Edit tour

Windows Analysis Report
EZFN op cheats.exe

Overview

General Information

Sample name:	EZFN op cheats.exe
Analysis ID:	1581174
MD5:	ef4d8a6e9965bc6bb50cc1dfc5afde69
SHA1:	22dc66b0dec9e655fc049063eb9ed1ac40163d63
SHA256:	fc0afaabeb1bec166e86302143e2ae0387142cc17df7a8980c8b7a9de43aad67
Tags:	exeQuasarRATuser-lontze7
Infos:

Detection

Quasar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Quasar RAT

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to detect virtual machines (STR)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

EZFN op cheats.exe (PID: 7164 cmdline: "C:\Users\user\Desktop\EZFN op cheats.exe" MD5: EF4D8A6E9965BC6BB50CC1DFC5AFDE69)

schtasks.exe (PID: 6396 cmdline: "schtasks" /create /tn "cheats" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 6372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Client.exe (PID: 1612 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Client.exe" MD5: EF4D8A6E9965BC6BB50CC1DFC5AFDE69)

schtasks.exe (PID: 5928 cmdline: "schtasks" /create /tn "cheats" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 4192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Client.exe (PID: 2312 cmdline: C:\Users\user\AppData\Roaming\SubDir\Client.exe MD5: EF4D8A6E9965BC6BB50CC1DFC5AFDE69)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Quasar RAT, QuasarRAT	Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.	APT33 Dropping Elephant Stone Panda The Gorgon Group	http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848 https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf https://asec.ahnlab.com/en/31089/	https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware Configuration

Threatname: Quasar

{"Version": "1.4.1", "Host:Port": "192.168.137.1:4782;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "c9e46391-a513-481f-850c-0575d9434d9b", "StartupKey": "cheats", "Tag": "Office04", "LogDirectoryName": "Logs", "ServerSignature": "gmOxfyf+ykgHNniimpsMF6kft/g8eAy78kixuCAy3zuPFNdN3lcN+Zko9G4kbEghfHmT+IFJAXJ6Cz0VTTgAMdGphGF9Kk4hmi221QkSPZpnQuwiZb/vv57sAhIN4vZAW7v7v5H2VsSarV1sD9d4SYaUB+ahdWrfqnyfJv+vxbbFCzFedFlF3oZdSdmx4X79CjKYHlOx5Paf8fgVuLTjKC8vkkIb/h4RrdX9NfOwUrGdyVCoH25m7D/Qz1/LLvC4COhyXvYT0TfzpdVSWyKAO3UBJMAwRcHcfhahgV/dIhzro9yLA63HYSJjTyENl3rLyymBwbST/SYNMn3Uzn1sM+WVBtrTpjlf+bOJ8SHNWGRUxOJp5cF3q3rcq78HwJW1RM6saygoF2S0dTKzbnWpWach5xFEEMfBRHTR3rCjH2qnCiHfdjiMR3KbSHCtLojE/uoqrDqW2NlOt4vI2Ua7cZsIFkVAlo3UDCLZhSj0uIQtLsmIiUzh3Q77oal+iaxqVG8P9ucIyQeRhc64X26DpOdj9WTzVNibXA4d6Ki/HU8WG2bd7ZiQnQAVIxPX/+88UkPJIe/NuF9J2XkW4DIm3RwIOOczUE/WpFgDAx4LQgO96Ix/WwIKJ5PcZ2TtEuXeQEZaRfL+3z5ziAMzjj9OATPmlM3KIfnVDBN9pCRIoos=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAJH+yisawyH1t/3B1e4XQTANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MDcxNjAwMjAxN1oYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAiz0zqpeUYmVtNdqPyjMMD9OQRh8tg1eeer/avPMzNJErdC00Qm+0F5jGOD5gJhXDk86aaVWdnd93uNreyxpI9nMQaW1Imv9RLLkQBijIVk2SWvPMsbYHmZzzJHZVdEmrOu3+VSgMJTARh8QqGvBOHEEGB2C+fwh+PKpFJuCQZRwuhPz4WYHVwCuWZN4+LXMvMkW+Efio8GSfq/6MzHzAWpeaoDrOEP92cbSP2T5xOgqAhxle7xjbI66pSJjNJE6uzCp+PKeth54hzXGIOUB4rEzoCTxcOWSyrXv0XHTU8KTH4EHjkwv3fYPULoR80X2aC3ns3s2dMaFw9SNasKeVFxHelRl8jEMOdPi8uo/taGh3jMQ0gn2lQfchJMbqCgQmykxZR28+a6M3dsSO1x0M1MkQHYT0CgRtLv2CC5IU9/OdwuBNucoa/iVbW3M0czHi36kqMvH/6c5+1eh1bcrLXl3p4glNXAs3wpdFlaNyQ0P92HmEzXYtX8a0oYPJvcJGbOjRTXvt1P8qPoPO6qlKHU2svCNVSouH0byQVj8X7aEcJLRuPGgMXN0My4OGJSDGfAARz/uATejNXMqqHVe5FIZ66jsJTXZNJ8pPBW0Ya2ehy4r++iFtmBZVt+SL1bC0UMeg0h4rLXB1jSVAHhzuFFMSnp+LLAIVpWQJ9wZ2ZGkCAwEAAaMyMDAwHQYDVR0OBBYEFF6jCGqE3WkSs35EnX7xuZ9CpfvfMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBADWbG8qxtK7gYvLxyj01Xq2Bmi/Yzyn0+03wrsZRjLceXHB7LOjC8bzuH8JDrFnX5+c6aouJkW9HoNfa6q0WPinvkeL/b0FjfgemoF4cbZmqPWtsuboBohaXn4jPUeTt9nKlQSX5G5eUvWF4Rbj67ToPZxqfFmKJJ5QC/2Zndd4sMk2D3uFmxWqVyLR+qB5ybjW+wEzW+9dlURJI0ezboPd+BWZcnHz2Ysc0DZzB5lwhjToto4IGgG3gPZH4rCOhjf3T7H+hi3hDckrEEqQ+Wc/CF9CbApI0jkrNCZeqA8gNqYiVzuYLnnVu51cKEBUz9VNRKoepmaLd7FmksvSZtAkk44brALBEwmeNDqRSqJMM9n2/Nvr6+hJ1wdz6e99d9RFEVOOm3I3F5MAfCe/mnmz+fYweI+OgbFcKnuXUUHcLlpIqw32Ppvn3aI+oEw8tBH/cJGml0ESIlu5341ArY+QOvhHRzW1ORYD3QrZODgYpB3b6PUQAMRnouIF6FtHBEmQHp4kzUVLbPvklbxkRBmze0JIwC0NdWcdFRgMXLixJk0AUzp0BOny3dY8TTS/TjUe7yrqt7CQrnhd/t47+ixoSbQCfdRpDx/ABWOLZBIDvX3FeFGKh7tNyJsjgm3HBQxxs3XLNvnmAn2kxC4mhYwDKYsVgDQD4m1Gp7Uqdy+Xn"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
EZFN op cheats.exe	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
EZFN op cheats.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
EZFN op cheats.exe	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28eed8:$x1: Quasar.Common.Messages 0x29f201:$x1: Quasar.Common.Messages 0x2ab7f6:$x4: Uninstalling... good bye :-( 0x2acfeb:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
EZFN op cheats.exe	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aada8:$f1: FileZilla\recentservers.xml 0x2aade8:$f2: FileZilla\sitemanager.xml 0x2aae2a:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab076:$b1: Chrome\User Data\ 0x2ab0cc:$b1: Chrome\User Data\ 0x2ab3a4:$b2: Mozilla\Firefox\Profiles 0x2ab4a0:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd3fc:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab5f8:$b4: Opera Software\Opera Stable\Login Data 0x2ab6b2:$b5: YandexBrowser\User Data\ 0x2ab720:$b5: YandexBrowser\User Data\ 0x2ab3f4:$s4: logins.json 0x2ab12a:$a1: username_value 0x2ab148:$a2: password_value 0x2ab434:$a3: encryptedUsername 0x2fd340:$a3: encryptedUsername 0x2ab458:$a4: encryptedPassword 0x2fd35e:$a4: encryptedPassword 0x2fd2dc:$a5: httpRealm
EZFN op cheats.exe	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab8e0:$s3: Process already elevated. 0x28ebd7:$s4: get_PotentiallyVulnerablePasswords 0x278c93:$s5: GetKeyloggerLogsDirectory 0x29e960:$s5: GetKeyloggerLogsDirectory 0x28ebfa:$s6: set_PotentiallyVulnerablePasswords 0x2fea2a:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\SubDir\Client.exe	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
C:\Users\user\AppData\Roaming\SubDir\Client.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Roaming\SubDir\Client.exe	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28eed8:$x1: Quasar.Common.Messages 0x29f201:$x1: Quasar.Common.Messages 0x2ab7f6:$x4: Uninstalling... good bye :-( 0x2acfeb:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
C:\Users\user\AppData\Roaming\SubDir\Client.exe	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aada8:$f1: FileZilla\recentservers.xml 0x2aade8:$f2: FileZilla\sitemanager.xml 0x2aae2a:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab076:$b1: Chrome\User Data\ 0x2ab0cc:$b1: Chrome\User Data\ 0x2ab3a4:$b2: Mozilla\Firefox\Profiles 0x2ab4a0:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd3fc:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab5f8:$b4: Opera Software\Opera Stable\Login Data 0x2ab6b2:$b5: YandexBrowser\User Data\ 0x2ab720:$b5: YandexBrowser\User Data\ 0x2ab3f4:$s4: logins.json 0x2ab12a:$a1: username_value 0x2ab148:$a2: password_value 0x2ab434:$a3: encryptedUsername 0x2fd340:$a3: encryptedUsername 0x2ab458:$a4: encryptedPassword 0x2fd35e:$a4: encryptedPassword 0x2fd2dc:$a5: httpRealm
C:\Users\user\AppData\Roaming\SubDir\Client.exe	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab8e0:$s3: Process already elevated. 0x28ebd7:$s4: get_PotentiallyVulnerablePasswords 0x278c93:$s5: GetKeyloggerLogsDirectory 0x29e960:$s5: GetKeyloggerLogsDirectory 0x28ebfa:$s6: set_PotentiallyVulnerablePasswords 0x2fea2a:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1662526352.0000000000690000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000000.1662190614.0000000000372000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: EZFN op cheats.exe PID: 7164	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: Client.exe PID: 1612	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.EZFN op cheats.exe.370000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.0.EZFN op cheats.exe.370000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.EZFN op cheats.exe.370000.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28eed8:$x1: Quasar.Common.Messages 0x29f201:$x1: Quasar.Common.Messages 0x2ab7f6:$x4: Uninstalling... good bye :-( 0x2acfeb:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.0.EZFN op cheats.exe.370000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aada8:$f1: FileZilla\recentservers.xml 0x2aade8:$f2: FileZilla\sitemanager.xml 0x2aae2a:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab076:$b1: Chrome\User Data\ 0x2ab0cc:$b1: Chrome\User Data\ 0x2ab3a4:$b2: Mozilla\Firefox\Profiles 0x2ab4a0:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd3fc:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab5f8:$b4: Opera Software\Opera Stable\Login Data 0x2ab6b2:$b5: YandexBrowser\User Data\ 0x2ab720:$b5: YandexBrowser\User Data\ 0x2ab3f4:$s4: logins.json 0x2ab12a:$a1: username_value 0x2ab148:$a2: password_value 0x2ab434:$a3: encryptedUsername 0x2fd340:$a3: encryptedUsername 0x2ab458:$a4: encryptedPassword 0x2fd35e:$a4: encryptedPassword 0x2fd2dc:$a5: httpRealm
0.0.EZFN op cheats.exe.370000.0.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab8e0:$s3: Process already elevated. 0x28ebd7:$s4: get_PotentiallyVulnerablePasswords 0x278c93:$s5: GetKeyloggerLogsDirectory 0x29e960:$s5: GetKeyloggerLogsDirectory 0x28ebfa:$s6: set_PotentiallyVulnerablePasswords 0x2fea2a:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

Sigma Signatures

System Summary

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks" /create /tn "cheats" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "cheats" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\SubDir\Client.exe", ParentImage: C:\Users\user\AppData\Roaming\SubDir\Client.exe, ParentProcessId: 1612, ParentProcessName: Client.exe, ProcessCommandLine: "schtasks" /create /tn "cheats" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, ProcessId: 5928, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks" /create /tn "cheats" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "cheats" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\EZFN op cheats.exe", ParentImage: C:\Users\user\Desktop\EZFN op cheats.exe, ParentProcessId: 7164, ParentProcessName: EZFN op cheats.exe, ProcessCommandLine: "schtasks" /create /tn "cheats" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, ProcessId: 6396, ProcessName: schtasks.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: EZFN op cheats.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe

Avira: detection malicious, Label: HEUR/AGEN.1307453

Found malware configuration

Source: EZFN op cheats.exe

Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "192.168.137.1:4782;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "c9e46391-a513-481f-850c-0575d9434d9b", "StartupKey": "cheats", "Tag": "Office04", "LogDirectoryName": "Logs", "ServerSignature": "gmOxfyf+ykgHNniimpsMF6kft/g8eAy78kixuCAy3zuPFNdN3lcN+Zko9G4kbEghfHmT+IFJAXJ6Cz0VTTgAMdGphGF9Kk4hmi221QkSPZpnQuwiZb/vv57sAhIN4vZAW7v7v5H2VsSarV1sD9d4SYaUB+ahdWrfqnyfJv+vxbbFCzFedFlF3oZdSdmx4X79CjKYHlOx5Paf8fgVuLTjKC8vkkIb/h4RrdX9NfOwUrGdyVCoH25m7D/Qz1/LLvC4COhyXvYT0TfzpdVSWyKAO3UBJMAwRcHcfhahgV/dIhzro9yLA63HYSJjTyENl3rLyymBwbST/SYNMn3Uzn1sM+WVBtrTpjlf+bOJ8SHNWGRUxOJp5cF3q3rcq78HwJW1RM6saygoF2S0dTKzbnWpWach5xFEEMfBRHTR3rCjH2qnCiHfdjiMR3KbSHCtLojE/uoqrDqW2NlOt4vI2Ua7cZsIFkVAlo3UDCLZhSj0uIQtLsmIiUzh3Q77oal+iaxqVG8P9ucIyQeRhc64X26DpOdj9WTzVNibXA4d6Ki/HU8WG2bd7ZiQnQAVIxPX/+88UkPJIe/NuF9J2XkW4DIm3RwIOOczUE/WpFgDAx4LQgO96Ix/WwIKJ5PcZ2TtEuXeQEZaRfL+3z5ziAMzjj9OATPmlM3KIfnVDBN9pCRIoos=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAJH+yisawyH1t/3B1e4XQTANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MDcxNjAwMjAxN1oYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAiz0zqpeUYmVtNdqPyjMMD9OQRh8tg1eeer/avPMzNJErdC00Qm+0F5jGOD5gJhXDk86aaVWdnd93uNreyxpI9nMQaW1Imv9RLLkQBijIVk2SWvPMsbYHmZzzJHZVdEmrOu3+VSgMJTARh8QqGvBOHEEGB2C+fwh+PKpFJuCQZRwuhPz4WYHVwCuWZN4+LXMvMkW+Efio8GSfq/6MzHzAWpeaoDrOEP92cbSP2T5xOgqAhxle7xjbI66pSJjNJE6uzCp+PKeth54hzXGIOUB4rEzoCTxcOWSyrXv0XHTU8KTH4EHjkwv3fYPULoR80X2aC3ns3s2dMaFw9SNasKeVFxHelRl8jEMOdPi8uo/taGh3jMQ0gn2lQfchJMbqCgQmykxZR28+a6M3dsSO1x0M1MkQHYT0CgRtLv2CC5IU9/OdwuBNucoa/iVbW3M0czHi36kqMvH/6c5+1eh1bcrLXl3p4glNXAs3wpdFlaNyQ0P92HmEzXYtX8a0oYPJvcJGbOjRTXvt1P8qPoPO6qlKHU2svCNVSouH0byQVj8X7aEcJLRuPGgMXN0My4OGJSDGfAARz/uATejNXMqqHVe5FIZ66jsJTXZNJ8pPBW0Ya2ehy4r++iFtmBZVt+SL1bC0UMeg0h4rLXB1jSVAHhzuFFMSnp+LLAIVpWQJ9wZ2ZGkCAwEAAaMyMDAwHQYDVR0OBBYEFF6jCGqE3WkSs35EnX7xuZ9CpfvfMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBADWbG8qxtK7gYvLxyj01Xq2Bmi/Yzyn0+03wrsZRjLceXHB7LOjC8bzuH8JDrFnX5+c6aouJkW9HoNfa6q0WPinvkeL/b0FjfgemoF4cbZmqPWtsuboBohaXn4jPUeTt9nKlQSX5G5eUvWF4Rbj67ToPZxqfFmKJJ5QC/2Zndd4sMk2D3uFmxWqVyLR+qB5ybjW+wEzW+9dlURJI0ezboPd+BWZcnHz2Ysc0DZzB5lwhjToto4IGgG3gPZH4rCOhjf3T7H+hi3hDckrEEqQ+Wc/CF9CbApI0jkrNCZeqA8gNqYiVzuYLnnVu51cKEBUz9VNRKoepmaLd7FmksvSZtAkk44brALBEwmeNDqRSqJMM9n2/Nvr6+hJ1wdz6e99d9RFEVOOm3I3F5MAfCe/mnmz+fYweI+OgbFcKnuXUUHcLlpIqw32Ppvn3aI+oEw8tBH/cJGml0ESIlu5341ArY+QOvhHRzW1ORYD3QrZODgYpB3b6PUQAMRnouIF6FtHBEmQHp4kzUVLbPvklbxkRBmze0JIwC0NdWcdFRgMXLixJk0AUzp0BOny3dY8TTS/TjUe7yrqt7CQrnhd/t47+ixoSbQCfdRpDx/ABWOLZBIDvX3FeFGKh7tNyJsjgm3HBQxxs3XLNvnmAn2kxC4mhYwDKYsVgDQD4m1Gp7Uqdy+Xn"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe

ReversingLabs: Detection: 76%

Multi AV Scanner detection for submitted file

Source: EZFN op cheats.exe	ReversingLabs: Detection: 76%
Source: EZFN op cheats.exe	Virustotal: Detection: 85%			Perma Link

Yara detected Quasar RAT

Source: Yara match	File source: EZFN op cheats.exe, type: SAMPLE
Source: Yara match	File source: 0.0.EZFN op cheats.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1662526352.0000000000690000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1662190614.0000000000372000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EZFN op cheats.exe PID: 7164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 1612, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: EZFN op cheats.exe

Joe Sandbox ML: detected

Source: EZFN op cheats.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: EZFN op cheats.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 192.168.137.1

Yara detected Generic Downloader

Source: Yara match	File source: EZFN op cheats.exe, type: SAMPLE
Source: Yara match	File source: 0.0.EZFN op cheats.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED

Source: EZFN op cheats.exe, 00000000.00000002.1689444295.0000000002871000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000003.00000002.4120119667.0000000003419000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: EZFN op cheats.exe, Client.exe.0.dr	String found in binary or memory: https://api.ipify.org/
Source: EZFN op cheats.exe, Client.exe.0.dr	String found in binary or memory: https://ipwho.is/
Source: EZFN op cheats.exe, Client.exe.0.dr	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: EZFN op cheats.exe, Client.exe.0.dr	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: EZFN op cheats.exe, Client.exe.0.dr	String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\SubDir\Client.exe

Jump to behavior

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match	File source: EZFN op cheats.exe, type: SAMPLE
Source: Yara match	File source: 0.0.EZFN op cheats.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1662526352.0000000000690000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1662190614.0000000000372000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EZFN op cheats.exe PID: 7164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 1612, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: EZFN op cheats.exe, type: SAMPLE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: EZFN op cheats.exe, type: SAMPLE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: EZFN op cheats.exe, type: SAMPLE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.0.EZFN op cheats.exe.370000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.0.EZFN op cheats.exe.370000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.0.EZFN op cheats.exe.370000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: Detects Quasar infostealer Author: ditekshen

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 3_2_00007FFD9BA6AFDD	3_2_00007FFD9BA6AFDD
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 3_2_00007FFD9BA69BD1	3_2_00007FFD9BA69BD1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 3_2_00007FFD9BA69271	3_2_00007FFD9BA69271
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 3_2_00007FFD9BA655D6	3_2_00007FFD9BA655D6
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 3_2_00007FFD9BA6621F	3_2_00007FFD9BA6621F

Source: EZFN op cheats.exe, 00000000.00000000.1662526352.0000000000690000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs EZFN op cheats.exe
Source: EZFN op cheats.exe	Binary or memory string: OriginalFilenameClient.exe. vs EZFN op cheats.exe

Source: EZFN op cheats.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: EZFN op cheats.exe, type: SAMPLE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: EZFN op cheats.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: EZFN op cheats.exe, type: SAMPLE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.0.EZFN op cheats.exe.370000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.0.EZFN op cheats.exe.370000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.0.EZFN op cheats.exe.370000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@10/3@0/1

Source: C:\Users\user\Desktop\EZFN op cheats.exe

File created: C:\Users\user\AppData\Roaming\SubDir

Jump to behavior

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\c9e46391-a513-481f-850c-0575d9434d9b
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4192:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6372:120:WilError_03

Source: EZFN op cheats.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: EZFN op cheats.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\EZFN op cheats.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: EZFN op cheats.exe	ReversingLabs: Detection: 76%
Source: EZFN op cheats.exe	Virustotal: Detection: 85%

Source: EZFN op cheats.exe

String found in binary or memory: HasSubValue3Conflicting item/add type

Source: C:\Users\user\Desktop\EZFN op cheats.exe

File read: C:\Users\user\Desktop\EZFN op cheats.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\EZFN op cheats.exe "C:\Users\user\Desktop\EZFN op cheats.exe"
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "cheats" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe C:\Users\user\AppData\Roaming\SubDir\Client.exe
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "cheats" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "cheats" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "cheats" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f	Jump to behavior

Source: C:\Users\user\Desktop\EZFN op cheats.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior

Source: EZFN op cheats.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: EZFN op cheats.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: EZFN op cheats.exe

Static file information: File size 3265536 > 1048576

Source: EZFN op cheats.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x31c400

Source: EZFN op cheats.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\EZFN op cheats.exe	Code function: 0_2_00007FFD9B7D00AD pushad ; iretd	0_2_00007FFD9B7D00C1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 3_2_00007FFD9B7F2BE5 pushad ; iretd	3_2_00007FFD9B7F2C3D
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 3_2_00007FFD9B7F2BB0 pushad ; iretd	3_2_00007FFD9B7F2C3D
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 3_2_00007FFD9B7F00AD pushad ; iretd	3_2_00007FFD9B7F00C1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 3_2_00007FFD9BA6336E push eax; ret	3_2_00007FFD9BA6340C
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 4_2_00007FFD9B7F00AD pushad ; iretd	4_2_00007FFD9B7F00C1

Source: C:\Users\user\Desktop\EZFN op cheats.exe

File created: C:\Users\user\AppData\Roaming\SubDir\Client.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\EZFN op cheats.exe

Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "cheats" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\EZFN op cheats.exe	File opened: C:\Users\user\Desktop\EZFN op cheats.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\EZFN op cheats.exe	Memory allocated: DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Memory allocated: 1A870000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: 1850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: 1B3E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: 1280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: 1AD90000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe

Code function: 3_2_00007FFD9B7FF1F2 str ax

3_2_00007FFD9B7FF1F2

Source: C:\Users\user\Desktop\EZFN op cheats.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Window / User API: threadDelayed 1438			Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Window / User API: threadDelayed 8387			Jump to behavior

Source: C:\Users\user\Desktop\EZFN op cheats.exe TID: 7152	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 4092	Thread sleep time: -26747778906878833s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 1740	Thread sleep count: 1438 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 1740	Thread sleep count: 8387 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 4092	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 1880	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\EZFN op cheats.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Client.exe, 00000003.00000002.4126084722.000000001BFF0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\EZFN op cheats.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "cheats" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "cheats" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f	Jump to behavior

Source: C:\Users\user\Desktop\EZFN op cheats.exe	Queries volume information: C:\Users\user\Desktop\EZFN op cheats.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\EZFN op cheats.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Quasar RAT

Source: Yara match	File source: EZFN op cheats.exe, type: SAMPLE
Source: Yara match	File source: 0.0.EZFN op cheats.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1662526352.0000000000690000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1662190614.0000000000372000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EZFN op cheats.exe PID: 7164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 1612, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED

Remote Access Functionality

Yara detected Quasar RAT

Source: Yara match	File source: EZFN op cheats.exe, type: SAMPLE
Source: Yara match	File source: 0.0.EZFN op cheats.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1662526352.0000000000690000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1662190614.0000000000372000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EZFN op cheats.exe PID: 7164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 1612, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	11 Input Capture	11 Security Software Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	41 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
EZFN op cheats.exe	76%	ReversingLabs	ByteCode-MSIL.Backdoor.Quasar
EZFN op cheats.exe	85%	Virustotal		Browse
EZFN op cheats.exe	100%	Avira	HEUR/AGEN.1307453
EZFN op cheats.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\SubDir\Client.exe	100%	Avira	HEUR/AGEN.1307453
C:\Users\user\AppData\Roaming\SubDir\Client.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\SubDir\Client.exe	76%	ReversingLabs	ByteCode-MSIL.Backdoor.Quasar

Source	Detection	Scanner	Label	Link
192.168.137.1	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
192.168.137.1	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://api.ipify.org/	EZFN op cheats.exe, Client.exe.0.dr	false	high
https://stackoverflow.com/q/14436606/23354	EZFN op cheats.exe, Client.exe.0.dr	false	high
https://stackoverflow.com/q/2152978/23354sCannot	EZFN op cheats.exe, Client.exe.0.dr	false	high
https://ipwho.is/	EZFN op cheats.exe, Client.exe.0.dr	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	EZFN op cheats.exe, 00000000.00000002.1689444295.0000000002871000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000003.00000002.4120119667.0000000003419000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	EZFN op cheats.exe, Client.exe.0.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
192.168.137.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581174
Start date and time:	2024-12-27 06:54:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	EZFN op cheats.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@10/3@0/1
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 27 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Client.exe, PID 2312 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:55:02	API Interceptor	12727463x Sleep call for process: Client.exe modified
05:55:00	Task Scheduler	Run new task: cheats path: C:\Users\user\AppData\Roaming\SubDir\Client.exe

Process:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\EZFN op cheats.exe.log

Download File

Process:	C:\Users\user\Desktop\EZFN op cheats.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Roaming\SubDir\Client.exe

Download File

Process:	C:\Users\user\Desktop\EZFN op cheats.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3265536
Entropy (8bit):	6.083843675606913
Encrypted:	false
SSDEEP:	49152:+vIt62XlaSFNWPjljiFa2RoUYICH/aEfpKk/YFsoGdzbTHHB72eh2NT:+vE62XlaSFNWPjljiFXRoUYICH/umj
MD5:	EF4D8A6E9965BC6BB50CC1DFC5AFDE69
SHA1:	22DC66B0DEC9E655FC049063EB9ED1AC40163D63
SHA-256:	FC0AFAABEB1BEC166E86302143E2AE0387142CC17DF7A8980C8B7A9DE43AAD67
SHA-512:	681EE20AEBD9E6C39004CF79C25A06C88F969ED2891DC46323314D9FEDBE99799894DEB88A4DF3175F93787C37B5B2037050BECF04280669B5499C649A25C9E9
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Joe Security Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: ditekSHen Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: ditekshen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..................1...........1.. ........@.. .......................@2...........@.................................d.1.W.....2...................... 2...................................................... ............... ..H............text.....1.. ....1................. ..`.rsrc.........2.......1.............@..@.reloc....... 2.......1.............@..B..................1.....H...........T............k..p............................................0..M....... ....(.....(...........s....(....(...........s....o....(.....(....s....(........0..8.......(....(0....s....%.o....%.o....%.o....(....&..&...(.............--..........00.......0..@........o....,7(....(0....s....%.o....%.o....%.o....(....&..&...(.............-5..........08......f~w...,.~....(....(.....v.(.....s....}.....s....}....r..(......(.....(......(....*....0..L........{....r...po....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.083843675606913
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	EZFN op cheats.exe
File size:	3'265'536 bytes
MD5:	ef4d8a6e9965bc6bb50cc1dfc5afde69
SHA1:	22dc66b0dec9e655fc049063eb9ed1ac40163d63
SHA256:	fc0afaabeb1bec166e86302143e2ae0387142cc17df7a8980c8b7a9de43aad67
SHA512:	681ee20aebd9e6c39004cf79c25a06c88f969ed2891dc46323314d9fedbe99799894deb88a4df3175f93787c37b5b2037050becf04280669b5499c649a25c9e9
SSDEEP:	49152:+vIt62XlaSFNWPjljiFa2RoUYICH/aEfpKk/YFsoGdzbTHHB72eh2NT:+vE62XlaSFNWPjljiFXRoUYICH/umj
TLSH:	77E55B143BF85F23E1BBE27395B0041667F0EC2AB3A3EB1B5191677E1C53B5058426AB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..................1...........1.. ........@.. .......................@2...........@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x71e3be
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x640DFAE7 [Sun Mar 12 16:16:39 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x31e364	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x320000	0xa93	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x322000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x31c3c4	0x31c400	3000d562c05b3e5a10571379bd7defbc	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x320000	0xa93	0xc00	cdeae95ac72e9e58017d2bcc89d2fbea	False	0.36328125	data	4.653972105845318	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x322000	0xc	0x200	4d500f037eed75b56776bd5a41faef15	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x3200a0	0x31c	data			0.4484924623115578
RT_MANIFEST	0x3203bc	0x6d7	XML 1.0 document, Unicode text, UTF-8 (with BOM) text			0.40319817247287265

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 06:55:03.014285088 CET	49730	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:55:03.133985043 CET	4782	49730	192.168.137.1	192.168.2.4
Dec 27, 2024 06:55:03.134160995 CET	49730	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:55:03.144686937 CET	49730	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:55:03.264413118 CET	4782	49730	192.168.137.1	192.168.2.4
Dec 27, 2024 06:55:25.115940094 CET	4782	49730	192.168.137.1	192.168.2.4
Dec 27, 2024 06:55:25.116024971 CET	49730	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:55:25.129101992 CET	49730	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:55:25.248719931 CET	4782	49730	192.168.137.1	192.168.2.4
Dec 27, 2024 06:55:28.454298973 CET	49737	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:55:28.573966980 CET	4782	49737	192.168.137.1	192.168.2.4
Dec 27, 2024 06:55:28.574100018 CET	49737	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:55:28.574537039 CET	49737	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:55:28.693994999 CET	4782	49737	192.168.137.1	192.168.2.4
Dec 27, 2024 06:55:50.482220888 CET	4782	49737	192.168.137.1	192.168.2.4
Dec 27, 2024 06:55:50.482559919 CET	49737	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:55:50.482739925 CET	49737	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:55:50.602359056 CET	4782	49737	192.168.137.1	192.168.2.4
Dec 27, 2024 06:55:53.939254999 CET	49738	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:55:54.059010029 CET	4782	49738	192.168.137.1	192.168.2.4
Dec 27, 2024 06:55:54.059196949 CET	49738	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:55:54.059501886 CET	49738	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:55:54.179347038 CET	4782	49738	192.168.137.1	192.168.2.4
Dec 27, 2024 06:56:15.951267958 CET	4782	49738	192.168.137.1	192.168.2.4
Dec 27, 2024 06:56:15.951468945 CET	49738	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:56:15.951708078 CET	49738	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:56:16.071367979 CET	4782	49738	192.168.137.1	192.168.2.4
Dec 27, 2024 06:56:19.532505035 CET	49781	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:56:19.651961088 CET	4782	49781	192.168.137.1	192.168.2.4
Dec 27, 2024 06:56:19.652074099 CET	49781	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:56:19.652456045 CET	49781	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:56:19.772093058 CET	4782	49781	192.168.137.1	192.168.2.4
Dec 27, 2024 06:56:41.607589960 CET	4782	49781	192.168.137.1	192.168.2.4
Dec 27, 2024 06:56:41.610586882 CET	49781	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:56:41.610586882 CET	49781	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:56:41.730150938 CET	4782	49781	192.168.137.1	192.168.2.4
Dec 27, 2024 06:56:45.220278978 CET	49837	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:56:45.339888096 CET	4782	49837	192.168.137.1	192.168.2.4
Dec 27, 2024 06:56:45.340373039 CET	49837	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:56:45.344255924 CET	49837	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:56:45.463720083 CET	4782	49837	192.168.137.1	192.168.2.4
Dec 27, 2024 06:57:07.304810047 CET	4782	49837	192.168.137.1	192.168.2.4
Dec 27, 2024 06:57:07.306515932 CET	49837	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:57:07.310313940 CET	49837	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:57:07.429833889 CET	4782	49837	192.168.137.1	192.168.2.4
Dec 27, 2024 06:57:10.766701937 CET	49893	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:57:10.886337996 CET	4782	49893	192.168.137.1	192.168.2.4
Dec 27, 2024 06:57:10.886435032 CET	49893	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:57:10.886707067 CET	49893	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:57:11.006186008 CET	4782	49893	192.168.137.1	192.168.2.4
Dec 27, 2024 06:57:32.812767982 CET	4782	49893	192.168.137.1	192.168.2.4
Dec 27, 2024 06:57:32.812850952 CET	49893	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:57:32.819108009 CET	49893	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:57:32.938746929 CET	4782	49893	192.168.137.1	192.168.2.4
Dec 27, 2024 06:57:36.158437967 CET	49946	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:57:36.278101921 CET	4782	49946	192.168.137.1	192.168.2.4
Dec 27, 2024 06:57:36.278170109 CET	49946	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:57:36.278476954 CET	49946	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:57:36.398070097 CET	4782	49946	192.168.137.1	192.168.2.4
Dec 27, 2024 06:57:58.212023020 CET	4782	49946	192.168.137.1	192.168.2.4
Dec 27, 2024 06:57:58.212114096 CET	49946	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:57:58.212426901 CET	49946	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:57:58.331887007 CET	4782	49946	192.168.137.1	192.168.2.4
Dec 27, 2024 06:58:01.596175909 CET	50002	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:58:01.715715885 CET	4782	50002	192.168.137.1	192.168.2.4
Dec 27, 2024 06:58:01.715904951 CET	50002	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:58:01.716173887 CET	50002	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:58:01.835661888 CET	4782	50002	192.168.137.1	192.168.2.4
Dec 27, 2024 06:58:23.640532017 CET	4782	50002	192.168.137.1	192.168.2.4
Dec 27, 2024 06:58:23.644270897 CET	50002	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:58:23.648152113 CET	50002	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:58:23.767924070 CET	4782	50002	192.168.137.1	192.168.2.4
Dec 27, 2024 06:58:27.297835112 CET	50010	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:58:27.417501926 CET	4782	50010	192.168.137.1	192.168.2.4
Dec 27, 2024 06:58:27.417649031 CET	50010	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:58:27.418363094 CET	50010	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:58:27.537823915 CET	4782	50010	192.168.137.1	192.168.2.4
Dec 27, 2024 06:58:49.328701019 CET	4782	50010	192.168.137.1	192.168.2.4
Dec 27, 2024 06:58:49.332490921 CET	50010	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:58:49.332492113 CET	50010	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:58:49.452066898 CET	4782	50010	192.168.137.1	192.168.2.4
Dec 27, 2024 06:58:52.719808102 CET	50011	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:58:52.839452982 CET	4782	50011	192.168.137.1	192.168.2.4
Dec 27, 2024 06:58:52.839519024 CET	50011	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:58:52.839838982 CET	50011	4782	192.168.2.4	192.168.137.1
Dec 27, 2024 06:58:52.959500074 CET	4782	50011	192.168.137.1	192.168.2.4

Target ID:	0
Start time:	00:54:58
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\EZFN op cheats.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\EZFN op cheats.exe"
Imagebase:	0x370000
File size:	3'265'536 bytes
MD5 hash:	EF4D8A6E9965BC6BB50CC1DFC5AFDE69
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.1662526352.0000000000690000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.1662190614.0000000000372000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	00:54:59
Start date:	27/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"schtasks" /create /tn "cheats" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:54:59
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	00:55:00
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Imagebase:	0xf00000
File size:	3'265'536 bytes
MD5 hash:	EF4D8A6E9965BC6BB50CC1DFC5AFDE69
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Joe Security Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: ditekSHen Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: ditekshen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 76%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	00:55:00
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
Imagebase:	0x820000
File size:	3'265'536 bytes
MD5 hash:	EF4D8A6E9965BC6BB50CC1DFC5AFDE69
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	00:55:01
Start date:	27/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"schtasks" /create /tn "cheats" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	00:55:01
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	17.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9B7D3525 Relevance: 1.6, APIs: 1, Instructions: 117
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE ref: 00007FFD9B7D3607

Memory Dump Source

Source File: 00000000.00000002.1692760424.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_EZFN op cheats.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: af53af9f984cb4870553ffc7e8e94dcf5209709c121f1c9e04421320439fa7a1
Instruction ID: d03e7390519f2b551ea17b069c404dcbe3a5700aa8648252ec7f182c712e379c
Opcode Fuzzy Hash: af53af9f984cb4870553ffc7e8e94dcf5209709c121f1c9e04421320439fa7a1
Instruction Fuzzy Hash: 1531143190CB4C8FDB19DB688859AE9BBF0FF56311F0542AFD049D71A2CB34A909CB91

Function 00007FFD9B7D3569 Relevance: 1.6, APIs: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE ref: 00007FFD9B7D3607

Memory Dump Source

Source File: 00000000.00000002.1692760424.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_EZFN op cheats.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 1d3f35bcb4f1c16bac66cb6f9841f2fa20088f62f9a08502dac3c0b80d900177
Instruction ID: 7cfc8fb1434b9cd790aeb3f3b1c706afa0c1b00c50b3afaf7c294445ca98e7c2
Opcode Fuzzy Hash: 1d3f35bcb4f1c16bac66cb6f9841f2fa20088f62f9a08502dac3c0b80d900177
Instruction Fuzzy Hash: 3431E43190DB5C8FDB19DB588859AE9BBF0FFA6311F05426FD049D32A2CB74A805CB91

Analysis Process: Client.exePID: 1612, Parent PID: 7164COMMON

Execution Graph

Execution Coverage:	12%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	8
Total number of Limit Nodes:	1

Executed Functions

Function 00007FFD9BA655D6 Relevance: 2.1, Instructions: 2116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4130850523.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9ba60000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 726253479e014d3cd2f75309dcb0a24235c02a2914f77887f2b1bf967286bb91
Instruction ID: c75d95f7656b1bbc0e2d1696f9224be93b7cf41bf925a5c33bb2b3e848853bdf
Opcode Fuzzy Hash: 726253479e014d3cd2f75309dcb0a24235c02a2914f77887f2b1bf967286bb91
Instruction Fuzzy Hash: 4BF2A170A19A0D8FDFA8DF68C894BA977E1FF98300F1141B9D04ED72A6DA75E941CB40

Function 00007FFD9BA69BD1 Relevance: 1.5, Instructions: 1475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.4130850523.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9ba60000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b037157e12707ade099e0025b840d4a98004b3af41bb0a09af5ad171144b5cf8
Instruction ID: 1356fc9c353d8adf729013124202bfa5720dd8663bdb3df4a2c839ea2d74bba6
Opcode Fuzzy Hash: b037157e12707ade099e0025b840d4a98004b3af41bb0a09af5ad171144b5cf8
Instruction Fuzzy Hash: 8F922871B0D94D8FEBA8EB6CD465A7537D1EF99310F0500BAE44EC72A6DE68EC028741

Function 00007FFD9BA6AFDD Relevance: .9, Instructions: 862
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.4130850523.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9ba60000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8a90dbbece85ef00b5a0aecb9b155e63ac4a9f40830d7da0f14e7c8adc76da6
Instruction ID: 35224601c712b9a52b222af21f99e5608aeeb4359e100ad51af1f8a48d20eab6
Opcode Fuzzy Hash: d8a90dbbece85ef00b5a0aecb9b155e63ac4a9f40830d7da0f14e7c8adc76da6
Instruction Fuzzy Hash: 6A528170B08A498FDBA8EB2CC4A5B7977E1FF99304F5545B9E04DC72A6CE34E8418741

Function 00007FFD9BA69271 Relevance: .7, Instructions: 677
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.4130850523.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9ba60000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0782631f514cd229076376dd14c7da5c7be0c87503b039592cd99cd8ae799e6f
Instruction ID: 2a50d91fb1d7422b799feadeced273ba3e86b5434d61bb88fa88e388a829188a
Opcode Fuzzy Hash: 0782631f514cd229076376dd14c7da5c7be0c87503b039592cd99cd8ae799e6f
Instruction Fuzzy Hash: 1222A270B09A0D8FEBA8DB6884A57B877E2FF98300F11417DD44EC32A2CE74E9428745

Function 00007FFD9BA6621F Relevance: .5, Instructions: 527COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4130850523.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9ba60000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05821582e00e93df50116ba312e58a6841bc59a7e5ec9a06dda54836fb24beb9
Instruction ID: 9fc94e278b6ce0b685107d96cb4ddd0ac91cd16612cdaa2b60951b3d7e7c2661
Opcode Fuzzy Hash: 05821582e00e93df50116ba312e58a6841bc59a7e5ec9a06dda54836fb24beb9
Instruction Fuzzy Hash: 6A027D70E18A1E8FEBA8DF68C4947B973E1FF98301F1141B9D44ED32A5CA74B9818B40

Function 00007FFD9BA6E6F9 Relevance: 1.8, APIs: 1, Instructions: 272
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FFD9BA6E8E6

Memory Dump Source

Source File: 00000003.00000002.4130850523.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9ba60000_Client.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 0b207607c6b9bf17a719e7bab2e2e0d552f8aaf0294701d77bb6d01dd58a7ecb
Instruction ID: bc3f13ab8a9ef03160b605562c05b56e7ea80405b379cb682cf7408d01210ce1
Opcode Fuzzy Hash: 0b207607c6b9bf17a719e7bab2e2e0d552f8aaf0294701d77bb6d01dd58a7ecb
Instruction Fuzzy Hash: 5E712571B1DE4D4FDB58EB6C98665F97BE0EF98300B0541BEE05DC7293DE28A8428781

Function 00007FFD9B7F3525 Relevance: 1.6, APIs: 1, Instructions: 116
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE ref: 00007FFD9B7F3607

Memory Dump Source

Source File: 00000003.00000002.4127533502.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7f0000_Client.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 480abe52860cde742d2574cee4feb05341788f9385c385044f91f9a413102f60
Instruction ID: 0cb1905b8c6b3cecef55421ce666ec286eb3fc94548c4d51d5687683c68ad2c4
Opcode Fuzzy Hash: 480abe52860cde742d2574cee4feb05341788f9385c385044f91f9a413102f60
Instruction Fuzzy Hash: 0131163190CB4C4FDB19DB6888596E97FF0EF56311F0542AFC049D75A2CB34A905C791

Function 00007FFD9B7F3569 Relevance: 1.6, APIs: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE ref: 00007FFD9B7F3607

Memory Dump Source

Source File: 00000003.00000002.4127533502.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7f0000_Client.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: eadc03102c5eff10ed9b4c30124fa279c85142f165fa8b1c015b1f5a85b0f6e2
Instruction ID: e9aeedc9e0e12aff582aa6dcc78d1d29fc2ece21304b3b34b0cad1cfcfd4c983
Opcode Fuzzy Hash: eadc03102c5eff10ed9b4c30124fa279c85142f165fa8b1c015b1f5a85b0f6e2
Instruction Fuzzy Hash: 9631E63190DB5C8FDB19DB6888596E9BBF0FF65311F05426FD049D31A2CB74A805CB91

Non-executed Functions

Function 00007FFD9B7FF1F2 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4127533502.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7f0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b780eb8136b56c159929a795730053f27b8f772fae26ba66643e95a8e14d24e7
Instruction ID: 1c6c0281cb2fe1283e49c988a192597070140f50e1700fa0c86a3c7bede19fa2
Opcode Fuzzy Hash: b780eb8136b56c159929a795730053f27b8f772fae26ba66643e95a8e14d24e7
Instruction Fuzzy Hash: C131521FF0A1E219E315F2BCB5768ED3B60DF9227E71982F3D19D4D0A79C09108641D9

Analysis Process: Client.exePID: 2312, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B7F0B78 Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

;M_I, xrefs: 00007FFD9B7F0C04

Memory Dump Source

Source File: 00000004.00000002.1719774776.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b7f0000_Client.jbxd

Similarity

API ID:
String ID: ;M_I
API String ID: 0-1276053120
Opcode ID: 3d699dcf125d32a2708d186f10b94a6296caf8344082d04e5ed897b934fe0ee8
Instruction ID: 81b9f720ae4ae38573de53d6064e8d55617e77db2b9792600be49718acc6e890
Opcode Fuzzy Hash: 3d699dcf125d32a2708d186f10b94a6296caf8344082d04e5ed897b934fe0ee8
Instruction Fuzzy Hash: 07A16E72B0F6C64BE7189B6C98B45E87FE1EF81304B5542FAE488473EBDD286901C381

Function 00007FFD9B7F15FA Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

.M_^, xrefs: 00007FFD9B7F1601

Memory Dump Source

Source File: 00000004.00000002.1719774776.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b7f0000_Client.jbxd

Similarity

API ID:
String ID: .M_^
API String ID: 0-2820351210
Opcode ID: 747a9978078ed1ccac7da01fe2f52fb743bbbd62d9bff7fe183f6c7e5ed22da0
Instruction ID: 51d5e58b6e6bdf569144e0e611c36c9901932db9e3842cca4da8460930d28796
Opcode Fuzzy Hash: 747a9978078ed1ccac7da01fe2f52fb743bbbd62d9bff7fe183f6c7e5ed22da0
Instruction Fuzzy Hash: 0121F316B0EA9D0FD365AB6C9C751F47BE0EF96221B0E03F7C089C71A3DC0859064394

Function 00007FFD9B7F2188 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1719774776.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b7f0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b1ff1d59f51452401586f5632c9beabccd5b47074cd03a418af082d266436a3
Instruction ID: f9b6949521203d2876492543345e40e0834adcbf00698dbf1c7a26f614f79999
Opcode Fuzzy Hash: 0b1ff1d59f51452401586f5632c9beabccd5b47074cd03a418af082d266436a3
Instruction Fuzzy Hash: 1F91E831B19E4E4FEBA5EB6884657B977D2EF94340F4502B5E40DC72F6DD28AD028384

Function 00007FFD9B7F2DE9 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1719774776.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b7f0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02356ae3ccec2a5f5ffeb1c8078a944e152b39bec9c90b1bbf3599b9b879952b
Instruction ID: 00e56bbd3e2129d708eb99dff5bd62feb347b8eaa6956965dd6ab78b2c8debb8
Opcode Fuzzy Hash: 02356ae3ccec2a5f5ffeb1c8078a944e152b39bec9c90b1bbf3599b9b879952b
Instruction Fuzzy Hash: 41619861B1990D4FDB98EBA884757FCB7D2EF98310F554279E05ED32E6CE14AC428780

Function 00007FFD9B7F2729 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1719774776.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b7f0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f9a1b1a83dc7aaa8ca6ad05b62e1cb25f88822db842eb42f6b121ed6c507a6a
Instruction ID: 8fd9052b9828406a9dbbedf2ed952ffcc91ed4f7b335e37a34421a8f296599ad
Opcode Fuzzy Hash: 3f9a1b1a83dc7aaa8ca6ad05b62e1cb25f88822db842eb42f6b121ed6c507a6a
Instruction Fuzzy Hash: 92415F21B1DB490FE75897AC94657B97BD1EF94314F40027EF05EC32E2DD286D028796

Function 00007FFD9B7F24E8 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1719774776.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b7f0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a01044e31afaac75583a470c0b15699c608f0d7f0a09ab09b2a9bcbb48c928b7
Instruction ID: 8db6ca4ee417c606609920667f1a1f3550550a72699438805b1d88832e882734
Opcode Fuzzy Hash: a01044e31afaac75583a470c0b15699c608f0d7f0a09ab09b2a9bcbb48c928b7
Instruction Fuzzy Hash: C6414525B59D1B0FEF98F6AC80B1AFD66D3AF84244B9145B4E01DC37EADD2C9D028385

Function 00007FFD9B7F196D Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1719774776.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b7f0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a9203ffc76b708750fc55d526d1737f16222c6e3ba512f8ec1065c4b5c9aa6f
Instruction ID: 1f014d5dbb9f7ffc1aed9ab29263348cb992171c3d9331e84f82cf3ed4282a8c
Opcode Fuzzy Hash: 3a9203ffc76b708750fc55d526d1737f16222c6e3ba512f8ec1065c4b5c9aa6f
Instruction Fuzzy Hash: C3210331B0E6864FDB55DB6880D55A57B91EF51310F1683FAC0588B5BBD928AC86C3C0

Function 00007FFD9B7F1BF5 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1719774776.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b7f0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28a8563db28fe917701d0e45d2b65fab752182641e6ade0933bf2772b68d19cb
Instruction ID: 69237ed524ae5da1eed70268736fbbbcfb47b479d9a03fa268a430ca2c5c6476
Opcode Fuzzy Hash: 28a8563db28fe917701d0e45d2b65fab752182641e6ade0933bf2772b68d19cb
Instruction Fuzzy Hash: 28316F34659AC64BEB48EB2CD4A1AE97F61AFC4308F9149E5F418833CECE3C6906C751

Function 00007FFD9B7F32DD Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1719774776.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b7f0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae7c0f1c006537fbbce6fc843ba0e32288dcd5eb949aeffd5c5926153dc4d422
Instruction ID: 0f560770bda8560471a44f62335a37f448d2395cf61721ca125d7a4b5baf6bfa
Opcode Fuzzy Hash: ae7c0f1c006537fbbce6fc843ba0e32288dcd5eb949aeffd5c5926153dc4d422
Instruction Fuzzy Hash: E621D631F19A5D4FDB94EB6888A99B977D1EF58301B4605B6E40DC72E6DE28EC00C781

Function 00007FFD9B7F0872 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1719774776.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b7f0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb2547efd00d148559379f0782ec4e427321e3932357a3260677307587e3c564
Instruction ID: fe2d764eb55bbab585b647f5d81dffc9f1a1b37c1b1bd63bd2f7628a3eccc9ca
Opcode Fuzzy Hash: fb2547efd00d148559379f0782ec4e427321e3932357a3260677307587e3c564
Instruction Fuzzy Hash: A5213792B1EAC64FE355AB644835AA57FA1EF51740F0506FAD099C72E7EC08280483D1

Function 00007FFD9B7F3491 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1719774776.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b7f0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c314a12c53bec6fefc2500d967f0c440f88e6feae55a193d4e5a472c25e5ef8
Instruction ID: a72c18078350a6e16183ad5e2389acf72be9b61cc8c27f05592ba22b0e420361
Opcode Fuzzy Hash: 4c314a12c53bec6fefc2500d967f0c440f88e6feae55a193d4e5a472c25e5ef8
Instruction Fuzzy Hash: B3117D21B0EB850FE395E6786C698F17FD0DF9022470503BBE44CC31B3CD0899868391

Function 00007FFD9B7F28D5 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1719774776.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b7f0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 396a8372869d3e6d24a05ee1bee0cc4a3461b30504077316cf957504feedd9ce
Instruction ID: 2781bcd954107f2cb66156e1b87b5396acbd94ebed4a636039cb44bfe43b42de
Opcode Fuzzy Hash: 396a8372869d3e6d24a05ee1bee0cc4a3461b30504077316cf957504feedd9ce
Instruction Fuzzy Hash: 5B11C620B0EBCD0FE347E37858A8AA43FD1EF46215B0A41E7E488CB0B7C9584945C342

Function 00007FFD9B7F0DA9 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1719774776.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b7f0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 764da4d966ce21371d5472053bca8cfd49275c3baa22d1822eb6efaff5d975f6
Instruction ID: ba85f41c3e19a16dc2236c0675dcf876c920afc1b0a4e8d34ba6467f2cdb9c92
Opcode Fuzzy Hash: 764da4d966ce21371d5472053bca8cfd49275c3baa22d1822eb6efaff5d975f6
Instruction Fuzzy Hash: E7014E5371AD8E0EDBA9A62C54A59F67B82DBD5710B0506F6E40DC23B6DD147D4243C0

Function 00007FFD9B7F1E58 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1719774776.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b7f0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 438500eb9df471dce427ea4611a325c169b5f8130cddda9fa0823cb93a827a76
Instruction ID: b6ee8f7ec8c951da5c002d9f40693b11a758fce38e8021a804c49389cc8aa791
Opcode Fuzzy Hash: 438500eb9df471dce427ea4611a325c169b5f8130cddda9fa0823cb93a827a76
Instruction Fuzzy Hash: D2F0F022F1981D0FE754F6AD54ECAFA7BD1DBAC22671502B7E40CC72B7DC0498428381

Function 00007FFD9B7F1E70 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1719774776.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b7f0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a33c4f289f0f918d9ca77e1d5369cc6352d16bd8c698e3263572bb0c8931fbce
Instruction ID: 460693d778915d3dc3532e3c8fef514c5ede74a2b54f19813b0bd8c65b91c4a7
Opcode Fuzzy Hash: a33c4f289f0f918d9ca77e1d5369cc6352d16bd8c698e3263572bb0c8931fbce
Instruction Fuzzy Hash: C1E09B21F19C1D1FA794F6AD44DDF7966C1DBAC2117510576E41CC72B6DC149C418381

Function 00007FFD9B7F094D Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1719774776.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b7f0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 264275a600972998d3d8d45f3add922ad5f20d2365c9327ef6caecc6211609c7
Instruction ID: dceda6915c54ad741f89ddeebac1050784350ac23a6cb71f09d814d11a86b593
Opcode Fuzzy Hash: 264275a600972998d3d8d45f3add922ad5f20d2365c9327ef6caecc6211609c7
Instruction Fuzzy Hash: E7E02622F1A91A57E394337820364FC2581CF48690B41053AE40DC62EBEC1D6D420284

Function 00007FFD9B7F2DC8 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1719774776.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b7f0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb34cfd6402c0cf2cd3d1552bc79771280b33ffe8363ad7088facd0752a6bcfc
Instruction ID: 4f5a2ac70440ddbf5dd8d05bae4b54741cff1a685b8801eb762a0e07459db911
Opcode Fuzzy Hash: eb34cfd6402c0cf2cd3d1552bc79771280b33ffe8363ad7088facd0752a6bcfc
Instruction Fuzzy Hash: 99C01262B16E4E4BDB65EFC824912F87691FFC83807D50239A008E2175CF241551A284

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report EZFN op cheats.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Quasar

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\EZFN op cheats.exe.log

C:\Users\user\AppData\Roaming\SubDir\Client.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Windows Analysis Report
EZFN op cheats.exe

Function 00007FFD9B7D3525 Relevance: 1.6, APIs: 1, Instructions: 117
fileCOMMON

Function 00007FFD9B7D3569 Relevance: 1.6, APIs: 1, Instructions: 109
fileCOMMON

Function 00007FFD9BA69BD1 Relevance: 1.5, Instructions: 1475
COMMON

Function 00007FFD9BA6AFDD Relevance: .9, Instructions: 862
COMMON

Function 00007FFD9BA69271 Relevance: .7, Instructions: 677
COMMON

Function 00007FFD9BA6E6F9 Relevance: 1.8, APIs: 1, Instructions: 272
COMMON

Function 00007FFD9B7F3525 Relevance: 1.6, APIs: 1, Instructions: 116
fileCOMMON

Function 00007FFD9B7F3569 Relevance: 1.6, APIs: 1, Instructions: 109
fileCOMMON