433a5911bbc7d752ad0a81915d740191ac18c33f324af9b5
Instruction Fuzzy Hash: 6BD05E53B6C68E0EE590790878910B1A380EB952B5B5002B3C44992186CD2F99460641

Function 00007FF8491AD2E8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2682666279.00007FF8491A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff8491a2000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50bfb1e22a99aa11d7b1ec7850d2932b67863802919bd0c3bf2843e862db3bdc
Instruction ID: 441ab12104a39798504e4bee3ef62e5711c222dadbdcee72ffac76d45b075d92
Opcode Fuzzy Hash: 50bfb1e22a99aa11d7b1ec7850d2932b67863802919bd0c3bf2843e862db3bdc
Instruction Fuzzy Hash: CFD0233555454C57C7147B65B4054D7B758FF8D35CF00057FF91CC5041D62795354392

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Test2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Quasar

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Test2.exe.log

C:\Users\user\AppData\Local\Temp\2wKqvlgp23d2.bat

C:\Users\user\AppData\Local\Temp\BcVX8akEUPIc.bat

C:\Users\user\AppData\Local\Temp\HKybYN00EBOw.bat

C:\Users\user\AppData\Local\Temp\O2JjN7gejzZT.bat

C:\Users\user\AppData\Local\Temp\Q04w6t2xkN0a.bat

C:\Users\user\AppData\Local\Temp\Shpa9OKN8GrQ.bat

C:\Users\user\AppData\Local\Temp\VlApCIMOlO5L.bat

C:\Users\user\AppData\Local\Temp\YWzMsGcZYfSk.bat

C:\Users\user\AppData\Local\Temp\lPpSfrGjSDT5.bat

C:\Users\user\AppData\Local\Temp\r9ftmQJc7N4i.bat

C:\Users\user\AppData\Local\Temp\sqncKNCuACCi.bat

C:\Users\user\AppData\Local\Temp\zXNfNAaZQ18l.bat

C:\Users\user\AppData\Roaming\SubDir\Client.exe

Windows Analysis Report
Test2.exe