
Windows Analysis Report
kthiokadjg.exe

Overview

General Information

Sample name: kthiokadjg.exe
Analysis ID: 1583704
MD5: cc5e91e1a0c3ca5edf2bdba7fa252827
SHA1: 004ba0788113ebb3bce8eaf63fa53c70caa91079
SHA256: 30efa81a5d0d9bf04a00b4e30823c2f0c7bd6461383acf0195d857edf2162543
Tags: exe, QuasarRAT, user-lontze7

Detection

Blackshades
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Blackshades RAT
Yara detected RansomwareGeneric
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to disable the Task Manager (.Net Source)
Deletes shadow drive data (may be related to ransomware)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May check the online IP address of the machine
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Yara signature match

Classification

  • System is w10x64
  • kthiokadjg.exe (PID: 7312 cmdline: "C:\Users\user\Desktop\kthiokadjg.exe" MD5: CC5E91E1A0C3CA5EDF2BDBA7FA252827)
    • schtasks.exe (PID: 7392 cmdline: "schtasks" /create /tn "NET framework" /sc ONLOGON /tr "C:\Users\user\Desktop\kthiokadjg.exe" /rl HIGHEST /f MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • kthiokadjg.exe (PID: 7468 cmdline: C:\Users\user\Desktop\kthiokadjg.exe MD5: CC5E91E1A0C3CA5EDF2BDBA7FA252827)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
kthiokadjg.exe | JoeSecurity_Blackshades | Yara detected Blackshades RAT | Joe Security
kthiokadjg.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
kthiokadjg.exe | Windows_Trojan_Quasarrat_e52df647 | unknown | unknown
  • 0x3697a:$a1: GetKeyloggerLogsResponse
  • 0x360e5:$a2: DoDownloadAndExecute
  • 0x411ca:$a3: http://api.ipify.org/
  • 0x3ed41:$a4: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7}
  • 0x4008f:$a5: " /sc ONLOGON /tr "
kthiokadjg.exe | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x35ed7:$s1: DoUploadAndExecute
  • 0x360e5:$s2: DoDownloadAndExecute
  • 0x35cdb:$s3: DoShellExecute
  • 0x360aa:$s4: set_Processname
  • 0x6bc8:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x6aec:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x7552:$op3: 00 04 03 69 91 1B 40
  • 0x7da2:$op3: 00 04 03 69 91 1B 40
kthiokadjg.exe | Quasar_RAT_2 | Detects Quasar RAT | Florian Roth
  • 0x3697a:$x1: GetKeyloggerLogsResponse
  • 0x36bba:$s1: DoShellExecuteResponse
  • 0x36533:$s2: GetPasswordsResponse
  • 0x36a8d:$s3: GetStartupItemsResponse
  • 0x35eeb:$s5: RunHidden
  • 0x35f09:$s5: RunHidden
  • 0x35f17:$s5: RunHidden
  • 0x35f2b:$s5: RunHidden
(8 further rule matches not shown in this export)
Source | Rule | Description | Author | Strings
00000000.00000000.1653146683.00000000003C2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Blackshades | Yara detected Blackshades RAT | Joe Security
00000000.00000000.1653146683.00000000003C2000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_Quasarrat_e52df647 | unknown | unknown
  • 0x3677a:$a1: GetKeyloggerLogsResponse
  • 0x35ee5:$a2: DoDownloadAndExecute
  • 0x40fca:$a3: http://api.ipify.org/
  • 0x3eb41:$a4: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7}
  • 0x3fe8f:$a5: " /sc ONLOGON /tr "
00000000.00000000.1653146683.00000000003C2000.00000002.00000001.01000000.00000003.sdmp | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x35cd7:$s1: DoUploadAndExecute
  • 0x35ee5:$s2: DoDownloadAndExecute
  • 0x35adb:$s3: DoShellExecute
  • 0x35eaa:$s4: set_Processname
  • 0x69c8:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x68ec:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x7352:$op3: 00 04 03 69 91 1B 40
  • 0x7ba2:$op3: 00 04 03 69 91 1B 40
00000000.00000000.1653146683.00000000003C2000.00000002.00000001.01000000.00000003.sdmp | implant_win_quasarrat | Detect QuasarRAT (reted from samples 2023-03) | Sekoia.io
  • 0x3ffd2:$: 63 00 68 00 63 00 70 00 20 00 36 00 35 00 30 00 30 00 31 00
  • 0x40117:$: 63 00 68 00 63 00 70 00 20 00 36 00 35 00 30 00 30 00 31 00
  • 0x3ffea:$: 65 00 63 00 68 00 6F 00 20 00 44 00 4F 00 4E 00 54 00 20 00 43 00 4C 00 4F 00 53 00 45 00 20 00 54 00 48 00 49 00 53 00 20 00 57 00 49 00 4E 00 44 00 4F 00 57 00 21 00
  • 0x4012f:$: 65 00 63 00 68 00 6F 00 20 00 44 00 4F 00 4E 00 54 00 20 00 43 00 4C 00 4F 00 53 00 45 00 20 00 54 00 48 00 49 00 53 00 20 00 57 00 49 00 4E 00 44 00 4F 00 57 00 21 00
  • 0x40026:$: 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00
  • 0x4016b:$: 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00
  • 0x4005e:$: 64 00 65 00 6C 00 20 00 2F 00 61 00 20 00 2F 00 71 00 20 00 2F 00 66 00 20 00 22 00
  • 0x400a4:$: 64 00 65 00 6C 00 20 00 2F 00 61 00 20 00 2F 00 71 00 20 00 2F 00 66 00 20 00 22 00
  • 0x35adb:$: DoShellExecute
  • 0x369ba:$: DoShellExecute
  • 0x3a70b:$: DoShellExecute
  • 0x35a2d:$: DoDownloadFile
  • 0x35a3c:$: DoDownloadFile
  • 0x365e8:$: DoDownloadFile
  • 0x3a3bf:$: DoDownloadFile
  • 0x3a3d4:$: DoDownloadFile
  • 0x3aa96:$: DoDownloadFile
00000000.00000000.1653146683.00000000003C2000.00000002.00000001.01000000.00000003.sdmp | Quasar | detect Remcos in memory | JPCERT/CC Incident Response Group
  • 0x3f84e:$quasarstr1: [PRIVATE KEY LOCATION: "{0}"]
  • 0x3f462:$quasarstr2: User: {0}{3}Pass: {1}{3}Host: {2}
  • 0x31372:$class: Core.MouseKeyHook.WinApi
(2 further rule matches not shown in this export)
Source | Rule | Description | Author | Strings
0.0.kthiokadjg.exe.3c0000.0.unpack | JoeSecurity_Blackshades | Yara detected Blackshades RAT | Joe Security
0.0.kthiokadjg.exe.3c0000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.0.kthiokadjg.exe.3c0000.0.unpack | Windows_Trojan_Quasarrat_e52df647 | unknown | unknown
  • 0x3697a:$a1: GetKeyloggerLogsResponse
  • 0x360e5:$a2: DoDownloadAndExecute
  • 0x411ca:$a3: http://api.ipify.org/
  • 0x3ed41:$a4: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7}
  • 0x4008f:$a5: " /sc ONLOGON /tr "
0.0.kthiokadjg.exe.3c0000.0.unpack | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x35ed7:$s1: DoUploadAndExecute
  • 0x360e5:$s2: DoDownloadAndExecute
  • 0x35cdb:$s3: DoShellExecute
  • 0x360aa:$s4: set_Processname
  • 0x6bc8:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x6aec:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x7552:$op3: 00 04 03 69 91 1B 40
  • 0x7da2:$op3: 00 04 03 69 91 1B 40
0.0.kthiokadjg.exe.3c0000.0.unpack | Quasar_RAT_2 | Detects Quasar RAT | Florian Roth
  • 0x3697a:$x1: GetKeyloggerLogsResponse
  • 0x36bba:$s1: DoShellExecuteResponse
  • 0x36533:$s2: GetPasswordsResponse
  • 0x36a8d:$s3: GetStartupItemsResponse
  • 0x35eeb:$s5: RunHidden
  • 0x35f09:$s5: RunHidden
  • 0x35f17:$s5: RunHidden
  • 0x35f2b:$s5: RunHidden
(8 further rule matches not shown in this export)
            No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-03T12:43:57.042852+0100 | 2036383 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 208.95.112.1 | 80 | TCP

            AV Detection

Source: kthiokadjg.exe | Avira: detected
Source: kthiokadjg.exe | Virustotal: Detection: 79%
Source: kthiokadjg.exe | ReversingLabs: Detection: 86%
Source: Yara match | File source: kthiokadjg.exe, type: SAMPLE
Source: Yara match | File source: 0.0.kthiokadjg.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1653146683.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: kthiokadjg.exe PID: 7312, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: kthiokadjg.exe | Joe Sandbox ML: detected
Source: kthiokadjg.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: kthiokadjg.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: kthiokadjg.exe, 00000000.00000000.1653146683.00000000003C2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: autorun.inf.exe
Source: kthiokadjg.exe, 00000000.00000000.1653146683.00000000003C2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: [AutoRun]
Source: kthiokadjg.exe | Binary or memory string: autorun.inf.exe
Source: kthiokadjg.exe | Binary or memory string: [AutoRun]

            Networking

Source: Network traffic | Suricata IDS: 2036383 - Severity 1 - ET MALWARE Common RAT Connectivity Check Observed : 192.168.2.4:49730 -> 208.95.112.1:80
Source: Yara match | File source: kthiokadjg.exe, type: SAMPLE
Source: Yara match | File source: 0.0.kthiokadjg.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.4:49731 -> 85.192.29.60:5173
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: unknown | DNS query: name: ip-api.com
Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 Host: ip-api.com Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 85.192.29.60 (entry repeated 15 times)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 Host: ip-api.com Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: kthiokadjg.exe | String found in binary or memory: http://api.ipify.org/
Source: kthiokadjg.exe | String found in binary or memory: http://freegeoip.net/xml/
Source: kthiokadjg.exe | String found in binary or memory: http://ip-api.com/json/
Source: kthiokadjg.exe, 00000000.00000002.4106164254.0000000002889000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: kthiokadjg.exe, 00000000.00000002.4106164254.0000000002889000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/xClient.Core.Data
Source: kthiokadjg.exe, 00000000.00000002.4106164254.0000000002851000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

            Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\kthiokadjg.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\kthiokadjg.exe

            E-Banking Fraud

Source: Yara match | File source: kthiokadjg.exe, type: SAMPLE
Source: Yara match | File source: 0.0.kthiokadjg.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1653146683.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: kthiokadjg.exe PID: 7312, type: MEMORYSTR

            Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: Process Memory Space: kthiokadjg.exe PID: 7312, type: MEMORYSTR
Source: kthiokadjg.exe, 00000000.00000000.1653146683.00000000003C2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: cmd.exeU/C vssadmin.exe Delete Shadows /All /Quiet
Source: kthiokadjg.exe | Binary or memory string: cmd.exeU/C vssadmin.exe Delete Shadows /All /Quiet

            System Summary

Source: kthiokadjg.exe, type: SAMPLE | Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: kthiokadjg.exe, type: SAMPLE | Matched rule: Detects Quasar RAT Author: Florian Roth
Source: kthiokadjg.exe, type: SAMPLE | Matched rule: Detects Quasar RAT Author: Florian Roth
Source: kthiokadjg.exe, type: SAMPLE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: kthiokadjg.exe, type: SAMPLE | Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: kthiokadjg.exe, type: SAMPLE | Matched rule: Detects Patchwork malware Author: Florian Roth
Source: kthiokadjg.exe, type: SAMPLE | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: kthiokadjg.exe, type: SAMPLE | Matched rule: Detect QuasarRAT (reted from samples 2023-03) Author: Sekoia.io
Source: kthiokadjg.exe, type: SAMPLE | Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: kthiokadjg.exe, type: SAMPLE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: kthiokadjg.exe, type: SAMPLE | Matched rule: QuasarRAT payload Author: ditekSHen
Source: 0.0.kthiokadjg.exe.3c0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: 0.0.kthiokadjg.exe.3c0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0.0.kthiokadjg.exe.3c0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0.0.kthiokadjg.exe.3c0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.0.kthiokadjg.exe.3c0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 0.0.kthiokadjg.exe.3c0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 0.0.kthiokadjg.exe.3c0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.0.kthiokadjg.exe.3c0000.0.unpack, type: UNPACKEDPE | Matched rule: Detect QuasarRAT (reted from samples 2023-03) Author: Sekoia.io
Source: 0.0.kthiokadjg.exe.3c0000.0.unpack, type: UNPACKEDPE | Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.kthiokadjg.exe.3c0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.0.kthiokadjg.exe.3c0000.0.unpack, type: UNPACKEDPE | Matched rule: QuasarRAT payload Author: ditekSHen
Source: 00000000.00000000.1653146683.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: 00000000.00000000.1653146683.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000000.00000000.1653146683.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detect QuasarRAT (reted from samples 2023-03) Author: Sekoia.io
Source: 00000000.00000000.1653146683.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\kthiokadjg.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\kthiokadjg.exe | Code function: 0_2_00DBA350
Source: C:\Users\user\Desktop\kthiokadjg.exe | Code function: 0_2_00DB9A80
Source: C:\Users\user\Desktop\kthiokadjg.exe | Code function: 0_2_00DB9738
Source: C:\Users\user\Desktop\kthiokadjg.exe | Code function: 0_2_0635550F
Source: C:\Users\user\Desktop\kthiokadjg.exe | Code function: 0_2_06354230
Source: C:\Users\user\Desktop\kthiokadjg.exe | Code function: 0_2_0635BEA0
Source: C:\Users\user\Desktop\kthiokadjg.exe | Code function: 0_2_0635E29B
Source: C:\Users\user\Desktop\kthiokadjg.exe | Code function: 3_2_013FA350
Source: C:\Users\user\Desktop\kthiokadjg.exe | Code function: 3_2_013F9A80
Source: C:\Users\user\Desktop\kthiokadjg.exe | Code function: 3_2_013F9738
Source: C:\Users\user\Desktop\kthiokadjg.exe | Code function: 3_2_013FD7B1
Source: C:\Users\user\Desktop\kthiokadjg.exe | Code function: 3_2_013FD7C0
Source: kthiokadjg.exe, 00000000.00000002.4108902295.0000000006279000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs kthiokadjg.exe
Source: kthiokadjg.exe, 00000000.00000000.1653146683.00000000003C2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameClient.exe" vs kthiokadjg.exe
Source: kthiokadjg.exe | Binary or memory string: OriginalFilenameClient.exe" vs kthiokadjg.exe
Source: kthiokadjg.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: kthiokadjg.exe, type: SAMPLE | Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: kthiokadjg.exe, type: SAMPLE | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: kthiokadjg.exe, type: SAMPLE | Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: kthiokadjg.exe, type: SAMPLE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: kthiokadjg.exe, type: SAMPLE | Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: kthiokadjg.exe, type: SAMPLE | Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: kthiokadjg.exe, type: SAMPLE | Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: kthiokadjg.exe, type: SAMPLE | Matched rule: implant_win_quasarrat author = Sekoia.io, description = Detect QuasarRAT (reted from samples 2023-03), creation_date = 2023-03-17, classification = TLP:CLEAR, version = 1.0, reference = https://blog.alyac.co.kr/5103, id = 492fdffc-8e5f-4225-a2eb-cd6d80e6bcb8
Source: kthiokadjg.exe, type: SAMPLE | Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: kthiokadjg.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: kthiokadjg.exe, type: SAMPLE | Matched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
Source: 0.0.kthiokadjg.exe.3c0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: 0.0.kthiokadjg.exe.3c0000.0.unpack, type: UNPACKEDPE | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.kthiokadjg.exe.3c0000.0.unpack, type: UNPACKEDPE | Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 0.0.kthiokadjg.exe.3c0000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.0.kthiokadjg.exe.3c0000.0.unpack, type: UNPACKEDPE | Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.kthiokadjg.exe.3c0000.0.unpack, type: UNPACKEDPE | Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.kthiokadjg.exe.3c0000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.kthiokadjg.exe.3c0000.0.unpack, type: UNPACKEDPE | Matched rule: implant_win_quasarrat author = Sekoia.io, description = Detect QuasarRAT (reted from samples 2023-03), creation_date = 2023-03-17, classification = TLP:CLEAR, version = 1.0, reference = https://blog.alyac.co.kr/5103, id = 492fdffc-8e5f-4225-a2eb-cd6d80e6bcb8
Source: 0.0.kthiokadjg.exe.3c0000.0.unpack, type: UNPACKEDPE | Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 0.0.kthiokadjg.exe.3c0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.0.kthiokadjg.exe.3c0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
Source: 00000000.00000000.1653146683.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: 00000000.00000000.1653146683.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000000.1653146683.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: implant_win_quasarrat author = Sekoia.io, description = Detect QuasarRAT (reted from samples 2023-03), creation_date = 2023-03-17, classification = TLP:CLEAR, version = 1.0, reference = https://blog.alyac.co.kr/5103, id = 492fdffc-8e5f-4225-a2eb-cd6d80e6bcb8
Source: 00000000.00000000.1653146683.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: kthiokadjg.exe, Settings.cs | Base64 encoded string: 'gCFjRxwluoOzqyPCNSB03407xIz+ONwlD7/vzoHXegrPvHsLpCZNCifkZT/dDk+pIpnY9lciR0jF2j/uqqXxB+QwnjYTDIaJTD/V2X5JfJM=', 'NcFtjbDOcsw7Evd3coMC0y4koy/SRZGydhNmno81ZOWOvdfg7sv0Cj5ad2ROUfX4QMscAIjYJdjrrs41+qcQwg==', 'qMHKxGhonXmt9akngs1YQvmLEHd0YEK3QA1WGD+I9E1uD0/CTraYDvo1l5QaKlLl1vSbSP0ZkcZ3fmp2DVfuOg==', 'Z09FV4j4jq5/J6XIkypuhtrLmI1esAav4m/9cAsmlsnjIoIm6YPVLwFYd7byBB0tMZ6F+hsGLQyFcU1qTH4GTw==', 'pgwMHLu+QYvO3CaxZ4Va949Mf+wqfg9quUboqpUDvCsxe087o39mT/05k3/lE2PIQHW1I6mhxyFN44AvAYvQnA==', 'qHDO23cSS9AKUbQTH24tM4oWT8tVc79R+3d5roSmoCTFHLwGinckzKtfebKZ0jjmOMam4ihlQIcH7z2CnP9ZrQ==', 'Zpe+h8S9A/3LuE5RW2IKiZM0cliNxHBoStgJyFJ6E8vsnN3LTczqpXMqVZCScJiHMP7aiJbjJ14XCUEuOD5bWA=='
Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@5/2@1/2
Source: C:\Users\user\Desktop\kthiokadjg.exe | File created: C:\Users\user\AppData\Roaming\Logs
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7400:120:WilError_03
Source: C:\Users\user\Desktop\kthiokadjg.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\kthiokadjg.exe | Mutant created: \Sessions\1\BaseNamedObjects\QAPB6w0UbYXMvQdKRF
Source: kthiokadjg.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: kthiokadjg.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\kthiokadjg.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (entry repeated 2 times)
Source: C:\Users\user\Desktop\kthiokadjg.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: kthiokadjg.exe | Virustotal: Detection: 79%
            Source: kthiokadjg.exeReversingLabs: Detection: 86%
Source: unknown. Process created: C:\Users\user\Desktop\kthiokadjg.exe "C:\Users\user\Desktop\kthiokadjg.exe"
Source: C:\Users\user\Desktop\kthiokadjg.exe. Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "NET framework" /sc ONLOGON /tr "C:\Users\user\Desktop\kthiokadjg.exe" /rl HIGHEST /f
Source: C:\Windows\SysWOW64\schtasks.exe. Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown. Process created: C:\Users\user\Desktop\kthiokadjg.exe C:\Users\user\Desktop\kthiokadjg.exe
Source: C:\Users\user\Desktop\kthiokadjg.exe. Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "NET framework" /sc ONLOGON /tr "C:\Users\user\Desktop\kthiokadjg.exe" /rl HIGHEST /f
Source: C:\Users\user\Desktop\kthiokadjg.exe (first instance). Sections loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wbemcomn.dll, amsi.dll, userenv.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe. Sections loaded: kernel.appcore.dll, taskschd.dll, sspicli.dll, xmllite.dll
Source: C:\Users\user\Desktop\kthiokadjg.exe (second instance). Sections loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (loaded twice), uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wbemcomn.dll, amsi.dll, userenv.dll
Source: C:\Users\user\Desktop\kthiokadjg.exe. Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: kthiokadjg.exe. Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: kthiokadjg.exe. Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Boot Survival

Source: C:\Users\user\Desktop\kthiokadjg.exe. Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "NET framework" /sc ONLOGON /tr "C:\Users\user\Desktop\kthiokadjg.exe" /rl HIGHEST /f

            Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\kthiokadjg.exe. File opened: C:\Users\user\Desktop\kthiokadjg.exe:Zone.Identifier (read attributes | delete)
Source: C:\Users\user\Desktop\kthiokadjg.exe. Process information set: NOOPENFILEERRORBOX (90 occurrences)

            Malware Analysis System Evasion

Source: kthiokadjg.exe. Binary or memory string: SBIEDLL.DLL[SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Source: C:\Users\user\Desktop\kthiokadjg.exe. Memory allocated (memory reserve | memory write watch) at: D70000, 2850000, 2590000, 13B0000, 2F90000, 2BC0000
Source: C:\Users\user\Desktop\kthiokadjg.exe. Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Users\user\Desktop\kthiokadjg.exe. Window / User API: threadDelayed 3425
Source: C:\Users\user\Desktop\kthiokadjg.exe. Window / User API: threadDelayed 6317
Source: C:\Users\user\Desktop\kthiokadjg.exe, TID 7456. Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Users\user\Desktop\kthiokadjg.exe, TID 7460. Thread sleep count: 3425 > 30
Source: C:\Users\user\Desktop\kthiokadjg.exe, TID 7460. Thread sleep count: 6317 > 30
Source: C:\Users\user\Desktop\kthiokadjg.exe, TID 7492. Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\kthiokadjg.exe. WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\Desktop\kthiokadjg.exe. WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\kthiokadjg.exe. WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Users\user\Desktop\kthiokadjg.exe. WMI Queries (2 occurrences): IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe. Last function: Thread delayed
Source: C:\Users\user\Desktop\kthiokadjg.exe. Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: kthiokadjg.exe. Binary or memory string: vboxtray
Source: kthiokadjg.exe. Binary or memory string: VMwareService
Source: kthiokadjg.exe. Binary or memory string: VMwareTray
Source: kthiokadjg.exe. Binary or memory string: vboxservice
Source: kthiokadjg.exe, 00000000.00000002.4105107179.00000000008B7000.00000004.00000020.00020000.00000000.sdmp. Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll1
Source: kthiokadjg.exe. Binary or memory string: vmtoolsd
Source: C:\Users\user\Desktop\kthiokadjg.exe. Process token adjusted: Debug
Source: C:\Users\user\Desktop\kthiokadjg.exe. Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

Source: kthiokadjg.exe, KeyboardNativeMethods.cs. Reference to suspicious API methods: MapVirtualKeyEx(virtualKeyCode, 0, activeKeyboard)
Source: kthiokadjg.exe, Firefox.cs. Reference to suspicious API methods: NativeMethods.LoadLibrary(firefoxPath.FullName + "\\msvcr100.dll")
Source: kthiokadjg.exe, Firefox.cs. Reference to suspicious API methods: ((NSS_InitPtr)Marshal.GetDelegateForFunctionPointer(NativeMethods.GetProcAddress(nssModule, "NSS_Init"), typeof(NSS_InitPtr)))(firefoxProfilePath.FullName)
Source: C:\Users\user\Desktop\kthiokadjg.exe. Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "NET framework" /sc ONLOGON /tr "C:\Users\user\Desktop\kthiokadjg.exe" /rl HIGHEST /f
Source: kthiokadjg.exe. Binary or memory string: Program Manager
Source: kthiokadjg.exe. Binary or memory string: Shell_TrayWnd
Source: kthiokadjg.exe. Binary or memory string: Progman
Source: C:\Users\user\Desktop\kthiokadjg.exe (first instance). Queries volume information: C:\Users\user\Desktop\kthiokadjg.exe; C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll; C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll; C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll; C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll; C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
Source: C:\Users\user\Desktop\kthiokadjg.exe (second instance). Queries volume information: C:\Users\user\Desktop\kthiokadjg.exe; C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll; C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
Source: C:\Users\user\Desktop\kthiokadjg.exe. Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Lowering of HIPS / PFW / Operating System Security Settings

Source: kthiokadjg.exe, CommandHandler.cs. .Net Code: HandleDoDisableTaskmgr
Source: kthiokadjg.exe, 00000000.00000002.4108330207.0000000005088000.00000004.00000020.00020000.00000000.sdmp. Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\kthiokadjg.exe. WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\kthiokadjg.exe. WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

            Stealing of Sensitive Information

Source: Yara match. File source: kthiokadjg.exe, type: SAMPLE
Source: Yara match. File source: 0.0.kthiokadjg.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match. File source: 00000000.00000000.1653146683.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match. File source: Process Memory Space: kthiokadjg.exe PID: 7312, type: MEMORYSTR

            Remote Access Functionality

Source: Yara match. File source: kthiokadjg.exe, type: SAMPLE
Source: Yara match. File source: 0.0.kthiokadjg.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match. File source: 00000000.00000000.1653146683.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match. File source: Process Memory Space: kthiokadjg.exe PID: 7312, type: MEMORYSTR

MITRE ATT&CK Matrix

Only techniques with at least one mapped signature are listed; the number in parentheses is the count of signatures mapped to the technique.

Reconnaissance: none
Resource Development: none
Initial Access: Replication Through Removable Media (1)
Execution: Windows Management Instrumentation (41), Scheduled Task/Job (1), Native API (1)
Persistence: Scheduled Task/Job (1), DLL Side-Loading (1)
Privilege Escalation: Process Injection (12), Scheduled Task/Job (1), DLL Side-Loading (1)
Defense Evasion: Virtualization/Sandbox Evasion (51), Process Injection (12), Disable or Modify Tools (11), Masquerading (1), Hidden Files and Directories (1), Obfuscated Files or Information (1), DLL Side-Loading (1), File Deletion (1)
Credential Access: Input Capture (11)
Discovery: Security Software Discovery (141), Virtualization/Sandbox Evasion (51), System Information Discovery (33), Process Discovery (1), Application Window Discovery (1), Peripheral Device Discovery (1), System Network Configuration Discovery (1)
Lateral Movement: none
Collection: Input Capture (11), Archive Collected Data (1)
Command and Control: Application Layer Protocol (12), Non-Application Layer Protocol (2), Encrypted Channel (1), Non-Standard Port (1), Ingress Tool Transfer (1)
Exfiltration: none
Impact: none


            windows-stand
            SourceDetectionScannerLabelLink
            kthiokadjg.exe79%VirustotalBrowse
            kthiokadjg.exe87%ReversingLabsByteCode-MSIL.Backdoor.Quasar
            kthiokadjg.exe100%AviraHEUR/AGEN.1307418
            kthiokadjg.exe100%Joe Sandbox ML
            No Antivirus matches
Source | Detection | Scanner | Label | Link
http://schemas.datacontract.org/2004/07/xClient.Core.Data | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip-api.com | 208.95.112.1 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://ip-api.com/json/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://api.ipify.org/ | kthiokadjg.exe | false | | high
http://freegeoip.net/xml/ | kthiokadjg.exe | false | | high
http://schemas.datacontract.org/2004/07/ | kthiokadjg.exe, 00000000.00000002.4106164254.0000000002889000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | kthiokadjg.exe, 00000000.00000002.4106164254.0000000002851000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.datacontract.org/2004/07/xClient.Core.Data | kthiokadjg.exe, 00000000.00000002.4106164254.0000000002889000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | | 53334 | TUT-ASUS | false
85.192.29.60 | unknown | Russian Federation | | 47711 | LINEGROUP-ASRU | false
                        Joe Sandbox version:41.0.0 Charoite
                        Analysis ID:1583704
                        Start date and time:2025-01-03 12:43:05 +01:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 6m 54s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:8
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:kthiokadjg.exe
                        Detection:MAL
                        Classification:mal100.rans.troj.spyw.evad.winEXE@5/2@1/2
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 94%
                        • Number of executed functions: 38
                        • Number of non-executed functions: 2
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Override analysis time to 240000 for current running targets taking high CPU consumption
                        • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                        • Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.45
                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
06:43:56 | API Interceptor | 6012205x Sleep call for process: kthiokadjg.exe modified
11:43:56 | Task Scheduler | Run new task: NET framework path: C:\Users\user\Desktop\kthiokadjg.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
208.95.112.1 | file.exe | Get hash | malicious | AsyncRAT, XRed, XWorm | Browse
• ip-api.com/line/?fields=hosting
file.exe | Get hash | malicious | XWorm | Browse
• ip-api.com/line/?fields=hosting
file.exe | Get hash | malicious | XWorm | Browse
• ip-api.com/line/?fields=hosting
23khy505ab.exe | Get hash | malicious | Njrat | Browse
• ip-api.com/line/?fields=hosting
XClient.exe | Get hash | malicious | AsyncRAT, XWorm | Browse
• ip-api.com/line/?fields=hosting
Java32.exe | Get hash | malicious | XWorm | Browse
• ip-api.com/line/?fields=hosting
mcgen.exe | Get hash | malicious | Blank Grabber | Browse
• ip-api.com/json/?fields=225545
intro.avi.exe | Get hash | malicious | Quasar | Browse
• ip-api.com/json/
AimStar.exe | Get hash | malicious | Blank Grabber | Browse
• ip-api.com/json/?fields=225545
L988Ph5sKX.exe | Get hash | malicious | XWorm | Browse
• ip-api.com/line/?fields=hosting
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ip-api.com | file.exe | Get hash | malicious | AsyncRAT, XRed, XWorm | Browse
• 208.95.112.1
file.exe | Get hash | malicious | XWorm | Browse
• 208.95.112.1
file.exe | Get hash | malicious | XWorm | Browse
• 208.95.112.1
23khy505ab.exe | Get hash | malicious | Njrat | Browse
• 208.95.112.1
XClient.exe | Get hash | malicious | AsyncRAT, XWorm | Browse
• 208.95.112.1
Java32.exe | Get hash | malicious | XWorm | Browse
• 208.95.112.1
mcgen.exe | Get hash | malicious | Blank Grabber | Browse
• 208.95.112.1
intro.avi.exe | Get hash | malicious | Quasar | Browse
• 208.95.112.1
AimStar.exe | Get hash | malicious | Blank Grabber | Browse
• 208.95.112.1
L988Ph5sKX.exe | Get hash | malicious | XWorm | Browse
• 208.95.112.1
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
TUT-ASUS | file.exe | Get hash | malicious | AsyncRAT, XRed, XWorm | Browse
• 208.95.112.1
file.exe | Get hash | malicious | XWorm | Browse
• 208.95.112.1
file.exe | Get hash | malicious | XWorm | Browse
• 208.95.112.1
23khy505ab.exe | Get hash | malicious | Njrat | Browse
• 208.95.112.1
XClient.exe | Get hash | malicious | AsyncRAT, XWorm | Browse
• 208.95.112.1
Java32.exe | Get hash | malicious | XWorm | Browse
• 208.95.112.1
mcgen.exe | Get hash | malicious | Blank Grabber | Browse
• 208.95.112.1
intro.avi.exe | Get hash | malicious | Quasar | Browse
• 208.95.112.1
AimStar.exe | Get hash | malicious | Blank Grabber | Browse
• 208.95.112.1
L988Ph5sKX.exe | Get hash | malicious | XWorm | Browse
• 208.95.112.1
LINEGROUP-ASRU | file.exe | Get hash | malicious | SmokeLoader | Browse
• 85.192.60.190
invoice_template.pdf.lnk | Get hash | malicious | SmokeLoader | Browse
• 85.192.60.190
a9rLzLY498.exe | Get hash | malicious | DCRat | Browse
• 85.192.63.134
MtgwNNkkgT.exe | Get hash | malicious | DCRat | Browse
• 85.192.63.134
file.exe | Get hash | malicious | Unknown | Browse
• 85.192.63.194
xGSkelSjdu.exe | Get hash | malicious | Raccoon Stealer v2 | Browse
• 85.192.63.15
ImBetter.exe | Get hash | malicious | Unknown | Browse
• 85.192.63.32
B94872E1A7599AF25CAA25013FC0054E5AFFDA6CFAEF6.dll | Get hash | malicious | Raccoon Stealer v2 | Browse
• 85.192.63.204
B94872E1A7599AF25CAA25013FC0054E5AFFDA6CFAEF6.dll | Get hash | malicious | Raccoon Stealer v2 | Browse
• 85.192.63.204
DxIQxeHMa9.exe | Get hash | malicious | Amadey, Laplas Clipper | Browse
• 85.192.63.121
                        No context
                        Process:C:\Users\user\Desktop\kthiokadjg.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):826
                        Entropy (8bit):5.353295152847208
                        Encrypted:false
                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhBsXE4qdKm:MIHK5HKH1qHiYHKh3okHA
                        MD5:CBC102AE9B2B802A4E451ED79E09DEB5
                        SHA1:7102EB28C2A703B2AA74F5E419A2D72C66B97896
                        SHA-256:0763878B1A8876F16EE532AB23C36782096C2A8CD770C18C6CB1156121734EFB
                        SHA-512:CDB7367250343E2DD31876C3B337A0FF6A6E2A7E37FF71C0C8AE7072302FC014BBDE14689C16E25E80D2B1587DFC75FA6BE50AFD0D06083A2A09BD0D256151C7
                        Malicious:true
                        Reputation:moderate, very likely benign file
                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\96012833bebd5f21714fc508603cda97\System.Management.ni.dll",0..
                        Process:C:\Users\user\Desktop\kthiokadjg.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):224
                        Entropy (8bit):7.10749708290353
                        Encrypted:false
                        SSDEEP:6:781CmIoir88ai+NWnT0HY73JEAUoii3Dc:9mIn8+4WIHAVrDc
                        MD5:8497EDAC04E912DA4D527D8984246110
                        SHA1:58D57231B968518C8B6691FA9BA77CD3D2157917
                        SHA-256:4F3CDF15A35B52FB97AC0980E2301A4FB5D67050A98D4A3E2278F9109DFBE0D7
                        SHA-512:796D1BDF173EC63093A758C07CAA4141DD95AC75807FFCCFE01EB3779163F27D3F56811F2AE15FCB976BEEDC28B4BF836D26A93646E6030AF9D01C0878928D00
                        Malicious:false
                        Reputation:low
                        Preview:rK.S.@..7F,.f..|Ph..B......c...*Y0...g%B........)D\P.%.Cy...iJ3.?.!T.......=]bj.T..."j../.-.c.+...........<..5..?m_..8.W=.*..e..?u...6.[.i.PI.#.P..>.p..?.~.w......*....a.A......P....D.q...>#.*.n..."*...X..Gs....E%
                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Entropy (8bit):6.010424789479464
                        TrID:
                        • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                        • Win32 Executable (generic) a (10002005/4) 49.75%
                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                        • Windows Screen Saver (13104/52) 0.07%
                        • Generic Win/DOS Executable (2004/3) 0.01%
                        File name:kthiokadjg.exe
                        File size:295'424 bytes
                        MD5:cc5e91e1a0c3ca5edf2bdba7fa252827
                        SHA1:004ba0788113ebb3bce8eaf63fa53c70caa91079
                        SHA256:30efa81a5d0d9bf04a00b4e30823c2f0c7bd6461383acf0195d857edf2162543
                        SHA512:14ee287465bc50dc16ad042d35a14f9e676f645dabf4c4dfbd8f225845e45ab73fee6c3d7967fe44a21994ddbd5b76d0cbd01ec0a2784f913587313c4a407249
                        SSDEEP:6144:E7zO0LSclT6FOwEP5Kq+SMv0VGb7bDcllbkln:6lJtTF9zVGkllbk5
                        TLSH:EE545A2527F8A93BD8BE17B4F53141094B76FC07B517F38E6A5818B82C1A38985937E3
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...q.jg.................v............... ........@.. ....................................@................................
                        Icon Hash:90cececece8e8eb0
                        Entrypoint:0x44940e
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Time Stamp:0x676AAA71 [Tue Dec 24 12:34:57 2024 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the remaining 96 identical "add byte ptr [eax], al" lines of the entrypoint dump, which are zero bytes decoded as that instruction, are omitted)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x493c0 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4a000 | 0x800 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4c000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x47414 | 0x47600 | 9f69c7a2e0dead1448b37991e0925969 | False | 0.4229593093257443 | data | 6.022725630683313 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x4a000 | 0x800 | 0x800 | a027b6bc741b57fb7aedeed9de1ffae2 | False | 0.4208984375 | data | 4.826065116434677 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x4c000 | 0xc | 0x200 | 654372b0affac22a7ea47de03901c6e6 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x4a090 | 0x2d4 | data | | | 0.43646408839779005
RT_MANIFEST | 0x4a374 | 0x478 | exported SGML document, Unicode text, UTF-8 (with BOM) text | | | 0.4423076923076923
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-03T12:43:57.042852+0100 | 2036383 | ET MALWARE Common RAT Connectivity Check Observed | 1 | 192.168.2.4 | 49730 | 208.95.112.1 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 3, 2025 12:43:56.531467915 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Jan 3, 2025 12:43:56.536320925 CET | 80 | 49730 | 208.95.112.1 | 192.168.2.4
Jan 3, 2025 12:43:56.536500931 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Jan 3, 2025 12:43:56.536746025 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Jan 3, 2025 12:43:56.541532040 CET | 80 | 49730 | 208.95.112.1 | 192.168.2.4
Jan 3, 2025 12:43:57.001539946 CET | 80 | 49730 | 208.95.112.1 | 192.168.2.4
Jan 3, 2025 12:43:57.042851925 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Jan 3, 2025 12:43:58.193116903 CET | 49731 | 5173 | 192.168.2.4 | 85.192.29.60
Jan 3, 2025 12:43:58.198091984 CET | 5173 | 49731 | 85.192.29.60 | 192.168.2.4
Jan 3, 2025 12:43:58.198252916 CET | 49731 | 5173 | 192.168.2.4 | 85.192.29.60
Jan 3, 2025 12:43:58.778518915 CET | 5173 | 49731 | 85.192.29.60 | 192.168.2.4
Jan 3, 2025 12:43:58.810355902 CET | 49731 | 5173 | 192.168.2.4 | 85.192.29.60
Jan 3, 2025 12:43:58.815191031 CET | 5173 | 49731 | 85.192.29.60 | 192.168.2.4
Jan 3, 2025 12:43:58.995204926 CET | 5173 | 49731 | 85.192.29.60 | 192.168.2.4
Jan 3, 2025 12:43:59.042862892 CET | 49731 | 5173 | 192.168.2.4 | 85.192.29.60
Jan 3, 2025 12:43:59.130260944 CET | 5173 | 49731 | 85.192.29.60 | 192.168.2.4
Jan 3, 2025 12:43:59.183475971 CET | 49731 | 5173 | 192.168.2.4 | 85.192.29.60
Jan 3, 2025 12:43:59.305685043 CET | 49731 | 5173 | 192.168.2.4 | 85.192.29.60
Jan 3, 2025 12:43:59.310559034 CET | 5173 | 49731 | 85.192.29.60 | 192.168.2.4
Jan 3, 2025 12:44:24.324218035 CET | 49731 | 5173 | 192.168.2.4 | 85.192.29.60
Jan 3, 2025 12:44:24.329205990 CET | 5173 | 49731 | 85.192.29.60 | 192.168.2.4
Jan 3, 2025 12:44:49.339827061 CET | 49731 | 5173 | 192.168.2.4 | 85.192.29.60
Jan 3, 2025 12:44:49.344712973 CET | 5173 | 49731 | 85.192.29.60 | 192.168.2.4
Jan 3, 2025 12:44:52.373409033 CET | 80 | 49730 | 208.95.112.1 | 192.168.2.4
Jan 3, 2025 12:44:52.373456955 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Jan 3, 2025 12:45:14.402379990 CET | 49731 | 5173 | 192.168.2.4 | 85.192.29.60
Jan 3, 2025 12:45:14.407260895 CET | 5173 | 49731 | 85.192.29.60 | 192.168.2.4
Jan 3, 2025 12:45:37.013107061 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Jan 3, 2025 12:45:37.017910004 CET | 80 | 49730 | 208.95.112.1 | 192.168.2.4
Jan 3, 2025 12:45:39.589935064 CET | 49731 | 5173 | 192.168.2.4 | 85.192.29.60
Jan 3, 2025 12:45:39.594727039 CET | 5173 | 49731 | 85.192.29.60 | 192.168.2.4
Jan 3, 2025 12:46:04.661680937 CET | 49731 | 5173 | 192.168.2.4 | 85.192.29.60
Jan 3, 2025 12:46:04.666476011 CET | 5173 | 49731 | 85.192.29.60 | 192.168.2.4
Jan 3, 2025 12:46:29.699415922 CET | 49731 | 5173 | 192.168.2.4 | 85.192.29.60
Jan 3, 2025 12:46:29.704298019 CET | 5173 | 49731 | 85.192.29.60 | 192.168.2.4
Jan 3, 2025 12:46:54.793256998 CET | 49731 | 5173 | 192.168.2.4 | 85.192.29.60
Jan 3, 2025 12:46:54.801445961 CET | 5173 | 49731 | 85.192.29.60 | 192.168.2.4
Jan 3, 2025 12:47:19.902766943 CET | 49731 | 5173 | 192.168.2.4 | 85.192.29.60
Jan 3, 2025 12:47:19.907639980 CET | 5173 | 49731 | 85.192.29.60 | 192.168.2.4
Jan 3, 2025 12:47:44.996668100 CET | 49731 | 5173 | 192.168.2.4 | 85.192.29.60
Jan 3, 2025 12:47:45.001777887 CET | 5173 | 49731 | 85.192.29.60 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 3, 2025 12:43:56.520080090 CET | 62477 | 53 | 192.168.2.4 | 1.1.1.1
Jan 3, 2025 12:43:56.526783943 CET | 53 | 62477 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 3, 2025 12:43:56.520080090 CET | 192.168.2.4 | 1.1.1.1 | 0xf969 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 3, 2025 12:43:56.526783943 CET | 1.1.1.1 | 192.168.2.4 | 0xf969 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
• ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 208.95.112.1 | 80 | 7312 | C:\Users\user\Desktop\kthiokadjg.exe
Timestamp | Bytes transferred | Direction | Data
Jan 3, 2025 12:43:56.536746025 CET | 144 | OUT | GET /json/ HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
                        Host: ip-api.com
                        Connection: Keep-Alive
Jan 3, 2025 12:43:57.001539946 CET | 483 | IN | HTTP/1.1 200 OK
                        Date: Fri, 03 Jan 2025 11:43:56 GMT
                        Content-Type: application/json; charset=utf-8
                        Content-Length: 306
                        Access-Control-Allow-Origin: *
                        X-Ttl: 60
                        X-Rl: 44
                        Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/New_York","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.189"}


                        Target ID:0
                        Start time:06:43:54
                        Start date:03/01/2025
                        Path:C:\Users\user\Desktop\kthiokadjg.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\kthiokadjg.exe"
                        Imagebase:0x3c0000
                        File size:295'424 bytes
                        MD5 hash:CC5E91E1A0C3CA5EDF2BDBA7FA252827
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Blackshades, Description: Yara detected Blackshades RAT, Source: 00000000.00000000.1653146683.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Quasarrat_e52df647, Description: unknown, Source: 00000000.00000000.1653146683.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                        • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000000.00000000.1653146683.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, Author: Florian Roth
                        • Rule: implant_win_quasarrat, Description: Detect QuasarRAT (reted from samples 2023-03), Source: 00000000.00000000.1653146683.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, Author: Sekoia.io
                        • Rule: Quasar, Description: detect Remcos in memory, Source: 00000000.00000000.1653146683.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
                        Reputation:low
                        Has exited:false

                        Target ID:1
                        Start time:06:43:55
                        Start date:03/01/2025
                        Path:C:\Windows\SysWOW64\schtasks.exe
                        Wow64 process (32bit):true
                        Commandline:"schtasks" /create /tn "NET framework" /sc ONLOGON /tr "C:\Users\user\Desktop\kthiokadjg.exe" /rl HIGHEST /f
                        Imagebase:0x7b0000
                        File size:187'904 bytes
                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:2
                        Start time:06:43:55
                        Start date:03/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:3
                        Start time:06:43:56
                        Start date:03/01/2025
                        Path:C:\Users\user\Desktop\kthiokadjg.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\Desktop\kthiokadjg.exe
                        Imagebase:0xb10000
                        File size:295'424 bytes
                        MD5 hash:CC5E91E1A0C3CA5EDF2BDBA7FA252827
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true


                          Execution Graph

                          Execution Coverage:11.4%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:15.4%
                          Total number of Nodes:52
                          Total number of Limit Nodes:5
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4109028636.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6350000_kthiokadjg.jbxd
                          Similarity
                          • API ID:
                          • String ID: Hxq
                          • API String ID: 0-2956916855

                          Memory Dump Source
                          • Source File: 00000000.00000002.4109028636.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6350000_kthiokadjg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4109028636.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6350000_kthiokadjg.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4'tq
                          • API String ID: 0-257826263
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4105727755.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_db0000_kthiokadjg.jbxd
                          Similarity
                          • API ID:
                          • String ID: \Vcm
                          • API String ID: 0-3044874373
                          Memory Dump Source
                          • Source File: 00000000.00000002.4105727755.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_db0000_kthiokadjg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:

                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 00DB33F1
                          Memory Dump Source
                          • Source File: 00000000.00000002.4105727755.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_db0000_kthiokadjg.jbxd
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0

                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 00DB33F1
                          Memory Dump Source
                          • Source File: 00000000.00000002.4105727755.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_db0000_kthiokadjg.jbxd
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0
                          APIs
                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 06351591
                          Memory Dump Source
                          • Source File: 00000000.00000002.4109028636.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6350000_kthiokadjg.jbxd
                          Similarity
                          • API ID: CallProcWindow
                          • String ID:
                          • API String ID: 2714655100-0
                          APIs
                          • OleInitialize.OLE32(00000000), ref: 06354A45
                          Memory Dump Source
                          • Source File: 00000000.00000002.4109028636.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6350000_kthiokadjg.jbxd
                          Similarity
                          • API ID: Initialize
                          • String ID:
                          • API String ID: 2538663250-0
                          APIs
                          • OleInitialize.OLE32(00000000), ref: 06354A45
                          Memory Dump Source
                          • Source File: 00000000.00000002.4109028636.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6350000_kthiokadjg.jbxd
                          Similarity
                          • API ID: Initialize
                          • String ID:
                          • API String ID: 2538663250-0
                          Memory Dump Source
                          • Source File: 00000000.00000002.4108996656.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6320000_kthiokadjg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000000.00000002.4108996656.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6320000_kthiokadjg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000000.00000002.4108996656.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6320000_kthiokadjg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000000.00000002.4108996656.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6320000_kthiokadjg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000000.00000002.4108996656.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6320000_kthiokadjg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000000.00000002.4108996656.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6320000_kthiokadjg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000000.00000002.4108996656.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6320000_kthiokadjg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000000.00000002.4108996656.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6320000_kthiokadjg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000000.00000002.4105515838.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bcd000_kthiokadjg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000000.00000002.4108996656.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6320000_kthiokadjg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000000.00000002.4105542821.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bdd000_kthiokadjg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000000.00000002.4108996656.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6320000_kthiokadjg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000000.00000002.4108996656.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6320000_kthiokadjg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000000.00000002.4108996656.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6320000_kthiokadjg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000000.00000002.4108996656.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6320000_kthiokadjg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000000.00000002.4105515838.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bcd000_kthiokadjg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000000.00000002.4105542821.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_bdd000_kthiokadjg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000000.00000002.4108996656.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6320000_kthiokadjg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4109028636.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6350000_kthiokadjg.jbxd
                          Similarity
                          • API ID:
                          • String ID: !$?$Hxq
                          • API String ID: 0-4209759933
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4105727755.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_db0000_kthiokadjg.jbxd
                          Similarity
                          • API ID:
                          • String ID: \Vcm
                          • API String ID: 0-3044874373

                          Execution Graph

                          Execution Coverage:7.5%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:0%
                          Total number of Nodes:42
                          Total number of Limit Nodes:4

                          Control-flow Graph (rendered graph not captured; nodes were marked Executed / Not Executed)
                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 013FCB2E
                          • GetCurrentThread.KERNEL32 ref: 013FCB6B
                          • GetCurrentProcess.KERNEL32 ref: 013FCBA8
                          • GetCurrentThreadId.KERNEL32 ref: 013FCC01
                          Memory Dump Source
                          • Source File: 00000003.00000002.1693971648.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_13f0000_kthiokadjg.jbxd
                          Similarity
                          • API ID: Current$ProcessThread
                          • String ID:
                          • API String ID: 2063062207-0

                          Control-flow Graph (rendered graph not captured; nodes were marked Executed / Not Executed)
                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 013FCB2E
                          • GetCurrentThread.KERNEL32 ref: 013FCB6B
                          • GetCurrentProcess.KERNEL32 ref: 013FCBA8
                          • GetCurrentThreadId.KERNEL32 ref: 013FCC01
                          Memory Dump Source
                          • Source File: 00000003.00000002.1693971648.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_13f0000_kthiokadjg.jbxd
                          Similarity
                          • API ID: Current$ProcessThread
                          • String ID:
                          • API String ID: 2063062207-0

                          Control-flow Graph (rendered graph not captured; nodes were marked Executed / Not Executed)
                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 013F33F1
                          Memory Dump Source
                          • Source File: 00000003.00000002.1693971648.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_13f0000_kthiokadjg.jbxd
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0

                          Control-flow Graph (rendered graph not captured; nodes were marked Executed / Not Executed)
                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 013F33F1
                          Memory Dump Source
                          • Source File: 00000003.00000002.1693971648.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_13f0000_kthiokadjg.jbxd
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0

                          Control-flow Graph (rendered graph not captured; nodes were marked Executed / Not Executed)
                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013FCD7F
                          Memory Dump Source
                          • Source File: 00000003.00000002.1693971648.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_13f0000_kthiokadjg.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0

                          Control-flow Graph (rendered graph not captured; nodes were marked Executed / Not Executed)
                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013FCD7F
                          Memory Dump Source
                          • Source File: 00000003.00000002.1693971648.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_13f0000_kthiokadjg.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0

                          Control-flow Graph (rendered graph not captured; nodes were marked Executed / Not Executed)
                          APIs
                          • OleInitialize.OLE32(00000000), ref: 013FD775
                          Memory Dump Source
                          • Source File: 00000003.00000002.1693971648.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_13f0000_kthiokadjg.jbxd
                          Similarity
                          • API ID: Initialize
                          • String ID:
                          • API String ID: 2538663250-0

                          Control-flow Graph (rendered graph not captured; nodes were marked Executed / Not Executed)
                          APIs
                          • OleInitialize.OLE32(00000000), ref: 013FD775
                          Memory Dump Source
                          • Source File: 00000003.00000002.1693971648.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_13f0000_kthiokadjg.jbxd
                          Similarity
                          • API ID: Initialize
                          • String ID:
                          • API String ID: 2538663250-0
                          Memory Dump Source
                          • Source File: 00000003.00000002.1693597128.0000000000FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_ffd000_kthiokadjg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000003.00000002.1693597128.0000000000FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_ffd000_kthiokadjg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID: