
Windows Analysis Report
YJaaZuNHwI.exe

Overview

General Information

Sample name: YJaaZuNHwI.exe (renamed because original name is a hash value)
Original sample name: 44037f6c2fed815da4c59b50479561f5.exe
Analysis ID: 1582924
MD5: 44037f6c2fed815da4c59b50479561f5
SHA1: f724de9954505061cd9f4fbe90bd57d8375ef6d1
SHA256: 59405ec9b904646f7d674606945cffab2ece5cb7fba153c91de4c79bb40aa553
Tags: exe, QuasarRAT, RAT, user-abuse_ch

Detection

Quasar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Quasar RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for sample
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • YJaaZuNHwI.exe (PID: 7112 cmdline: "C:\Users\user\Desktop\YJaaZuNHwI.exe" MD5: 44037F6C2FED815DA4C59B50479561F5)
  • cleanup
Name: Quasar RAT, QuasarRAT
Description: Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
Attribution:
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat
{"Version": "1.4.2", "Host:Port": "45.83.244.141:4782;", "SubDirectory": "$77-SubDir", "InstallName": "$77-cmd.exe", "MutexName": "18dba2e6-0f3a-4d9f-b95d-78cbc696f514", "StartupKey": "$77-cmd", "Tag": "Java", "LogDirectoryName": "$77-Logs", "ServerSignature": "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", "ServerCertificate": "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"}
Source: YJaaZuNHwI.exe | Rule: JoeSecurity_Quasar | Description: Yara detected Quasar RAT | Author: Joe Security
Source: YJaaZuNHwI.exe | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: YJaaZuNHwI.exe | Rule: MAL_QuasarRAT_May19_1 | Description: Detects QuasarRAT malware | Author: Florian Roth
  • 0x28f0da:$x1: Quasar.Common.Messages
  • 0x29f403:$x1: Quasar.Common.Messages
  • 0x2ac160:$x4: Uninstalling... good bye :-(
  • 0x2ad955:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
Source: YJaaZuNHwI.exe | Rule: INDICATOR_SUSPICIOUS_GENInfoStealer | Description: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
  • 0x2ab712:$f1: FileZilla\recentservers.xml
  • 0x2ab752:$f2: FileZilla\sitemanager.xml
  • 0x2ab794:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
  • 0x2ab9e0:$b1: Chrome\User Data\
  • 0x2aba36:$b1: Chrome\User Data\
  • 0x2abd0e:$b2: Mozilla\Firefox\Profiles
  • 0x2abe0a:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x2fdd7b:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x2abf62:$b4: Opera Software\Opera Stable\Login Data
  • 0x2ac01c:$b5: YandexBrowser\User Data\
  • 0x2ac08a:$b5: YandexBrowser\User Data\
  • 0x2abd5e:$s4: logins.json
  • 0x2aba94:$a1: username_value
  • 0x2abab2:$a2: password_value
  • 0x2abd9e:$a3: encryptedUsername
  • 0x2fdcbf:$a3: encryptedUsername
  • 0x2abdc2:$a4: encryptedPassword
  • 0x2fdcdd:$a4: encryptedPassword
  • 0x2fdc5b:$a5: httpRealm
Source: YJaaZuNHwI.exe | Rule: MALWARE_Win_QuasarStealer | Description: Detects Quasar infostealer | Author: ditekshen
  • 0x165102:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
  • 0x2ac24a:$s3: Process already elevated.
  • 0x28edd9:$s4: get_PotentiallyVulnerablePasswords
  • 0x278e95:$s5: GetKeyloggerLogsDirectory
  • 0x29eb62:$s5: GetKeyloggerLogsDirectory
  • 0x28edfc:$s6: set_PotentiallyVulnerablePasswords
  • 0x2ff3a3:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
Source: 00000000.00000002.4117077448.00000000038CB000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_Quasar | Description: Yara detected Quasar RAT | Author: Joe Security
Source: 00000000.00000000.1664162584.0000000000E92000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Quasar | Description: Yara detected Quasar RAT | Author: Joe Security
Source: Process Memory Space: YJaaZuNHwI.exe PID: 7112 | Rule: JoeSecurity_Quasar | Description: Yara detected Quasar RAT | Author: Joe Security
Source: 0.0.YJaaZuNHwI.exe.e90000.0.unpack | Rule: JoeSecurity_Quasar | Description: Yara detected Quasar RAT | Author: Joe Security
Source: 0.0.YJaaZuNHwI.exe.e90000.0.unpack | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: 0.0.YJaaZuNHwI.exe.e90000.0.unpack | Rule: MAL_QuasarRAT_May19_1 | Description: Detects QuasarRAT malware | Author: Florian Roth
  • 0x28f0da:$x1: Quasar.Common.Messages
  • 0x29f403:$x1: Quasar.Common.Messages
  • 0x2ac160:$x4: Uninstalling... good bye :-(
  • 0x2ad955:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
Source: 0.0.YJaaZuNHwI.exe.e90000.0.unpack | Rule: INDICATOR_SUSPICIOUS_GENInfoStealer | Description: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
  • 0x2ab712:$f1: FileZilla\recentservers.xml
  • 0x2ab752:$f2: FileZilla\sitemanager.xml
  • 0x2ab794:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
  • 0x2ab9e0:$b1: Chrome\User Data\
  • 0x2aba36:$b1: Chrome\User Data\
  • 0x2abd0e:$b2: Mozilla\Firefox\Profiles
  • 0x2abe0a:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x2fdd7b:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x2abf62:$b4: Opera Software\Opera Stable\Login Data
  • 0x2ac01c:$b5: YandexBrowser\User Data\
  • 0x2ac08a:$b5: YandexBrowser\User Data\
  • 0x2abd5e:$s4: logins.json
  • 0x2aba94:$a1: username_value
  • 0x2abab2:$a2: password_value
  • 0x2abd9e:$a3: encryptedUsername
  • 0x2fdcbf:$a3: encryptedUsername
  • 0x2abdc2:$a4: encryptedPassword
  • 0x2fdcdd:$a4: encryptedPassword
  • 0x2fdc5b:$a5: httpRealm
Source: 0.0.YJaaZuNHwI.exe.e90000.0.unpack | Rule: MALWARE_Win_QuasarStealer | Description: Detects Quasar infostealer | Author: ditekshen
  • 0x165102:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
  • 0x2ac24a:$s3: Process already elevated.
  • 0x28edd9:$s4: get_PotentiallyVulnerablePasswords
  • 0x278e95:$s5: GetKeyloggerLogsDirectory
  • 0x29eb62:$s5: GetKeyloggerLogsDirectory
  • 0x28edfc:$s6: set_PotentiallyVulnerablePasswords
  • 0x2ff3a3:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-31T22:52:03.526715+0100 | 2035595 | 1 | Domain Observed Used for C2 Detected | 45.83.244.141 | 4782 | 192.168.2.4 | 49730 | TCP
2024-12-31T22:52:03.526715+0100 | 2027619 | 1 | Domain Observed Used for C2 Detected | 45.83.244.141 | 4782 | 192.168.2.4 | 49730 | TCP

                AV Detection

Source: YJaaZuNHwI.exe | Avira: detected
Source: YJaaZuNHwI.exe | Malware Configuration Extractor: Quasar {"Version": "1.4.2", "Host:Port": "45.83.244.141:4782;", "SubDirectory": "$77-SubDir", "InstallName": "$77-cmd.exe", "MutexName": "18dba2e6-0f3a-4d9f-b95d-78cbc696f514", "StartupKey": "$77-cmd", "Tag": "Java", "LogDirectoryName": "$77-Logs", "ServerSignature": "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", "ServerCertificate": "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"}
Source: YJaaZuNHwI.exe | ReversingLabs: Detection: 75%
Source: Yara match | File source: YJaaZuNHwI.exe, type: SAMPLE
Source: Yara match | File source: 0.0.YJaaZuNHwI.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4117077448.00000000038CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1664162584.0000000000E92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: YJaaZuNHwI.exe PID: 7112, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: YJaaZuNHwI.exe | Joe Sandbox ML: detected
Source: YJaaZuNHwI.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: YJaaZuNHwI.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Networking

Source: Network traffic | Suricata IDS: 2027619 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (Quasar CnC) : 45.83.244.141:4782 -> 192.168.2.4:49730
Source: Network traffic | Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 45.83.244.141:4782 -> 192.168.2.4:49730
Source: Malware configuration extractor | URLs: 45.83.244.141
Source: Yara match | File source: YJaaZuNHwI.exe, type: SAMPLE
Source: Yara match | File source: 0.0.YJaaZuNHwI.exe.e90000.0.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 45.83.244.141:4782
Source: global traffic | TCP traffic: 192.168.2.4:49386 -> 1.1.1.1:53
Source: global traffic | TCP traffic: 192.168.2.4:64710 -> 162.159.36.2:53
Source: Joe Sandbox View | IP Address: 195.201.57.90
Source: Joe Sandbox View | ASN Name: GBTCLOUDUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: ipwho.is
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
  Host: ipwho.is
  Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 45.83.244.141
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
  Host: ipwho.is
  Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: ipwho.is
Source: YJaaZuNHwI.exe | String found in binary or memory: http://45.83.244.141/Files/Install.exe
Source: YJaaZuNHwI.exe, 00000000.00000002.4121952709.000000001C073000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: YJaaZuNHwI.exe, 00000000.00000002.4115641081.0000000001724000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: YJaaZuNHwI.exe, 00000000.00000002.4117077448.000000000387C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ipwho.is
Source: YJaaZuNHwI.exe, 00000000.00000002.4117077448.00000000038CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: YJaaZuNHwI.exe, 00000000.00000002.4117077448.00000000034A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: YJaaZuNHwI.exe | String found in binary or memory: https://api.ipify.org/
Source: YJaaZuNHwI.exe, 00000000.00000002.4117077448.0000000003862000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ipwho.is
Source: YJaaZuNHwI.exe | String found in binary or memory: https://ipwho.is/
Source: YJaaZuNHwI.exe | String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: YJaaZuNHwI.exe | String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: YJaaZuNHwI.exe | String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.4:49732 version: TLS 1.2

                Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\YJaaZuNHwI.exe

                E-Banking Fraud

Source: Yara match | File source: YJaaZuNHwI.exe, type: SAMPLE
Source: Yara match | File source: 0.0.YJaaZuNHwI.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4117077448.00000000038CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1664162584.0000000000E92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: YJaaZuNHwI.exe PID: 7112, type: MEMORYSTR

                System Summary

Source: YJaaZuNHwI.exe, type: SAMPLE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: YJaaZuNHwI.exe, type: SAMPLE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: YJaaZuNHwI.exe, type: SAMPLE | Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.0.YJaaZuNHwI.exe.e90000.0.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.0.YJaaZuNHwI.exe.e90000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.0.YJaaZuNHwI.exe.e90000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer Author: ditekshen
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Code function: 0_2_00007FFD9BB0B3D9
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Code function: 0_2_00007FFD9BAFABCD
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Code function: 0_2_00007FFD9BAF9BC0
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Code function: 0_2_00007FFD9BB01190
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Code function: 0_2_00007FFD9BAF51C6
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Code function: 0_2_00007FFD9BB07806
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Code function: 0_2_00007FFD9BB0E781
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Code function: 0_2_00007FFD9BAF5E97
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Code function: 0_2_00007FFD9BAF8E61
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Code function: 0_2_00007FFD9BB085FF
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Code function: 0_2_00007FFD9BB14CAD
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Code function: 0_2_00007FFD9BB010F5
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Code function: 0_2_00007FFD9BAF10CF
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Code function: 0_2_00007FFD9BC12321
Source: YJaaZuNHwI.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: YJaaZuNHwI.exe, 00000000.00000000.1664489094.00000000011B0000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename" vs YJaaZuNHwI.exe
Source: YJaaZuNHwI.exe | Binary or memory string: OriginalFilename" vs YJaaZuNHwI.exe
Source: YJaaZuNHwI.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: YJaaZuNHwI.exe, type: SAMPLE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: YJaaZuNHwI.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: YJaaZuNHwI.exe, type: SAMPLE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.0.YJaaZuNHwI.exe.e90000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.0.YJaaZuNHwI.exe.e90000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.0.YJaaZuNHwI.exe.e90000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/2@1/2
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\18dba2e6-0f3a-4d9f-b95d-78cbc696f514
Source: YJaaZuNHwI.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: YJaaZuNHwI.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: YJaaZuNHwI.exe | ReversingLabs: Detection: 75%
Source: YJaaZuNHwI.exe | String found in binary or memory: *.exeMhttp://45.83.244.141/Files/Install.exe
Source: YJaaZuNHwI.exe | String found in binary or memory: HasSubValue3Conflicting item/add type
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Section loaded: cryptnet.dll
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: YJaaZuNHwI.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: YJaaZuNHwI.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: YJaaZuNHwI.exe | Static file information: File size 3268096 > 1048576
Source: YJaaZuNHwI.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x31ce00
Source: YJaaZuNHwI.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Code function: 0_2_00007FFD9B76D2A5 pushad ; iretd 0_2_00007FFD9B76D2A6
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Code function: 0_2_00007FFD9BB0B3D9 push ss; retn FD9Bh 0_2_00007FFD9BB0BC0A
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Code function: 0_2_00007FFD9BAF2F90 push eax; ret 0_2_00007FFD9BAF2FFC
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Code function: 0_2_00007FFD9BB0A5BA push es; retn FD9Bh 0_2_00007FFD9BB0A5CA
Source: C:\Users\user\Desktop\YJaaZuNHwI.exe | Code function: 0_2_00007FFD9BC12321 push edx; retf 5F20h 0_2_00007FFD9BC15A3B

                Hooking and other Techniques for Hiding and Protection

                barindex
                Source: C:\Users\user\Desktop\YJaaZuNHwI.exeFile opened: C:\Users\user\Desktop\YJaaZuNHwI.exe:Zone.Identifier read attributes | deleteJump to behavior
                Source: C:\Users\user\Desktop\YJaaZuNHwI.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
[Source: C:\Users\user\Desktop\YJaaZuNHwI.exe] Process information set: NOOPENFILEERRORBOX
[Source: C:\Users\user\Desktop\YJaaZuNHwI.exe] Memory allocated: 32A0000 memory reserve | memory write watch
[Source: C:\Users\user\Desktop\YJaaZuNHwI.exe] Memory allocated: 1B4A0000 memory reserve | memory write watch
[Source: C:\Users\user\Desktop\YJaaZuNHwI.exe] Thread delayed: delay time: 922337203685477
[Source: C:\Users\user\Desktop\YJaaZuNHwI.exe] Window / User API: threadDelayed 7449
[Source: C:\Users\user\Desktop\YJaaZuNHwI.exe] Window / User API: threadDelayed 2388
[Source: C:\Users\user\Desktop\YJaaZuNHwI.exe, TID: 6456] Thread sleep time: -30437127721620741s >= -30000s
[Source: C:\Users\user\Desktop\YJaaZuNHwI.exe, TID: 3020] Thread sleep time: -30000s >= -30000s
[Source: C:\Users\user\Desktop\YJaaZuNHwI.exe] WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
[Source: C:\Users\user\Desktop\YJaaZuNHwI.exe] WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
[Source: C:\Users\user\Desktop\YJaaZuNHwI.exe] WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
[Source: C:\Users\user\Desktop\YJaaZuNHwI.exe] Thread delayed: delay time: 922337203685477
[Source: YJaaZuNHwI.exe, 00000000.00000002.4121952709.000000001C0FD000.00000004.00000020.00020000.00000000.sdmp] Binary or memory string: Hyper-V RAW
[Source: YJaaZuNHwI.exe, 00000000.00000002.4121952709.000000001C0FD000.00000004.00000020.00020000.00000000.sdmp] Binary or memory string: Hyper-V RAWL
[Source: YJaaZuNHwI.exe, 00000000.00000002.4121952709.000000001C073000.00000004.00000020.00020000.00000000.sdmp] Binary or memory string: Hyper-V RAW
[Source: C:\Users\user\Desktop\YJaaZuNHwI.exe] Process token adjusted: Debug
[Source: C:\Users\user\Desktop\YJaaZuNHwI.exe] Memory allocated: page read and write | page guard
[Source: C:\Users\user\Desktop\YJaaZuNHwI.exe] Queries volume information: C:\Users\user\Desktop\YJaaZuNHwI.exe VolumeInformation
[Source: C:\Users\user\Desktop\YJaaZuNHwI.exe] Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
[Source: C:\Users\user\Desktop\YJaaZuNHwI.exe] Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
[Source: C:\Users\user\Desktop\YJaaZuNHwI.exe] Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
[Source: C:\Users\user\Desktop\YJaaZuNHwI.exe] Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
[Source: C:\Users\user\Desktop\YJaaZuNHwI.exe] Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

[Source: Yara match] File source: YJaaZuNHwI.exe, type: SAMPLE
[Source: Yara match] File source: 0.0.YJaaZuNHwI.exe.e90000.0.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 00000000.00000002.4117077448.00000000038CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
[Source: Yara match] File source: 00000000.00000000.1664162584.0000000000E92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
[Source: Yara match] File source: Process Memory Space: YJaaZuNHwI.exe PID: 7112, type: MEMORYSTR

Remote Access Functionality

[Source: Yara match] File source: YJaaZuNHwI.exe, type: SAMPLE
[Source: Yara match] File source: 0.0.YJaaZuNHwI.exe.e90000.0.unpack, type: UNPACKEDPE
[Source: Yara match] File source: 00000000.00000002.4117077448.00000000038CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
[Source: Yara match] File source: 00000000.00000000.1664162584.0000000000E92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
[Source: Yara match] File source: Process Memory Space: YJaaZuNHwI.exe PID: 7112, type: MEMORYSTR

MITRE ATT&CK Matrix (a leading number is the count of matched signatures for that technique)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 21 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 11 Input Capture | 1 Query Registry | Remote Services | 11 Input Capture | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 41 Virtualization/Sandbox Evasion | LSASS Memory | 11 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Hidden Files and Directories | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 System Network Configuration Discovery | SSH | Keylogging | 113 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 23 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Source | Detection | Scanner | Label
YJaaZuNHwI.exe | 76% | ReversingLabs | ByteCode-MSIL.Backdoor.Quasar
YJaaZuNHwI.exe | 100% | Avira | HEUR/AGEN.1307453
YJaaZuNHwI.exe | 100% | Joe Sandbox ML |
No Antivirus matches

Source | Detection | Scanner | Label
http://45.83.244.141/Files/Install.exe | 0% | Avira URL Cloud | safe
45.83.244.141 | 0% | Avira URL Cloud | safe

Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
ipwho.is | 195.201.57.90 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://ipwho.is/ | false | | high
45.83.244.141 | true | Avira URL Cloud: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://45.83.244.141/Files/Install.exe | YJaaZuNHwI.exe | false | Avira URL Cloud: safe | unknown
https://api.ipify.org/ | YJaaZuNHwI.exe | false | | high
https://stackoverflow.com/q/14436606/23354 | YJaaZuNHwI.exe | false | | high
https://stackoverflow.com/q/2152978/23354sCannot | YJaaZuNHwI.exe | false | | high
http://schemas.datacontract.org/2004/07/ | YJaaZuNHwI.exe, 00000000.00000002.4117077448.00000000038CB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | YJaaZuNHwI.exe, 00000000.00000002.4117077448.00000000034A1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ipwho.is | YJaaZuNHwI.exe, 00000000.00000002.4117077448.000000000387C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/11564914/23354; | YJaaZuNHwI.exe | false | | high
https://ipwho.is | YJaaZuNHwI.exe, 00000000.00000002.4117077448.0000000003862000.00000004.00000800.00020000.00000000.sdmp | false | | high

IP | Domain | Country | ASN | ASN Name | Malicious
45.83.244.141 | unknown | Germany | 395800 | GBTCLOUDUS | true
195.201.57.90 | ipwho.is | Germany | 24940 | HETZNER-ASDE | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1582924
Start date and time: 2024-12-31 22:51:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 17s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: YJaaZuNHwI.exe (renamed because the original name is a hash value)
Original Sample Name: 44037f6c2fed815da4c59b50479561f5.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/2@1/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 79%
• Number of executed functions: 42
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 2.22.50.144, 2.22.50.131, 52.149.20.212, 20.109.210.53, 13.107.246.45
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, 7.4.8.4.4.3.1.4.0.0.0.0.0.0.0.0.0.0.0.a.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: YJaaZuNHwI.exe

Time | Type | Description
16:52:02 | API Interceptor | 14775595x Sleep call for process: YJaaZuNHwI.exe modified
                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                      195.201.57.90SPt4FUjZMt.exeGet hashmaliciousAsyncRAT, Luca Stealer, MicroClip, PythonCryptoHijacker, RedLineBrowse
                                      • /?output=json
                                      765iYbgWn9.exeGet hashmaliciousLuca StealerBrowse
                                      • /?output=json
                                      765iYbgWn9.exeGet hashmaliciousLuca StealerBrowse
                                      • /?output=json
                                      WfKynArKjH.exeGet hashmaliciousAsyncRAT, Luca Stealer, MicroClip, RedLineBrowse
                                      • /?output=json
                                      ubes6SC7Vd.exeGet hashmaliciousUnknownBrowse
                                      • ipwhois.app/xml/
                                      cOQD62FceM.exeGet hashmaliciousLuca Stealer, Rusty StealerBrowse
                                      • /?output=json
                                      Clipper.exeGet hashmaliciousUnknownBrowse
                                      • /?output=json
                                      cOQD62FceM.exeGet hashmaliciousLuca StealerBrowse
                                      • /?output=json
                                      Cryptor.exeGet hashmaliciousLuca StealerBrowse
                                      • /?output=json
                                      Cryptor.exeGet hashmaliciousLuca Stealer, Rusty StealerBrowse
                                      • /?output=json
                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                      ipwho.isFlasher.exeGet hashmaliciousLuca Stealer, Rusty StealerBrowse
                                      • 108.181.61.49
                                      msgde.exeGet hashmaliciousQuasarBrowse
                                      • 108.181.61.49
                                      6ee7HCp9cD.exeGet hashmaliciousQuasarBrowse
                                      • 108.181.61.49
                                      wUSt04rfJ0.exeGet hashmaliciousQuasarBrowse
                                      • 108.181.61.49
                                      https://en.newsnowbangla.com/archives/69912Get hashmaliciousHTMLPhisher, TechSupportScamBrowse
                                      • 108.181.61.49
                                      StGx54oFh6.exeGet hashmaliciousQuasarBrowse
                                      • 108.181.61.49
                                      1AqzGcCKey.exeGet hashmaliciousQuasarBrowse
                                      • 108.181.61.49
                                      BJtvb5Vdhh.exeGet hashmaliciousQuasarBrowse
                                      • 108.181.61.49
                                      HquJT7q6xG.exeGet hashmaliciousQuasarBrowse
                                      • 108.181.61.49
                                      hKvlV6A1Rl.exeGet hashmaliciousQuasarBrowse
                                      • 108.181.61.49
                                      bg.microsoft.map.fastly.netO782uurN5d.exeGet hashmaliciousDCRatBrowse
                                      • 199.232.210.172
                                      bKxtUOPLtR.exeGet hashmaliciousAveMaria, DcRat, KeyLogger, StormKitty, VenomRATBrowse
                                      • 199.232.210.172
                                      46VHQmFDxC.exeGet hashmaliciousRedLineBrowse
                                      • 199.232.210.172
                                      vEtDFkAZjO.exeGet hashmaliciousRL STEALER, StormKittyBrowse
                                      • 199.232.214.172
                                      GYede3Gwn0.lnkGet hashmaliciousUnknownBrowse
                                      • 199.232.210.172
                                      Qu3ped8inH.exeGet hashmaliciousUnknownBrowse
                                      • 199.232.210.172
                                      DIS_37745672.pdfGet hashmaliciousKnowBe4, PDFPhishBrowse
                                      • 199.232.214.172
                                      https://gogl.to/3HGTGet hashmaliciousCAPTCHA Scam ClickFix, DcRat, KeyLogger, StormKitty, VenomRATBrowse
                                      • 199.232.214.172
                                      222.msiGet hashmaliciousXRedBrowse
                                      • 199.232.214.172
                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                      HETZNER-ASDECenteredDealing.exeGet hashmaliciousVidarBrowse
                                      • 116.203.13.109
                                      CenteredDealing.exeGet hashmaliciousVidarBrowse
                                      • 116.203.13.109
                                      over.ps1Get hashmaliciousVidarBrowse
                                      • 116.203.14.4
                                      MatAugust.exeGet hashmaliciousVidarBrowse
                                      • 116.203.14.4
6684V5n83w.exe | malicious | Vidar
• 116.203.14.4
RtU8kXPnKr.exe | malicious | Quasar
• 88.198.193.213
BHgwhz3lGN.exe | malicious | Vidar
• 116.203.14.4
botx.ppc.elf | malicious | Mirai
• 49.13.202.247
Tool_Unlock_v1.2.exe | malicious | Vidar
• 116.203.14.4
db0fa4b8db0333367e9bda3ab68b8042.i686.elf | malicious | Mirai, Gafgyt
• 5.9.64.57
GBTCLOUDUSnshkmpsl.elf | malicious | Mirai
• 194.31.197.248
58VSNPxrI4.exe | malicious | Unknown
• 45.94.31.128
sh4.nn.elf | malicious | Mirai, Okiru
• 5.183.206.192
akcqrfutuo.elf | malicious | Unknown
• 154.37.70.165
x86_64.elf | malicious | Mirai, Moobot
• 45.11.15.123
botx.x86.elf | malicious | Mirai
• 154.37.105.101
loligang.arm7.elf | malicious | Mirai
• 2.58.149.182
sparc.elf | malicious | Okiru
• 154.37.39.10
VzhY4BcvBH.exe | malicious | AsyncRAT, RedLine, StormKitty, VenomRAT
• 212.87.215.19
AD6dpKQm7n.exe | malicious | Unknown
• 45.94.31.26
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | Etqq32Yuw4.exe | malicious | DCRat, PureLog Stealer, zgRAT
• 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | OPRfEWLTto.js | malicious | Unknown
• 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | http://4.lkx91.michaelhuegel.com/news?q=IP%20provider%20is%20blacklisted!%20MICROSOFT-CORP-MSN-AS-BLOCK | malicious | Unknown
• 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | over.ps1 | malicious | Vidar
• 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | http://trezorbridge.org/ | malicious | Unknown
• 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | tyPafmiT0t.exe | malicious | 44Caliber Stealer, BlackGuard, Rags Stealer
• 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | vEtDFkAZjO.exe | malicious | RL STEALER, StormKitty
• 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | Invoice-BL. Payment TT $ 28,945.99.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer
• 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | Statement of Account - USD 16,720.00.exe | malicious | AgentTesla
• 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | GYede3Gwn0.lnk | malicious | Unknown
• 195.201.57.90
                                      No context
                                      Process:C:\Users\user\Desktop\YJaaZuNHwI.exe
                                      File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                      Category:dropped
                                      Size (bytes):71954
                                      Entropy (8bit):7.996617769952133
                                      Encrypted:true
                                      SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                      MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                      SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                      SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                      SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                      Malicious:false
                                      Reputation:high, very likely benign file
                                      Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                                      Process:C:\Users\user\Desktop\YJaaZuNHwI.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):328
                                      Entropy (8bit):3.137989037915285
                                      Encrypted:false
                                      SSDEEP:6:kKPe9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:3BDnLNkPlE99SNxAhUe/3
                                      MD5:DF47A1C604CC4AA27A7F0AC3EE574EF2
                                      SHA1:ABCCF07D1D381A459D7899D3F2519096B7F13099
                                      SHA-256:7A4E7D044B6D938279B664B2F397C43557413CB7796E3FB6DC8137CB30E42A98
                                      SHA-512:8F65DE839BA3F41D5E93C63A43994568346F421C53B3F7A3193ECAED9D3A6D0AA19EA3314C14AFEF5FECA6546014162881A7563EDB29A47C5BB4F5D0000D136F
                                      Malicious:false
                                      Reputation:low
                                      Preview:p...... ............[..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Entropy (8bit):6.085987897675898
                                      TrID:
                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                      • Win32 Executable (generic) a (10002005/4) 49.75%
                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                      • Windows Screen Saver (13104/52) 0.07%
                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                      File name:YJaaZuNHwI.exe
                                      File size:3'268'096 bytes
                                      MD5:44037f6c2fed815da4c59b50479561f5
                                      SHA1:f724de9954505061cd9f4fbe90bd57d8375ef6d1
                                      SHA256:59405ec9b904646f7d674606945cffab2ece5cb7fba153c91de4c79bb40aa553
                                      SHA512:e33bb327a8b8afc38bba20adfe4d00d99bd3772d65df1125796e5de00d02e37e8ea3a9ce48d16d5374343079d7addf8456c09b053ef9dfec35d183aaddfdf30d
                                      SSDEEP:49152:twAlUPhZwv68DkG17WlqTz5oqMn0f8bUlUUU+UUUZAMoAGdQTHHB72eh2NT:twsUPhZwv68DkG17WlqTzeqMn0fcK
                                      TLSH:A4E54A0477F85E23E1ABE67395F0405367F0FC2AF363EB0B2591A67A1C53B5098416AB
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....gg..................1...........1.. ........@.. .......................@2...........@................................
                                      Icon Hash:90cececece8e8eb0
                                      Entrypoint:0x71ed2e
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x6767B7E4 [Sun Dec 22 06:55:32 2024 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
(The bytes after this stub are zero padding, which the disassembler renders as a long run of "add byte ptr [eax], al". 0x402000 is the image base 0x400000 plus the IAT RVA 0x2000 listed below, i.e. the standard managed-executable entry stub that jumps through the IAT to mscoree!_CorExeMain, the only import this file has.)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x31ecdc | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x320000 | 0xa30 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x322000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x31cd34 | 0x31ce00 | 69a28f4d453212fc1b7846a9a72e26cd | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x320000 | 0xa30 | 0xc00 | ec999e4e05fc09af0ec07e476c8837e0 | False | 0.3502604166666667 | data | 5.258384450400837 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x322000 | 0xc | 0x200 | ff15e9c710c8664eb64f6f8e01049890 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x3200a0 | 0x2b8 | COM executable for DOS | | | 0.4367816091954023
RT_MANIFEST | 0x320358 | 0x6d7 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text | | | 0.40319817247287265
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-31T22:52:03.526715+0100 | 2027619 | ET MALWARE Observed Malicious SSL Cert (Quasar CnC) | 1 | 45.83.244.141 | 4782 | 192.168.2.4 | 49730 | TCP
2024-12-31T22:52:03.526715+0100 | 2035595 | ET MALWARE Generic AsyncRAT Style SSL Cert | 1 | 45.83.244.141 | 4782 | 192.168.2.4 | 49730 | TCP
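The script below is an added example and is not part of the Joe Sandbox report. It shows the pivot a triage analyst makes from the raw alert rows above and the packet list that follows: group packets into flows, decide which side is client and which is server, count packets per direction, measure duration, flag a server port that is not in a set of ports this example assumes to be "standard", and attach the Suricata SIDs that fired on the flow. The sample rows embedded in the script are a constructed subset of the report's own alert and packet values, re-typed as pipe-delimited text so the script runs offline; the names (summarise, build_flows, attach_alerts, STANDARD_PORTS) are this example's own.

```python
"""Pivot a sandbox packet list into flows and attach the IDS alerts that fired on them.

Added example, not code from the Joe Sandbox report. The rows below are a
constructed subset of the report's packet and Suricata tables, re-typed in a
pipe-delimited layout so the script runs offline.
"""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample: a few packets from the report, columns
# timestamp | source port | dest port | source IP | dest IP
PACKET_ROWS = """
Dec 31, 2024 22:52:02.893385887 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:02.898292065 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:02.898360968 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:03.526715040 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:04.847810984 CET | 49732 | 443 | 192.168.2.4 | 195.201.57.90
Dec 31, 2024 22:52:04.847848892 CET | 443 | 49732 | 195.201.57.90 | 192.168.2.4
Dec 31, 2024 22:52:05.732301950 CET | 443 | 49732 | 195.201.57.90 | 192.168.2.4
Dec 31, 2024 22:52:06.062216043 CET | 49732 | 443 | 192.168.2.4 | 195.201.57.90
Dec 31, 2024 22:52:15.200728893 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
"""

# Constructed sample: the two Suricata alerts from the report, columns
# timestamp | sid | signature | severity | src IP | src port | dst IP | dst port | proto
ALERT_ROWS = """
2024-12-31T22:52:03.526715+0100 | 2027619 | ET MALWARE Observed Malicious SSL Cert (Quasar CnC) | 1 | 45.83.244.141 | 4782 | 192.168.2.4 | 49730 | TCP
2024-12-31T22:52:03.526715+0100 | 2035595 | ET MALWARE Generic AsyncRAT Style SSL Cert | 1 | 45.83.244.141 | 4782 | 192.168.2.4 | 49730 | TCP
"""

# Assumption of this example: server ports we do not flag as "non-standard" during triage.
STANDARD_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995}


@dataclass
class Flow:
    client: str
    client_port: int
    server: str
    server_port: int
    first: datetime
    last: datetime
    packets_out: int = 0          # client -> server
    packets_in: int = 0           # server -> client
    alert_sids: list = field(default_factory=list)

    @property
    def duration(self) -> float:
        return (self.last - self.first).total_seconds()

    @property
    def non_standard_port(self) -> bool:
        return self.server_port not in STANDARD_PORTS

    @property
    def endpoints(self) -> frozenset:
        return frozenset(((self.client, self.client_port), (self.server, self.server_port)))


def parse_timestamp(text: str) -> datetime:
    """'Dec 31, 2024 22:52:02.893385887 CET' -> datetime; zone dropped, %f takes 6 digits."""
    stamp, _zone = text.rsplit(" ", 1)
    head, frac = stamp.split(".")
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_rows(text: str):
    for line in text.strip().splitlines():
        yield [cell.strip() for cell in line.split("|")]


def build_flows(packet_text: str = PACKET_ROWS) -> list:
    """Group packets by unordered endpoint pair; the first packet's sender is the client."""
    flows = {}
    for ts, sport, dport, sip, dip in parse_rows(packet_text):
        when = parse_timestamp(ts)
        src, dst = (sip, int(sport)), (dip, int(dport))
        key = frozenset((src, dst))
        flow = flows.get(key)
        if flow is None:
            flow = flows[key] = Flow(src[0], src[1], dst[0], dst[1], when, when)
        flow.last = max(flow.last, when)
        if src == (flow.client, flow.client_port):
            flow.packets_out += 1
        else:
            flow.packets_in += 1
    return list(flows.values())


def attach_alerts(flows: list, alert_text: str = ALERT_ROWS) -> list:
    """Attach each alert's SID to the flow whose endpoint pair it names (either direction)."""
    for _ts, sid, _sig, _sev, sip, sport, dip, dport, _proto in parse_rows(alert_text):
        endpoints = frozenset(((sip, int(sport)), (dip, int(dport))))
        for flow in flows:
            if flow.endpoints == endpoints:
                flow.alert_sids.append(int(sid))
    return flows


def summarise(packet_text: str = PACKET_ROWS, alert_text: str = ALERT_ROWS) -> dict:
    """Map 'server:port' -> Flow, the per-destination view an analyst wants from the packet list."""
    return {f"{f.server}:{f.server_port}": f
            for f in attach_alerts(build_flows(packet_text), alert_text)}


if __name__ == "__main__":
    for name, flow in summarise().items():
        flag = "  <-- non-standard port" if flow.non_standard_port else ""
        print(f"{name:<20} out={flow.packets_out} in={flow.packets_in} "
              f"duration={flow.duration:.3f}s alerts={flow.alert_sids}{flag}")
```

On the sample rows the 45.83.244.141:4782 flow comes out with both SSL-certificate SIDs attached and the port flagged, while 195.201.57.90:443 is a short TLS exchange with no alert, which matches how the two destinations appear in the report. Direction is taken from the first packet of each endpoint pair, which is correct for a packet list that starts at the SYN; for a capture that begins mid-connection, prefer the side with the ephemeral port.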
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 31, 2024 22:52:02.893385887 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:02.898292065 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:02.898360968 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:02.908406973 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:02.913177013 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:03.517096043 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:03.517117023 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:03.517168999 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:03.521940947 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:03.526715040 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:03.712428093 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:03.760291100 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:04.847810984 CET | 49732 | 443 | 192.168.2.4 | 195.201.57.90
Dec 31, 2024 22:52:04.847848892 CET | 443 | 49732 | 195.201.57.90 | 192.168.2.4
Dec 31, 2024 22:52:04.847965956 CET | 49732 | 443 | 192.168.2.4 | 195.201.57.90
Dec 31, 2024 22:52:04.849366903 CET | 49732 | 443 | 192.168.2.4 | 195.201.57.90
Dec 31, 2024 22:52:04.849381924 CET | 443 | 49732 | 195.201.57.90 | 192.168.2.4
Dec 31, 2024 22:52:05.732301950 CET | 443 | 49732 | 195.201.57.90 | 192.168.2.4
Dec 31, 2024 22:52:05.732387066 CET | 49732 | 443 | 192.168.2.4 | 195.201.57.90
Dec 31, 2024 22:52:05.736659050 CET | 49732 | 443 | 192.168.2.4 | 195.201.57.90
Dec 31, 2024 22:52:05.736668110 CET | 443 | 49732 | 195.201.57.90 | 192.168.2.4
Dec 31, 2024 22:52:05.737019062 CET | 443 | 49732 | 195.201.57.90 | 192.168.2.4
Dec 31, 2024 22:52:05.764997959 CET | 49732 | 443 | 192.168.2.4 | 195.201.57.90
Dec 31, 2024 22:52:05.811340094 CET | 443 | 49732 | 195.201.57.90 | 192.168.2.4
Dec 31, 2024 22:52:05.959500074 CET | 443 | 49732 | 195.201.57.90 | 192.168.2.4
Dec 31, 2024 22:52:05.959688902 CET | 443 | 49732 | 195.201.57.90 | 192.168.2.4
Dec 31, 2024 22:52:05.959748030 CET | 49732 | 443 | 192.168.2.4 | 195.201.57.90
Dec 31, 2024 22:52:06.062216043 CET | 49732 | 443 | 192.168.2.4 | 195.201.57.90
Dec 31, 2024 22:52:06.390713930 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:06.495465994 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:06.495524883 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:06.500384092 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:06.799673080 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:06.854062080 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:06.944546938 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:06.994685888 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:11.618182898 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:11.666712046 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:11.751684904 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:11.757064104 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:11.761832952 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:11.761904001 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:11.766613007 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.467008114 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.510386944 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:12.610789061 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.666733027 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:12.710897923 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:12.710973978 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:12.715692043 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.715774059 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.715783119 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.715800047 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.715809107 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.715816975 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.715827942 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:12.715871096 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:12.715871096 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:12.716006994 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.716017008 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.716027975 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.716037989 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.716059923 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:12.716085911 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:12.720443964 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.720499992 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:12.720582962 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.720627069 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:12.720820904 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.720829964 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.720838070 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.720845938 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.720855951 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.720882893 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:12.720902920 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.720907927 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:12.720944881 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:12.720947027 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.720999002 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:12.721088886 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.721106052 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.721116066 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.721153975 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:12.721153975 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:12.725419044 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.725476027 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:12.725682020 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.725692987 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.725718021 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.725824118 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.725831985 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.725841045 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.725855112 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.725894928 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.725934982 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.725992918 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.726130009 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.726139069 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.726145983 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.726154089 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.726161003 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.726170063 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.726177931 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.726246119 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.726253986 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.726262093 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.726269960 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.726277113 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.730257988 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.730448008 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.730456114 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:12.730463982 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:13.100966930 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:13.151009083 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:13.236046076 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:13.258414984 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:13.263233900 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:13.265120983 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:13.269881964 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:13.578257084 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:13.635370970 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:13.711895943 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:13.742284060 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:13.747139931 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:13.749206066 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:13.753978014 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:14.063592911 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:14.104115963 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:14.204973936 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:14.229800940 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:14.229856968 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:14.234565973 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:14.234656096 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:14.234664917 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:14.234673023 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:14.234869957 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:14.234879971 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:14.234913111 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:14.234926939 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:14.508100986 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:14.557276964 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:14.642267942 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:14.681839943 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:14.681910038 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:14.686639071 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:14.686651945 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:14.686908007 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:15.071341991 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:15.119749069 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:15.173106909 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:15.195502043 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
Dec 31, 2024 22:52:15.200299978 CET | 4782 | 49730 | 45.83.244.141 | 192.168.2.4
Dec 31, 2024 22:52:15.200728893 CET | 49730 | 4782 | 192.168.2.4 | 45.83.244.141
                                      Dec 31, 2024 22:52:15.205461025 CET47824973045.83.244.141192.168.2.4
                                      Dec 31, 2024 22:52:15.513016939 CET47824973045.83.244.141192.168.2.4
                                      Dec 31, 2024 22:52:15.557429075 CET497304782192.168.2.445.83.244.141
                                      Dec 31, 2024 22:52:15.642462969 CET47824973045.83.244.141192.168.2.4
                                      Dec 31, 2024 22:52:15.679491997 CET497304782192.168.2.445.83.244.141
                                      Dec 31, 2024 22:52:15.684340954 CET47824973045.83.244.141192.168.2.4
                                      Dec 31, 2024 22:52:15.685296059 CET497304782192.168.2.445.83.244.141
                                      Dec 31, 2024 22:52:15.690102100 CET47824973045.83.244.141192.168.2.4
                                      Dec 31, 2024 22:52:15.993283033 CET47824973045.83.244.141192.168.2.4
                                      Dec 31, 2024 22:52:16.041641951 CET497304782192.168.2.445.83.244.141
                                      Dec 31, 2024 22:52:16.132765055 CET47824973045.83.244.141192.168.2.4
                                      Dec 31, 2024 22:52:16.163862944 CET497304782192.168.2.445.83.244.141
                                      Dec 31, 2024 22:52:16.168638945 CET47824973045.83.244.141192.168.2.4
                                      Dec 31, 2024 22:52:16.168796062 CET497304782192.168.2.445.83.244.141
                                      Dec 31, 2024 22:52:16.173568964 CET47824973045.83.244.141192.168.2.4
                                      Dec 31, 2024 22:52:16.481143951 CET47824973045.83.244.141192.168.2.4
                                      Dec 31, 2024 22:52:16.526025057 CET497304782192.168.2.445.83.244.141
                                      Dec 31, 2024 22:52:16.611346006 CET47824973045.83.244.141192.168.2.4
                                      Dec 31, 2024 22:52:16.649053097 CET497304782192.168.2.445.83.244.141
                                      Dec 31, 2024 22:52:16.653856039 CET47824973045.83.244.141192.168.2.4
                                      Dec 31, 2024 22:52:16.653906107 CET497304782192.168.2.445.83.244.141
                                      Dec 31, 2024 22:52:16.658688068 CET47824973045.83.244.141192.168.2.4
                                      Dec 31, 2024 22:52:20.424082041 CET4938653192.168.2.41.1.1.1
                                      Dec 31, 2024 22:52:20.428932905 CET53493861.1.1.1192.168.2.4
                                      Dec 31, 2024 22:52:20.429167032 CET4938653192.168.2.41.1.1.1
                                      Dec 31, 2024 22:52:20.434020996 CET53493861.1.1.1192.168.2.4
                                      Dec 31, 2024 22:52:20.892174006 CET4938653192.168.2.41.1.1.1
                                      Dec 31, 2024 22:52:20.897160053 CET53493861.1.1.1192.168.2.4
                                      Dec 31, 2024 22:52:20.897217989 CET4938653192.168.2.41.1.1.1
                                      Dec 31, 2024 22:52:41.666951895 CET497304782192.168.2.445.83.244.141
                                      Dec 31, 2024 22:52:41.671927929 CET47824973045.83.244.141192.168.2.4
                                      Dec 31, 2024 22:52:46.017940044 CET6471053192.168.2.4162.159.36.2
                                      Dec 31, 2024 22:52:46.022813082 CET5364710162.159.36.2192.168.2.4
                                      Dec 31, 2024 22:52:46.022878885 CET6471053192.168.2.4162.159.36.2
                                      Dec 31, 2024 22:52:46.027740955 CET5364710162.159.36.2192.168.2.4
                                      Dec 31, 2024 22:52:46.467163086 CET6471053192.168.2.4162.159.36.2
                                      Dec 31, 2024 22:52:46.472381115 CET5364710162.159.36.2192.168.2.4
                                      Dec 31, 2024 22:52:46.472425938 CET6471053192.168.2.4162.159.36.2
                                      Dec 31, 2024 22:53:06.682676077 CET497304782192.168.2.445.83.244.141
                                      Dec 31, 2024 22:53:06.688596010 CET47824973045.83.244.141192.168.2.4
                                      Dec 31, 2024 22:53:31.701692104 CET497304782192.168.2.445.83.244.141
                                      Dec 31, 2024 22:53:31.706463099 CET47824973045.83.244.141192.168.2.4
                                      Dec 31, 2024 22:53:56.725812912 CET497304782192.168.2.445.83.244.141
                                      Dec 31, 2024 22:53:56.730638027 CET47824973045.83.244.141192.168.2.4
                                      Dec 31, 2024 22:54:21.902059078 CET497304782192.168.2.445.83.244.141
                                      Dec 31, 2024 22:54:21.907120943 CET47824973045.83.244.141192.168.2.4
                                      Dec 31, 2024 22:54:46.995893955 CET497304782192.168.2.445.83.244.141
                                      Dec 31, 2024 22:54:47.000827074 CET47824973045.83.244.141192.168.2.4
                                      Dec 31, 2024 22:55:12.091320992 CET497304782192.168.2.445.83.244.141
                                      Dec 31, 2024 22:55:12.096213102 CET47824973045.83.244.141192.168.2.4
                                      Dec 31, 2024 22:55:37.156338930 CET497304782192.168.2.445.83.244.141
                                      Dec 31, 2024 22:55:37.161515951 CET47824973045.83.244.141192.168.2.4
                                      Dec 31, 2024 22:56:02.294630051 CET497304782192.168.2.445.83.244.141
                                      Dec 31, 2024 22:56:02.299577951 CET47824973045.83.244.141192.168.2.4
                                      Timestamp                          | Source Port | Dest Port | Source IP    | Dest IP
                                      Dec 31, 2024 22:52:04.836541891 CET | 55496       | 53        | 192.168.2.4  | 1.1.1.1
                                      Dec 31, 2024 22:52:04.843280077 CET | 53          | 55496     | 1.1.1.1      | 192.168.2.4
                                      Dec 31, 2024 22:52:20.423362017 CET | 53          | 52948     | 1.1.1.1      | 192.168.2.4
                                      Dec 31, 2024 22:52:46.017491102 CET | 53          | 64655     | 162.159.36.2 | 192.168.2.4
                                      Dec 31, 2024 22:52:46.490323067 CET | 53          | 54873     | 1.1.1.1      | 192.168.2.4
                                      Timestamp                          | Source IP   | Dest IP | Trans ID | OP Code            | Name     | Type           | Class       | DNS over HTTPS
                                      Dec 31, 2024 22:52:04.836541891 CET | 192.168.2.4 | 1.1.1.1 | 0x604e   | Standard query (0) | ipwho.is | A (IP address) | IN (0x0001) | false
                                      Timestamp                          | Source IP | Dest IP     | Trans ID | Reply Code   | Name                        | CName | Address         | Type           | Class       | DNS over HTTPS
                                      Dec 31, 2024 22:52:04.843280077 CET | 1.1.1.1   | 192.168.2.4 | 0x604e   | No error (0) | ipwho.is                    |       | 195.201.57.90   | A (IP address) | IN (0x0001) | false
                                      Dec 31, 2024 22:52:18.024806023 CET | 1.1.1.1   | 192.168.2.4 | 0x8bc7   | No error (0) | bg.microsoft.map.fastly.net |       | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                                      Dec 31, 2024 22:52:18.024806023 CET | 1.1.1.1   | 192.168.2.4 | 0x8bc7   | No error (0) | bg.microsoft.map.fastly.net |       | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                                      • ipwho.is
                                      Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                      0          | 192.168.2.4 | 49732       | 195.201.57.90  | 443              | 7112 | C:\Users\user\Desktop\YJaaZuNHwI.exe
                                      Timestamp               | Bytes transferred | Direction | Data
                                      2024-12-31 21:52:05 UTC | 150               | OUT       | GET / HTTP/1.1
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
                                      Host: ipwho.is
                                      Connection: Keep-Alive
                                      2024-12-31 21:52:05 UTC | 223               | IN        | HTTP/1.1 200 OK
                                      Date: Tue, 31 Dec 2024 21:52:05 GMT
                                      Content-Type: application/json; charset=utf-8
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Server: ipwhois
                                      Access-Control-Allow-Headers: *
                                      X-Robots-Tag: noindex
                                      2024-12-31 21:52:05 UTC | 1021              | IN        | Data Ascii: 3f1{ "About Us": "https:\/\/ipwhois.io", "ip": "8.46.123.189", "success": true, "type": "IPv4", "continent": "North America", "continent_code": "NA", "country": "United States", "country_code": "US", "region": "New Yo


                                      Target ID:0
                                      Start time:16:51:59
                                      Start date:31/12/2024
                                      Path:C:\Users\user\Desktop\YJaaZuNHwI.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\Desktop\YJaaZuNHwI.exe"
                                      Imagebase:0xe90000
                                      File size:3'268'096 bytes
                                      MD5 hash:44037F6C2FED815DA4C59B50479561F5
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.4117077448.00000000038CB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.1664162584.0000000000E92000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:false


                                        Execution Graph

                                        Execution Coverage:6.4%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:0%
                                        Total number of Nodes:6
                                        Total number of Limit Nodes:0
                                        execution_graph:
                                        7ffd9bafe493 -> 7ffd9bafe4a4 [SetWindowsHookExW] -> 7ffd9bafe4e6
                                        7ffd9b883579 -> 7ffd9b883581 [DeleteFileW] -> 7ffd9b883626
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4128882400.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9bc10000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: W
                                        • API String ID: 0-655174618
                                        • Opcode ID: 46a915c2f7e21be595027e38c0a45861a5625fc8cb04f6f1d5290781db2210e4
                                        • Instruction ID: 2b1e0ab35f4131c5d907859f127c95f6e5fff2028fe1c1fa3c64fad968435cfe
                                        • Opcode Fuzzy Hash: 46a915c2f7e21be595027e38c0a45861a5625fc8cb04f6f1d5290781db2210e4
                                        • Instruction Fuzzy Hash: 1A83D212B1AE4E0BF7B9D67C04B523D16C2EFD9750B5A51BAD06ED32E6ED28ED024340

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4128326288.00007FFD9BAF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9baf0000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: i&_H$n&_L
                                        • API String ID: 0-2390173273
                                        • Opcode ID: d231f8ee36d003c5fa064ae37eb24474e354aa19ad537df1cd290a1ef88d1add
                                        • Instruction ID: 8554bc7bdc020db827b7811efb7130b4860bc778a243b3e59153480f0229f64d
                                        • Opcode Fuzzy Hash: d231f8ee36d003c5fa064ae37eb24474e354aa19ad537df1cd290a1ef88d1add
                                        • Instruction Fuzzy Hash: 1842CF31B19A498FEBB8EB588465679B3E1FF58304F41057DD48EC32E6DE38B9428781

                                        Control-flow Graph

                                        control_flow_graph 1675 7ffd9bb010f5-7ffd9bb01126
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4128326288.00007FFD9BAF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9baf0000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 2'_^$3'_^
                                        • API String ID: 0-2890519786
                                        • Opcode ID: 227175a00a538eddd5694558e02770c55c06639b90dabdf1ce8c5a96f4c5b53c
                                        • Instruction ID: 04a81cee6a2af34ecba37b7d579b07a7f706bbaefc845d33a4e733594c4ad6db
                                        • Opcode Fuzzy Hash: 227175a00a538eddd5694558e02770c55c06639b90dabdf1ce8c5a96f4c5b53c
                                        • Instruction Fuzzy Hash: 2D513433B0C6258BD72DBA7CB8A55E977D0EF85339B08417BE199CB1D7DD2814468384

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4128326288.00007FFD9BAF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9baf0000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 6&_H
                                        • API String ID: 0-2380319242
                                        • Opcode ID: c08d90055d9d565f09bf78e35ce31fd0489b3b71a4c2977384cb7c2ea619e9ee
                                        • Instruction ID: f7dcd121ba00b8efc1216344b23f18938d6a7abc9bef36cc2ae193f98ee0c0b5
                                        • Opcode Fuzzy Hash: c08d90055d9d565f09bf78e35ce31fd0489b3b71a4c2977384cb7c2ea619e9ee
                                        • Instruction Fuzzy Hash: 2B72A031B19A4A8FEB98DF1C88A56B973E1FF98304F150179E49AC72D6DE34AC42C741
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4128326288.00007FFD9BAF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9baf0000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9a13e28fe9db4a0b6f85e1569a0ae738ecd2b171129455e87a5eea681e658951
                                        • Instruction ID: 50f896091d5be2559c629c79e4b220255892aee9781a0225758aeefcba7b1f6e
                                        • Opcode Fuzzy Hash: 9a13e28fe9db4a0b6f85e1569a0ae738ecd2b171129455e87a5eea681e658951
                                        • Instruction Fuzzy Hash: D0B2C670B19A0D8FDFA8DF58C8A4BA97BE2FF58300F1541A9D04ED7296DA34E941CB40
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4128326288.00007FFD9BAF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9baf0000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 2'_^
                                        • API String ID: 0-4153705019
                                        • Opcode ID: 31a2d8593168c7c2672ea020e2695ddc22a9c1429bb6b94db6e3dc28edad01ee
                                        • Instruction ID: 4019601c29136001b2846781cdefb93d46f7cb04a74abaf4bc833449c7d2c5cb
                                        • Opcode Fuzzy Hash: 31a2d8593168c7c2672ea020e2695ddc22a9c1429bb6b94db6e3dc28edad01ee
                                        • Instruction Fuzzy Hash: 48411932B0C6294BD76DAA7CB4655FA77D0EF85325B04017FE19AC7292DE2458468380
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4128326288.00007FFD9BAF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9baf0000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 06d151f918369b47bbc8b948c6117749e77bc4172021b2575da83181012381fb
                                        • Instruction ID: dedee058822d5e22553a0c0ee2084c1f0ed388788a677856193aee143c670e34
                                        • Opcode Fuzzy Hash: 06d151f918369b47bbc8b948c6117749e77bc4172021b2575da83181012381fb
                                        • Instruction Fuzzy Hash: BC522831B1DA0D4FEBA8EB5CD465AF537E1EF58350B0501BAE44EC72A6DE28EC428741
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4128326288.00007FFD9BAF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9baf0000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d2f4fb8b0d301a361f9d9ed8b381e646068b21c74ca02ab10396acb35aa9f79d
                                        • Instruction ID: 46a8cd89aaf5f00a8ec87a340ef87161c39089ed0cb7f34b58808d1fdb676e6f
                                        • Opcode Fuzzy Hash: d2f4fb8b0d301a361f9d9ed8b381e646068b21c74ca02ab10396acb35aa9f79d
                                        • Instruction Fuzzy Hash: 15529530708A4D8FEBA8EB2CC464BA97BE1FF99304F5545B9E04DC72A6DE74E8418741
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4128326288.00007FFD9BAF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9baf0000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3648a0b01ad76c1e936095fd7dd27cfbd21a5e5b144db809c7ba1268847f8537
                                        • Instruction ID: 6593324821522c097d1b26b6ba8ab848933794a69825410b2ad4ee80629f74ae
                                        • Opcode Fuzzy Hash: 3648a0b01ad76c1e936095fd7dd27cfbd21a5e5b144db809c7ba1268847f8537
                                        • Instruction Fuzzy Hash: 07527C30B18A4D8FDBA4EF68C8957A9BBE1FF98300F1541B9D44ED32A5DB74A941CB40
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4128326288.00007FFD9BAF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9baf0000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 999333f2c13ac899d9ba7c2eb08c60f6d8c75ca600096d3c8cfe90c9e87b2a06
                                        • Instruction ID: b2004f1e56aed256e2dfc3951c19ffb7c2dc7e876b2572eb4655d1f8f70dd02d
                                        • Opcode Fuzzy Hash: 999333f2c13ac899d9ba7c2eb08c60f6d8c75ca600096d3c8cfe90c9e87b2a06
                                        • Instruction Fuzzy Hash: 60229230B09A0D4FEBA8EB5984A97B977E2FF98300F11417DD44ED32A2DE74E9468741
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4128326288.00007FFD9BAF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9baf0000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 611b1d78b5b20c2f085de9b77ce990a06f80d2903ca47beb67d4c6f815136db7
                                        • Instruction ID: e38285244cfdc8f898c0d50f009542327f3aacf7e928055149c2f0223e52841d
                                        • Opcode Fuzzy Hash: 611b1d78b5b20c2f085de9b77ce990a06f80d2903ca47beb67d4c6f815136db7
                                        • Instruction Fuzzy Hash: C7F1B531609A8D4FEBA8DF28C865BF977D1FF54314F14426AE84DC72D5CB34A9418B82
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4128326288.00007FFD9BAF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9baf0000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fc6b06f0d665787b8407cd18586629086bc65b80cd30ff1b96eae0a12e8b7450
                                        • Instruction ID: 45df56ae543f7ba5b3cd4dc47ca9dc9f8bb561160bb65e84ced4c5aa2cb9ccd2
                                        • Opcode Fuzzy Hash: fc6b06f0d665787b8407cd18586629086bc65b80cd30ff1b96eae0a12e8b7450
                                        • Instruction Fuzzy Hash: CDE19230A19A4D8FEBA8DF28D8557F977D1FF58310F10426AE84DC7299DF74AA408B81
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4128326288.00007FFD9BAF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9baf0000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2ddf632b0e59ac2c6c2c09b790fbf3726bb723cf50441df674c6f97d15860ae9
                                        • Instruction ID: e61579a828f9e510efc431a973eaaf79e232cf4b603de1d79e51849b5d989a44
                                        • Opcode Fuzzy Hash: 2ddf632b0e59ac2c6c2c09b790fbf3726bb723cf50441df674c6f97d15860ae9
                                        • Instruction Fuzzy Hash: 3AB1D431B1DA0D4FEB68EB6C9865AB977D1FF59314F01417AE04EC32E6DE24AC428781

                                        Control-flow Graph

                                        control_flow_graph 2263 7ffd9b883535-7ffd9b88353f 2264 7ffd9b883581-7ffd9b8835e8 2263->2264 2265 7ffd9b883541-7ffd9b883572 2263->2265 2271 7ffd9b8835f2-7ffd9b883624 DeleteFileW 2264->2271 2272 7ffd9b8835ea-7ffd9b8835ef 2264->2272 2265->2264 2273 7ffd9b88362c-7ffd9b88365a 2271->2273 2274 7ffd9b883626 2271->2274 2272->2271 2274->2273
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4126510601.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9b880000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID: DeleteFile
                                        • String ID:
                                        • API String ID: 4033686569-0
                                        • Opcode ID: 9c891f96778fd628e4219696dd57e6846f15c70716c4d902bd9f9a81fd3330c1
                                        • Instruction ID: cf4f8641df0a21d599b2bb1b1604152f2a767c8e4c49fd8532eddcea56aba5d5
                                        • Opcode Fuzzy Hash: 9c891f96778fd628e4219696dd57e6846f15c70716c4d902bd9f9a81fd3330c1
                                        • Instruction Fuzzy Hash: 9B41253190DB8C8FDB19DB6888196F97FF0FF5A320F0442AFD049C71A2DA24A909C781

                                        Control-flow Graph

                                        control_flow_graph 2276 7ffd9b883579-7ffd9b8835e8 2281 7ffd9b8835f2-7ffd9b883624 DeleteFileW 2276->2281 2282 7ffd9b8835ea-7ffd9b8835ef 2276->2282 2283 7ffd9b88362c-7ffd9b88365a 2281->2283 2284 7ffd9b883626 2281->2284 2282->2281 2284->2283
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4126510601.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9b880000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID: DeleteFile
                                        • String ID:
                                        • API String ID: 4033686569-0
                                        • Opcode ID: e55c3230122af5e15c05f1d16c3da9f584d16677e9d63e5397fb968bed479770
                                        • Instruction ID: cc5bc714e2c75b9ee3c4cff93ffcda58733c9fc3ad056204d626d7c4aea7df5d
                                        • Opcode Fuzzy Hash: e55c3230122af5e15c05f1d16c3da9f584d16677e9d63e5397fb968bed479770
                                        • Instruction Fuzzy Hash: 6531C17190CB5C8FDB59DB589859AF9BBF0FF66320F04426BD049D3292DB34A8068B81

                                        Control-flow Graph

                                        control_flow_graph 2286 7ffd9bafe493-7ffd9bafe4e4 SetWindowsHookExW 2288 7ffd9bafe4ec-7ffd9bafe525 2286->2288 2289 7ffd9bafe4e6 2286->2289 2289->2288
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4128326288.00007FFD9BAF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9baf0000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID: HookWindows
                                        • String ID:
                                        • API String ID: 2559412058-0
                                        • Opcode ID: 523ea44c3378b271e3dc1fb0e78984398ffb8c74a588a3987b82d7c86242973e
                                        • Instruction ID: f1eb57ce928b9b76d4593fcdfefd3177904a82b8c3fcd31171ce0c098a458cbe
                                        • Opcode Fuzzy Hash: 523ea44c3378b271e3dc1fb0e78984398ffb8c74a588a3987b82d7c86242973e
                                        • Instruction Fuzzy Hash: DE119D3161CA0C4FDB18EF9CE4415A8B7E0FB59325F10427EE00983192DB34A4568BC5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4128882400.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9bc10000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: W
                                        • API String ID: 0-655174618
                                        • Opcode ID: 48d622d4ed1626c35dd4bceba9a33bb01884cb29359c65d8bbf2c1aecdd50259
                                        • Instruction ID: 3c2e7b92ad0b96c0cb53cfc89ff6e9f6e20fce98a8f56441849f7ed7342cb5bd
                                        • Opcode Fuzzy Hash: 48d622d4ed1626c35dd4bceba9a33bb01884cb29359c65d8bbf2c1aecdd50259
                                        • Instruction Fuzzy Hash: C641E611B1FB8A0BE76297B848B52796BE6EF95700F0A50BAD04CC72E3DD18ED058381
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4128882400.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9bc10000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: A
                                        • API String ID: 0-3554254475
                                        • Opcode ID: b8ddc421eccf4e37d716b6f2496b7f89285f9a849e3374615e36321b4afbc26c
                                        • Instruction ID: c2f61e1f9318b0e5881a2195afb6239acc5ab1107db3db64ede0eb41c581b229
                                        • Opcode Fuzzy Hash: b8ddc421eccf4e37d716b6f2496b7f89285f9a849e3374615e36321b4afbc26c
                                        • Instruction Fuzzy Hash: 4131083170DA4D0FD768D62C9869B7537D1EB56320F0502BFD44EC72E3DA58AD428380
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4128882400.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9bc10000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: H
                                        • API String ID: 0-2852464175
                                        • Opcode ID: e7626ce09b3670344c5cbef116517bd804540741ec0c1a81ad3ab81f2155e884
                                        • Instruction ID: 2ce9d1dfe4a902be8cac3a0a8d081f4b76cce6494b8a07498885ac3861e56fde
                                        • Opcode Fuzzy Hash: e7626ce09b3670344c5cbef116517bd804540741ec0c1a81ad3ab81f2155e884
                                        • Instruction Fuzzy Hash: E121D612B1EE4E0BF7B9A27C14B527856C2EF88740B9A11BAD01DD72E6ED29FD024300
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4128882400.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9bc10000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bdb42ed8cbe4aca0a8308bc034376153e107fe74792c9d484162cbd503a9bf2d
                                        • Instruction ID: b97144f0842a7c3e28e1e8c242ee3f42b7a9220bba23e0960c274a8a51864e6e
                                        • Opcode Fuzzy Hash: bdb42ed8cbe4aca0a8308bc034376153e107fe74792c9d484162cbd503a9bf2d
                                        • Instruction Fuzzy Hash: BA818E14B2AE5E0BE6A5ABEC84B637963D2FF99700F56507AD10CC72E7CE18ED018341
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4126183413.00007FFD9B76D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9b76d000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e6d3ccfa1aa9989eb49d3fe0b1a74fcc41f4c098ee7333f75f443239f8c5b696
                                        • Instruction ID: 2db9f741673340004ce68a5f1a93ca29978aac6b670829453e02f1be9b23cd83
                                        • Opcode Fuzzy Hash: e6d3ccfa1aa9989eb49d3fe0b1a74fcc41f4c098ee7333f75f443239f8c5b696
                                        • Instruction Fuzzy Hash: 0941E33150EBC48FD756CB28D8959523FF0EF56320B1906DFD088CB1A7D629AC46CBA2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4128882400.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9bc10000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9c17a6381a7c5b30fd5a84b4c9c90725e9e3f32ee55c67da75f4b9b8c9c6e312
                                        • Instruction ID: c871d34c72fb0580bb2bae5cd3ca74e22d5727bc5a517e8da972d7aa23a3623a
                                        • Opcode Fuzzy Hash: 9c17a6381a7c5b30fd5a84b4c9c90725e9e3f32ee55c67da75f4b9b8c9c6e312
                                        • Instruction Fuzzy Hash: 3331F962B1EA890FE798967C582667877C1EB65B10F0511BED49DC32E2DD18A8428382
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4128882400.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9bc10000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2ead717e8a3b0fa80276be24f127fa38298405036889dac6b79da13cfa16aa89
                                        • Instruction ID: f6d0de77f4e4e7e5b40b97a63a784eb4cdf30b5e8592449bc506030d7e85e12f
                                        • Opcode Fuzzy Hash: 2ead717e8a3b0fa80276be24f127fa38298405036889dac6b79da13cfa16aa89
                                        • Instruction Fuzzy Hash: F831E422B1EA890FE7A8DA7C5836678B7D1EB55710F1401BED09ED32E3DD19A8428342
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4128882400.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9bc10000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0b4732709f1df5c872ade85cf6cfc551b2c799959ed76cd45b0a4a8da5335d1a
                                        • Instruction ID: 5a49f85435001d490d7b79d702b742597df73518411e84c194ff686e9a3eed33
                                        • Opcode Fuzzy Hash: 0b4732709f1df5c872ade85cf6cfc551b2c799959ed76cd45b0a4a8da5335d1a
                                        • Instruction Fuzzy Hash: E531C162F1FE0F0AE6BAD6B804B117C0292FF94390B565479C85DD72E6EE1CFA024241
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4128882400.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9bc10000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 962d74a32022a54de2895ae0ad797c42ad49b90334a91b5a48d1062a02f3afbc
                                        • Instruction ID: 7f3cb1f57153dd89a24b27167d4607914b9437db8b471f329c9b06a0d65b59cb
                                        • Opcode Fuzzy Hash: 962d74a32022a54de2895ae0ad797c42ad49b90334a91b5a48d1062a02f3afbc
                                        • Instruction Fuzzy Hash: 31210B12B1AE0E0BE7B9D6BC146523C52C2DFD875475A517AD01EC72E6ED24EC024340
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4128882400.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9bc10000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c42d945e381c499b211b44cb870043a8bda4f2658496f42d81ed4f1073edeb01
                                        • Instruction ID: 75fb87922f290e023acf020fe68c3798b39173827ab2bfd1e2d0cdaa292df5e4
                                        • Opcode Fuzzy Hash: c42d945e381c499b211b44cb870043a8bda4f2658496f42d81ed4f1073edeb01
                                        • Instruction Fuzzy Hash: 7921D516B1AE4E0BE7B9937C186527856C2EFD8750B9A017AD01DD33E6ED29ED424340
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4128882400.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9bc10000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5efbcb39d73ffa0e8315ba64c54f75d74d2204854f52d14d32b23a32798a09ba
                                        • Instruction ID: 6eacced684687c4f9f8d07b1c397285d2f0a15e5afb1ebed1f3fded2360a702b
                                        • Opcode Fuzzy Hash: 5efbcb39d73ffa0e8315ba64c54f75d74d2204854f52d14d32b23a32798a09ba
                                        • Instruction Fuzzy Hash: 5B21D412B1EE4E0BF7BAA27C08B517816C2EFC8750B5A10BAD01DC33E6ED28ED024341
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4128882400.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9bc10000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dae320a239c0f7d96783f73bc9a0416dabd8824edd35292989f7e82991acc30d
                                        • Instruction ID: 9289cb68fcd9a9bf7a3083453dafc8d742a031fabb1dee981629a56e653fcd4c
                                        • Opcode Fuzzy Hash: dae320a239c0f7d96783f73bc9a0416dabd8824edd35292989f7e82991acc30d
                                        • Instruction Fuzzy Hash: A421D611B1AE4E0BF7B9E27C147523866C2DFD8754B9A517AD01ED32E6ED29FD024340
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4128882400.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9bc10000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2c2a6184af71c30acece644b19e2f6faf982345a6a9689efffad198187f9610e
                                        • Instruction ID: c954b7fec6b02cd1a246442f5d0592006f71b52db170bb8ef4272520c77e73c4
                                        • Opcode Fuzzy Hash: 2c2a6184af71c30acece644b19e2f6faf982345a6a9689efffad198187f9610e
                                        • Instruction Fuzzy Hash: 6221D812B1AE4E0BF7B992BC14B563816C2EFD8740B5A51BAD01DD72E6ED28FD024381
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4128882400.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9bc10000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: def34244e2bbfdace8d6387799f1103f8b12f1341f2bd17f429fac008c671675
                                        • Instruction ID: 2513f1aad3dfca8450256aef89723ef5357ad0f8f25a0ebc782fd09ab647c03e
                                        • Opcode Fuzzy Hash: def34244e2bbfdace8d6387799f1103f8b12f1341f2bd17f429fac008c671675
                                        • Instruction Fuzzy Hash: 9521D212B1EE4E0BF7B9A67C04B513856C2DFD9740B9A51BAD01DD72AAED28ED020341
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4128882400.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9bc10000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 83a7b4cca0560ef5c6f82a80453f6697638b63f6a9193d81c148bf90ddd26dcd
                                        • Instruction ID: bc5eebb32854ef8eea18bfeaf2b2c52e98cd45e524478f2993231c8e1786d8df
                                        • Opcode Fuzzy Hash: 83a7b4cca0560ef5c6f82a80453f6697638b63f6a9193d81c148bf90ddd26dcd
                                        • Instruction Fuzzy Hash: A121B611B1AE4E0BE7B9E6BC146523C66C2DFD8750B5A11BBD01DD32EAED29ED424340
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4128882400.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9bc10000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 024fc408169b873bec77d36a93eaf1c76cf11e25f23a07951bf6fee55b867426
                                        • Instruction ID: 94d31e18338b6027bfaede8ce68885e2c4613a4bcff97bb023ae0101a8821aed
                                        • Opcode Fuzzy Hash: 024fc408169b873bec77d36a93eaf1c76cf11e25f23a07951bf6fee55b867426
                                        • Instruction Fuzzy Hash: 0321D611B1AE0E0BF7B9E67C146523856C2EFD8750B9A11BAD42DC73E7ED29ED024340
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4128882400.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9bc10000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7f7182073045cc9c5a74471356b51b68423739d64f350ae47e19bbbed7e89943
                                        • Instruction ID: 0220b7c183f6c3954fda3c06fca784d37a9d5d8c028c94f0671282dea14b1f72
                                        • Opcode Fuzzy Hash: 7f7182073045cc9c5a74471356b51b68423739d64f350ae47e19bbbed7e89943
                                        • Instruction Fuzzy Hash: CD21A411B1AE0E0BE7B9D27C18A523C56C3EFC8750B9A11BAD41ED33A6ED29ED024341
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4128882400.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9bc10000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: be3d740119ba6e6b598633e82e72ed4e6f268f3ff55bea6e37e1b4277c517f54
                                        • Instruction ID: 9fc3fc262364c85fd17a67ae2cd9aa3177db6a3829a509b6f4e84462dcec61ce
                                        • Opcode Fuzzy Hash: be3d740119ba6e6b598633e82e72ed4e6f268f3ff55bea6e37e1b4277c517f54
                                        • Instruction Fuzzy Hash: D621F811B1AE4E0BF7B9E27C14A523966D2EFD8750B5A11BAD41EC33E6ED28ED024341
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4128882400.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9bc10000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 642177b6911dfa6cad100471a5878f8a3e5d0f09020f5b9f268c3f0a4c5bfe5c
                                        • Instruction ID: acd0ba18f0735d7d2327c49ea2a161c1ef5e48c2d6e67d0fd92ec7bc381a66e6
                                        • Opcode Fuzzy Hash: 642177b6911dfa6cad100471a5878f8a3e5d0f09020f5b9f268c3f0a4c5bfe5c
                                        • Instruction Fuzzy Hash: D021B311B1AE0E0BE7B9E27C14B523C66C2EF99750B5A51BED41DC33EAED29ED024341
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4128882400.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9bc10000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ea8ab755092c8a0359fc179b4abe6a65493b33a72418f3a01b6236964ca26270
                                        • Instruction ID: a61ac12446e5805e965a3dd8ed6269e93fe18a206ae52cc1ae7ae2c6b2227bc2
                                        • Opcode Fuzzy Hash: ea8ab755092c8a0359fc179b4abe6a65493b33a72418f3a01b6236964ca26270
                                        • Instruction Fuzzy Hash: B521F811B1EE0E0BF7BAE37C146523856C2EFC8750B5A11BAD01EC32E6ED28ED024340
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4128882400.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9bc10000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6ffc2b129c0812e4febe822a2c7dbfc6a86eb1dedf765ee01c1d638663d8317e
                                        • Instruction ID: a056967d3682375ecba0f489ba3524712d7c8d4f6aa3c107be61f2fa6e9871fd
                                        • Opcode Fuzzy Hash: 6ffc2b129c0812e4febe822a2c7dbfc6a86eb1dedf765ee01c1d638663d8317e
                                        • Instruction Fuzzy Hash: 4921D416B1AE4E0BE3B9D2AC187123A51C3EFC8750B5A51BAD41EC73A6ED28ED424341
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4128882400.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9bc10000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8ac309460ed6a7c7219a3ecff9b04a8651c490850e515d28bc8bb5aa92c1edd3
                                        • Instruction ID: b5ab6b093b7a3833e2d8f8e4dd92fb8256e38cac5d14116aeac8b4aa6a924b20
                                        • Opcode Fuzzy Hash: 8ac309460ed6a7c7219a3ecff9b04a8651c490850e515d28bc8bb5aa92c1edd3
                                        • Instruction Fuzzy Hash: 14119311B1AE4E0BE7A9E67C146023856D2DF89221B5A11BAD42DD73E6ED29E9024301
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4128882400.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9bc10000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ca57e5ebba276daba621a900973d99487f0f8d33b275bbc64aeede29f80a0209
                                        • Instruction ID: d82081a8beaf3691e4fd3b479aa638eff98e20a4783f2f16ffc1b2fc47168e5f
                                        • Opcode Fuzzy Hash: ca57e5ebba276daba621a900973d99487f0f8d33b275bbc64aeede29f80a0209
                                        • Instruction Fuzzy Hash: 7311E621B1EE4E0BF7BAD27C04B013866C2DFC9714B5A51BAD45DD32E6FE29E8024300
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4128882400.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9bc10000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f5b1c96c42dafe3bbdd35a6ada3ff5358fb8b6703f509eb586d0ab4ee8258101
                                        • Instruction ID: c85adedf31709d5ade64e7bd775572dec90c9a2b64701ecb0eb969a16f9fd6e0
                                        • Opcode Fuzzy Hash: f5b1c96c42dafe3bbdd35a6ada3ff5358fb8b6703f509eb586d0ab4ee8258101
                                        • Instruction Fuzzy Hash: 13118611B1AE4E0BE7BAD27C147023856C2DF89750B9A11BAD45DD73E6ED29E9024301
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4128882400.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9bc10000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 393ad1aa846a391610029a7709a7fe10947cda87825c1778962a7fec6e983345
                                        • Instruction ID: 2df2ae0b06b52b9d4f9112348eda396a19849ff69881dcd0ce109e6ea8cd6b4a
                                        • Opcode Fuzzy Hash: 393ad1aa846a391610029a7709a7fe10947cda87825c1778962a7fec6e983345
                                        • Instruction Fuzzy Hash: 8111C812B1AE4E0BF7BAD27C147013866C2DF89750B5A11BAD45ED73E6EE29ED024300
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4128882400.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9bc10000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3aa53ecb0dc11d8882e03a5eae7dfa6aba28d1efeaa5b23b816155302994d3ed
                                        • Instruction ID: f9a8001de54fa66fe88a49cc386cfa064e7f8ec872a56a41eca2814a9b1e32ef
                                        • Opcode Fuzzy Hash: 3aa53ecb0dc11d8882e03a5eae7dfa6aba28d1efeaa5b23b816155302994d3ed
                                        • Instruction Fuzzy Hash: 6FD0C92572B91A07F224A6DCA8623F8B286CB8C714F511177E459C63E6C89E6DC142D2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4128326288.00007FFD9BAF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9baf0000_YJaaZuNHwI.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: /(_^
                                        • API String ID: 0-1589332548
                                        • Opcode ID: 4e60bbb1ad4d56efd0b14746f54e9e7470fd2565f94b7658aa481b2e02cb8a8b
                                        • Instruction ID: 40a096e5a4c6b1c87f397a6f47d45e36c011d43f20f4da24159b6e074ad3ab56
                                        • Opcode Fuzzy Hash: 4e60bbb1ad4d56efd0b14746f54e9e7470fd2565f94b7658aa481b2e02cb8a8b
                                        • Instruction Fuzzy Hash: 7D428F46A0E3E65AE71B77B879B94E53F60CF0222C71C02F7E0DD8A4D7EC48614B9295