Windows Analysis Report
jaTDEkWCbs.exe

Overview

General Information

Sample name: jaTDEkWCbs.exe (renamed because original name is a hash value)
Original sample name: b48f94c872bb4e3596924f7f587b0a54.exe
Analysis ID: 1584485
MD5: b48f94c872bb4e3596924f7f587b0a54
SHA1: 748f86a0394486b577978794145328702ac77a62
SHA256: e3d17377d59312e36a5e3b503a7259ffeaac4dd742222be0ad9a8ea443d3f7de
Tags: exe, QuasarRAT, RAT, user-abuse_ch

Detection

Quasar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Quasar RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to detect virtual machines (STR)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores large binary data to the registry
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • jaTDEkWCbs.exe (PID: 6856 cmdline: "C:\Users\user\Desktop\jaTDEkWCbs.exe" MD5: B48F94C872BB4E3596924F7F587B0A54)
    • schtasks.exe (PID: 7012 cmdline: "schtasks" /create /tn "Svc" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Svc.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 7028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Svc.exe (PID: 7160 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Svc.exe" MD5: B48F94C872BB4E3596924F7F587B0A54)
      • schtasks.exe (PID: 5328 cmdline: "schtasks" /create /tn "Svc" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Svc.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 5688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • SIHClient.exe (PID: 7012 cmdline: C:\Windows\System32\sihclient.exe /cv Bp2r6cK9Lk66qUuk5S0sFA.0.2 MD5: 8BE47315BF30475EEECE8E39599E9273)
  • Svc.exe (PID: 5308 cmdline: C:\Users\user\AppData\Roaming\SubDir\Svc.exe MD5: B48F94C872BB4E3596924F7F587B0A54)
  • cleanup
Name: Quasar RAT, QuasarRAT
Description: Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
Attribution:
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat
Malware configuration (Quasar): {"Version": "1.4.1", "Host:Port": "154.216.19.144:7000;", "SubDirectory": "SubDir", "InstallName": "Svc.exe", "MutexName": "9aaccf69-ec3a-44b7-854b-ecd43ee8e151", "Tag": "Miner", "LogDirectoryName": "Logs", "ServerSignature": "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", "ServerCertificate": "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"}
Source: jaTDEkWCbs.exe | Rule: JoeSecurity_Quasar | Description: Yara detected Quasar RAT | Author: Joe Security
Source: jaTDEkWCbs.exe | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: jaTDEkWCbs.exe | Rule: MAL_QuasarRAT_May19_1 | Description: Detects QuasarRAT malware | Author: Florian Roth | Strings:
      • 0x28eed8:$x1: Quasar.Common.Messages
      • 0x29f201:$x1: Quasar.Common.Messages
      • 0x2ab822:$x4: Uninstalling... good bye :-(
      • 0x2ad017:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
Source: jaTDEkWCbs.exe | Rule: INDICATOR_SUSPICIOUS_GENInfoStealer | Description: Detects executables containing common artifacts observed in infostealers | Author: ditekSHen | Strings:
      • 0x2aadd4:$f1: FileZilla\recentservers.xml
      • 0x2aae14:$f2: FileZilla\sitemanager.xml
      • 0x2aae56:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
      • 0x2ab0a2:$b1: Chrome\User Data\
      • 0x2ab0f8:$b1: Chrome\User Data\
      • 0x2ab3d0:$b2: Mozilla\Firefox\Profiles
      • 0x2ab4cc:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
      • 0x2fd428:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
      • 0x2ab624:$b4: Opera Software\Opera Stable\Login Data
      • 0x2ab6de:$b5: YandexBrowser\User Data\
      • 0x2ab74c:$b5: YandexBrowser\User Data\
      • 0x2ab420:$s4: logins.json
      • 0x2ab156:$a1: username_value
      • 0x2ab174:$a2: password_value
      • 0x2ab460:$a3: encryptedUsername
      • 0x2fd36c:$a3: encryptedUsername
      • 0x2ab484:$a4: encryptedPassword
      • 0x2fd38a:$a4: encryptedPassword
      • 0x2fd308:$a5: httpRealm
Source: jaTDEkWCbs.exe | Rule: MALWARE_Win_QuasarStealer | Description: Detects Quasar infostealer | Author: ditekshen | Strings:
      • 0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
      • 0x2ab90c:$s3: Process already elevated.
      • 0x28ebd7:$s4: get_PotentiallyVulnerablePasswords
      • 0x278c93:$s5: GetKeyloggerLogsDirectory
      • 0x29e960:$s5: GetKeyloggerLogsDirectory
      • 0x28ebfa:$s6: set_PotentiallyVulnerablePasswords
      • 0x2fea56:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | Rule: JoeSecurity_Quasar | Description: Yara detected Quasar RAT | Author: Joe Security
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | Rule: MAL_QuasarRAT_May19_1 | Description: Detects QuasarRAT malware | Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | Rule: INDICATOR_SUSPICIOUS_GENInfoStealer | Description: Detects executables containing common artifacts observed in infostealers | Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | Rule: MALWARE_Win_QuasarStealer | Description: Detects Quasar infostealer | Author: ditekshen
Source: 00000000.00000000.1646873443.0000000000330000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Quasar | Description: Yara detected Quasar RAT | Author: Joe Security
Source: 00000003.00000002.4113781005.0000000003633000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_Quasar | Description: Yara detected Quasar RAT | Author: Joe Security
Source: 00000000.00000002.1676683355.000000001AF32000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Quasar | Description: Yara detected Quasar RAT | Author: Joe Security
Source: 00000000.00000000.1646539698.0000000000012000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Quasar | Description: Yara detected Quasar RAT | Author: Joe Security
Source: Process Memory Space: jaTDEkWCbs.exe PID: 6856 | Rule: JoeSecurity_Quasar | Description: Yara detected Quasar RAT | Author: Joe Security
Source: 0.0.jaTDEkWCbs.exe.10000.0.unpack | Rule: JoeSecurity_Quasar | Description: Yara detected Quasar RAT | Author: Joe Security
Source: 0.0.jaTDEkWCbs.exe.10000.0.unpack | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: 0.0.jaTDEkWCbs.exe.10000.0.unpack | Rule: MAL_QuasarRAT_May19_1 | Description: Detects QuasarRAT malware | Author: Florian Roth
Source: 0.0.jaTDEkWCbs.exe.10000.0.unpack | Rule: INDICATOR_SUSPICIOUS_GENInfoStealer | Description: Detects executables containing common artifacts observed in infostealers | Author: ditekSHen
Source: 0.0.jaTDEkWCbs.exe.10000.0.unpack | Rule: MALWARE_Win_QuasarStealer | Description: Detects Quasar infostealer | Author: ditekshen

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "schtasks" /create /tn "Svc" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Svc.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "Svc" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Svc.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\SubDir\Svc.exe", ParentImage: C:\Users\user\AppData\Roaming\SubDir\Svc.exe, ParentProcessId: 7160, ParentProcessName: Svc.exe, ProcessCommandLine: "schtasks" /create /tn "Svc" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Svc.exe" /rl HIGHEST /f, ProcessId: 5328, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "schtasks" /create /tn "Svc" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Svc.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "Svc" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Svc.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\jaTDEkWCbs.exe", ParentImage: C:\Users\user\Desktop\jaTDEkWCbs.exe, ParentProcessId: 6856, ParentProcessName: jaTDEkWCbs.exe, ProcessCommandLine: "schtasks" /create /tn "Svc" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Svc.exe" /rl HIGHEST /f, ProcessId: 7012, ProcessName: schtasks.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-05T16:57:01.626351+0100 | 2035595 | 1 | Domain Observed Used for C2 Detected | 154.216.19.144 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-05T16:57:01.626351+0100 | 2027619 | 1 | Domain Observed Used for C2 Detected | 154.216.19.144 | 7000 | 192.168.2.4 | 49731 | TCP


AV Detection

Source: jaTDEkWCbs.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | Avira: detection malicious, Label: HEUR/AGEN.1307453
Source: jaTDEkWCbs.exe | Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "154.216.19.144:7000;", "SubDirectory": "SubDir", "InstallName": "Svc.exe", "MutexName": "9aaccf69-ec3a-44b7-854b-ecd43ee8e151", "Tag": "Miner", "LogDirectoryName": "Logs", "ServerSignature": "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", "ServerCertificate": "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"}
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | ReversingLabs: Detection: 76%
Source: jaTDEkWCbs.exe | ReversingLabs: Detection: 76%
Source: jaTDEkWCbs.exe | Virustotal: Detection: 83%
Source: Yara match | File source: jaTDEkWCbs.exe, type: SAMPLE
Source: Yara match | File source: 0.0.jaTDEkWCbs.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1646873443.0000000000330000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4113781005.0000000003633000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1676683355.000000001AF32000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1646539698.0000000000012000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: jaTDEkWCbs.exe PID: 6856, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Svc.exe PID: 7160, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | Joe Sandbox ML: detected
Source: jaTDEkWCbs.exe | Joe Sandbox ML: detected
Source: jaTDEkWCbs.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: jaTDEkWCbs.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Network traffic | Suricata IDS: 2027619 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (Quasar CnC) : 154.216.19.144:7000 -> 192.168.2.4:49731
Source: Network traffic | Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 154.216.19.144:7000 -> 192.168.2.4:49731
Source: Malware configuration extractor | URLs: 154.216.19.144
Source: Yara match | File source: jaTDEkWCbs.exe, type: SAMPLE
Source: Yara match | File source: 0.0.jaTDEkWCbs.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.4:49731 -> 154.216.19.144:7000
Source: global traffic | TCP traffic: 192.168.2.4:55545 -> 162.159.36.2:53
Source: Joe Sandbox View | IP Address: 195.201.57.90
Source: Joe Sandbox View | ASN Name: SKHT-ASShenzhenKatherineHengTechnologyInformationCo
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: ipwho.is
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0 Host: ipwho.is Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 154.216.19.144
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: ipwho.is
Source: SIHClient.exe, 00000007.00000003.2123691398.00000200E91AD000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000007.00000003.1842226805.00000200E91AD000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000007.00000003.1842641547.00000200E91AD000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000007.00000003.1841186582.00000200E91AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micros
Source: Svc.exe, 00000003.00000002.4121697949.000000001BEEC000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.3.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: SIHClient.exe, 00000007.00000003.1841105870.00000200E9B41000.00000004.00000020.00020000.00000000.sdmp, 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.7.dr, 57C8EDB95DF3F0AD4EE2DC2B8CFD41571.7.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: SIHClient.exe, 00000007.00000003.1841186582.00000200E91AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?2d7ac7e
Source: Svc.exe, 00000003.00000002.4112725497.0000000001528000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enamDa
Source: SIHClient.exe, 00000007.00000003.1841407204.00000200E9134000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?863d
Source: Svc.exe, 00000003.00000002.4113781005.00000000035E5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ipwho.is
Source: Svc.exe, 00000003.00000002.4113781005.0000000003633000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: jaTDEkWCbs.exe, 00000000.00000002.1674040606.0000000002621000.00000004.00000800.00020000.00000000.sdmp, Svc.exe, 00000003.00000002.4113781005.0000000003239000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: jaTDEkWCbs.exe, Svc.exe.0.dr | String found in binary or memory: https://api.ipify.org/
Source: Svc.exe, 00000003.00000002.4113781005.00000000035CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ipwho.is
Source: jaTDEkWCbs.exe, Svc.exe.0.dr | String found in binary or memory: https://ipwho.is/
Source: jaTDEkWCbs.exe, Svc.exe.0.dr | String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: jaTDEkWCbs.exe, Svc.exe.0.dr | String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: jaTDEkWCbs.exe, Svc.exe.0.dr | String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.4:49733 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\SubDir\Svc.exe

E-Banking Fraud

Source: Yara match | File source: jaTDEkWCbs.exe, type: SAMPLE
Source: Yara match | File source: 0.0.jaTDEkWCbs.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1646873443.0000000000330000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4113781005.0000000003633000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1676683355.000000001AF32000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1646539698.0000000000012000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: jaTDEkWCbs.exe PID: 6856, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Svc.exe PID: 7160, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe, type: DROPPED

System Summary

Source: jaTDEkWCbs.exe, type: SAMPLE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: jaTDEkWCbs.exe, type: SAMPLE | Matched rule: Detects executables containing common artifacts observed in infostealers Author: ditekSHen
Source: jaTDEkWCbs.exe, type: SAMPLE | Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.0.jaTDEkWCbs.exe.10000.0.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.0.jaTDEkWCbs.exe.10000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifacts observed in infostealers Author: ditekSHen
Source: 0.0.jaTDEkWCbs.exe.10000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer Author: ditekshen
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe, type: DROPPED | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe, type: DROPPED | Matched rule: Detects executables containing common artifacts observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe, type: DROPPED | Matched rule: Detects Quasar infostealer Author: ditekshen
Source: C:\Windows\System32\SIHClient.exe | File created: C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\TMP6733.tmp
Source: C:\Windows\System32\SIHClient.exe | File created: C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\TMP49C4.tmp
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | Code function: 3_2_00007FFD9B9F7C16
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | Code function: 3_2_00007FFD9B9FEB29
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | Code function: 3_2_00007FFD9B9E9271
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | Code function: 3_2_00007FFD9B9FCAD5
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | Code function: 3_2_00007FFD9B9F8A0F
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | Code function: 3_2_00007FFD9B9EAFDD
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | Code function: 3_2_00007FFD9B9FB851
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | Code function: 3_2_00007FFD9B9E9FD0
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | Code function: 3_2_00007FFD9B9FFE80
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | Code function: 3_2_00007FFD9B9E55D6
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | Code function: 3_2_00007FFD9B9E621F
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | Code function: 3_2_00007FFD9B9F7719
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | Code function: 3_2_00007FFD9BB02321
Source: jaTDEkWCbs.exe, 00000000.00000002.1676683355.000000001AF32000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClient.exe. vs jaTDEkWCbs.exe
Source: jaTDEkWCbs.exe, 00000000.00000000.1646873443.0000000000330000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameClient.exe. vs jaTDEkWCbs.exe
Source: jaTDEkWCbs.exe | Binary or memory string: OriginalFilenameClient.exe. vs jaTDEkWCbs.exe
Source: jaTDEkWCbs.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: jaTDEkWCbs.exe, type: SAMPLE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: jaTDEkWCbs.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifacts observed in infostealers
Source: jaTDEkWCbs.exe, type: SAMPLE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.0.jaTDEkWCbs.exe.10000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.0.jaTDEkWCbs.exe.10000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifacts observed in infostealers
                        Source: 0.0.jaTDEkWCbs.exe.10000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe, type: DROPPEDMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe, type: DROPPEDMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe, type: DROPPEDMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                        Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@11/13@1/2
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeFile created: C:\Users\user\AppData\Roaming\SubDirJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeMutant created: NULL
                        Source: C:\Windows\System32\SIHClient.exeMutant created: {376155FF-95A0-46CA-8F57-ACB09EA70153}
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeMutant created: \Sessions\1\BaseNamedObjects\Local\9aaccf69-ec3a-44b7-854b-ecd43ee8e151
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7028:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5688:120:WilError_03
                        Source: jaTDEkWCbs.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: jaTDEkWCbs.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                        Source: C:\Windows\System32\SIHClient.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\System32\SIHClient.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\System32\SIHClient.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\System32\SIHClient.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: jaTDEkWCbs.exeReversingLabs: Detection: 76%
                        Source: jaTDEkWCbs.exeVirustotal: Detection: 83%
                        Source: jaTDEkWCbs.exeString found in binary or memory: HasSubValue3Conflicting item/add type
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeFile read: C:\Users\user\Desktop\jaTDEkWCbs.exeJump to behavior
                        Source: unknownProcess created: C:\Users\user\Desktop\jaTDEkWCbs.exe "C:\Users\user\Desktop\jaTDEkWCbs.exe"
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Svc" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Svc.exe" /rl HIGHEST /f
                        Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\Svc.exe "C:\Users\user\AppData\Roaming\SubDir\Svc.exe"
                        Source: unknownProcess created: C:\Users\user\AppData\Roaming\SubDir\Svc.exe C:\Users\user\AppData\Roaming\SubDir\Svc.exe
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Svc" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Svc.exe" /rl HIGHEST /f
                        Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess created: C:\Windows\System32\SIHClient.exe C:\Windows\System32\sihclient.exe /cv Bp2r6cK9Lk66qUuk5S0sFA.0.2
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Svc" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Svc.exe" /rl HIGHEST /fJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\Svc.exe "C:\Users\user\AppData\Roaming\SubDir\Svc.exe"Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Svc" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Svc.exe" /rl HIGHEST /fJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeSection loaded: ntmarta.dllJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: schannel.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: mskeyprotect.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: ntasn1.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: ncrypt.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: ncryptsslp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: cryptnet.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: winnsi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: winhttp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: dhcpcsvc6.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: dhcpcsvc.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: webio.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: dnsapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: rasadhlp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: fwpuclnt.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: cabinet.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: rasapi32.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: rasman.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: rtutils.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                        Source: C:\Windows\System32\SIHClient.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{07369A67-07A6-4608-ABEA-379491CB7C46}\InprocServer32Jump to behavior
                        Source: jaTDEkWCbs.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: jaTDEkWCbs.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                        Source: jaTDEkWCbs.exeStatic file information: File size 3265536 > 1048576
                        Source: jaTDEkWCbs.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x31c400
                        Source: jaTDEkWCbs.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeCode function: 0_2_00007FFD9B7800BD pushad ; iretd 0_2_00007FFD9B7800C1
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeCode function: 3_2_00007FFD9B65D2A5 pushad ; iretd 3_2_00007FFD9B65D2A6
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeCode function: 3_2_00007FFD9B772BE5 pushad ; iretd 3_2_00007FFD9B772C3D
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeCode function: 3_2_00007FFD9B772B85 pushad ; iretd 3_2_00007FFD9B772C3D
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeCode function: 3_2_00007FFD9B7700BD pushad ; iretd 3_2_00007FFD9B7700C1
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeCode function: 3_2_00007FFD9B9E336E push eax; ret 3_2_00007FFD9B9E340C
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeCode function: 3_2_00007FFD9B9FF03A push esp; iretd 3_2_00007FFD9B9FF03C
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeCode function: 3_2_00007FFD9BB02321 push edx; retf 5F1Fh3_2_00007FFD9BB05A3B
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeCode function: 4_2_00007FFD9B7500BD pushad ; iretd 4_2_00007FFD9B7500C1

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe - Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob (repeated 2 times)
Source: C:\Users\user\Desktop\jaTDEkWCbs.exe - File created: C:\Users\user\AppData\Roaming\SubDir\Svc.exe (dropped file)
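The registry write above is what a root-CA install looks like from the registry side: the key name under SystemCertificates\ROOT\Certificates is the SHA-1 thumbprint of the certificate, and the Blob value is a property bag that carries the DER-encoded certificate. The script below is an added example, not part of the Joe Sandbox report or the sample's code: it parses a Sysmon Event ID 13-style registry-set record, extracts the certificate from a Blob, and checks that the thumbprint in the key name matches the stored certificate. SAMPLE_EVENT reuses the report's writer path but a constructed thumbprint; FAKE_DER is a placeholder byte string rather than a real certificate; TRUSTED_WRITERS and the empty KNOWN_ROOT_THUMBPRINTS baseline are assumptions to adapt to your estate.

```python
"""Flag root-store certificate installs and verify the Blob that was written.

Added example, not from the Joe Sandbox report. SAMPLE_EVENT is constructed in the
shape of a Sysmon Event ID 13 (registry value set) record; FAKE_DER is a placeholder,
not a real certificate, and FAKE_BLOB is built from it so the script runs offline.
On a live host the Blob bytes would be read from the key named in the alert.
"""
import hashlib
import re
import struct
from typing import Optional

STORE_VALUE = re.compile(
    r"^(?P<hive>HKLM|HKEY_LOCAL_MACHINE|HKCU|HKEY_CURRENT_USER|HKU\\[^\\]+)\\SOFTWARE\\Microsoft\\"
    r"SystemCertificates\\(?P<store>ROOT|AuthRoot|CA)\\Certificates\\(?P<thumbprint>[0-9A-F]{40})\\Blob$",
    re.I)
CERT_CERT_PROP_ID = 32  # property whose value is the DER-encoded certificate
TRUSTED_WRITERS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")  # assumed baseline
KNOWN_ROOT_THUMBPRINTS: set = set()  # assumed baseline of approved thumbprints (empty here)


def build_blob(props: dict) -> bytes:
    """Serialise {prop_id: bytes} in the certificate Blob layout:
    DWORD prop_id, DWORD reserved (always 1), DWORD length, then the bytes."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data for pid, data in props.items())


def parse_blob(blob: bytes) -> dict:
    """Inverse of build_blob; raises ValueError on a truncated record."""
    props, off = {}, 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError("truncated property header")
        pid, _reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if off + length > len(blob):
            raise ValueError("truncated property body")
        props[pid] = blob[off:off + length]
        off += length
    return props


def analyse(event: dict, blob: bytes) -> Optional[dict]:
    """Verdict for a certificate-store write, or None if the event is unrelated."""
    m = STORE_VALUE.match(event["TargetObject"])
    if not m:
        return None
    claimed = m["thumbprint"].upper()
    der = parse_blob(blob).get(CERT_CERT_PROP_ID, b"")
    actual = hashlib.sha1(der).hexdigest().upper()  # the key name is the SHA-1 thumbprint
    reasons = []
    if not event["Image"].lower().startswith(TRUSTED_WRITERS):
        reasons.append("writer is not a Windows certificate-management binary: " + event["Image"])
    if m["hive"].upper() in ("HKLM", "HKEY_LOCAL_MACHINE"):
        reasons.append("machine-wide store: every user and service on the host now trusts this CA")
    if claimed not in KNOWN_ROOT_THUMBPRINTS:
        reasons.append("thumbprint not in the approved root baseline")
    if actual != claimed:
        reasons.append(f"key name {claimed} does not match SHA-1 of the stored certificate ({actual})")
    return {"store": m["store"].upper(), "thumbprint": claimed, "sha1_of_der": actual,
            "reasons": reasons, "suspicious": bool(reasons)}


# Constructed sample: a placeholder DER body and the Blob/key name derived from it.
FAKE_DER = bytes.fromhex("3082010a0282010100") + bytes(range(64))
FAKE_THUMBPRINT = hashlib.sha1(FAKE_DER).hexdigest().upper()
FAKE_BLOB = build_blob({3: hashlib.sha1(FAKE_DER).digest(), CERT_CERT_PROP_ID: FAKE_DER})
SAMPLE_EVENT = {
    "EventType": "SetValue",
    "Image": r"C:\Users\user\AppData\Roaming\SubDir\Svc.exe",
    "TargetObject": "\\".join([r"HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates",
                               FAKE_THUMBPRINT, "Blob"]),
}

if __name__ == "__main__":
    verdict = analyse(SAMPLE_EVENT, FAKE_BLOB)
    print(verdict["store"], verdict["thumbprint"], "SUSPICIOUS" if verdict["suspicious"] else "ok")
    for r in verdict["reasons"]:
        print("  -", r)
```

The thumbprint comparison matters during response: a key whose name does not hash to the certificate it contains was written by something other than the Windows certificate APIs, and a mismatch-free write from a user-profile binary is still a hand-installed root CA that should be pulled with the original certificate bytes preserved as evidence.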

Boot Survival

Source: C:\Users\user\Desktop\jaTDEkWCbs.exe - Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Svc" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Svc.exe" /rl HIGHEST /f
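The command line above combines four traits in one invocation: an ONLOGON trigger, a binary under the user's AppData, /rl HIGHEST, and /f to overwrite any existing task of the same name. The script below is an added example, not part of the report or the sample: it parses schtasks command lines from process-creation telemetry into their switches and flags that combination. REPORTED is the command line the report recorded; BENIGN and the PERSISTENT_TRIGGERS / USER_WRITABLE heuristics are constructed assumptions.

```python
"""Triage schtasks /create command lines for the logon-persistence pattern.

Added example, not from the Joe Sandbox report. REPORTED is the exact command line
the report recorded; BENIGN is a constructed line for contrast.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Triggers that re-run the action with no user involvement (assumed list).
PERSISTENT_TRIGGERS = {"ONLOGON", "ONSTART"}
# Directories a standard user can write to; a service-like task should not point here.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Public)\\", re.I)


@dataclass
class Finding:
    task_name: str
    action: str
    trigger: str
    run_level: str
    tags: set = field(default_factory=set)

    @property
    def suspicious(self) -> bool:
        # Persistence alone is common; persistence plus elevation or a
        # user-writable binary is the combination worth paging on.
        return "persistent-trigger" in self.tags and bool(
            {"highest-run-level", "user-writable-action"} & self.tags)


def tokenize(cmd: str) -> list:
    """Split a Windows command line on whitespace, keeping quoted runs whole.
    Surrounding quotes are removed; backslashes are untouched (no POSIX escaping)."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def parse_schtasks(cmd: str) -> dict:
    """Map each /switch of a schtasks invocation to its value (bare flags map to True)."""
    toks = tokenize(cmd)
    opts, i = {}, 1  # toks[0] is the program name
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i][1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[key] = toks[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def triage(cmd: str) -> Optional[Finding]:
    """Return a Finding for a task-creation command line, None for anything else."""
    opts = parse_schtasks(cmd)
    if "create" not in opts:
        return None
    f = Finding(task_name=str(opts.get("tn", "")), action=str(opts.get("tr", "")),
                trigger=str(opts.get("sc", "")).upper(), run_level=str(opts.get("rl", "")).upper())
    if f.trigger in PERSISTENT_TRIGGERS:
        f.tags.add("persistent-trigger")
    if f.run_level == "HIGHEST":
        f.tags.add("highest-run-level")
    if USER_WRITABLE.search(f.action):
        f.tags.add("user-writable-action")
    if opts.get("f") is True:
        f.tags.add("force-overwrite")  # /f silently replaces a task of the same name
    return f


# The command line recorded in the report, and a constructed benign one.
REPORTED = r'"schtasks" /create /tn "Svc" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Svc.exe" /rl HIGHEST /f'
BENIGN = r'schtasks /create /tn "Acme Backup" /sc DAILY /st 02:00 /tr "C:\Program Files\Acme\backup.exe"'

if __name__ == "__main__":
    for line in (REPORTED, BENIGN):
        finding = triage(line)
        label = "SUSPICIOUS" if finding.suspicious else "ok"
        print(f"{label:10s} {finding.task_name!r} -> {finding.action} [{', '.join(sorted(finding.tags))}]")
```

Note that /rl HIGHEST only elevates if the creating account is already an administrator; for a standard user the task still runs, but at medium integrity. The tag is kept because the intent is the same either way, and the report shows the task being registered twice (once by the dropper, once by the dropped copy), which is exactly the situation /f exists to paper over.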

                        Hooking and other Techniques for Hiding and Protection

                        barindex
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeFile opened: C:\Users\user\Desktop\jaTDEkWCbs.exe:Zone.Identifier read attributes | deleteJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeFile opened: C:\Users\user\AppData\Roaming\SubDir\Svc.exe:Zone.Identifier read attributes | deleteJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeFile opened: C:\Users\user\AppData\Roaming\SubDir\Svc.exe:Zone.Identifier read attributes | deleteJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOTJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 BlobJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\jaTDEkWCbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\SIHClient.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\jaTDEkWCbs.exe | Memory allocated: 970000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\jaTDEkWCbs.exe | Memory allocated: 1A620000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | Memory allocated: 1840000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | Memory allocated: 1B200000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | Memory allocated: BC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | Memory allocated: 1A8D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | Code function: 3_2_00007FFD9B77F1F2 str ax | 3_2_00007FFD9B77F1F2
Source: C:\Users\user\Desktop\jaTDEkWCbs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | Window / User API: threadDelayed 2366
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | Window / User API: threadDelayed 7454
Source: C:\Users\user\Desktop\jaTDEkWCbs.exe TID: 6916 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe TID: 1848 | Thread sleep count: 31 > 30
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe TID: 1848 | Thread sleep time: -28592453314249787s >= -30000s
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe TID: 7096 | Thread sleep count: 2366 > 30
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe TID: 7096 | Thread sleep count: 7454 > 30
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe TID: 5544 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe TID: 3592 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\SIHClient.exe TID: 6920 | Thread sleep time: -90000s >= -30000s
Source: C:\Windows\System32\schtasks.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\schtasks.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32\SIHClient.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\SIHClient.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\schtasks.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\schtasks.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\SIHClient.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\SIHClient.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\jaTDEkWCbs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | Thread delayed: delay time: 922337203685477
Source: Svc.exe, 00000003.00000002.4121697949.000000001BEEC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW`;
Source: SIHClient.exe, 00000007.00000003.1841479417.00000200E916A000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000007.00000002.2125216207.00000200E916A000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000007.00000003.2124150743.00000200E916A000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000007.00000003.2123691398.00000200E916A000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000007.00000003.1842226805.00000200E916A000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000007.00000003.1842641547.00000200E916A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWyQY
Source: Svc.exe, 00000003.00000002.4120723237.000000001BB80000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000007.00000003.2124150743.00000200E9117000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000007.00000003.1841479417.00000200E916A000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000007.00000002.2125216207.00000200E916A000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000007.00000003.2124150743.00000200E916A000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000007.00000003.2123691398.00000200E916A000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000007.00000003.1842226805.00000200E916A000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000007.00000002.2125216207.00000200E9117000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000007.00000003.1842641547.00000200E916A000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000007.00000003.1841450512.00000200E911A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\jaTDEkWCbs.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\jaTDEkWCbs.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\jaTDEkWCbs.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Svc" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Svc.exe" /rl HIGHEST /f
Source: C:\Users\user\Desktop\jaTDEkWCbs.exe | Process created: C:\Users\user\AppData\Roaming\SubDir\Svc.exe "C:\Users\user\AppData\Roaming\SubDir\Svc.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Svc" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Svc.exe" /rl HIGHEST /f
Source: C:\Users\user\Desktop\jaTDEkWCbs.exe | Queries volume information: C:\Users\user\Desktop\jaTDEkWCbs.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Svc.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe | Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Svc.exe VolumeInformation
Source: C:\Users\user\Desktop\jaTDEkWCbs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: jaTDEkWCbs.exe, type: SAMPLE
Source: Yara match | File source: 0.0.jaTDEkWCbs.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1646873443.0000000000330000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4113781005.0000000003633000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1676683355.000000001AF32000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1646539698.0000000000012000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: jaTDEkWCbs.exe PID: 6856, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Svc.exe PID: 7160, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: jaTDEkWCbs.exe, type: SAMPLE
Source: Yara match | File source: 0.0.jaTDEkWCbs.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1646873443.0000000000330000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4113781005.0000000003633000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1676683355.000000001AF32000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1646539698.0000000000012000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: jaTDEkWCbs.exe PID: 6856, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Svc.exe PID: 7160, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe, type: DROPPED
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 31 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 11 Input Capture | 33 System Information Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 Scheduled Task/Job | 11 Process Injection | 1 Obfuscated Files or Information | LSASS Memory | 1 Query Registry | Remote Desktop Protocol | 11 Input Capture | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | Logon Script (Windows) | 1 Scheduled Task/Job | 1 Install Root Certificate | Security Account Manager | 121 Security Software Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 61 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Masquerading | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | 113 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Modify Registry | Cached Domain Credentials | 1 Remote System Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 61 Virtualization/Sandbox Evasion | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 11 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Hidden Files and Directories | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph ID: 1584485 | Sample: jaTDEkWCbs.exe | Start date: 05/01/2025 | Architecture: WINDOWS | Score: 100
- DNS/IP: ipwho.is; bg.microsoft.map.fastly.net
- Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 7 other signatures
- jaTDEkWCbs.exe started
  - Dropped: C:\Users\user\AppData\Roaming\...\Svc.exe, PE32; C:\Users\user\AppData\...\jaTDEkWCbs.exe.log, CSV
  - Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Hides that the sample has been downloaded from the Internet (zone.identifier)
  - Svc.exe started
    - DNS/IP: 154.216.19.144, 49731, 7000 SKHT-ASShenzhenKatherineHengTechnologyInformationCo Seychelles; ipwho.is 195.201.57.90, 443, 49733 HETZNER-ASDE Germany
    - Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Installs new ROOT certificates; 3 other signatures
    - schtasks.exe started
      - conhost.exe started
  - schtasks.exe started
    - conhost.exe started
  - SIHClient.exe started
- Svc.exe started

Source | Detection | Scanner | Label
jaTDEkWCbs.exe | 76% | ReversingLabs | ByteCode-MSIL.Backdoor.Quasar
jaTDEkWCbs.exe | 83% | Virustotal
jaTDEkWCbs.exe | 100% | Avira | HEUR/AGEN.1307453
jaTDEkWCbs.exe | 100% | Joe Sandbox ML

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\SubDir\Svc.exe | 100% | Avira | HEUR/AGEN.1307453
C:\Users\user\AppData\Roaming\SubDir\Svc.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Roaming\SubDir\Svc.exe | 76% | ReversingLabs | ByteCode-MSIL.Backdoor.Quasar

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
154.216.19.144 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
ipwho.is | 195.201.57.90 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://ipwho.is/ | false | | high
154.216.19.144 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | jaTDEkWCbs.exe, Svc.exe.0.dr | false | | high
https://stackoverflow.com/q/14436606/23354 | jaTDEkWCbs.exe, Svc.exe.0.dr | false | | high
https://stackoverflow.com/q/2152978/23354sCannot | jaTDEkWCbs.exe, Svc.exe.0.dr | false | | high
http://schemas.datacontract.org/2004/07/ | Svc.exe, 00000003.00000002.4113781005.0000000003633000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | jaTDEkWCbs.exe, 00000000.00000002.1674040606.0000000002621000.00000004.00000800.00020000.00000000.sdmp, Svc.exe, 00000003.00000002.4113781005.0000000003239000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ipwho.is | Svc.exe, 00000003.00000002.4113781005.00000000035E5000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/11564914/23354; | jaTDEkWCbs.exe, Svc.exe.0.dr | false | | high
https://ipwho.is | Svc.exe, 00000003.00000002.4113781005.00000000035CB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.micros | SIHClient.exe, 00000007.00000003.2123691398.00000200E91AD000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000007.00000003.1842226805.00000200E91AD000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000007.00000003.1842641547.00000200E91AD000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000007.00000003.1841186582.00000200E91AD000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
154.216.19.144 | unknown | Seychelles | 135357 | SKHT-ASShenzhenKatherineHengTechnologyInformationCo | true
195.201.57.90 | ipwho.is | Germany | 24940 | HETZNER-ASDE | false
                                                Joe Sandbox version:41.0.0 Charoite
                                                Analysis ID:1584485
                                                Start date and time:2025-01-05 16:56:08 +01:00
                                                Joe Sandbox product:CloudBasic
                                                Overall analysis duration:0h 8m 0s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:11
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Sample name:jaTDEkWCbs.exe
                                                renamed because original name is a hash value
                                                Original Sample Name:b48f94c872bb4e3596924f7f587b0a54.exe
                                                Detection:MAL
                                                Classification:mal100.troj.spyw.evad.winEXE@11/13@1/2
                                                EGA Information:
                                                • Successful, ratio: 66.7%
                                                HCA Information:
                                                • Successful, ratio: 92%
                                                • Number of executed functions: 58
                                                • Number of non-executed functions: 2
                                                Cookbook Comments:
                                                • Found application associated with file extension: .exe
                                                • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
                                                • Excluded IPs from analysis (whitelisted): 199.232.210.172, 4.245.163.56, 199.232.214.172, 20.3.187.198, 13.107.246.45
                                                • Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, slscr.update.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, d.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.8.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                                                • Execution Graph export aborted for target Svc.exe, PID 5308 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                • Report size getting too big, too many NtCreateKey calls found.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
10:57:00 | API Interceptor | 15719261x Sleep call for process: Svc.exe modified
10:57:15 | API Interceptor | 3x Sleep call for process: SIHClient.exe modified
15:56:59 | Task Scheduler | Run new task: Svc path: C:\Users\user\AppData\Roaming\SubDir\Svc.exe
Match: 195.201.57.90
Associated Sample Name / URL | Detection | Threat Name | Context
SPt4FUjZMt.exe | malicious | AsyncRAT, Luca Stealer, MicroClip, PythonCryptoHijacker, RedLine | /?output=json
765iYbgWn9.exe | malicious | Luca Stealer | /?output=json
765iYbgWn9.exe | malicious | Luca Stealer | /?output=json
WfKynArKjH.exe | malicious | AsyncRAT, Luca Stealer, MicroClip, RedLine | /?output=json
ubes6SC7Vd.exe | malicious | Unknown | ipwhois.app/xml/
cOQD62FceM.exe | malicious | Luca Stealer, Rusty Stealer | /?output=json
Clipper.exe | malicious | Unknown | /?output=json
cOQD62FceM.exe | malicious | Luca Stealer | /?output=json
Cryptor.exe | malicious | Luca Stealer | /?output=json
Cryptor.exe | malicious | Luca Stealer, Rusty Stealer | /?output=json
Match: ipwho.is
Associated Sample Name / URL | Detection | Threat Name | Context
2Mi3lKoJfj.exe | malicious | Quasar | 195.201.57.90
YJaaZuNHwI.exe | malicious | Quasar | 195.201.57.90
Flasher.exe | malicious | Luca Stealer, Rusty Stealer | 108.181.61.49
msgde.exe | malicious | Quasar | 108.181.61.49
6ee7HCp9cD.exe | malicious | Quasar | 108.181.61.49
wUSt04rfJ0.exe | malicious | Quasar | 108.181.61.49
https://en.newsnowbangla.com/archives/69912 | malicious | HTMLPhisher, TechSupportScam | 108.181.61.49
StGx54oFh6.exe | malicious | Quasar | 108.181.61.49
1AqzGcCKey.exe | malicious | Quasar | 108.181.61.49
BJtvb5Vdhh.exe | malicious | Quasar | 108.181.61.49

Match: bg.microsoft.map.fastly.net
Associated Sample Name / URL | Detection | Threat Name | Context
3LcZO15oTC.exe | malicious | Unknown | 199.232.210.172
N5kEzgUBn6.exe | malicious | CobaltStrike, Metasploit | 199.232.214.172
Tax_Refund_Claim_2024_Australian_Taxation_Office.js | malicious | Remcos | 199.232.214.172
N5kEzgUBn6.exe | malicious | CobaltStrike, Metasploit | 199.232.210.172
setup64v9.3.4.msi | malicious | Unknown | 199.232.210.172
KpHYfxnJs6.exe | malicious | Blank Grabber | 199.232.210.172
c2.hta | malicious | Remcos | 199.232.214.172
phishingtest.eml | malicious | Unknown | 199.232.214.172
a36r7SLgH7.exe | malicious | AsyncRAT | 199.232.214.172
3lhrJ4X.exe | malicious | LiteHTTP Bot | 199.232.214.172
Match: SKHT-ASShenzhenKatherineHengTechnologyInformationCo
Associated Sample Name / URL | Detection | Threat Name | Context
z0r0.i686.elf | malicious | Mirai | 156.230.19.138
154.216.18.23-boatnet.arm-2025-01-03T11_40_59.elf | malicious | Mirai | 154.216.18.23
154.216.18.23-boatnet.arm7-2025-01-03T11_41_00.elf | malicious | Mirai | 154.216.18.23
arm4.elf | malicious | Unknown | 154.216.19.231
RBI-MontaryFramework.js | malicious | WSHRAT | 154.216.18.17
Hilix.ppc.elf | malicious | Mirai | 156.241.11.76
Hilix.mpsl.elf | malicious | Mirai | 45.207.239.71
2.exe | malicious | XWorm | 45.207.215.58
1.exe | malicious | XWorm | 45.207.215.58
boatnet.mpsl.elf | malicious | Mirai | 154.216.17.216

Match: HETZNER-ASDE
Associated Sample Name / URL | Detection | Threat Name | Context
NpHauDPoR8.exe | malicious | Unknown | 88.198.29.97
armv6l.elf | malicious | Mirai | 85.10.220.49
1.elf | malicious | Unknown | 138.201.212.111
RisingStrip.exe | malicious | Vidar | 116.203.13.109
ebjtOH70jl.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar | 135.181.65.216
2Mi3lKoJfj.exe | malicious | Quasar | 195.201.57.90
3.elf | malicious | Unknown | 195.201.78.91
2.elf | malicious | Unknown | 212.127.42.203
https://klickskydd.skolverket.org/?url=https%3A%2F%2Fwww.gazeta.ru%2Fpolitics%2Fnews%2F2024%2F12%2F22%2F24684722.shtml&id=71de&rcpt=upplysningstjansten@skolverket.se&tss=1735469857&msgid=b53e7603-c5d3-11ef-8a2e-0050569b0508&html=1&h=ded85c63 | malicious | HTMLPhisher | 138.201.139.144
https://www.gazeta.ru/politics/news/2024/12/22/24684722.shtml | malicious | HTMLPhisher | 138.201.139.144
Match (JA3 fingerprint): 3b5074b1b5d032e5620f69f9f700ff0e
Associated Sample Name / URL | Detection | Threat Name | Context
3LcZO15oTC.exe | malicious | Unknown | 195.201.57.90
3LcZO15oTC.exe | malicious | Unknown | 195.201.57.90
elyho3x5zz.exe | malicious | Unknown | 195.201.57.90
17360626254f6ab0798f0d71fe81e2d058a575b873a7088f40695d7fd8031d0961d3a3694a780.dat-decoded.exe | malicious | Remcos | 195.201.57.90
elyho3x5zz.exe | malicious | Unknown | 195.201.57.90
Tax_Refund_Claim_2024_Australian_Taxation_Office.js | malicious | Remcos | 195.201.57.90
c2.hta | malicious | Remcos | 195.201.57.90
3lhrJ4X.exe | malicious | LiteHTTP Bot | 195.201.57.90
CEFA-FAS_LicMgr.exe | malicious | Unknown | 195.201.57.90
                                                No context
                                                Process:C:\Users\user\AppData\Roaming\SubDir\Svc.exe
                                                File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                Category:dropped
                                                Size (bytes):71954
                                                Entropy (8bit):7.996617769952133
                                                Encrypted:true
                                                SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                Malicious:false
                                                Reputation:high, very likely benign file
                                                Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                                                Process:C:\Windows\System32\SIHClient.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):340
                                                Entropy (8bit):3.544866006301853
                                                Encrypted:false
                                                SSDEEP:6:kKTvilC8wZl0iG7DNfUN+SkQlPlEGYRMY9z+s3Ql2DUeXJlOW1:7vi4pl0zLkPlE99SCQl2DUeXJlOA
                                                MD5:A9DEB9F578A8774CC09316D37C70F04C
                                                SHA1:B7E0CFDF203CC43ED9A9F968EF43837CAF9E8F1D
                                                SHA-256:2DE4A2C4EF99EA828C300441657DD4155922CF881B9C887B4FD32D93583F83A4
                                                SHA-512:7337A13EBD8C19D8803D525F789140D03B79281943B444913CC58817F778812255799B8BC98EC1436A009F723BCACAB69EB9CA3618F2F63D975540A16B38A838
                                                Malicious:false
                                                Reputation:low
                                                Preview:p...... ...........}._..(................................................-.@... ........~..MG......&.....6.........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".0.6.c.f.c.c.5.4.d.4.7.d.b.1.:.0."...
                                                Process:C:\Users\user\AppData\Roaming\SubDir\Svc.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):328
                                                Entropy (8bit):3.247897867253902
                                                Encrypted:false
                                                SSDEEP:6:kK3n9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:eDImsLNkPlE99SNxAhUe/3
                                                MD5:167CB36B66BB98ADBD127E7030175D59
                                                SHA1:A84DFD81A2435C903DC49CA2810B32A4C0EBA3E8
                                                SHA-256:3D0310E8C082767C97D5D33A348D846738111F5B794BF9E30E564BEEF784C003
                                                SHA-512:1E3F9B6854533AA900962BC351B359D46C98C914756DA8730BE2AAF0385BE46253B6F8E4EC8D992FEE65A9F7D999BCB2140AD8986D92FBFD7CCF87E7934C747F
                                                Malicious:false
                                                Reputation:low
                                                Preview:p...... ..........._..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                                Process:C:\Users\user\AppData\Roaming\SubDir\Svc.exe
                                                File Type:CSV text
                                                Category:dropped
                                                Size (bytes):1281
                                                Entropy (8bit):5.370111951859942
                                                Encrypted:false
                                                SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                                                MD5:12C61586CD59AA6F2A21DF30501F71BD
                                                SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                                                SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                                                SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                                                Malicious:false
                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                                Process:C:\Users\user\Desktop\jaTDEkWCbs.exe
                                                File Type:CSV text
                                                Category:dropped
                                                Size (bytes):1281
                                                Entropy (8bit):5.370111951859942
                                                Encrypted:false
                                                SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                                                MD5:12C61586CD59AA6F2A21DF30501F71BD
                                                SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                                                SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                                                SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                                                Malicious:true
                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                                Process:C:\Users\user\Desktop\jaTDEkWCbs.exe
                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:dropped
                                                Size (bytes):3265536
                                                Entropy (8bit):6.083948899993219
                                                Encrypted:false
                                                SSDEEP:49152:yvtt62XlaSFNWPjljiFa2RoUYIDHxEESEQk/iRLoGdv1THHB72eh2NT:yvP62XlaSFNWPjljiFXRoUYIbxEh
                                                MD5:B48F94C872BB4E3596924F7F587B0A54
                                                SHA1:748F86A0394486B577978794145328702AC77A62
                                                SHA-256:E3D17377D59312E36A5E3B503A7259FFEAAC4DD742222BE0AD9A8EA443D3F7DE
                                                SHA-512:2704C862668C3AD9F9222761B91861B1C84D84021C1309B309F5CD267FC77E542CA2C821DCCB2D9FF2F2063DBC5B604204C2969FA68C7A0DE3F2E40039655DA1
                                                Malicious:true
                                                Yara Hits:
                                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe, Author: Joe Security
                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe, Author: Joe Security
                                                • Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe, Author: Florian Roth
• Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifacts observed in infostealers, Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe, Author: ditekSHen
                                                • Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe, Author: ditekshen
                                                Antivirus:
                                                • Antivirus: Avira, Detection: 100%
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                • Antivirus: ReversingLabs, Detection: 76%
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..................1...........1.. ........@.. .......................@2...........@...................................1.K.....2...................... 2...................................................... ............... ..H............text.....1.. ....1................. ..`.rsrc.........2.......1.............@..@.reloc....... 2.......1.............@..B..................1.....H........................k..p............................................0..M....... ....(.....(...........s....(....(...........s....o....(.....(....s....(....*....0..8.......(....(0....s....%.o....%.o....%.o....(....&..&...(.....*........--..........00.......0..@........o....,7(....(0....s....%.o....%.o....%.o....(....&..&...(.....*........-5..........08......f~w...,.~....(....(....*.*v.(.....s....}.....s....}....*r..(......(.....(......(....*....0..L........{....r...po....
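The dropped PE above carries the same MD5, SHA1 and SHA-256 as the submitted sample, and the Yara hits name its on-disk path as C:\Users\user\AppData\Roaming\SubDir\Svc.exe, the same path the Task Scheduler entry in the timeline registers as task "Svc". In other words the sample does not unpack a second-stage payload here; it copies itself and schedules the copy. The following is an added example, not code from the Joe Sandbox report or from Joe Security: it parses the report's own flattened dropped-file records and timeline rows (copied verbatim, trimmed to the fields needed) and joins them into that persistence finding. The function names and the two format assumptions (a record begins at each "Process:" line, and the dropped file's path is read from the Yara "Source:" field) are mine, not the report's.

```python
import re
from typing import Dict, List, Tuple

# Input copied from the Joe Sandbox report above (two dropped-file records and
# two timeline rows), trimmed to the fields this check needs. Nothing is invented.
SAMPLE_SHA256 = "e3d17377d59312e36a5e3b503a7259ffeaac4dd742222be0ad9a8ea443d3f7de"

DROPPED_FILES_TEXT = r"""
Process:C:\Users\user\AppData\Roaming\SubDir\Svc.exe
File Type:CSV text
Category:dropped
Size (bytes):1281
SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
Malicious:false
Process:C:\Users\user\Desktop\jaTDEkWCbs.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):3265536
SHA-256:E3D17377D59312E36A5E3B503A7259FFEAAC4DD742222BE0AD9A8EA443D3F7DE
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe, Author: Joe Security
• Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe, Author: Florian Roth
"""

TIMELINE_TEXT = r"""
10:57:00API Interceptor15719261x Sleep call for process: Svc.exe modified
15:56:59Task SchedulerRun new task: Svc path: C:\Users\user\AppData\Roaming\SubDir\Svc.exe
"""

YARA_SOURCE = re.compile(r"Source: ([^,]+),")
TIMELINE_ROW = re.compile(r"^(\d{2}:\d{2}:\d{2})(API Interceptor|Task Scheduler)(.*)$")
TASK_ROW = re.compile(r"Run new task: (\S+) path: (.+)$")


def parse_dropped_files(text: str) -> List[Dict[str, object]]:
    """One dict per dropped file (assumption: a record starts at each
    'Process:' line). Yara bullet lines are reduced to the on-disk path the
    rule fired on, the only place the report names the dropped file's path."""
    records: List[Dict[str, object]] = []
    for line in text.strip().splitlines():
        if line.startswith("Process:"):
            records.append({"Process": line[len("Process:"):], "yara_sources": []})
        elif not records:
            continue
        elif line.startswith("•"):
            m = YARA_SOURCE.search(line)
            if m and m.group(1) not in records[-1]["yara_sources"]:
                records[-1]["yara_sources"].append(m.group(1))
        else:
            key, sep, value = line.partition(":")
            if sep:
                records[-1][key] = value
    return records


def find_self_copies(records, sample_sha256: str) -> List[Dict[str, object]]:
    """A dropped PE whose SHA-256 equals the submitted sample is a self-copy:
    the sample wrote itself to a new location instead of unpacking a payload."""
    hits = []
    for r in records:
        if r.get("Category") != "dropped":
            continue
        if not str(r.get("File Type", "")).startswith("PE32"):
            continue
        if str(r.get("SHA-256", "")).lower() != sample_sha256.lower():
            continue
        hits.append({"dropped_by": r["Process"], "paths": list(r["yara_sources"])})
    return hits


def scheduled_tasks(text: str) -> List[Tuple[str, str]]:
    """(task name, target path) for every 'Run new task' timeline row."""
    tasks = []
    for line in text.strip().splitlines():
        m = TIMELINE_ROW.match(line)
        if not m or m.group(2) != "Task Scheduler":
            continue
        t = TASK_ROW.search(m.group(3))
        if t:
            tasks.append((t.group(1), t.group(2).strip()))
    return tasks


def persistence_findings(records, timeline_text: str, sample_sha256: str) -> List[str]:
    """Join the two views: a scheduled task whose target is a self-copy of the
    sample is the persistence chain to report and to hunt for on other hosts."""
    findings = []
    copies = find_self_copies(records, sample_sha256)
    for task, path in scheduled_tasks(timeline_text):
        for c in copies:
            if any(path.lower() == p.lower() for p in c["paths"]):
                findings.append(
                    f"scheduled task '{task}' runs self-copy {path} "
                    f"(written by {c['dropped_by']}, SHA-256 {sample_sha256})"
                )
    return findings


if __name__ == "__main__":
    for finding in persistence_findings(parse_dropped_files(DROPPED_FILES_TEXT),
                                        TIMELINE_TEXT, SAMPLE_SHA256):
        print(finding)
```

The hash comparison is the important check: a dropped file with a new hash would call for separate triage of a second stage, whereas an identical hash means the host IOCs are just the sample's own hashes plus the path and task name, which is what a fleet-wide hunt for this Quasar build should key on.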
                                                Process:C:\Windows\System32\SIHClient.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):12288
                                                Entropy (8bit):3.286749267011675
                                                Encrypted:false
                                                SSDEEP:192:Fgr0JU1vK2Q7hXdXPXOcMXUXjXdbAX0XjXCiNs4fR:F7JU1vK2Q7hXdXPXOtXUXjXd0X0XjXCK
                                                MD5:E92048BBA48324D51A2AF16D8803F970
                                                SHA1:BC3220BF216436CB54B2357A535162626DB309D3
                                                SHA-256:C330BD4FA6A9B0FCDC8ADB7431C2252B99FF978F29EAF640EDF19B6490404536
                                                SHA-512:29F7184EE826177CC906098F64DC30596A50454AD6166428AB0075DD6624D68EB1A5D7D614676B9DD77BC2143F3AB0B99CF8001A80924BD0FA623057A80A1ED3
                                                Malicious:false
                                                Process:C:\Windows\System32\SIHClient.exe
                                                File Type:Microsoft Cabinet archive data, single, 462 bytes, 1 file, at 0x44 +Utf "environment.xml", flags 0x4, ID 31944, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
                                                Category:dropped
                                                Size (bytes):17126
                                                Entropy (8bit):7.3117215578334935
                                                Encrypted:false
                                                SSDEEP:192:D5X8WyNHDHFzqDHt8AxL5TKG+tJSdqnajapCNjFZYECUqY7oX9qhnJSdqnaja2Sl:qDlsHq4ThPdlmY9CUiqOdlm2W
                                                MD5:1B6460EE0273E97C251F7A67F49ACDB4
                                                SHA1:4A3FDFBB1865C3DAED996BDB5C634AA5164ABBB8
                                                SHA-256:3158032BAC1A6D278CCC2B7D91E2FBC9F01BEABF9C75D500A7F161E69F2C5F4A
                                                SHA-512:3D256D8AC917C6733BAB7CC4537A17D37810EFD690BCA0FA361CF44583476121C9BCCCD9C53994AE05E9F9DFF94FFAD1BB30C0F7AFF6DF68F73411703E3DF88A
                                                Malicious:false
                                                Process:C:\Windows\System32\SIHClient.exe
                                                File Type:Microsoft Cabinet archive data, single, 7826 bytes, 1 file, at 0x44 +Utf "environment.cab", flags 0x4, ID 53283, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
                                                Category:dropped
                                                Size (bytes):24490
                                                Entropy (8bit):7.629144636744632
                                                Encrypted:false
                                                SSDEEP:384:iarwQcY8StpA7IQ6GCq30XPSIleI7lzCuqvfiSIleIx:iartHA7PCFP66Tqvfi6c
                                                MD5:ACD24F781C0C8F48A0BD86A0E9F2A154
                                                SHA1:93B2F4FBF96D15BE0766181AFACDB9FD9DD1B323
                                                SHA-256:5C0A296B3574D170D69C90B092611646FE8991B8D103D412499DBE7BFDCCCC49
                                                SHA-512:7B1D821CF1210947344FCF0F9C4927B42271669015DEA1C179B2BEAD9025941138C139C22C068CBD7219B853C80FA01A04E26790D8D76A38FB8BEBE20E0A2A4A
                                                Malicious:false
                                                Process:C:\Windows\System32\SIHClient.exe
                                                File Type:Microsoft Cabinet archive data, single, 858 bytes, 1 file, at 0x44 +Utf "environment.xml", flags 0x4, ID 12183, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
                                                Category:modified
                                                Size (bytes):19826
                                                Entropy (8bit):7.454351722487538
                                                Encrypted:false
                                                SSDEEP:384:3j+naF6zsHqnltHNsAR9zCfsOCUPTNbZR9zOzD8K:z1F6JLts89zIdrFT9zwoK
                                                MD5:455385A0D5098033A4C17F7B85593E6A
                                                SHA1:E94CC93C84E9A3A99CAD3C2BD01BFD8829A3BCD6
                                                SHA-256:2798430E34DF443265228B6F510FC0CFAC333100194289ED0488D1D62C5367A7
                                                SHA-512:104FA2DAD10520D46EB537786868515683752665757824068383DC4B9C03121B79D9F519D8842878DB02C9630D1DFE2BBC6E4D7B08AFC820E813C250B735621A
                                                Malicious:false
                                                Process:C:\Windows\System32\SIHClient.exe
                                                File Type:Microsoft Cabinet archive data, single, 11149 bytes, 1 file, at 0x44 +Utf "environment.cab", flags 0x4, ID 18779, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
                                                Category:dropped
                                                Size (bytes):30005
                                                Entropy (8bit):7.7369400192915085
                                                Encrypted:false
                                                SSDEEP:768:ouCAyCeQ8fkZdfTGo/its89z8gjP69zA4:Aqf56z8HzT
                                                MD5:4D7FE667BCB647FE9F2DA6FC8B95BDAE
                                                SHA1:B4B20C75C9AC2AD00D131E387BCB839F6FAAABCA
                                                SHA-256:BE273EA75322249FBF58C9CAD3C8DA5A70811837EF9064733E4F5FF1969D4078
                                                SHA-512:DDB8569A5A5F9AD3CCB990B0A723B64CEE4D49FA6515A8E5C029C1B9E2801F59259A0FC401E27372C133952E4C4840521419EF75895260FA22DFF91E0BE09C02
                                                Malicious:false
                                                Process:C:\Windows\System32\SIHClient.exe
                                                File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 4761 bytes, 1 file, at 0x2c +A "disallowedcert.stl", number 1, 1 datablock, 0x1 compression
                                                Category:dropped
                                                Size (bytes):4761
                                                Entropy (8bit):7.945585251880973
                                                Encrypted:false
                                                SSDEEP:96:6ZUpZsm0HwZ8FLSeXs+aiL9qcZ7KtlAD1GlNHgdkVI5F11AcNmwkVFzGz6ENhZC7:62T0QOLl8vAqcZ7K3AUNAdx5FAx9VEOj
                                                MD5:77B20B5CD41BC6BB475CCA3F91AE6E3C
                                                SHA1:9E98ACE72BD2AB931341427A856EF4CEA6FAF806
                                                SHA-256:5511A9B9F9144ED7BDE4CCB074733B7C564D918D2A8B10D391AFC6BE5B3B1509
                                                SHA-512:3537DA5E7F3ABA3DAFE6A86E9511ABA20B7A3D34F30AEA6CC11FEEF7768BD63C0C85679C49E99C3291BD1B552DED2C6973B6C2F7F6D731BCFACECAB218E72FD4
                                                Malicious:false
                                                Process:C:\Windows\System32\SIHClient.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):340
                                                Entropy (8bit):3.250706039037137
                                                Encrypted:false
                                                SSDEEP:6:kK/oYi+kNlq5+7DNfUN+SkQlPlEGYRMY9z+s3Ql2DUeXJlOW1:3QBLkPlE99SCQl2DUeXJlOA
                                                MD5:F6E81C2A5FFBFD366379C5597945A28A
                                                SHA1:09B61632386691795B5C688E88759B24E86E59F0
                                                SHA-256:E069A4A08E50F66C8353072230471037CC1D8379DBC60B4306801188F1B0D866
                                                SHA-512:D3776477EDFD7EC1793816823EF9CBEE7F40DE76C17A638688745B790B89D2AB69054D75C961478154053151580D3D4DD64ACA9D8E56B7B14941D526BA0F562D
                                                Malicious:false
                                                Preview:p...... .........Z.}._..(....................................................... ........~..MG......&.....6.........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".0.6.c.f.c.c.5.4.d.4.7.d.b.1.:.0."...
                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Entropy (8bit):6.083948899993219
                                                TrID:
                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                • Windows Screen Saver (13104/52) 0.07%
                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                File name:jaTDEkWCbs.exe
                                                File size:3'265'536 bytes
                                                MD5:b48f94c872bb4e3596924f7f587b0a54
                                                SHA1:748f86a0394486b577978794145328702ac77a62
                                                SHA256:e3d17377d59312e36a5e3b503a7259ffeaac4dd742222be0ad9a8ea443d3f7de
                                                SHA512:2704c862668c3ad9f9222761b91861b1c84d84021c1309b309f5cd267fc77e542ca2c821dccb2d9ff2f2063dbc5b604204c2969fa68c7a0de3f2e40039655da1
                                                SSDEEP:49152:yvtt62XlaSFNWPjljiFa2RoUYIDHxEESEQk/iRLoGdv1THHB72eh2NT:yvP62XlaSFNWPjljiFXRoUYIbxEh
                                                TLSH:03E55B143BF85F23E1BBE273D5B0441667F0E81AB3A3EB1B1191677E1C93B5058426AB
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..................1...........1.. ........@.. .......................@2...........@................................
                                                Icon Hash:90cececece8e8eb0
                                                Entrypoint:0x71e3de
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                Time Stamp:0x640DFAE7 [Sun Mar 12 16:16:39 2023 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                Instruction
                                                jmp dword ptr [00402000h]
                                                add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x31e390 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x320000 | 0xa93 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x322000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x31c3e4 | 0x31c400 | 8ec6cf35289b805e60209e1f38806379 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x320000 | 0xa93 | 0xc00 | cdeae95ac72e9e58017d2bcc89d2fbea | False | 0.36328125 | data | 4.653972105845318 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x322000 | 0xc | 0x200 | 576e09f300aa2216eb4d32ea1fecea5f | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x3200a0 | 0x31c | data | | | 0.4484924623115578
RT_MANIFEST | 0x3203bc | 0x6d7 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text | | | 0.40319817247287265
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-05T16:57:01.626351+0100 | 2027619 | ET MALWARE Observed Malicious SSL Cert (Quasar CnC) | 1 | 154.216.19.144 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-05T16:57:01.626351+0100 | 2035595 | ET MALWARE Generic AsyncRAT Style SSL Cert | 1 | 154.216.19.144 | 7000 | 192.168.2.4 | 49731 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 5, 2025 16:57:00.917324066 CET | 49731 | 7000 | 192.168.2.4 | 154.216.19.144
Jan 5, 2025 16:57:00.924310923 CET | 7000 | 49731 | 154.216.19.144 | 192.168.2.4
Jan 5, 2025 16:57:00.924396992 CET | 49731 | 7000 | 192.168.2.4 | 154.216.19.144
Jan 5, 2025 16:57:00.934417009 CET | 49731 | 7000 | 192.168.2.4 | 154.216.19.144
Jan 5, 2025 16:57:00.941242933 CET | 7000 | 49731 | 154.216.19.144 | 192.168.2.4
Jan 5, 2025 16:57:01.617970943 CET | 7000 | 49731 | 154.216.19.144 | 192.168.2.4
Jan 5, 2025 16:57:01.617986917 CET | 7000 | 49731 | 154.216.19.144 | 192.168.2.4
Jan 5, 2025 16:57:01.618045092 CET | 49731 | 7000 | 192.168.2.4 | 154.216.19.144
Jan 5, 2025 16:57:01.621536016 CET | 49731 | 7000 | 192.168.2.4 | 154.216.19.144
Jan 5, 2025 16:57:01.626351118 CET | 7000 | 49731 | 154.216.19.144 | 192.168.2.4
Jan 5, 2025 16:57:01.830532074 CET | 7000 | 49731 | 154.216.19.144 | 192.168.2.4
Jan 5, 2025 16:57:01.877422094 CET | 49731 | 7000 | 192.168.2.4 | 154.216.19.144
Jan 5, 2025 16:57:02.737772942 CET | 49733 | 443 | 192.168.2.4 | 195.201.57.90
Jan 5, 2025 16:57:02.737876892 CET | 443 | 49733 | 195.201.57.90 | 192.168.2.4
Jan 5, 2025 16:57:02.737946987 CET | 49733 | 443 | 192.168.2.4 | 195.201.57.90
Jan 5, 2025 16:57:02.738918066 CET | 49733 | 443 | 192.168.2.4 | 195.201.57.90
Jan 5, 2025 16:57:02.738956928 CET | 443 | 49733 | 195.201.57.90 | 192.168.2.4
Jan 5, 2025 16:57:03.617000103 CET | 443 | 49733 | 195.201.57.90 | 192.168.2.4
Jan 5, 2025 16:57:03.617100954 CET | 49733 | 443 | 192.168.2.4 | 195.201.57.90
Jan 5, 2025 16:57:03.624456882 CET | 49733 | 443 | 192.168.2.4 | 195.201.57.90
Jan 5, 2025 16:57:03.624490976 CET | 443 | 49733 | 195.201.57.90 | 192.168.2.4
Jan 5, 2025 16:57:03.624747992 CET | 443 | 49733 | 195.201.57.90 | 192.168.2.4
Jan 5, 2025 16:57:03.630697012 CET | 49733 | 443 | 192.168.2.4 | 195.201.57.90
Jan 5, 2025 16:57:03.671341896 CET | 443 | 49733 | 195.201.57.90 | 192.168.2.4
Jan 5, 2025 16:57:03.827655077 CET | 443 | 49733 | 195.201.57.90 | 192.168.2.4
Jan 5, 2025 16:57:03.827733994 CET | 443 | 49733 | 195.201.57.90 | 192.168.2.4
Jan 5, 2025 16:57:03.828341961 CET | 49733 | 443 | 192.168.2.4 | 195.201.57.90
Jan 5, 2025 16:57:03.907145977 CET | 49733 | 443 | 192.168.2.4 | 195.201.57.90
Jan 5, 2025 16:57:04.169897079 CET | 49731 | 7000 | 192.168.2.4 | 154.216.19.144
Jan 5, 2025 16:57:04.175508022 CET | 7000 | 49731 | 154.216.19.144 | 192.168.2.4
Jan 5, 2025 16:57:04.176736116 CET | 49731 | 7000 | 192.168.2.4 | 154.216.19.144
Jan 5, 2025 16:57:04.182610989 CET | 7000 | 49731 | 154.216.19.144 | 192.168.2.4
Jan 5, 2025 16:57:05.404987097 CET | 7000 | 49731 | 154.216.19.144 | 192.168.2.4
Jan 5, 2025 16:57:05.405201912 CET | 7000 | 49731 | 154.216.19.144 | 192.168.2.4
Jan 5, 2025 16:57:05.405211926 CET | 7000 | 49731 | 154.216.19.144 | 192.168.2.4
Jan 5, 2025 16:57:05.405272007 CET | 49731 | 7000 | 192.168.2.4 | 154.216.19.144
Jan 5, 2025 16:57:05.405308962 CET | 7000 | 49731 | 154.216.19.144 | 192.168.2.4
Jan 5, 2025 16:57:05.405369997 CET | 49731 | 7000 | 192.168.2.4 | 154.216.19.144
Jan 5, 2025 16:57:05.405502081 CET | 7000 | 49731 | 154.216.19.144 | 192.168.2.4
Jan 5, 2025 16:57:05.405544996 CET | 49731 | 7000 | 192.168.2.4 | 154.216.19.144
Jan 5, 2025 16:57:30.408798933 CET | 49731 | 7000 | 192.168.2.4 | 154.216.19.144
Jan 5, 2025 16:57:30.413738966 CET | 7000 | 49731 | 154.216.19.144 | 192.168.2.4
Jan 5, 2025 16:57:42.588594913 CET | 55545 | 53 | 192.168.2.4 | 162.159.36.2
Jan 5, 2025 16:57:42.593408108 CET | 53 | 55545 | 162.159.36.2 | 192.168.2.4
Jan 5, 2025 16:57:42.593480110 CET | 55545 | 53 | 192.168.2.4 | 162.159.36.2
Jan 5, 2025 16:57:42.593508005 CET | 55545 | 53 | 192.168.2.4 | 162.159.36.2
Jan 5, 2025 16:57:42.598354101 CET | 53 | 55545 | 162.159.36.2 | 192.168.2.4
Jan 5, 2025 16:57:43.214215040 CET | 53 | 55545 | 162.159.36.2 | 192.168.2.4
Jan 5, 2025 16:57:43.215198040 CET | 55545 | 53 | 192.168.2.4 | 162.159.36.2
Jan 5, 2025 16:57:43.220191956 CET | 53 | 55545 | 162.159.36.2 | 192.168.2.4
Jan 5, 2025 16:57:43.220241070 CET | 55545 | 53 | 192.168.2.4 | 162.159.36.2
Jan 5, 2025 16:57:55.424473047 CET | 49731 | 7000 | 192.168.2.4 | 154.216.19.144
Jan 5, 2025 16:57:55.429313898 CET | 7000 | 49731 | 154.216.19.144 | 192.168.2.4
Jan 5, 2025 16:58:20.440231085 CET | 49731 | 7000 | 192.168.2.4 | 154.216.19.144
Jan 5, 2025 16:58:20.444984913 CET | 7000 | 49731 | 154.216.19.144 | 192.168.2.4
                                                Jan 5, 2025 16:58:45.483995914 CET497317000192.168.2.4154.216.19.144
                                                Jan 5, 2025 16:58:45.488825083 CET700049731154.216.19.144192.168.2.4
                                                Jan 5, 2025 16:59:10.534115076 CET497317000192.168.2.4154.216.19.144
                                                Jan 5, 2025 16:59:10.538923979 CET700049731154.216.19.144192.168.2.4
                                                Jan 5, 2025 16:59:35.583985090 CET497317000192.168.2.4154.216.19.144
                                                Jan 5, 2025 16:59:35.588877916 CET700049731154.216.19.144192.168.2.4
                                                Jan 5, 2025 17:00:00.659370899 CET497317000192.168.2.4154.216.19.144
                                                Jan 5, 2025 17:00:00.664309978 CET700049731154.216.19.144192.168.2.4
                                                Jan 5, 2025 17:00:25.674957991 CET497317000192.168.2.4154.216.19.144
                                                Jan 5, 2025 17:00:25.679754972 CET700049731154.216.19.144192.168.2.4
                                                Jan 5, 2025 17:00:50.691334963 CET497317000192.168.2.4154.216.19.144
                                                Jan 5, 2025 17:00:50.697097063 CET700049731154.216.19.144192.168.2.4
                                                 Timestamp                           Source Port  Dest Port  Source IP     Dest IP
                                                 Jan 5, 2025 16:57:02.726628065 CET  63255        53         192.168.2.4   1.1.1.1
                                                 Jan 5, 2025 16:57:02.734045029 CET  53           63255      1.1.1.1       192.168.2.4
                                                 Jan 5, 2025 16:57:42.587914944 CET  53           64932      162.159.36.2  192.168.2.4
                                                 Jan 5, 2025 16:57:43.230022907 CET  53           50567      1.1.1.1       192.168.2.4
                                                 Timestamp                           Source IP    Dest IP  Trans ID  OP Code             Name      Type            Class        DNS over HTTPS
                                                 Jan 5, 2025 16:57:02.726628065 CET  192.168.2.4  1.1.1.1  0xd391    Standard query (0)  ipwho.is  A (IP address)  IN (0x0001)  false
                                                 Timestamp                           Source IP  Dest IP      Trans ID  Reply Code    Name                         CName  Address          Type            Class        DNS over HTTPS
                                                 Jan 5, 2025 16:57:01.955919981 CET  1.1.1.1    192.168.2.4  0x1e92    No error (0)  bg.microsoft.map.fastly.net  -      199.232.210.172  A (IP address)  IN (0x0001)  false
                                                 Jan 5, 2025 16:57:01.955919981 CET  1.1.1.1    192.168.2.4  0x1e92    No error (0)  bg.microsoft.map.fastly.net  -      199.232.214.172  A (IP address)  IN (0x0001)  false
                                                 Jan 5, 2025 16:57:02.734045029 CET  1.1.1.1    192.168.2.4  0xd391    No error (0)  ipwho.is                     -      195.201.57.90    A (IP address)  IN (0x0001)  false
                                                 Jan 5, 2025 16:57:15.071770906 CET  1.1.1.1    192.168.2.4  0xcac5    No error (0)  bg.microsoft.map.fastly.net  -      199.232.214.172  A (IP address)  IN (0x0001)  false
                                                 Jan 5, 2025 16:57:15.071770906 CET  1.1.1.1    192.168.2.4  0xcac5    No error (0)  bg.microsoft.map.fastly.net  -      199.232.210.172  A (IP address)  IN (0x0001)  false
                                                • ipwho.is
                                                 Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                 0           192.168.2.4  49733        195.201.57.90   443               7160  C:\Users\user\AppData\Roaming\SubDir\Svc.exe
                                                 Timestamp                Bytes transferred  Direction  Data
                                                 2025-01-05 15:57:03 UTC  150                OUT        GET / HTTP/1.1
                                                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
                                                                                                        Host: ipwho.is
                                                                                                        Connection: Keep-Alive
                                                 2025-01-05 15:57:03 UTC  223                IN         HTTP/1.1 200 OK
                                                                                                        Date: Sun, 05 Jan 2025 15:57:03 GMT
                                                                                                        Content-Type: application/json; charset=utf-8
                                                                                                        Transfer-Encoding: chunked
                                                                                                        Connection: close
                                                                                                        Server: ipwhois
                                                                                                        Access-Control-Allow-Headers: *
                                                                                                        X-Robots-Tag: noindex
                                                 2025-01-05 15:57:03 UTC  1021               IN         Data Raw: 33 66 31 0d 0a 7b 0a 20 20 20 20 22 41 62 6f 75 74 20 55 73 22 3a 20 22 68 74 74 70 73 3a 5c 2f 5c 2f 69 70 77 68 6f 69 73 2e 69 6f 22 2c 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 74 79 70 65 22 3a 20 22 49 50 76 34 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 20 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 20 22 4e 41 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f
                                                                                                        Data Ascii: 3f1{ "About Us": "https:\/\/ipwhois.io", "ip": "8.46.123.189", "success": true, "type": "IPv4", "continent": "North America", "continent_code": "NA", "country": "United States", "country_code": "US", "region": "New Yo
                                                Target ID:0
                                                Start time:10:56:55
                                                Start date:05/01/2025
                                                Path:C:\Users\user\Desktop\jaTDEkWCbs.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Users\user\Desktop\jaTDEkWCbs.exe"
                                                Imagebase:0x10000
                                                File size:3'265'536 bytes
                                                MD5 hash:B48F94C872BB4E3596924F7F587B0A54
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.1646873443.0000000000330000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.1676683355.000000001AF32000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.1646539698.0000000000012000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                Reputation:low
                                                Has exited:true

                                                Target ID:1
                                                Start time:10:56:57
                                                Start date:05/01/2025
                                                Path:C:\Windows\System32\schtasks.exe
                                                Wow64 process (32bit):false
                                                Commandline:"schtasks" /create /tn "Svc" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Svc.exe" /rl HIGHEST /f
                                                Imagebase:0x7ff76f990000
                                                File size:235'008 bytes
                                                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:2
                                                Start time:10:56:57
                                                Start date:05/01/2025
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:3
                                                Start time:10:56:57
                                                Start date:05/01/2025
                                                Path:C:\Users\user\AppData\Roaming\SubDir\Svc.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Users\user\AppData\Roaming\SubDir\Svc.exe"
                                                Imagebase:0xcd0000
                                                File size:3'265'536 bytes
                                                MD5 hash:B48F94C872BB4E3596924F7F587B0A54
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000003.00000002.4113781005.0000000003633000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe, Author: Joe Security
                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe, Author: Joe Security
                                                • Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe, Author: Florian Roth
                                                • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe, Author: ditekSHen
                                                • Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: C:\Users\user\AppData\Roaming\SubDir\Svc.exe, Author: ditekshen
                                                Antivirus matches:
                                                • Detection: 100%, Avira
                                                • Detection: 100%, Joe Sandbox ML
                                                • Detection: 76%, ReversingLabs
                                                Reputation:low
                                                Has exited:false

                                                Target ID:4
                                                Start time:10:56:59
                                                Start date:05/01/2025
                                                Path:C:\Users\user\AppData\Roaming\SubDir\Svc.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Users\user\AppData\Roaming\SubDir\Svc.exe
                                                Imagebase:0x350000
                                                File size:3'265'536 bytes
                                                MD5 hash:B48F94C872BB4E3596924F7F587B0A54
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:true

                                                Target ID:5
                                                Start time:10:56:59
                                                Start date:05/01/2025
                                                Path:C:\Windows\System32\schtasks.exe
                                                Wow64 process (32bit):false
                                                Commandline:"schtasks" /create /tn "Svc" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Svc.exe" /rl HIGHEST /f
                                                Imagebase:0x7ff76f990000
                                                File size:235'008 bytes
                                                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:6
                                                Start time:10:56:59
                                                Start date:05/01/2025
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:7
                                                Start time:10:57:13
                                                Start date:05/01/2025
                                                Path:C:\Windows\System32\SIHClient.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\System32\sihclient.exe /cv Bp2r6cK9Lk66qUuk5S0sFA.0.2
                                                Imagebase:0x7ff64dac0000
                                                File size:380'720 bytes
                                                MD5 hash:8BE47315BF30475EEECE8E39599E9273
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:true

                                                  Execution Graph

                                                  Execution Coverage:16.6%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:0%
                                                  Total number of Nodes:6
                                                  Total number of Limit Nodes:0
                                                   execution_graph (nodes and edges):
                                                   1746 7ffd9b783569 -> 1747 7ffd9b783571 DeleteFileW -> 1749 7ffd9b783616
                                                   1750 7ffd9b783525 -> 1751 7ffd9b783531 DeleteFileW -> 1753 7ffd9b783616

                                                  Control-flow Graph

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1677384767.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b780000_jaTDEkWCbs.jbxd
                                                  Similarity
                                                  • API ID: DeleteFile
                                                  • String ID:
                                                  • API String ID: 4033686569-0
                                                  • Opcode ID: a0e3eaff6c9b6c641f70be9f964ffcc25febafe9f6e9b0c1bc9ef54c14c97e5c
                                                  • Instruction ID: 905dd9ab8f0646058215c342d929309090bfcd0ad36c1328b145a1d03e51d480
                                                  • Opcode Fuzzy Hash: a0e3eaff6c9b6c641f70be9f964ffcc25febafe9f6e9b0c1bc9ef54c14c97e5c
                                                  • Instruction Fuzzy Hash: 2C31233190CB5C8FDB19DB688859AE9BFF0EF56311F0542ABD049C71A2CB346805CB91

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                   control_flow_graph (basic blocks and edges):
                                                   11: 7ffd9b783569-7ffd9b7835d8
                                                   16: 7ffd9b7835e2-7ffd9b783614 DeleteFileW
                                                   17: 7ffd9b7835da-7ffd9b7835df
                                                   18: 7ffd9b78361c-7ffd9b78364a
                                                   19: 7ffd9b783616
                                                   edges: 11->16, 11->17, 16->18, 16->19, 17->16, 19->18
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1677384767.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b780000_jaTDEkWCbs.jbxd
                                                  Similarity
                                                  • API ID: DeleteFile
                                                  • String ID:
                                                  • API String ID: 4033686569-0
                                                  • Opcode ID: 2e89e1d193981ea81464b461834107ec21e5f5619fd36c362ba4618c0fdf0040
                                                  • Instruction ID: 184e1700ea52d7c661a6c0159627d146cc9311f025a09428461700209ba1728b
                                                  • Opcode Fuzzy Hash: 2e89e1d193981ea81464b461834107ec21e5f5619fd36c362ba4618c0fdf0040
                                                  • Instruction Fuzzy Hash: D431D23190CB5C8FDB19DB688859AE9BBF0FF65311F04426BD049D32A2DB74A805CB91

                                                  Execution Graph

                                                  Execution Coverage:7%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:0%
                                                  Total number of Nodes:8
                                                  Total number of Limit Nodes:1
                                                   execution_graph (nodes and edges):
                                                   51801 7ffd9b9ee6f9 -> 51803 7ffd9b9ee70f -> 51802 7ffd9b9ee7bb
                                                   51803 7ffd9b9ee70f -> 51804 7ffd9b9ee8b4 SetWindowsHookExW -> 51805 7ffd9b9ee8f6
                                                   51806 7ffd9b773569 -> 51807 7ffd9b773571 DeleteFileW -> 51809 7ffd9b773616
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4129280044.00007FFD9BB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bb00000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: H
                                                  • API String ID: 0-2852464175
                                                  • Opcode ID: 228995fb29e7fb75b6806a6f1febb9085df6493eacc2e54011220799f5d0dade
                                                  • Instruction ID: 8821d5d6f0503d41338250071290149760c048fb7e5277fd496a12ee50eb265f
                                                  • Opcode Fuzzy Hash: 228995fb29e7fb75b6806a6f1febb9085df6493eacc2e54011220799f5d0dade
                                                  • Instruction Fuzzy Hash: 9283D412B1AE4F0BE7B596AC04B527956D3FFDC654B5A01BAD09EC32FAED18ED064300
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4128659242.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9b9e0000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: V0_H$W%_L
                                                  • API String ID: 0-1246632068
                                                  • Opcode ID: 2688005e7420fd14da3f15b9e420bcf6de1368b88922a6f2067571aef4460473
                                                  • Instruction ID: 8380c68ef08d430df4d0ccd883f088859618c88348c5f4517d415f7e1be2afe1
                                                  • Opcode Fuzzy Hash: 2688005e7420fd14da3f15b9e420bcf6de1368b88922a6f2067571aef4460473
                                                  • Instruction Fuzzy Hash: 73A24971B2EA8D5FE775DB6888666A43FE0EF55320B0601FAD04DC71B3DE186D0A8781
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4128659242.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9b9e0000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID: 0-3916222277
                                                  • Opcode ID: 3cfe2ee3cf6e522871a3a52cd2c7a68c4924ca2c9f5a067976628bb8b2afd5f5
                                                  • Instruction ID: 4261c97a5dbaa64f194b6505bd869de507ddfe375b557a6b3ca8c458c82352d9
                                                  • Opcode Fuzzy Hash: 3cfe2ee3cf6e522871a3a52cd2c7a68c4924ca2c9f5a067976628bb8b2afd5f5
                                                  • Instruction Fuzzy Hash: F172D231B1AA4D4FEBB4EB6C84A9A6837D1FF5A300F1500B9D08DC72B2DE68ED458745

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                   control_flow_graph: [basic-block edge data omitted; function starting at 7ffd9b9fb851-7ffd9b9fb8b4, exit block 7ffd9b9fbeef-7ffd9b9fbf02, with calls to 7ffd9b9e9fd0, 7ffd9b9e3830, 7ffd9b9e4180, 7ffd9b9e9bf0, 7ffd9b9ea890, 7ffd9b9fb6f0, 7ffd9b9e7b40, 7ffd9b9e7220 and 7ffd9b9e53c0; no API calls resolved in this graph]
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4128659242.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9b9e0000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: d%_H
                                                  • API String ID: 0-4003640186
                                                  • Opcode ID: 380ce44c6be8d22ef52913d8116989dd4c8f7e8846dd9e59dab1ea523d322ad5
                                                  • Instruction ID: d05fd9e82a22df3688bd0487321ba797621ae730d865e92289dcd0b203eaf951
                                                  • Opcode Fuzzy Hash: 380ce44c6be8d22ef52913d8116989dd4c8f7e8846dd9e59dab1ea523d322ad5
                                                  • Instruction Fuzzy Hash: A152F271B29A0D4FDBA8EF6884A56797BD2FF98310F11017DD44EC32A6DE24BD418781
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4128659242.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9b9e0000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 59bf3d2015b04efc50e0929967374207170b9e002fa62eb3f00c3c52abdceeb6
                                                  • Instruction ID: bbc4415bad3bd76aa32a6d2d71ae8bd564ef84e6ec8f4649402a37d23d013845
                                                  • Opcode Fuzzy Hash: 59bf3d2015b04efc50e0929967374207170b9e002fa62eb3f00c3c52abdceeb6
                                                  • Instruction Fuzzy Hash: 3BF2B270A19A0D8FDFA8EF68C494BA977E1FF58304F1141A9D04ED72A6DE34EA41CB40
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4128659242.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9b9e0000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d62d2ed0687c06c41c59eab93660a29fbff38910f9464f20e9941bb17a2591c1
                                                  • Instruction ID: 92a17690e0cbfd0d440a9fd9f0eed2ef6b6c71c535b18dfab415bf2fd3a31d3d
                                                  • Opcode Fuzzy Hash: d62d2ed0687c06c41c59eab93660a29fbff38910f9464f20e9941bb17a2591c1
                                                  • Instruction Fuzzy Hash: 36624831B2D94D5FEBA8EB2CD465A7937D1EF98310B0601BAE44EC72B2DD24ED028341
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4128659242.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9b9e0000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d758378a546a7ec68a0f407ce91cf21f918c877945a83ff049e4a887a1caea1d
                                                  • Instruction ID: a231c14f1b04165eacb4ff91ac84577afd1a8dc844b6c6c6afb835c3c9352dd3
                                                  • Opcode Fuzzy Hash: d758378a546a7ec68a0f407ce91cf21f918c877945a83ff049e4a887a1caea1d
                                                  • Instruction Fuzzy Hash: 3A52A031B29A4E4FDB98DF1884A1BA977E2FF99314F1501A9E45AC72D6CE34EC028741
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4128659242.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9b9e0000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d606e1101d6fb7769005bca85b87c8e78c7eab31f201c2914d0fb269f1f97f0a
                                                  • Instruction ID: 79635fe12f10ff4238ab26f29839c92a83e6bfa617afa9406a9d089fccf88010
                                                  • Opcode Fuzzy Hash: d606e1101d6fb7769005bca85b87c8e78c7eab31f201c2914d0fb269f1f97f0a
                                                  • Instruction Fuzzy Hash: A2525030B18A498FDBA8EF2CC4A5B6977E1FF99304F1541B9E04EC72A6DE35E8418741
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4128659242.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9b9e0000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bf1b175cdfd7ed400b4d3658f9559c38ff392d29c82d85a43f26a1dddab82cc1
                                                  • Instruction ID: 22064862ec242eb21a823b12cff2e136e3b5e120ea58cf7981b4aabeb06db25b
                                                  • Opcode Fuzzy Hash: bf1b175cdfd7ed400b4d3658f9559c38ff392d29c82d85a43f26a1dddab82cc1
                                                  • Instruction Fuzzy Hash: 2B229230B19A0D5FEB68EB5C84A97B973E2FF98304F15417DD44EC32A2DE34AA468741
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4128659242.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9b9e0000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2e1735364a045bbcfcaa80f5bab62de67d500ff050bc0fe1730a22248ced1ba8
                                                  • Instruction ID: ea76e958fade7adcf6b3571e819064987ba747d876db11d59a0952ef8f1baf66
                                                  • Opcode Fuzzy Hash: 2e1735364a045bbcfcaa80f5bab62de67d500ff050bc0fe1730a22248ced1ba8
                                                  • Instruction Fuzzy Hash: BD023C30E28A1D8FEBA8DF58C49476977E1FF98305F1541B9D44ED32A6DA34BA81CB40
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4128659242.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9b9e0000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5bc0c7262188832c9cf45b3e2cc05be3e69b7b1779148a2be047c87d8a032a8d
                                                  • Instruction ID: a2165517921a9b33e46fbcd44746d836d7100f760247af5ace17e3661651f076
                                                  • Opcode Fuzzy Hash: 5bc0c7262188832c9cf45b3e2cc05be3e69b7b1779148a2be047c87d8a032a8d
                                                  • Instruction Fuzzy Hash: AAF1C530A19A8D8FEBA8DF28C8557F93BD1FF54310F44426EE84DC7295CB3899458B82
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4128659242.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9b9e0000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f94237b1f5a21a7a57d08cddfa9e19aa5636cef70a90544d0b1613bf810e5509
                                                  • Instruction ID: dec471736931502c5f84b97413920453738e0146005c66122cd9b0b020b1f3e8
                                                  • Opcode Fuzzy Hash: f94237b1f5a21a7a57d08cddfa9e19aa5636cef70a90544d0b1613bf810e5509
                                                  • Instruction Fuzzy Hash: B6D1A270B19A4D8FEBA8DF28C8A57E97BD1FB54311F00826EE84DC7295CF7499418B81

                                                  Control-flow Graph (legend of the rendered graph: executed / not executed blocks)
                                                  control_flow_graph 2982 7ffd9b9ee6f9-7ffd9b9ee7b9 call 7ffd9b9ee0e8 2996 7ffd9b9ee7bb-7ffd9b9ee7f7 2982->2996 2997 7ffd9b9ee7f8-7ffd9b9ee87e 2982->2997 3005 7ffd9b9ee936-7ffd9b9ee93a 2997->3005 3006 7ffd9b9ee884-7ffd9b9ee891 2997->3006 3007 7ffd9b9ee893-7ffd9b9ee8f4 SetWindowsHookExW 3005->3007 3006->3007 3011 7ffd9b9ee8fc-7ffd9b9ee935 3007->3011 3012 7ffd9b9ee8f6 3007->3012 3012->3011
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4128659242.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9b9e0000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b56522b43e02f278b798585fb57b33ca721c2770bb0e7ebb6a4979ebe25b56c3
                                                  • Instruction ID: a9d5174b2fdc5dd1657f00a8d460c47320be595cdf811389db55b52c4e2de7fb
                                                  • Opcode Fuzzy Hash: b56522b43e02f278b798585fb57b33ca721c2770bb0e7ebb6a4979ebe25b56c3
                                                  • Instruction Fuzzy Hash: 38714831B1DE4D4FDB58EB6C98655B977E1EF58310B0442BBE04EC32A3DE24A94287C1

                                                  Control-flow Graph (legend of the rendered graph: executed / not executed blocks)
                                                  control_flow_graph 3348 7ffd9b773525-7ffd9b77352f 3349 7ffd9b773571-7ffd9b7735d8 3348->3349 3350 7ffd9b773531-7ffd9b773562 3348->3350 3356 7ffd9b7735e2-7ffd9b773614 DeleteFileW 3349->3356 3357 7ffd9b7735da-7ffd9b7735df 3349->3357 3350->3349 3358 7ffd9b77361c-7ffd9b77364a 3356->3358 3359 7ffd9b773616 3356->3359 3357->3356 3359->3358
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4126613729.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9b770000_Svc.jbxd
                                                  Similarity
                                                  • API ID: DeleteFile
                                                  • String ID:
                                                  • API String ID: 4033686569-0
                                                  • Opcode ID: 2669fa349e936218fc2a96866a26309c976f5a5b0ece7cdd65d70c37f6b43307
                                                  • Instruction ID: 200d2dc04ef64a3f16fdeddc96fd1fe68fb3ab2ec5d1f9688d93671293791d81
                                                  • Opcode Fuzzy Hash: 2669fa349e936218fc2a96866a26309c976f5a5b0ece7cdd65d70c37f6b43307
                                                  • Instruction Fuzzy Hash: 0B414431A0DB4C8FCB19DF6888996E97BF0FF56310F0542AFD049C71A2CA64A906C791

                                                  Control-flow Graph (legend of the rendered graph: executed / not executed blocks)
                                                  control_flow_graph 3415 7ffd9b773569-7ffd9b7735d8 3420 7ffd9b7735e2-7ffd9b773614 DeleteFileW 3415->3420 3421 7ffd9b7735da-7ffd9b7735df 3415->3421 3422 7ffd9b77361c-7ffd9b77364a 3420->3422 3423 7ffd9b773616 3420->3423 3421->3420 3423->3422
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4126613729.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9b770000_Svc.jbxd
                                                  Similarity
                                                  • API ID: DeleteFile
                                                  • String ID:
                                                  • API String ID: 4033686569-0
                                                  • Opcode ID: bd0a00df7b58dadcc5a35d66d8850a82156c50b21c9139f2f5d7d583e0e35f55
                                                  • Instruction ID: 99aa4fdf22d60e79e06ea2bfa5e5e0831ea722e96da557ab6ef9d887c11094a8
                                                  • Opcode Fuzzy Hash: bd0a00df7b58dadcc5a35d66d8850a82156c50b21c9139f2f5d7d583e0e35f55
                                                  • Instruction Fuzzy Hash: C731C13190CB5C8FDB19DB588859AE9BBF0FF65311F04426BD049D32A2DB74A906CB91
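The per-function entries above (a control_flow_graph edge list followed by bulleted metadata) are easier to triage once parsed into records. The Python below is an added example written for this page; it is not code from Joe Sandbox or from the authors of the sample. It assumes that the first node on each edge list is the function's entry block, that any bare token inside a block which is neither a node id, an edge nor a `call <addr>` pair is a Win32 symbol the plugin resolved there, and the API watchlist is my own choice. The sample text is copied (trimmed) from three of the entries above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: three entries copied (trimmed) from the report above.
SAMPLE = """\
control_flow_graph 2982 7ffd9b9ee6f9-7ffd9b9ee7b9 call 7ffd9b9ee0e8 2996 7ffd9b9ee7bb-7ffd9b9ee7f7 2982->2996 2997 7ffd9b9ee7f8-7ffd9b9ee87e 2982->2997 3005 7ffd9b9ee936-7ffd9b9ee93a 2997->3005 3006 7ffd9b9ee884-7ffd9b9ee891 2997->3006 3007 7ffd9b9ee893-7ffd9b9ee8f4 SetWindowsHookExW 3005->3007 3006->3007 3011 7ffd9b9ee8fc-7ffd9b9ee935 3007->3011 3012 7ffd9b9ee8f6 3007->3012 3012->3011
Memory Dump Source
• Snapshot File: hcaresult_3_2_7ffd9b9e0000_Svc.jbxd
• API ID:
• Instruction Fuzzy Hash: 38714831B1DE4D4FDB58EB6C98655B977E1EF58310B0442BBE04EC32A3DE24A94287C1
control_flow_graph 3348 7ffd9b773525-7ffd9b77352f 3349 7ffd9b773571-7ffd9b7735d8 3348->3349 3350 7ffd9b773531-7ffd9b773562 3348->3350 3356 7ffd9b7735e2-7ffd9b773614 DeleteFileW 3349->3356 3357 7ffd9b7735da-7ffd9b7735df 3349->3357 3350->3349 3358 7ffd9b77361c-7ffd9b77364a 3356->3358 3359 7ffd9b773616 3356->3359 3357->3356 3359->3358
Memory Dump Source
• Snapshot File: hcaresult_3_2_7ffd9b770000_Svc.jbxd
• API ID: DeleteFile
• Instruction Fuzzy Hash: 0B414431A0DB4C8FCB19DF6888996E97BF0FF56310F0542AFD049C71A2CA64A906C791
control_flow_graph 3415 7ffd9b773569-7ffd9b7735d8 3420 7ffd9b7735e2-7ffd9b773614 DeleteFileW 3415->3420 3421 7ffd9b7735da-7ffd9b7735df 3415->3421 3422 7ffd9b77361c-7ffd9b77364a 3420->3422 3423 7ffd9b773616 3420->3423 3421->3420 3423->3422
Memory Dump Source
• Snapshot File: hcaresult_3_2_7ffd9b770000_Svc.jbxd
• API ID: DeleteFile
• Instruction Fuzzy Hash: C731C13190CB5C8FDB19DB588859AE9BBF0FF65311F04426BD049D32A2DB74A906CB91
"""

ADDR = r"[0-9a-fA-F]{6,16}"
NODE_RE = re.compile(rf"^({ADDR})(?:-({ADDR}))?$")   # "start" or "start-end"
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")              # "2982->2996"
META_RE = re.compile(r"^•\s*([^:]+):\s*(.*?)\s*$")    # "• Key: Value"

@dataclass
class Block:
    start: int
    end: int
    apis: list = field(default_factory=list)    # Win32 symbols resolved in the block
    calls: list = field(default_factory=list)   # "call <addr>" internal callees

@dataclass
class Function:
    entry: int                                  # assumed: first node listed is the entry
    blocks: dict = field(default_factory=dict)  # node id -> Block
    edges: list = field(default_factory=list)   # (from node id, to node id)
    meta: dict = field(default_factory=dict)    # "• Key: Value" lines that follow
    def apis(self):
        return sorted({a for b in self.blocks.values() for a in b.apis})

def parse_graph(line):
    """Tokenise one control_flow_graph line into blocks, edges and calls."""
    toks = line.split()[1:]                     # drop the control_flow_graph keyword
    fn, cur, i = None, None, 0
    while i < len(toks):
        t = toks[i]
        if (m := EDGE_RE.match(t)):
            fn.edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif t.isdigit() and i + 1 < len(toks) and (m := NODE_RE.match(toks[i + 1])):
            start = int(m.group(1), 16)
            end = int(m.group(2), 16) if m.group(2) else start
            cur = Block(start, end)
            if fn is None:
                fn = Function(entry=start)
            fn.blocks[int(t)] = cur
            i += 2
        elif t == "call" and i + 1 < len(toks):
            cur.calls.append(int(toks[i + 1], 16))
            i += 2
        else:                                   # anything else is a resolved API name
            cur.apis.append(t)
            i += 1
    return fn

def parse_report(text):
    """Split a report excerpt into Function records carrying their metadata."""
    funcs = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("control_flow_graph"):
            funcs.append(parse_graph(line))
        elif funcs and (m := META_RE.match(line)):
            funcs[-1].meta[m.group(1).strip()] = m.group(2)
    return funcs

# Assumed watchlist (my choice): APIs worth looking at first in a RAT sample.
WATCHLIST = {
    "SetWindowsHookExW": "installs a hook; keylogger candidate",
    "DeleteFileW": "deletes a file; cleanup or self-removal candidate",
}

def sensitive_api_hits(funcs, watchlist=WATCHLIST):
    """(entry address, API, why it matters) for each watchlisted API reached."""
    return [(f"{fn.entry:x}", api, watchlist[api])
            for fn in funcs for api in fn.apis() if api in watchlist]

def overlapping_functions(funcs):
    """Pairs of same-snapshot functions that share basic blocks: one routine carved twice."""
    spans = [({(b.start, b.end) for b in fn.blocks.values()}, fn) for fn in funcs]
    pairs = []
    for i, (sa, a) in enumerate(spans):
        for sb, b in spans[i + 1:]:
            if a.meta.get("Snapshot File") == b.meta.get("Snapshot File") and sa & sb:
                pairs.append((f"{a.entry:x}", f"{b.entry:x}", len(sa & sb)))
    return pairs
```

Run on SAMPLE, `sensitive_api_hits(parse_report(SAMPLE))` returns the SetWindowsHookExW hit at 7ffd9b9ee6f9 and both DeleteFileW hits, and `overlapping_functions` flags 7ffd9b773525 and 7ffd9b773569 as sharing four basic blocks (7ffd9b7735e2 onward): the same DeleteFileW routine listed twice from two entry points, which is also why both entries carry the same API ID. Count such a pair once when triaging.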
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4129280044.00007FFD9BB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bb00000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: H
                                                  • API String ID: 0-2852464175
                                                  • Opcode ID: 24d4f667da86838ef4681ec7c2d9d6bed3f99b6458959c7c737cf0dd2083910a
                                                  • Instruction ID: b6207dc47adbbe6b7c6ccdba7f38f120c380d2430ca71cc1da9f60c59d62db0f
                                                  • Opcode Fuzzy Hash: 24d4f667da86838ef4681ec7c2d9d6bed3f99b6458959c7c737cf0dd2083910a
                                                  • Instruction Fuzzy Hash: C521F811B1AA4F0BF7B5AA6C04B517866C2FF98544B5A01BAD04EC76EEDD69ED424300
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4129280044.00007FFD9BB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bb00000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 545590a58ea5f7dc6a19aa628bcdb889a73192301490437c1dcdaff632a67204
                                                  • Instruction ID: 00d2f70bd05dab5cef6a5b39cdbf36e0758d55330a0778d574020ccfaa93061e
                                                  • Opcode Fuzzy Hash: 545590a58ea5f7dc6a19aa628bcdb889a73192301490437c1dcdaff632a67204
                                                  • Instruction Fuzzy Hash: 1D71AE10B2AE6B1BE7A5A7E888B177972D6EF99300F460179D14DC32E7CE5CED064381
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4129280044.00007FFD9BB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bb00000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1b1b8bed1e2f81551ba3858c1336889eb5db026b06e5bd0fd5f0c26641b7135d
                                                  • Instruction ID: 3c764ed30426f6a980d7235b80264f0f714a8be97e8f758e76ec9f1ccca675d8
                                                  • Opcode Fuzzy Hash: 1b1b8bed1e2f81551ba3858c1336889eb5db026b06e5bd0fd5f0c26641b7135d
                                                  • Instruction Fuzzy Hash: 9541197270EA8D0FE75586684879AB13BD1EF66614F4A02FFD08DC71F7E908AD068341
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4126384052.00007FFD9B65D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B65D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9b65d000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 73ee3f18184c6769da012096567bdb343886a785f0f94fa55b8f9199565783a4
                                                  • Instruction ID: 4f8ddb54b1333b9d737f81c3bfbd7143e5f10150077ee043d3d394e93449009b
                                                  • Opcode Fuzzy Hash: 73ee3f18184c6769da012096567bdb343886a785f0f94fa55b8f9199565783a4
                                                  • Instruction Fuzzy Hash: 0141F47150EBC84FDB56CB2898959523FF0EF56320B1906DFD0C8CB1A3D629A84AC792
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4129280044.00007FFD9BB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bb00000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0b887ee38978bf47a665f555288fc2ff373cf3bb41caec9e2c757d9771a26c5f
                                                  • Instruction ID: 0977cd551e09a52cfcf99e3423ae0824c0330ea12c8494ac3f1bcd5962483a53
                                                  • Opcode Fuzzy Hash: 0b887ee38978bf47a665f555288fc2ff373cf3bb41caec9e2c757d9771a26c5f
                                                  • Instruction Fuzzy Hash: 24312922B1EA8D0FE768DA6C58366B477C1FF65614F4501BEE48EC32E6DD19AC428342
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4129280044.00007FFD9BB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bb00000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f855d194d6ba7c14747fea6e1b5260ef440bc5ca2d085054947073cf80986627
                                                  • Instruction ID: afb14ab40e1322ed958737345594a726a60bc0fa7ec1f06ed8ce5d80824aee7e
                                                  • Opcode Fuzzy Hash: f855d194d6ba7c14747fea6e1b5260ef440bc5ca2d085054947073cf80986627
                                                  • Instruction Fuzzy Hash: 46314A62B1DA4D0FE7A89A5C582A678B7C1FB69714F4501BDE0CEC32E7DD19AC018342
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4129280044.00007FFD9BB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bb00000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d8efa843d7eb8c684f805f5d6dc3ec09c215373ff69011628c2feedd4c60f3cb
                                                  • Instruction ID: e3306a4a0d05cd0ef149e98571bde1ffc0f2b16910a6cb61568f5fc60e992235
                                                  • Opcode Fuzzy Hash: d8efa843d7eb8c684f805f5d6dc3ec09c215373ff69011628c2feedd4c60f3cb
                                                  • Instruction Fuzzy Hash: B621A212B1AE4E0FF6B5AA6C04F467856C3FFD865475A01BAD04EC76EAED19ED024380
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4129280044.00007FFD9BB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bb00000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a3d9835a5a30f9be9882cebafbd0ae21aa45a53273749c23b6bbc2509aba0217
                                                  • Instruction ID: e51fb9f7f3b549b259f7762c1b25ba5a4fa761a0517ae40e0f36168d21e5b5c2
                                                  • Opcode Fuzzy Hash: a3d9835a5a30f9be9882cebafbd0ae21aa45a53273749c23b6bbc2509aba0217
                                                  • Instruction Fuzzy Hash: CF21B411B1AE4E0BE7B5A66C04B527856C2EFDC65475A02BAE04EC72EBED19ED024340
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4129280044.00007FFD9BB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bb00000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9aa00ac41a8158fc706fd013c941b40b401982ab81fbd482ae82bfa5c76efd80
                                                  • Instruction ID: 6dc6affe3fde363dff82dc136057adcf408a6b9d6d3aab045bf6f5a7249cadbc
                                                  • Opcode Fuzzy Hash: 9aa00ac41a8158fc706fd013c941b40b401982ab81fbd482ae82bfa5c76efd80
                                                  • Instruction Fuzzy Hash: D4212612B1AE4F0BF7B9A66C04B417852D3FFD864479A01BEE04EC72EAED18ED024340
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4129280044.00007FFD9BB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bb00000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 21f5ae888e946d84e1b8aa41aaa78a353c08dae89db0ad44e5b80ebcc77d589e
                                                  • Instruction ID: 73259726cfbf39e25f68e579c9271dc66051a8b9780ef5f20c3537983ceea127
                                                  • Opcode Fuzzy Hash: 21f5ae888e946d84e1b8aa41aaa78a353c08dae89db0ad44e5b80ebcc77d589e
                                                  • Instruction Fuzzy Hash: 8021E911B1EE4E0FE7A996AC04B527856C2EFDC15479A01BAD44EC73FBED59ED024340
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4129280044.00007FFD9BB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bb00000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c8c8e181e3daaeaa04b7651a2ef9226b007694777990143f4889f0cef50fe358
                                                  • Instruction ID: 172dc02f6be89f53246795698ca50c31fc986396f348b249b9df95c8a408b1dd
                                                  • Opcode Fuzzy Hash: c8c8e181e3daaeaa04b7651a2ef9226b007694777990143f4889f0cef50fe358
                                                  • Instruction Fuzzy Hash: 2321B411B1AE4F0BF7B9D6AC04B527862C2FFDC654B5A01BAD05EC32FAED59E9024340
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4129280044.00007FFD9BB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bb00000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3ce4eae60ab231f619fda55414bed86c6b3faa75f860d6e5d9a02cbbcb777103
                                                  • Instruction ID: 3a2a34d632c47f7f037800cba40afbb1ad47a471c86463f685767890d9f2d2ec
                                                  • Opcode Fuzzy Hash: 3ce4eae60ab231f619fda55414bed86c6b3faa75f860d6e5d9a02cbbcb777103
                                                  • Instruction Fuzzy Hash: 0F21DB11B1AE4E0FE7B9A5AC04B527C52C3EFD865475A01BAD05EC72FEDD19ED068340
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4129280044.00007FFD9BB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bb00000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f6bc48f5b5f963d598c67a0865fce80e31de54c31a2a05061c1040ae9a0eb6a2
                                                  • Instruction ID: 199507c30a913cdd319df0d493422f2753772adb7cae82087182d5b85e93fee4
                                                  • Opcode Fuzzy Hash: f6bc48f5b5f963d598c67a0865fce80e31de54c31a2a05061c1040ae9a0eb6a2
                                                  • Instruction Fuzzy Hash: 7F21D611B1AE4E0FF7A9A6AC04B523862C2EFD855479A01BAD44EC33FFED19ED024340
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4129280044.00007FFD9BB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bb00000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1eaee6a0e9f396c428e2c1525a2f695ce1a67b68d5cce00f66753f02de2ec846
                                                  • Instruction ID: 0723ceb8b3e13b26039f32aca510e6a2d835b24a616db5270617e7a0e0ccbf11
                                                  • Opcode Fuzzy Hash: 1eaee6a0e9f396c428e2c1525a2f695ce1a67b68d5cce00f66753f02de2ec846
                                                  • Instruction Fuzzy Hash: D6218611B1AE4E0FE7B5A66C04B527866C2EFDC55475A01BBD04EC32FEDD29ED424340
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4129280044.00007FFD9BB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bb00000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 632d407d4bde3abe3fef12fc4161c7c740c0d6e9a2880a32cda818e44d53b9bc
                                                  • Instruction ID: 3b63e5fd68f8df63034ee209118846ae8465879f67aba701b870b431277f0200
                                                  • Opcode Fuzzy Hash: 632d407d4bde3abe3fef12fc4161c7c740c0d6e9a2880a32cda818e44d53b9bc
                                                  • Instruction Fuzzy Hash: 1A21C411B1AE4E0FE7B5A66C04B527862C3EFD811475A01BAE44EC76EAED28DD028340
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4129280044.00007FFD9BB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bb00000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9b2e710f0f39c83831bc7f245ebaff3c70affff831d70642095b506137398bc9
                                                  • Instruction ID: e7dffe2f0baa4ff64bdf11b6af1ef9d87920c62f75c546b04f134346041781a8
                                                  • Opcode Fuzzy Hash: 9b2e710f0f39c83831bc7f245ebaff3c70affff831d70642095b506137398bc9
                                                  • Instruction Fuzzy Hash: 5521D611B1AE4E0FF7B5A6AC04B467962D3EFDC11579A01BAE44EC73EAED19DD024340
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4129280044.00007FFD9BB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bb00000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f634e048b2b0a14e0ee4df6ac619b9bcccdfd99db2b37195f5c79bee7e15319f
                                                  • Instruction ID: cec0207f9f72ad64bf82e11c11554fc7411b7747fbd2bac9498662df257c2b0d
                                                  • Opcode Fuzzy Hash: f634e048b2b0a14e0ee4df6ac619b9bcccdfd99db2b37195f5c79bee7e15319f
                                                  • Instruction Fuzzy Hash: 5821B611B1AE4F0FE7B9A66C04B527962D2EFD855475A01BEE44EC32FAED29ED024340
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4129280044.00007FFD9BB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bb00000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e1345bb759efd588f1c01ee50a07adc380ccc7951a6f86fa2345b73eee500bff
                                                  • Instruction ID: 6dc679c6575e27da2b12b6d36fb6442aa2b82c2225bd55422152eac980e72e77
                                                  • Opcode Fuzzy Hash: e1345bb759efd588f1c01ee50a07adc380ccc7951a6f86fa2345b73eee500bff
                                                  • Instruction Fuzzy Hash: D421D711B1AE4E0BE3B9A6AC04B127961C3FFC8115B5601BAD45EC33FADD18ED064341
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4129280044.00007FFD9BB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bb00000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7ce4286105ba29272b975dbc0772497ed625a2d9ea527ac71fd21e4cb75ff06b
                                                  • Instruction ID: 8126648ae875541fc5778e8860238e537d4d6ebe9389ffdd44e4b154b30b1478
                                                  • Opcode Fuzzy Hash: 7ce4286105ba29272b975dbc0772497ed625a2d9ea527ac71fd21e4cb75ff06b
                                                  • Instruction Fuzzy Hash: 9D21D711B1AE4E0FE7B9A66C04B527862C2EFD810475A02BAE45EC72FADD29ED024340
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4129280044.00007FFD9BB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bb00000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4055710a4bfbdac6372b96bdc9863408afaca36bfaef0c85ef3ff9e559fa40a8
                                                  • Instruction ID: 36c32d5630b52e5c3b556020feec66c6a636554a924ba0c4bb51e8e7c2aa77df
                                                  • Opcode Fuzzy Hash: 4055710a4bfbdac6372b96bdc9863408afaca36bfaef0c85ef3ff9e559fa40a8
                                                  • Instruction Fuzzy Hash: 9511B65171AE4E0FF7B5A66C04B023866C2EFD811475A01BAE45EC77EAED29ED424305
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4129280044.00007FFD9BB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bb00000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4620fff629e57288c472469a70389b1579c3c196857f821ac914a6ee9aff9e25
                                                  • Instruction ID: c1d64c85a821327e18daaf6ad09586e368ef3576a97ef564906742226a43ada7
                                                  • Opcode Fuzzy Hash: 4620fff629e57288c472469a70389b1579c3c196857f821ac914a6ee9aff9e25
                                                  • Instruction Fuzzy Hash: 0B11861171AA4F0FE7B5A66C04B027866C2EFD8114B6A01BBE44EC76EEDD69ED024340
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4129280044.00007FFD9BB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bb00000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1c6b87b2bfca53e1593afee7f722d374e512575025099e5c1ab663ac38290fdf
                                                  • Instruction ID: 2af6a06fc7b2b96335293b0a0e054d46a1722791cf9b54eb8320a066b578f359
                                                  • Opcode Fuzzy Hash: 1c6b87b2bfca53e1593afee7f722d374e512575025099e5c1ab663ac38290fdf
                                                  • Instruction Fuzzy Hash: B711AB2171EE4F0FFBB5A66C04B513966C2EFD851475A01BAE45EC72EBED29ED024300
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4129280044.00007FFD9BB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bb00000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cd45fa687cfedc952424e258a35cd2ea9b259994e4644379e028baea1b47929d
                                                  • Instruction ID: 17eca24d29187bd72eb959be43070659e5c7f8eb071445f5afd559db325b6e76
                                                  • Opcode Fuzzy Hash: cd45fa687cfedc952424e258a35cd2ea9b259994e4644379e028baea1b47929d
                                                  • Instruction Fuzzy Hash: C111AB1171AE4F0FF7B5A66C04B013865C2EFD815475A01BAE49EC76EEDD19DD414300
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4129280044.00007FFD9BB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bb00000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7132ee8eef00a2a47b9499304da65b0b0587b90a3f8772fa7fd1dea43b6e66bc
                                                  • Instruction ID: be1f1dba64df287abadfe8f845752164d9f2329bd9ba6b59f0ac3e725f205b5e
                                                  • Opcode Fuzzy Hash: 7132ee8eef00a2a47b9499304da65b0b0587b90a3f8772fa7fd1dea43b6e66bc
                                                  • Instruction Fuzzy Hash: A4D0C711B1A61507F21415CCA8523F8B1C5DB88714F515177D40DC72E6C8CE6DC542C2
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4128659242.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9b9e0000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 61eb432572792162698139e8e1ab619a40ec4f39fce9ed5d45af9c96fcacf2a8
                                                  • Instruction ID: 2458a22ac17015f23a7eb13369597c8e444c763597a6ae44040486e154562982
                                                  • Opcode Fuzzy Hash: 61eb432572792162698139e8e1ab619a40ec4f39fce9ed5d45af9c96fcacf2a8
                                                  • Instruction Fuzzy Hash: FCD1C530A19A8D5FEBA8DF28C8557E97BD1FF55310F04426EE84DC7291CB7899418782
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4126613729.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9b770000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: afecb03f595489ac8c11ac2c29886081fb784167a893c786c46c35ceb37ce25d
                                                  • Instruction ID: f752c7b0eaacd635d0c267c467e19e757e3ff60a32e718bfc71e799a2bf7117d
                                                  • Opcode Fuzzy Hash: afecb03f595489ac8c11ac2c29886081fb784167a893c786c46c35ceb37ce25d
                                                  • Instruction Fuzzy Hash: 61316F1FA4E1A61EE315B3BCB5B28FD3B51CF6223970842F3F19D4D0E79D09208A4A94
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1707192656.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ffd9b750000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ;P_I
                                                  • API String ID: 0-1492203171
                                                  • Opcode ID: 3ace50b98b741ff9554082c82130ceeb8a00025fac1760df1f22bd667ec509d6
                                                  • Instruction ID: e8efa9df08ae28a2d1fc6ec4313f491bdf2f995d26c9320de90124e998cd78fc
                                                  • Opcode Fuzzy Hash: 3ace50b98b741ff9554082c82130ceeb8a00025fac1760df1f22bd667ec509d6
                                                  • Instruction Fuzzy Hash: F6816E7660E7894FE318D7EC54B05A93FA2AF42310F4542FAE4C8873EBED696909C341
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1707192656.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ffd9b750000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: .P_^
                                                  • API String ID: 0-3169129673
                                                  • Opcode ID: ffc0f66bf8d7f58f2915cf27152bb6f095d15dfe418dd4777989c04ed44a9194
                                                  • Instruction ID: ab25dec4ef042440d20ca2b354229f25b2090935caa5ce3c73e8b7c6db5e2a5d
                                                  • Opcode Fuzzy Hash: ffc0f66bf8d7f58f2915cf27152bb6f095d15dfe418dd4777989c04ed44a9194
                                                  • Instruction Fuzzy Hash: 7F212416B0E69E0FD315E6AC9C759F53BD1DF9622070E02F7E089CB1A3CD08590A8760
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1707192656.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ffd9b750000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 43d696b468c03aa5d01d3545dcdbff28d10c5a6ffeb58307577427ab281b64db
                                                  • Instruction ID: c640004e3bac759fdd796e4efd98fff36f349c6d5e03ce0bbbbaaef3f6358f91
                                                  • Opcode Fuzzy Hash: 43d696b468c03aa5d01d3545dcdbff28d10c5a6ffeb58307577427ab281b64db
                                                  • Instruction Fuzzy Hash: 21A1D631B19A8E4FEB95EBE88465AB93792EF99340F0502B5D44DC71F7DD68AD038340
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1707192656.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ffd9b750000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 051a184672fe3207ccb9978778e7dc339d73fead7e6c29bca82bdd7ade5fdb3a
                                                  • Instruction ID: 3ce042666e8afb7c90d5e1cbe923c54aedb2909ae62b944f9c8579962c86eb30
                                                  • Opcode Fuzzy Hash: 051a184672fe3207ccb9978778e7dc339d73fead7e6c29bca82bdd7ade5fdb3a
                                                  • Instruction Fuzzy Hash: CB717771B1990E4FEB98EB9884657BCB3D2EF98314F454179D05ED32E6CF68AC428740
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1707192656.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ffd9b750000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8c14d2085b4204b6b2a5e2f854ffc92729ad327adf09d6d270c5aec236624605
                                                  • Instruction ID: 7b84d638a0e563e65e6b6bbba56d6c1524630859908eecb6bd6339363240a6cc
                                                  • Opcode Fuzzy Hash: 8c14d2085b4204b6b2a5e2f854ffc92729ad327adf09d6d270c5aec236624605
                                                  • Instruction Fuzzy Hash: 5E51D224B1DEAE0FEB96A3B840716AD3AD39F8525074242F5E04DC72EBDD6C9D4B8341
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1707192656.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ffd9b750000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9da21c788b3fcc4738eba96c94bf7abe85a8a3c50bbfb4ea0a7135d8143aec29
                                                  • Instruction ID: ccfbbce24187443f81fd9e1da32dba86f14dcbcf89c0c310e8f4e1705f2c12b1
                                                  • Opcode Fuzzy Hash: 9da21c788b3fcc4738eba96c94bf7abe85a8a3c50bbfb4ea0a7135d8143aec29
                                                  • Instruction Fuzzy Hash: D2410C31B0D64D4FEB95EBE88471AF937A1EF95340F0602BAE00DC71E7CE68A9028751
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1707192656.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ffd9b750000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 848fa4e5adbbeb996447f94b374ba73337ebefdb89577770303cc14f9caa1c7d
                                                  • Instruction ID: b0de9ecbce63a64e8fed74a1391f94085c1c6dbdd91d9bab98919a2f191d311d
                                                  • Opcode Fuzzy Hash: 848fa4e5adbbeb996447f94b374ba73337ebefdb89577770303cc14f9caa1c7d
                                                  • Instruction Fuzzy Hash: 1D413B21B1DB490FE758EBE894667B977D1EF95314F04027EE05EC32E6CD6869038742
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1707192656.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ffd9b750000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f8543865482f710384794204b55abb50c3507a2a0332ab517b9bafc63b00155e
                                                  • Instruction ID: d81d72a4b25e788b70c0909f1ebd212c56785c8d22d0d5bbc29569685d6d8ebf
                                                  • Opcode Fuzzy Hash: f8543865482f710384794204b55abb50c3507a2a0332ab517b9bafc63b00155e
                                                  • Instruction Fuzzy Hash: EF21F630A0A64A4FD755DFA8C0D15A573A1EF94311B6583F5D018CB5BBEA68ED87C380
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1707192656.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ffd9b750000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8e0a93cbb5ee9fec2662e5f6756694a22584efec3d16a69df143fc291a28e407
                                                  • Instruction ID: ffa03de1570fecd9bf9622f10c0b7e48230c6292607dc88946c8b506122da37b
                                                  • Opcode Fuzzy Hash: 8e0a93cbb5ee9fec2662e5f6756694a22584efec3d16a69df143fc291a28e407
                                                  • Instruction Fuzzy Hash: 8B31C63C659A5D4FE308EB5C90B1AA93F62AB84304F8046E5E859833CFDE7C550CC751
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1707192656.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ffd9b750000_Svc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8bafa5422ef6f208a6a6a9278fd0a001186664a24b2dc19541399125692114a8
                                                  • Instruction ID: 980d18a4d55ca5fe688ea3ab0e3b9d745dbf12d47b7f61d515aac075c4e95edb
                                                  • Opcode Fuzzy Hash: 8bafa5422ef6f208a6a6a9278fd0a001186664a24b2dc19541399125692114a8
                                                  • Instruction Fuzzy Hash: 7B213A52E1EB894FF355A7A80835AA56B91EF52740F4906FAD089CB1EBDC4828058391
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1707192656.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ffd9b750000_Svc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: acc170cdaa7c3fb1f0a2732b5a3ea9653cacdda714f0213e59190d87a583bb80
• Instruction ID: d50f063a36ad242d3689c1c41911ab4b8aa68a47676d4240442c4f9acb8366ae
• Opcode Fuzzy Hash: acc170cdaa7c3fb1f0a2732b5a3ea9653cacdda714f0213e59190d87a583bb80
• Instruction Fuzzy Hash: 1421F131F19A5D4FD794EB6888699B873E2EF58301B4605B6E40DC72F6DE24E805C740
Memory Dump Source
• Source File: 00000004.00000002.1707192656.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffd9b750000_Svc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: beba1354756c94a3830cde564fd04b3672ffc149041bb7d8f6af72672c1a9834
• Instruction ID: b16295f9d404776200e80f139f33494d4720785da883967282579c8d11ffc312
• Opcode Fuzzy Hash: beba1354756c94a3830cde564fd04b3672ffc149041bb7d8f6af72672c1a9834
• Instruction Fuzzy Hash: 33119021B0EB490FE751A6B86C698F17BD1DF9022570943BBE44DC31B3CD58A6878351
Memory Dump Source
• Source File: 00000004.00000002.1707192656.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffd9b750000_Svc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9bb00269d93a3dfcb62364c6b65cfd250eeafbaa3f8945eff6487c30e3629fc6
• Instruction ID: fa3bbbf561d403bcb47dd828386246939da874ef709f7a1cbadc879f6477615d
• Opcode Fuzzy Hash: 9bb00269d93a3dfcb62364c6b65cfd250eeafbaa3f8945eff6487c30e3629fc6
• Instruction Fuzzy Hash: C311785362EECA0FDBA692A818755F53B91EF96310B0906FBE04DC31E7DD4869468381
Memory Dump Source
• Source File: 00000004.00000002.1707192656.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffd9b750000_Svc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b921269e52bd66e0fe7bd9200de2a992c025678f6b2986db7a8166079778db31
• Instruction ID: 19c06280f45d93f1f56e659f1ad9d2bd5a782a375f24b650d8bd41e2103dc07f
• Opcode Fuzzy Hash: b921269e52bd66e0fe7bd9200de2a992c025678f6b2986db7a8166079778db31
• Instruction Fuzzy Hash: F411E920B0EBCD0FE347E3B858A8AA43FD1AF47215B0901F7D088CB1B7C9984946C342
Memory Dump Source
• Source File: 00000004.00000002.1707192656.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffd9b750000_Svc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ef172bb84fe4a0ed82c222c54646334e67588639022e95d8487cf4d0e19e065f
• Instruction ID: 99d4ba66804605a4c706ad5d9b8e091080a2a36a97c092278ca83228df0c6d00
• Opcode Fuzzy Hash: ef172bb84fe4a0ed82c222c54646334e67588639022e95d8487cf4d0e19e065f
• Instruction Fuzzy Hash: E0F09022B1885D1FE754F2ED58E9EFA67C5DBA822971401B7E40CC72BBDC5498828391
Memory Dump Source
• Source File: 00000004.00000002.1707192656.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffd9b750000_Svc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 65161b31c60b3028fa13757c99184ffb2438aa8bea018e9f3bbb810a2bdf6a4a
• Instruction ID: 8f802fc4d15d40e88c4af84120894ace85aa8afdfb0a497fc833461bd2a51b09
• Opcode Fuzzy Hash: 65161b31c60b3028fa13757c99184ffb2438aa8bea018e9f3bbb810a2bdf6a4a
• Instruction Fuzzy Hash: 5DE02221F18C0D0FABA4F6ED44D8F7922C1EBAC21271001B2E40CC33BACC68AC828381
Memory Dump Source
• Source File: 00000004.00000002.1707192656.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffd9b750000_Svc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: afa342bacd87308208683e4c59b0841a5bb6f984792f2d052abc252d955e0f48
• Instruction ID: b4642002a4e49584d1803ca4870d4d7f166ea6ad804816f700793f40c0102815
• Opcode Fuzzy Hash: afa342bacd87308208683e4c59b0841a5bb6f984792f2d052abc252d955e0f48
• Instruction Fuzzy Hash: AAE02622F1AA5A1BE39433B824360FC2181AF99691B81003AE40DC62EBEC1D3E430280