Windows Analysis Report
XIiRHEaA9R.exe

Overview

General Information

Sample Name: XIiRHEaA9R.exe
Analysis ID: 731879
MD5: 7be93d4cd0ae4d9e467c354e87d02dd0
SHA1: 8852ce4a69274193debac56979519e650a3358d3
SHA256: 23733904b1979abe6be5aede5a1dfb125c65e13fb682136a1222da4a70d2cdee
Tags: exe, QuasarRAT, RAT

Detection

Quasar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected Quasar RAT
Snort IDS alert for network traffic
.NET source code references suspicious native API functions
Machine Learning detection for sample
May check the online IP address of the machine
Yara detected Generic Downloader
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Classification

  • System is w10x64
  • XIiRHEaA9R.exe (PID: 4204 cmdline: C:\Users\user\Desktop\XIiRHEaA9R.exe MD5: 7BE93D4CD0AE4D9E467C354E87D02DD0)
  • XIiRHEaA9R.exe (PID: 3124 cmdline: "C:\Users\user\Desktop\XIiRHEaA9R.exe" MD5: 7BE93D4CD0AE4D9E467C354E87D02DD0)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
XIiRHEaA9R.exe | Vermin_Keylogger_Jan18_1 | Detects Vermin Keylogger | Florian Roth
  • 0x3867a:$x3: GetKeyloggerLogsResponse
  • 0x38b77:$x4: GetKeyloggerLogs
  • 0x38e46:$s1: <RunHidden>k__BackingField
  • 0x38848:$s2: set_SystemInfos
  • 0x38e6f:$s3: set_RunHidden
  • 0x38a75:$s4: set_RemotePath
  • 0x48bf8:$s6: Client.exe
  • 0x48c60:$s6: Client.exe
  • 0x3dfee:$s7: xClient.Core.ReverseProxy.Packets
XIiRHEaA9R.exe | xRAT_1 | Detects Patchwork malware | Florian Roth
  • 0x29673:$x4: xClient.Properties.Resources.resources
  • 0x29555:$s4: Client.exe
  • 0x38e6f:$s7: set_RunHidden
XIiRHEaA9R.exe | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x38e33:$s1: DoUploadAndExecute
  • 0x3e8cc:$s2: DoDownloadAndExecute
  • 0x38c01:$s3: DoShellExecute
  • 0x3902b:$s4: set_Processname
  • 0x114f8:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x1141c:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x11e89:$op3: 00 04 03 69 91 1B 40
  • 0x126e8:$op3: 00 04 03 69 91 1B 40
XIiRHEaA9R.exe | Quasar_RAT_2 | Detects Quasar RAT | Florian Roth
  • 0x3867a:$x1: GetKeyloggerLogsResponse
  • 0x388c0:$s1: DoShellExecuteResponse
  • 0x31f9f:$s2: GetPasswordsResponse
  • 0x38793:$s3: GetStartupItemsResponse
  • 0x2f4d9:$s4: <GetGenReader>b__7
  • 0x38e47:$s5: RunHidden
  • 0x38e65:$s5: RunHidden
  • 0x38e73:$s5: RunHidden
  • 0x38e87:$s5: RunHidden
XIiRHEaA9R.exe | CN_disclosed_20180208_KeyLogger_1 | Detects malware from disclosed CN malware set | Florian Roth
  • 0x40f99:$x2: Process already elevated.
  • 0x3a098:$x4: get_encryptedPassword
  • 0x3e8cc:$x5: DoDownloadAndExecute
Source | Rule | Description | Author | Strings
00000000.00000000.244677239.0000000000682000.00000002.00000001.01000000.00000003.sdmp | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x38c33:$s1: DoUploadAndExecute
  • 0x3e6cc:$s2: DoDownloadAndExecute
  • 0x38a01:$s3: DoShellExecute
  • 0x38e2b:$s4: set_Processname
  • 0x112f8:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x1121c:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x11c89:$op3: 00 04 03 69 91 1B 40
  • 0x124e8:$op3: 00 04 03 69 91 1B 40
00000000.00000000.244677239.0000000000682000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000000.00000000.244677239.0000000000682000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_Quasarrat_e52df647 | unknown | unknown
  • 0x3847a:$a1: GetKeyloggerLogsResponse
  • 0x3e6cc:$a2: DoDownloadAndExecute
  • 0x4459c:$a3: http://api.ipify.org/
  • 0x43103:$a4: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7}
Process Memory Space: XIiRHEaA9R.exe PID: 4204 | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
Source | Rule | Description | Author | Strings
0.0.XIiRHEaA9R.exe.680000.0.unpack | Vermin_Keylogger_Jan18_1 | Detects Vermin Keylogger | Florian Roth
  • 0x3867a:$x3: GetKeyloggerLogsResponse
  • 0x38b77:$x4: GetKeyloggerLogs
  • 0x38e46:$s1: <RunHidden>k__BackingField
  • 0x38848:$s2: set_SystemInfos
  • 0x38e6f:$s3: set_RunHidden
  • 0x38a75:$s4: set_RemotePath
  • 0x48bf8:$s6: Client.exe
  • 0x48c60:$s6: Client.exe
  • 0x3dfee:$s7: xClient.Core.ReverseProxy.Packets
0.0.XIiRHEaA9R.exe.680000.0.unpack | xRAT_1 | Detects Patchwork malware | Florian Roth
  • 0x29673:$x4: xClient.Properties.Resources.resources
  • 0x29555:$s4: Client.exe
  • 0x38e6f:$s7: set_RunHidden
0.0.XIiRHEaA9R.exe.680000.0.unpack | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x38e33:$s1: DoUploadAndExecute
  • 0x3e8cc:$s2: DoDownloadAndExecute
  • 0x38c01:$s3: DoShellExecute
  • 0x3902b:$s4: set_Processname
  • 0x114f8:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x1141c:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x11e89:$op3: 00 04 03 69 91 1B 40
  • 0x126e8:$op3: 00 04 03 69 91 1B 40
0.0.XIiRHEaA9R.exe.680000.0.unpack | Quasar_RAT_2 | Detects Quasar RAT | Florian Roth
  • 0x3867a:$x1: GetKeyloggerLogsResponse
  • 0x388c0:$s1: DoShellExecuteResponse
  • 0x31f9f:$s2: GetPasswordsResponse
  • 0x38793:$s3: GetStartupItemsResponse
  • 0x2f4d9:$s4: <GetGenReader>b__7
  • 0x38e47:$s5: RunHidden
  • 0x38e65:$s5: RunHidden
  • 0x38e73:$s5: RunHidden
  • 0x38e87:$s5: RunHidden
0.0.XIiRHEaA9R.exe.680000.0.unpack | CN_disclosed_20180208_KeyLogger_1 | Detects malware from disclosed CN malware set | Florian Roth
  • 0x40f99:$x2: Process already elevated.
  • 0x3a098:$x4: get_encryptedPassword
  • 0x3e8cc:$x5: DoDownloadAndExecute
No Sigma rule has matched
Timestamp: 10/27/22-13:22:05.740946
Source IP: 192.168.2.3
Destination IP: 104.26.15.73
Source Port: 49700
Destination Port: 80
SID: 2814030
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 10/27/22-13:22:05.495329
Source IP: 192.168.2.3
Destination IP: 88.198.193.213
Source Port: 49697
Destination Port: 80
SID: 2814031
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: XIiRHEaA9R.exe | ReversingLabs: Detection: 80%
Source: XIiRHEaA9R.exe | Virustotal: Detection: 68%
Source: XIiRHEaA9R.exe | Avira: detected
Source: Yara match | File source: XIiRHEaA9R.exe, type: SAMPLE
Source: Yara match | File source: 0.0.XIiRHEaA9R.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.244677239.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: XIiRHEaA9R.exe PID: 4204, type: MEMORYSTR
Source: XIiRHEaA9R.exe | Joe Sandbox ML: detected
Source: XIiRHEaA9R.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: XIiRHEaA9R.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Traffic | Snort IDS: 2814031 ETPRO TROJAN W32/Quasar RAT Connectivity Check 192.168.2.3:49697 -> 88.198.193.213:80
Source: Traffic | Snort IDS: 2814030 ETPRO TROJAN W32/Quasar RAT Connectivity Check 2 192.168.2.3:49700 -> 104.26.15.73:80
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | DNS query: name: freegeoip.net
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | DNS query: name: api.ipify.org
Source: Yara match | File source: XIiRHEaA9R.exe, type: SAMPLE
Source: Yara match | File source: 0.0.XIiRHEaA9R.exe.680000.0.unpack, type: UNPACKEDPE
Source: Joe Sandbox View | ASN Name: HETZNER-ASDE
Source: Joe Sandbox View | IP Address: 54.91.59.199
Source: Joe Sandbox View | IP Address: 54.91.59.199
Source: global traffic | HTTP traffic detected: GET /geoip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: telize.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /geoip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: www.telize.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /geoip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: www.telize.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: freegeoip.net | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /shutdown HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: freegeoip.net
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /geoip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: telize.com
Source: global traffic | HTTP traffic detected: GET /geoip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: www.telize.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /geoip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: www.telize.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: freegeoip.net
Source: global traffic | HTTP traffic detected: GET /shutdown HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: freegeoip.net
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 | Host: api.ipify.org
Source: global traffic | TCP traffic: 192.168.2.3:49702 -> 123.99.198.201:24252
Source: XIiRHEaA9R.exe, 00000000.00000002.515179784.0000000002CA3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org
Source: XIiRHEaA9R.exe, 00000000.00000002.515179784.0000000002CA3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org.herokudns.com
Source: XIiRHEaA9R.exe, 00000000.00000002.515179784.0000000002CA3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org/
Source: XIiRHEaA9R.exe | String found in binary or memory: http://api.ipify.org/3
Source: XIiRHEaA9R.exe, 00000000.00000002.515179784.0000000002CA3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org45kxl
Source: XIiRHEaA9R.exe, 00000000.00000002.515431263.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.orgD85kp
Source: XIiRHEaA9R.exe, 00000000.00000002.515179784.0000000002CA3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://freegeoip.net
Source: XIiRHEaA9R.exe, 00000000.00000002.515179784.0000000002CA3000.00000004.00000800.00020000.00000000.sdmp, XIiRHEaA9R.exe, 00000000.00000002.515431263.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://freegeoip.net/shutdown
Source: XIiRHEaA9R.exe | String found in binary or memory: http://freegeoip.net/xml/
Source: XIiRHEaA9R.exe, 00000000.00000002.515179784.0000000002CA3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://freegeoip.net45k
Source: XIiRHEaA9R.exe, 00000000.00000002.515431263.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://freegeoip.netD85k
Source: XIiRHEaA9R.exe, 00000000.00000002.515123725.0000000002C7A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: XIiRHEaA9R.exe, 00000000.00000002.515123725.0000000002C7A000.00000004.00000800.00020000.00000000.sdmp, XIiRHEaA9R.exe, 00000000.00000002.515158144.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://telize.com
Source: XIiRHEaA9R.exe | String found in binary or memory: http://telize.com/geoip
Source: XIiRHEaA9R.exe, 00000000.00000002.515123725.0000000002C7A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://telize.com45k
Source: XIiRHEaA9R.exe, 00000000.00000002.515431263.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://telize.comD85k
Source: XIiRHEaA9R.exe, 00000000.00000002.515179784.0000000002CA3000.00000004.00000800.00020000.00000000.sdmp, XIiRHEaA9R.exe, 00000000.00000002.515158144.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp, XIiRHEaA9R.exe, 00000000.00000002.515431263.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.telize.com
Source: XIiRHEaA9R.exe, 00000000.00000002.515158144.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp, XIiRHEaA9R.exe, 00000000.00000002.515431263.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.telize.com/geoip
Source: XIiRHEaA9R.exe, 00000000.00000002.515158144.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.telize.com45k
Source: XIiRHEaA9R.exe, 00000000.00000002.515431263.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.telize.comD85k
Source: unknown | DNS traffic detected: queries for: telize.com

E-Banking Fraud

Source: Yara match | File source: XIiRHEaA9R.exe, type: SAMPLE
Source: Yara match | File source: 0.0.XIiRHEaA9R.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.244677239.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: XIiRHEaA9R.exe PID: 4204, type: MEMORYSTR

System Summary

Source: XIiRHEaA9R.exe, type: SAMPLE | Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: XIiRHEaA9R.exe, type: SAMPLE | Matched rule: Detects Patchwork malware Author: Florian Roth
Source: XIiRHEaA9R.exe, type: SAMPLE | Matched rule: Detects Quasar RAT Author: Florian Roth
Source: XIiRHEaA9R.exe, type: SAMPLE | Matched rule: Detects Quasar RAT Author: Florian Roth
Source: XIiRHEaA9R.exe, type: SAMPLE | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: XIiRHEaA9R.exe, type: SAMPLE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: XIiRHEaA9R.exe, type: SAMPLE | Matched rule: QuasarRAT payload Author: ditekSHen
Source: XIiRHEaA9R.exe, type: SAMPLE | Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: 0.0.XIiRHEaA9R.exe.680000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 0.0.XIiRHEaA9R.exe.680000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 0.0.XIiRHEaA9R.exe.680000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0.0.XIiRHEaA9R.exe.680000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0.0.XIiRHEaA9R.exe.680000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.0.XIiRHEaA9R.exe.680000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.0.XIiRHEaA9R.exe.680000.0.unpack, type: UNPACKEDPE | Matched rule: QuasarRAT payload Author: ditekSHen
Source: 0.0.XIiRHEaA9R.exe.680000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: 00000000.00000000.244677239.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000000.00000000.244677239.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: XIiRHEaA9R.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: XIiRHEaA9R.exe, type: SAMPLEMatched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: XIiRHEaA9R.exe, type: SAMPLEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: XIiRHEaA9R.exe, type: SAMPLEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: XIiRHEaA9R.exe, type: SAMPLEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
      Source: XIiRHEaA9R.exe, type: SAMPLEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: XIiRHEaA9R.exe, type: SAMPLEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
      Source: XIiRHEaA9R.exe, type: SAMPLEMatched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
      Source: XIiRHEaA9R.exe, type: SAMPLEMatched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
      Source: 0.0.XIiRHEaA9R.exe.680000.0.unpack, type: UNPACKEDPEMatched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.0.XIiRHEaA9R.exe.680000.0.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.0.XIiRHEaA9R.exe.680000.0.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.0.XIiRHEaA9R.exe.680000.0.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
      Source: 0.0.XIiRHEaA9R.exe.680000.0.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.0.XIiRHEaA9R.exe.680000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
      Source: 0.0.XIiRHEaA9R.exe.680000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
      Source: 0.0.XIiRHEaA9R.exe.680000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
      Source: 00000000.00000000.244677239.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000000.00000000.244677239.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | Code function: 0_2_05A50DB8
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | Code function: 0_2_0620BEA0
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | Code function: 0_2_0620AD80
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | Code function: 0_2_0620E2ED
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | Code function: 0_2_06204BA0
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | Code function: 0_2_06204B9A
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | Code function: 0_2_06203078
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | Code function: 1_2_04BCEDD0
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | Code function: 1_2_04BCF6A0
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | Code function: 1_2_04BCEA88
Source: XIiRHEaA9R.exe, 00000000.00000000.244719784.00000000006CC000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameClient.exe4 vs XIiRHEaA9R.exe
Source: XIiRHEaA9R.exe, 00000000.00000002.510923787.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs XIiRHEaA9R.exe
Source: XIiRHEaA9R.exe | Binary or memory string: OriginalFilenameClient.exe4 vs XIiRHEaA9R.exe
Source: XIiRHEaA9R.exe | ReversingLabs: Detection: 80%
Source: XIiRHEaA9R.exe | Virustotal: Detection: 68%
Source: XIiRHEaA9R.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\XIiRHEaA9R.exe C:\Users\user\Desktop\XIiRHEaA9R.exe
Source: unknown | Process created: C:\Users\user\Desktop\XIiRHEaA9R.exe "C:\Users\user\Desktop\XIiRHEaA9R.exe"
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\XIiRHEaA9R.exe.log
Source: classification engine | Classification label: mal100.troj.evad.winEXE@2/1@6/4
Source: XIiRHEaA9R.exe, ??uf86b??????uf36e???u31c0??????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: XIiRHEaA9R.exe, ??uf86b??????uf36e???u31c0??????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.0.XIiRHEaA9R.exe.680000.0.unpack, ??uf86b??????uf36e???u31c0??????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.XIiRHEaA9R.exe.680000.0.unpack, ??uf86b??????uf36e???u31c0??????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: XIiRHEaA9R.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: XIiRHEaA9R.exe, ???????????ue0b0??u05feuaa3e????.cs | Base64 encoded string: 'qQ0qccNAw+MGYI6F0NLtDPFOIymUHeLSfeVpf/mKtN28+H/f/sT67WOzFksjgI4g'
Source: 0.0.XIiRHEaA9R.exe.680000.0.unpack, ???????????ue0b0??u05feuaa3e????.cs | Base64 encoded string: 'qQ0qccNAw+MGYI6F0NLtDPFOIymUHeLSfeVpf/mKtN28+H/f/sT67WOzFksjgI4g'
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | Mutant created: \Sessions\1\BaseNamedObjects\QSR_MUTEX_n8GOVHrdpEnwtMst7i
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: XIiRHEaA9R.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: XIiRHEaA9R.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: C:\Users\user\Desktop\XIiRHEaA9R.exeCode function: 0_2_0620897B push es; iretd 0_2_0620897C
      Source: C:\Users\user\Desktop\XIiRHEaA9R.exeCode function: 0_2_066C2B6E push ss; retf 0_2_066C2B70
      Source: C:\Users\user\Desktop\XIiRHEaA9R.exeCode function: 0_2_066C2B78 push ss; retf 0_2_066C2B7A
      Source: C:\Users\user\Desktop\XIiRHEaA9R.exeCode function: 0_2_066C2B47 push ss; retf 0_2_066C2B48
      Source: C:\Users\user\Desktop\XIiRHEaA9R.exeCode function: 0_2_066C2B51 push ss; retf 0_2_066C2B52
      Source: C:\Users\user\Desktop\XIiRHEaA9R.exeCode function: 0_2_066C2B3D push ss; retf 0_2_066C2B3E
      Source: C:\Users\user\Desktop\XIiRHEaA9R.exeCode function: 0_2_066C2B33 push ss; retf 0_2_066C2B34
      Source: C:\Users\user\Desktop\XIiRHEaA9R.exeCode function: 0_2_066C2B1E push ss; retf 0_2_066C2B20
      Source: C:\Users\user\Desktop\XIiRHEaA9R.exeCode function: 0_2_066C2B14 push ss; retf 0_2_066C2B16
      Source: C:\Users\user\Desktop\XIiRHEaA9R.exeCode function: 0_2_066C2BE6 push ss; retf 0_2_066C2BE8
      Source: C:\Users\user\Desktop\XIiRHEaA9R.exeCode function: 0_2_066C2BC8 push ss; retf 0_2_066C2BCA
      Source: C:\Users\user\Desktop\XIiRHEaA9R.exeCode function: 0_2_066C2BDD push ss; retf 0_2_066C2BDE
      Source: C:\Users\user\Desktop\XIiRHEaA9R.exeCode function: 0_2_066C2BA1 push ss; retf 0_2_066C2BA2
      Source: C:\Users\user\Desktop\XIiRHEaA9R.exeCode function: 0_2_066C2BBE push ss; retf 0_2_066C2BC0
      Source: C:\Users\user\Desktop\XIiRHEaA9R.exeCode function: 0_2_066C2BB4 push ss; retf 0_2_066C2BB6
      Source: C:\Users\user\Desktop\XIiRHEaA9R.exeCode function: 0_2_066C2B8D push ss; retf 0_2_066C2B8E
      Source: C:\Users\user\Desktop\XIiRHEaA9R.exeCode function: 0_2_066C2B97 push ss; retf 0_2_066C2B98
      Source: C:\Users\user\Desktop\XIiRHEaA9R.exeCode function: 0_2_066C2C05 push ss; retf 0_2_066C2C06
      Source: C:\Users\user\Desktop\XIiRHEaA9R.exeCode function: 1_2_04BC8DEF push E801035Eh; retf 1_2_04BC8E01
      Source: C:\Users\user\Desktop\XIiRHEaA9R.exeCode function: 1_2_04BC1DA8 pushfd ; ret 1_2_04BC1DA9

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | File opened: C:\Users\user\Desktop\XIiRHEaA9R.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe TID: 4940 | Thread sleep time: -52500s >= -30000s
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe TID: 5128 | Thread sleep count: 1031 > 30
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe TID: 1652 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | Window / User API: threadDelayed 1031
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: XIiRHEaA9R.exe, 00000000.00000002.514331098.0000000000E86000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: XIiRHEaA9R.exe, u0fd3????u0cd3???????????u2787ufffduab5c.cs | Reference to suspicious API methods: ('????????????????????', 'LoadLibrary@kernel32.dll'), ('???????????????????P', 'GetProcAddress@kernel32.dll')
Source: XIiRHEaA9R.exe, ?ue86fu19f1???u2655????ufffd???u2bc3????.cs | Reference to suspicious API methods: ('????????????????????', 'MapVirtualKeyEx@user32.dll')
Source: 0.0.XIiRHEaA9R.exe.680000.0.unpack, u0fd3????u0cd3???????????u2787ufffduab5c.cs | Reference to suspicious API methods: ('????????????????????', 'LoadLibrary@kernel32.dll'), ('???????????????????P', 'GetProcAddress@kernel32.dll')
Source: 0.0.XIiRHEaA9R.exe.680000.0.unpack, ?ue86fu19f1???u2655????ufffd???u2bc3????.cs | Reference to suspicious API methods: ('????????????????????', 'MapVirtualKeyEx@user32.dll')
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | Queries volume information: C:\Users\user\Desktop\XIiRHEaA9R.exe VolumeInformation
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\XIiRHEaA9R.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: XIiRHEaA9R.exe, type: SAMPLE
Source: Yara match | File source: 0.0.XIiRHEaA9R.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.244677239.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: XIiRHEaA9R.exe PID: 4204, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: XIiRHEaA9R.exe, type: SAMPLE
Source: Yara match | File source: 0.0.XIiRHEaA9R.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.244677239.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: XIiRHEaA9R.exe PID: 4204, type: MEMORYSTR
      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
      Valid Accounts111
      Windows Management Instrumentation
      Path Interception1
      Process Injection
      1
      Masquerading
      OS Credential Dumping11
      Security Software Discovery
      Remote Services1
      Archive Collected Data
      Exfiltration Over Other Network Medium1
      Encrypted Channel
      Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
      Default Accounts1
      Native API
      Boot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
      Disable or Modify Tools
      LSASS Memory31
      Virtualization/Sandbox Evasion
      Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth1
      Non-Standard Port
      Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
      Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)31
      Virtualization/Sandbox Evasion
      Security Account Manager1
      Application Window Discovery
      SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
      Ingress Tool Transfer
      Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
      Process Injection
      NTDS1
      Remote System Discovery
      Distributed Component Object ModelInput CaptureScheduled Transfer2
      Non-Application Layer Protocol
      SIM Card SwapCarrier Billing Fraud
      Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
      Hidden Files and Directories
      LSA Secrets1
      System Network Configuration Discovery
      SSHKeyloggingData Transfer Size Limits12
      Application Layer Protocol
      Manipulate Device CommunicationManipulate App Store Rankings or Ratings
      Replication Through Removable MediaLaunchdRc.commonRc.common11
      Obfuscated Files or Information
      Cached Domain Credentials113
      System Information Discovery
      VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features

Source | Detection | Scanner | Label
XIiRHEaA9R.exe | 80% | ReversingLabs | ByteCode-MSIL.Trojan.Tinclex
XIiRHEaA9R.exe | 68% | Virustotal |
XIiRHEaA9R.exe | 100% | Avira | TR/Dropper.Gen
XIiRHEaA9R.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
0.0.XIiRHEaA9R.exe.680000.0.unpack | 100% | Avira | HEUR/AGEN.1235887
No Antivirus matches
Source | Detection | Scanner | Label
http://api.ipify.org.herokudns.com | 0% | URL Reputation | safe
http://api.ipify.org45kxl | 0% | Avira URL Cloud | safe
http://telize.comD85k | 0% | Avira URL Cloud | safe
http://freegeoip.net45k | 0% | Avira URL Cloud | safe
http://freegeoip.netD85k | 0% | Avira URL Cloud | safe
http://telize.com45k | 0% | Avira URL Cloud | safe
http://www.telize.comD85k | 0% | Avira URL Cloud | safe
http://www.telize.com45k | 0% | Avira URL Cloud | safe
http://telize.com/geoip | 0% | Avira URL Cloud | safe
http://www.telize.com | 0% | Avira URL Cloud | safe
http://www.telize.com/geoip | 0% | Avira URL Cloud | safe
http://api.ipify.orgD85kp | 0% | Avira URL Cloud | safe
http://telize.com | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ipify.org.herokudns.com | 54.91.59.199 | true | false |  | unknown
telize.com | 88.198.193.213 | true | true |  | unknown
www.telize.com | 88.198.193.213 | true | true |  | unknown
e2.luyouxia.net | 123.99.198.201 | true | false |  | unknown
freegeoip.net | 104.26.15.73 | true | false |  | high
aa9064aa.e2.luyouxia.net | unknown | unknown | true |  | unknown
api.ipify.org | unknown | unknown | false |  | high
Name | Malicious | Antivirus Detection | Reputation
http://freegeoip.net/xml/ | false |  | high
http://www.telize.com/geoip | true | Avira URL Cloud: safe | unknown
http://telize.com/geoip | true | Avira URL Cloud: safe | unknown
http://api.ipify.org/ | false |  | high
http://freegeoip.net/shutdown | false |  | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://api.ipify.org45kxl | XIiRHEaA9R.exe, 00000000.00000002.515179784.0000000002CA3000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://telize.com45k | XIiRHEaA9R.exe, 00000000.00000002.515123725.0000000002C7A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.telize.com45k | XIiRHEaA9R.exe, 00000000.00000002.515158144.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://api.ipify.org.herokudns.com | XIiRHEaA9R.exe, 00000000.00000002.515179784.0000000002CA3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://freegeoip.netD85k | XIiRHEaA9R.exe, 00000000.00000002.515431263.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://freegeoip.net45k | XIiRHEaA9R.exe, 00000000.00000002.515179784.0000000002CA3000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://telize.comD85k | XIiRHEaA9R.exe, 00000000.00000002.515431263.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.telize.comD85k | XIiRHEaA9R.exe, 00000000.00000002.515431263.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.telize.com | XIiRHEaA9R.exe, 00000000.00000002.515179784.0000000002CA3000.00000004.00000800.00020000.00000000.sdmp, XIiRHEaA9R.exe, 00000000.00000002.515158144.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp, XIiRHEaA9R.exe, 00000000.00000002.515431263.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://freegeoip.net | XIiRHEaA9R.exe, 00000000.00000002.515179784.0000000002CA3000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | XIiRHEaA9R.exe, 00000000.00000002.515123725.0000000002C7A000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://api.ipify.orgD85kp | XIiRHEaA9R.exe, 00000000.00000002.515431263.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://api.ipify.org/3 | XIiRHEaA9R.exe | false |  | high
http://api.ipify.org | XIiRHEaA9R.exe, 00000000.00000002.515179784.0000000002CA3000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://telize.com | XIiRHEaA9R.exe, 00000000.00000002.515123725.0000000002C7A000.00000004.00000800.00020000.00000000.sdmp, XIiRHEaA9R.exe, 00000000.00000002.515158144.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
54.91.59.199 | api.ipify.org.herokudns.com | United States | 14618 | AMAZON-AESUS | false
88.198.193.213 | telize.com | Germany | 24940 | HETZNER-ASDE | true
123.99.198.201 | e2.luyouxia.net | China | 58461 | CT-HANGZHOU-IDCNo288Fu-chunRoadCN | false
104.26.15.73 | freegeoip.net | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 731879
Start date and time: 2022-10-27 13:21:11 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 49s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: XIiRHEaA9R.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@2/1@6/4
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 30
• Number of non-executed functions: 5
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 93.184.220.29, 8.241.126.249, 8.238.189.126, 8.238.88.254, 8.238.88.248, 8.238.85.126, 173.222.108.210, 173.222.108.226, 209.197.3.8
• Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, fs.microsoft.com, cs9.wac.phicdn.net, ocsp.digicert.com, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, download.windowsupdate.com.edgesuite.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big; too many NtQueryValueKey calls found.
                                  TimeTypeDescription
                                  13:22:09AutostartRun: HKLM\Software\Microsoft\Windows\CurrentVersion\Run svchost "C:\Users\user\Desktop\XIiRHEaA9R.exe"
                                  Process:C:\Users\user\Desktop\XIiRHEaA9R.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):701
                                  Entropy (8bit):5.333763980888323
                                  Encrypted:false
                                  SSDEEP:12:Q3La/hhkvoDLI4MWuCqDLI4MWuPk21q1KDLI4M9XKbbDLI4MWuPJKiUrRZ9I0ZKz:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pe
                                  MD5:BA746AE3F262831576BFC85A583D459B
                                  SHA1:454EF29E0DF1C81CD890FAAC211FFFCDE6ED37A3
                                  SHA-256:81F25A1B2B3AA48F1CA416DBDB0099493353B2A4EA667F688220A9E4D4355FC7
                                  SHA-512:2AE73EC4CCAEAFF14761FB3F53A2F7E166CBB7B3FA3BFCEF58D8EFC7CA6BF545D8DD0223C28CAA2B6213651AE4DC048C2FD6E99F1841DCF8CAF240434AB621B1
                                  Malicious:true
                                  Reputation:moderate, very likely benign file
                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Entropy (8bit):4.430172686905627
                                  TrID:
                                  • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                  • Win32 Executable (generic) a (10002005/4) 49.97%
                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                  • DOS Executable Generic (2002/1) 0.01%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:XIiRHEaA9R.exe
                                  File size:488396
                                  MD5:7be93d4cd0ae4d9e467c354e87d02dd0
                                  SHA1:8852ce4a69274193debac56979519e650a3358d3
                                  SHA256:23733904b1979abe6be5aede5a1dfb125c65e13fb682136a1222da4a70d2cdee
                                  SHA512:9be6ed40c6e287feb306162e6dd63add623aabe0dd2a2b91e7d1ba097fb5d94cd2961e26c2c247990e6c62a767edca3089e34fe3ee488879d3d1f2aa5d7052e5
                                  SSDEEP:6144:VwbrjkaZKt+pxSrNgx7KLHbRgKIiZAZjC419pCnnnnjnnn/Y1:i98YpxSrqZcM1
                                  TLSH:C4A46D2063E8872BD6EE0779E6740108C7F5D817F91AE7CB5F9070B86CA33959D026A7
                                  File Content Preview:MZ......................@...............................................!..L.!This 53170389cannot be run in DOS mode....$.......PE..L.....Uc................................. ........@.. ....................................@................................
                                  Icon Hash:00828e8e8686b000
                                  Entrypoint:0x44a70e
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x635513D3 [Sun Oct 23 10:13:39 2022 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                  Instruction
                                  jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4a6b8 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4c000 | 0x800 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4e000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x48714 | 0x48800 | False | 0.5118399784482759 | data | 6.388309341102076 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x4c000 | 0x800 | 0x800 | False | 0.4013671875 | data | 4.701816115281701 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x4e000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x4c0a0 | 0x244 | data | |
RT_MANIFEST | 0x4c2e8 | 0x478 | exported SGML document, Unicode text, UTF-8 (with BOM) text | |
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
10/27/22-13:22:05.740946 | TCP | 2814030 | ETPRO TROJAN W32/Quasar RAT Connectivity Check 2 | 49700 | 80 | 192.168.2.3 | 104.26.15.73
10/27/22-13:22:05.495329 | TCP | 2814031 | ETPRO TROJAN W32/Quasar RAT Connectivity Check | 49697 | 80 | 192.168.2.3 | 88.198.193.213
                                  Oct 27, 2022 13:23:49.578408957 CEST4970224252192.168.2.3123.99.198.201
                                  Oct 27, 2022 13:23:49.824837923 CEST2425249702123.99.198.201192.168.2.3
                                  Oct 27, 2022 13:24:14.846159935 CEST4970224252192.168.2.3123.99.198.201
                                  Oct 27, 2022 13:24:15.104890108 CEST2425249702123.99.198.201192.168.2.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 27, 2022 13:22:05.413897991 CEST | 62704 | 53 | 192.168.2.3 | 8.8.8.8
Oct 27, 2022 13:22:05.442637920 CEST | 53 | 62704 | 8.8.8.8 | 192.168.2.3
Oct 27, 2022 13:22:05.525307894 CEST | 49977 | 53 | 192.168.2.3 | 8.8.8.8
Oct 27, 2022 13:22:05.544632912 CEST | 53 | 49977 | 8.8.8.8 | 192.168.2.3
Oct 27, 2022 13:22:05.698283911 CEST | 57840 | 53 | 192.168.2.3 | 8.8.8.8
Oct 27, 2022 13:22:05.721601009 CEST | 53 | 57840 | 8.8.8.8 | 192.168.2.3
Oct 27, 2022 13:22:05.845635891 CEST | 57990 | 53 | 192.168.2.3 | 8.8.8.8
Oct 27, 2022 13:22:05.864444971 CEST | 53 | 57990 | 8.8.8.8 | 192.168.2.3
Oct 27, 2022 13:22:05.875752926 CEST | 52387 | 53 | 192.168.2.3 | 8.8.8.8
Oct 27, 2022 13:22:05.894567013 CEST | 53 | 52387 | 8.8.8.8 | 192.168.2.3
Oct 27, 2022 13:22:06.774370909 CEST | 56924 | 53 | 192.168.2.3 | 8.8.8.8
Oct 27, 2022 13:22:06.882405043 CEST | 53 | 56924 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 27, 2022 13:22:05.413897991 CEST | 192.168.2.3 | 8.8.8.8 | 0x7566 | Standard query (0) | telize.com | A (IP address) | IN (0x0001) | false
Oct 27, 2022 13:22:05.525307894 CEST | 192.168.2.3 | 8.8.8.8 | 0x491b | Standard query (0) | www.telize.com | A (IP address) | IN (0x0001) | false
Oct 27, 2022 13:22:05.698283911 CEST | 192.168.2.3 | 8.8.8.8 | 0x263c | Standard query (0) | freegeoip.net | A (IP address) | IN (0x0001) | false
Oct 27, 2022 13:22:05.845635891 CEST | 192.168.2.3 | 8.8.8.8 | 0x9712 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Oct 27, 2022 13:22:05.875752926 CEST | 192.168.2.3 | 8.8.8.8 | 0x96b6 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Oct 27, 2022 13:22:06.774370909 CEST | 192.168.2.3 | 8.8.8.8 | 0xfa59 | Standard query (0) | aa9064aa.e2.luyouxia.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 27, 2022 13:22:05.442637920 CEST | 8.8.8.8 | 192.168.2.3 | 0x7566 | No error (0) | telize.com | | 88.198.193.213 | A (IP address) | IN (0x0001) | false
Oct 27, 2022 13:22:05.544632912 CEST | 8.8.8.8 | 192.168.2.3 | 0x491b | No error (0) | www.telize.com | | 88.198.193.213 | A (IP address) | IN (0x0001) | false
Oct 27, 2022 13:22:05.721601009 CEST | 8.8.8.8 | 192.168.2.3 | 0x263c | No error (0) | freegeoip.net | | 104.26.15.73 | A (IP address) | IN (0x0001) | false
Oct 27, 2022 13:22:05.721601009 CEST | 8.8.8.8 | 192.168.2.3 | 0x263c | No error (0) | freegeoip.net | | 172.67.75.176 | A (IP address) | IN (0x0001) | false
Oct 27, 2022 13:22:05.721601009 CEST | 8.8.8.8 | 192.168.2.3 | 0x263c | No error (0) | freegeoip.net | | 104.26.14.73 | A (IP address) | IN (0x0001) | false
Oct 27, 2022 13:22:05.864444971 CEST | 8.8.8.8 | 192.168.2.3 | 0x9712 | No error (0) | api.ipify.org | api.ipify.org.herokudns.com | | CNAME (Canonical name) | IN (0x0001) | false
Oct 27, 2022 13:22:05.864444971 CEST | 8.8.8.8 | 192.168.2.3 | 0x9712 | No error (0) | api.ipify.org.herokudns.com | | 54.91.59.199 | A (IP address) | IN (0x0001) | false
Oct 27, 2022 13:22:05.864444971 CEST | 8.8.8.8 | 192.168.2.3 | 0x9712 | No error (0) | api.ipify.org.herokudns.com | | 3.220.57.224 | A (IP address) | IN (0x0001) | false
Oct 27, 2022 13:22:05.864444971 CEST | 8.8.8.8 | 192.168.2.3 | 0x9712 | No error (0) | api.ipify.org.herokudns.com | | 52.20.78.240 | A (IP address) | IN (0x0001) | false
Oct 27, 2022 13:22:05.864444971 CEST | 8.8.8.8 | 192.168.2.3 | 0x9712 | No error (0) | api.ipify.org.herokudns.com | | 3.232.242.170 | A (IP address) | IN (0x0001) | false
Oct 27, 2022 13:22:05.894567013 CEST | 8.8.8.8 | 192.168.2.3 | 0x96b6 | No error (0) | api.ipify.org | api.ipify.org.herokudns.com | | CNAME (Canonical name) | IN (0x0001) | false
Oct 27, 2022 13:22:05.894567013 CEST | 8.8.8.8 | 192.168.2.3 | 0x96b6 | No error (0) | api.ipify.org.herokudns.com | | 3.232.242.170 | A (IP address) | IN (0x0001) | false
Oct 27, 2022 13:22:05.894567013 CEST | 8.8.8.8 | 192.168.2.3 | 0x96b6 | No error (0) | api.ipify.org.herokudns.com | | 3.220.57.224 | A (IP address) | IN (0x0001) | false
Oct 27, 2022 13:22:05.894567013 CEST | 8.8.8.8 | 192.168.2.3 | 0x96b6 | No error (0) | api.ipify.org.herokudns.com | | 54.91.59.199 | A (IP address) | IN (0x0001) | false
Oct 27, 2022 13:22:05.894567013 CEST | 8.8.8.8 | 192.168.2.3 | 0x96b6 | No error (0) | api.ipify.org.herokudns.com | | 52.20.78.240 | A (IP address) | IN (0x0001) | false
Oct 27, 2022 13:22:06.882405043 CEST | 8.8.8.8 | 192.168.2.3 | 0xfa59 | No error (0) | aa9064aa.e2.luyouxia.net | e2.luyouxia.net | | CNAME (Canonical name) | IN (0x0001) | false
Oct 27, 2022 13:22:06.882405043 CEST | 8.8.8.8 | 192.168.2.3 | 0xfa59 | No error (0) | e2.luyouxia.net | | 123.99.198.201 | A (IP address) | IN (0x0001) | false
Oct 27, 2022 13:22:06.882405043 CEST | 8.8.8.8 | 192.168.2.3 | 0xfa59 | No error (0) | e2.luyouxia.net | | 43.248.129.34 | A (IP address) | IN (0x0001) | false
Oct 27, 2022 13:22:06.882405043 CEST | 8.8.8.8 | 192.168.2.3 | 0xfa59 | No error (0) | e2.luyouxia.net | | 180.97.221.120 | A (IP address) | IN (0x0001) | false
                                  • telize.com
                                  • www.telize.com
                                  • freegeoip.net
                                  • api.ipify.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49697 | 88.198.193.213 | 80 | C:\Users\user\Desktop\XIiRHEaA9R.exe
Timestamp | kBytes transferred | Direction | Data
Oct 27, 2022 13:22:05.495328903 CEST | 137 | OUT | GET /geoip HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                                  Host: telize.com
                                  Connection: Keep-Alive
Oct 27, 2022 13:22:05.517144918 CEST | 137 | IN | HTTP/1.1 301 Moved Permanently
                                  Server: nginx
                                  Date: Thu, 27 Oct 2022 11:22:05 GMT
                                  Content-Type: text/html
                                  Content-Length: 162
                                  Connection: keep-alive
                                  Location: http://www.telize.com/geoip
                                  Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>
Oct 27, 2022 13:22:07.775280952 CEST | 144 | OUT | GET /geoip HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                                  Host: telize.com
Oct 27, 2022 13:22:07.797174931 CEST | 144 | IN | HTTP/1.1 301 Moved Permanently
                                  Server: nginx
                                  Date: Thu, 27 Oct 2022 11:22:07 GMT
                                  Content-Type: text/html
                                  Content-Length: 162
                                  Connection: keep-alive
                                  Location: http://www.telize.com/geoip
                                  Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49698 | 88.198.193.213 | 80 | C:\Users\user\Desktop\XIiRHEaA9R.exe
Timestamp | kBytes transferred | Direction | Data
Oct 27, 2022 13:22:05.568857908 CEST | 138 | OUT | GET /geoip HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                                  Host: www.telize.com
                                  Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49699 | 88.198.193.213 | 80 | C:\Users\user\Desktop\XIiRHEaA9R.exe
Timestamp | kBytes transferred | Direction | Data
Oct 27, 2022 13:22:05.634567976 CEST | 138 | OUT | GET /geoip HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                                  Host: www.telize.com
                                  Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.3 | 49700 | 104.26.15.73 | 80 | C:\Users\user\Desktop\XIiRHEaA9R.exe
Timestamp | kBytes transferred | Direction | Data
Oct 27, 2022 13:22:05.740946054 CEST | 139 | OUT | GET /xml/ HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                                  Host: freegeoip.net
                                  Connection: Keep-Alive
Oct 27, 2022 13:22:05.774003029 CEST | 140 | IN | HTTP/1.1 301 Moved Permanently
                                  Date: Thu, 27 Oct 2022 11:22:05 GMT
                                  Transfer-Encoding: chunked
                                  Connection: keep-alive
                                  Cache-Control: max-age=3600
                                  Expires: Thu, 27 Oct 2022 12:22:05 GMT
                                  Location: http://freegeoip.net/shutdown
                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=dHMzdMBqLJzVWvggkk6N%2BdxctBDErHeWQwWiYQbrkZEjGZhLeKOn5XMBTxzAswWfClFuMebNRUel%2FOD73pYTxFvPgDxu9Iyb%2BqRI7LGOffzL9lQqgdvp0beDtXz6PWQ%3D"}],"group":"cf-nel","max_age":604800}
                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                  Server: cloudflare
                                  CF-RAY: 760b0d49ed6c8ff8-FRA
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0
Oct 27, 2022 13:22:05.775881052 CEST | 140 | OUT | GET /shutdown HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                                  Host: freegeoip.net
Oct 27, 2022 13:22:05.815707922 CEST | 141 | IN | HTTP/1.1 200 OK
                                  Date: Thu, 27 Oct 2022 11:22:05 GMT
                                  Content-Type: text/html; charset=UTF-8
                                  Transfer-Encoding: chunked
                                  Connection: keep-alive
                                  vary: Accept-Encoding
                                  x-powered-by: PHP/8.1.9
                                  expires: Sat, 26 Jul 1997 05:00:00 GMT
                                  cache-control: max-age=31536000, must-revalidate, post-check=0, pre-check=0
                                  pragma: no-cache
                                  last-modified: Thu, 13 Oct 2022 09:19:43 GMT
                                  x-cache-miss-from: parking-5bff5c5465-25xjb
                                  CF-Cache-Status: HIT
                                  Age: 1216942
                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=FVhr0dYJiUN7fga95%2BUMdli08b%2Fi3nQEtA%2Fj84rjjsaR1CnH%2BFlJ5QJWxtxlxRBLp%2B9JIZ0hPWkgTrGzefEIxQZhBhgIjG4Tw%2F7MQFAOnXNJqMLdrUkvBNWM7Tp65O0%3D"}],"group":"cf-nel","max_age":604800}
                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                  Server: cloudflare
                                  CF-RAY: 760b0d4a2dc78ff8-FRA
                                  Data Ascii: 400<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <title>freegeoip.net</title> <meta content="NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> <meta content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0" name="viewport"> <style> html, body, #partner, iframe { height:
Oct 27, 2022 13:22:05.815788984 CEST | 142 | IN | Data Raw: 20 20 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 20 20 20 20 20 20 20 20 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 20 20 20 20 20 20 20 20 30 3b 0a 20 20 20 20 20 20 20 20
                                  Data Ascii: 100%; width: 100%; margin: 0; padding: 0; border: 0; outline: 0; font-size: 100%; vertical-align: baseline;
Oct 27, 2022 13:22:05.815841913 CEST | 142 | IN | Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0
Oct 27, 2022 13:22:07.905378103 CEST | 146 | OUT | GET /xml/ HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                                  Host: freegeoip.net
Oct 27, 2022 13:22:07.931761980 CEST | 147 | IN | HTTP/1.1 301 Moved Permanently
                                  Date: Thu, 27 Oct 2022 11:22:07 GMT
                                  Transfer-Encoding: chunked
                                  Connection: keep-alive
                                  Cache-Control: max-age=3600
                                  Expires: Thu, 27 Oct 2022 12:22:07 GMT
                                  Location: http://freegeoip.net/shutdown
                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=IlfwWBuxWqAdU5xCQ9TExCerJtLgrU3fYdC03SgMzpD9Zot2DZRqYqX7b9WyoXwpd%2B1soMY%2Fydy7IegCtUiiwMj9R4QJI6I9qQOcz8f7GNDzCuRk43iB%2BxT1ywCpSu4%3D"}],"group":"cf-nel","max_age":604800}
                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                  Server: cloudflare
                                  CF-RAY: 760b0d576b288ff8-FRA
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0
Oct 27, 2022 13:22:07.934763908 CEST | 147 | OUT | GET /shutdown HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                                  Host: freegeoip.net
Oct 27, 2022 13:22:07.960078955 CEST | 148 | IN | HTTP/1.1 200 OK
                                  Date: Thu, 27 Oct 2022 11:22:07 GMT
                                  Content-Type: text/html; charset=UTF-8
                                  Transfer-Encoding: chunked
                                  Connection: keep-alive
                                  vary: Accept-Encoding
                                  x-powered-by: PHP/8.1.9
                                  expires: Sat, 26 Jul 1997 05:00:00 GMT
                                  cache-control: max-age=31536000, must-revalidate, post-check=0, pre-check=0
                                  pragma: no-cache
                                  last-modified: Thu, 13 Oct 2022 09:19:43 GMT
                                  x-cache-miss-from: parking-5bff5c5465-25xjb
                                  CF-Cache-Status: HIT
                                  Age: 1216944
                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2BSH11Q2w9QV0nF57%2BVSng6mR69jWuC1ZlmApCDQc0Nnlq79l%2B6yyPRByTcVSwZpNFysOlZbWl%2FSFk45M1mxBIzsbVfU5QoJrDyf1LpQWWL0QLebJ1Q1zze2gEpY1%2B6I%3D"}],"group":"cf-nel","max_age":604800}
                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                  Server: cloudflare
                                  CF-RAY: 760b0d579b798ff8-FRA
                                  Data Ascii: 400<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <title>freegeoip.net</title> <meta content="NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> <meta content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0" name="viewport"> <style> html, body, #partner, iframe { height:
Oct 27, 2022 13:22:07.960108995 CEST | 149 | IN | Data Raw: 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 20 20 20 20 20 20 20 20 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 20 20 20 20 20 20 20 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20
                                  Data Ascii: 100%; width: 100%; margin: 0; padding: 0; border: 0; outline: 0; font-size: 100%; vertical-align: baseline;
Oct 27, 2022 13:22:07.960122108 CEST | 149 | IN | Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.3 | 49701 | 54.91.59.199 | 80 | C:\Users\user\Desktop\XIiRHEaA9R.exe
Timestamp | kBytes transferred | Direction | Data
Oct 27, 2022 13:22:06.037389994 CEST | 143 | OUT | GET / HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                                  Host: api.ipify.org
                                  Connection: Keep-Alive
Oct 27, 2022 13:22:06.183392048 CEST | 143 | IN | HTTP/1.1 200 OK
                                  Server: Cowboy
                                  Connection: keep-alive
                                  Content
Oct 27, 2022 13:22:06.183516979 CEST | 143 | IN | Data Raw: 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 0d 0a 56 61 72 79 3a 20 4f 72 69 67 69 6e 0d 0a 44 61 74 65 3a 20 54 68 75 2c 20 32 37 20 4f 63 74 20 32 30 32 32 20 31 31 3a 32 32 3a 30 36 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74
                                  Data Ascii: Type: text/plainVary: OriginDate: Thu, 27 Oct 2022 11:22:06 GMTContent-Length: 14Via: 1.1 vegur102.129.143.15
Oct 27, 2022 13:22:07.961554050 CEST | 149 | OUT | GET / HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                                  Host: api.ipify.org
Oct 27, 2022 13:22:08.102243900 CEST | 149 | IN | HTTP/1.1 200 OK
                                  Server: Cowboy
                                  Connection: keep-alive
                                  Content-Type: text/plain
                                  Vary: Origin
                                  Date: Thu, 27 Oct 2022 11:22:08 GMT
                                  Content-Length: 14
                                  Via: 1.1 vegur
                                  Data Raw: 31 30 32 2e 31 32 39 2e 31 34 33 2e 31 35
                                  Data Ascii: 102.129.143.15


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.3 | 49703 | 88.198.193.213 | 80 | C:\Users\user\Desktop\XIiRHEaA9R.exe
Timestamp | kBytes transferred | Direction | Data
Oct 27, 2022 13:22:07.820914984 CEST | 145 | OUT | GET /geoip HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                                  Host: www.telize.com
                                  Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
6 | 192.168.2.3 | 49704 | 88.198.193.213 | 80 | C:\Users\user\Desktop\XIiRHEaA9R.exe
Timestamp | kBytes transferred | Direction | Data
Oct 27, 2022 13:22:07.867060900 CEST | 146 | OUT | GET /geoip HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                                  Host: www.telize.com
                                  Connection: Keep-Alive



                                  Target ID:0
                                  Start time:13:22:03
                                  Start date:27/10/2022
                                  Path:C:\Users\user\Desktop\XIiRHEaA9R.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Users\user\Desktop\XIiRHEaA9R.exe
                                  Imagebase:0x680000
                                  File size:488396 bytes
                                  MD5 hash:7BE93D4CD0AE4D9E467C354E87D02DD0
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000000.00000000.244677239.0000000000682000.00000002.00000001.01000000.00000003.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.244677239.0000000000682000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Quasarrat_e52df647, Description: unknown, Source: 00000000.00000000.244677239.0000000000682000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                  Reputation:low

                                  Target ID:1
                                  Start time:13:22:17
                                  Start date:27/10/2022
                                  Path:C:\Users\user\Desktop\XIiRHEaA9R.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\XIiRHEaA9R.exe"
                                  Imagebase:0x420000
                                  File size:488396 bytes
                                  MD5 hash:7BE93D4CD0AE4D9E467C354E87D02DD0
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:.Net C# or VB.NET
                                  Reputation:low


                                    Execution Graph

                                    Execution Coverage:13.7%
                                    Dynamic/Decrypted Code Coverage:100%
                                    Signature Coverage:0%
                                    Total number of Nodes:95
                                    Total number of Limit Nodes:8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.515964674.0000000006200000.00000040.00000800.00020000.00000000.sdmp, Offset: 06200000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6200000_XIiRHEaA9R.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 23f28c0e1fc7287f9ee38c3d107f65022aa05e44ffdc21f524f06c48d96344e3
                                    • Instruction ID: fb74ec92ee600c4a48b49da026d2a327d69f3dca1e213aa395b28eff2fc14b64
                                    • Opcode Fuzzy Hash: 23f28c0e1fc7287f9ee38c3d107f65022aa05e44ffdc21f524f06c48d96344e3
                                    • Instruction Fuzzy Hash: 0C42E4B0F1415A8FDB65DB98C8809BDFBB3EF85305F28C669E455E7286C7349882CB50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.515728842.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_5a50000_XIiRHEaA9R.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ef8234834626cc7f02c357d017251155763e12445f5154e3ca8633df88b7fc1e
                                    • Instruction ID: dbf304b6e1c071525f27b660ef0b898cf0fb1e2338b4d81dd41d3869f1ae1076
                                    • Opcode Fuzzy Hash: ef8234834626cc7f02c357d017251155763e12445f5154e3ca8633df88b7fc1e
                                    • Instruction Fuzzy Hash: CAD16D71E002099FCB14DFA8D484EAEFBF2FF48324F158559E925AB351DB34A946CB90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 05A5DDA8
                                    • GetCurrentThread.KERNEL32 ref: 05A5DDE5
                                    • GetCurrentProcess.KERNEL32 ref: 05A5DE22
                                    • GetCurrentThreadId.KERNEL32 ref: 05A5DE7B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.515728842.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_5a50000_XIiRHEaA9R.jbxd
                                    Similarity
                                    • API ID: Current$ProcessThread
                                    • String ID:
                                    • API String ID: 2063062207-0
                                    • Opcode ID: 29ba2e1b9e126838bc6358f2aefdd6af3333cece4d469d478b005bd22d4bbce7
                                    • Instruction ID: 425f7d4998c2a5f0615c0ad47b81339a69728702a7aa59748e1a401f982c2887
                                    • Opcode Fuzzy Hash: 29ba2e1b9e126838bc6358f2aefdd6af3333cece4d469d478b005bd22d4bbce7
                                    • Instruction Fuzzy Hash: 2D5184B09053498FDB50CFAAD588BEEBBF0FF89314F2484A9E919A7250C7346944CF21
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 05A5DDA8
                                    • GetCurrentThread.KERNEL32 ref: 05A5DDE5
                                    • GetCurrentProcess.KERNEL32 ref: 05A5DE22
                                    • GetCurrentThreadId.KERNEL32 ref: 05A5DE7B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.515728842.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_5a50000_XIiRHEaA9R.jbxd
                                    Similarity
                                    • API ID: Current$ProcessThread
                                    • String ID:
                                    • API String ID: 2063062207-0
                                    • Opcode ID: 67be085a829486e222a10d8ebdceec47149d6dcf56477dad2f4dbc51453c148d
                                    • Instruction ID: daaa664be8d6accee990e0ae26d477c56bd62cc6fa161fa33b29900074184315
                                    • Opcode Fuzzy Hash: 67be085a829486e222a10d8ebdceec47149d6dcf56477dad2f4dbc51453c148d
                                    • Instruction Fuzzy Hash: E95153B0D043498FDB54CFAAD588BEEBBF0BF89314F248469E919A7350C7346944CB65
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 062044C6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.515964674.0000000006200000.00000040.00000800.00020000.00000000.sdmp, Offset: 06200000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6200000_XIiRHEaA9R.jbxd
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID:
                                    • API String ID: 4139908857-0
                                    • Opcode ID: ad3d0c9ac8201716b24db59add3dc09c7b89f9d2c450964f45b4a6c975d10509
                                    • Instruction ID: f373bd77197840454aad8066c6f31bee632120ba8269b43f02aa2804c0223707
                                    • Opcode Fuzzy Hash: ad3d0c9ac8201716b24db59add3dc09c7b89f9d2c450964f45b4a6c975d10509
                                    • Instruction Fuzzy Hash: 65714670A10B058FE764DF2AD44479ABBF1FF88304F10892ED99AD7A81D774E819CB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.516092291.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_66c0000_XIiRHEaA9R.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: Pm6k
                                    • API String ID: 0-4181369192
                                    • Opcode ID: 80b870b58e44f180347f4198e953576b8f913eb25c4b9739ebd29cf55b0f6c05
                                    • Instruction ID: af6d9ad9e03b26c2da675e945de06b0f5dd590f3e165f9a8511711e226d53f71
                                    • Opcode Fuzzy Hash: 80b870b58e44f180347f4198e953576b8f913eb25c4b9739ebd29cf55b0f6c05
                                    • Instruction Fuzzy Hash: 11E1D271B0460ACFEB51DF64C4809EDB3FAFFC8314B50812AD816DB249DB31AE568B95
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0620642A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.515964674.0000000006200000.00000040.00000800.00020000.00000000.sdmp, Offset: 06200000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6200000_XIiRHEaA9R.jbxd
                                    Similarity
                                    • API ID: CreateWindow
                                    • String ID:
                                    • API String ID: 716092398-0
                                    • Opcode ID: bc1f9c58e6f46362b4c3ef26c6801e44c66600c35a31ead7b1e08e8a02dae0a1
                                    • Instruction ID: f5383437851022c63174d9e2bb295a4520fd21e5a962b6826503bda48cb51417
                                    • Opcode Fuzzy Hash: bc1f9c58e6f46362b4c3ef26c6801e44c66600c35a31ead7b1e08e8a02dae0a1
                                    • Instruction Fuzzy Hash: 6751D0B1C10349AFEB24CFA9C884ADEBFB5BF48310F24852AE814AB251D7749855CF90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0620642A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.515964674.0000000006200000.00000040.00000800.00020000.00000000.sdmp, Offset: 06200000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6200000_XIiRHEaA9R.jbxd
                                    Similarity
                                    • API ID: CreateWindow
                                    • String ID:
                                    • API String ID: 716092398-0
                                    • Opcode ID: 29632714e22d50aeb290e9e0d6d2e5215271cc922c43c670aad3f633d302c6ce
                                    • Instruction ID: 1330e6e6d6905e4d4a74033885ae1267236a4bcd64ccb234ba51d3a8aca42930
                                    • Opcode Fuzzy Hash: 29632714e22d50aeb290e9e0d6d2e5215271cc922c43c670aad3f633d302c6ce
                                    • Instruction Fuzzy Hash: FD41C2B1D10309EFEB14CF9AC884ADEBBB5FF48310F24852AE819AB251D7749855CF90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 06208B01
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.515964674.0000000006200000.00000040.00000800.00020000.00000000.sdmp, Offset: 06200000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6200000_XIiRHEaA9R.jbxd
                                    Similarity
                                    • API ID: CallProcWindow
                                    • String ID:
                                    • API String ID: 2714655100-0
                                    • Opcode ID: fdcb290983d55e3089add1ee3a2b1a8d5a8c53787ce979fe3a3fe246c7fe5b04
                                    • Instruction ID: ebc2592f1e171493c86417b6ce3bb0fe8f3adefb516c327dd27efe7f189de106
                                    • Opcode Fuzzy Hash: fdcb290983d55e3089add1ee3a2b1a8d5a8c53787ce979fe3a3fe246c7fe5b04
                                    • Instruction Fuzzy Hash: 074129B4A10305CFEB54CF99C488BABBBF5FB88314F248859D919A7361D774A841CFA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • DeleteFileW.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,05A55A7D), ref: 05A55B00
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.515728842.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_5a50000_XIiRHEaA9R.jbxd
                                    Similarity
                                    • API ID: DeleteFile
                                    • String ID:
                                    • API String ID: 4033686569-0
                                    • Opcode ID: 4b5476683cf9477940a22180487b3b756d88d980c53f8151562ec05900fd7abe
                                    • Instruction ID: 2267ac24e73e0466b831cb198f1ba4fc7c2fbf5bdfe9249528de5c9b146feecb
                                    • Opcode Fuzzy Hash: 4b5476683cf9477940a22180487b3b756d88d980c53f8151562ec05900fd7abe
                                    • Instruction Fuzzy Hash: 9431DFB2D0421A8FDB10DFAAD445BDEBBF0FF49320F11816AC818A7241E738A905CF91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05A5DFF7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.515728842.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_5a50000_XIiRHEaA9R.jbxd
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    • Opcode ID: 3e1d054bd4f368ce5a8678f21ba07d19e7de3a618a098e5e7c239697a50b27b6
                                    • Instruction ID: 42914aae4890c12c8c8e23637edc7b3b179042251cf54103243bcdc7ab34cc1d
                                    • Opcode Fuzzy Hash: 3e1d054bd4f368ce5a8678f21ba07d19e7de3a618a098e5e7c239697a50b27b6
                                    • Instruction Fuzzy Hash: DB21F2B5900248AFDB10CFAAD584ADEBFF8FB48320F14841AE954A3210C374AA44CFA4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05A5DFF7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.515728842.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_5a50000_XIiRHEaA9R.jbxd
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    • Opcode ID: 94b28247ec06c60a96a36b2273adef84d9b6caddfe329eec52a9a6db1346627f
                                    • Instruction ID: 784a457ff77fb064ee57bc33e4ac04d3461ad396502e620539a0c499a6a36e45
                                    • Opcode Fuzzy Hash: 94b28247ec06c60a96a36b2273adef84d9b6caddfe329eec52a9a6db1346627f
                                    • Instruction Fuzzy Hash: 3F21E0B59002499FDB10CFAAD984ADEBBF8FB48320F14841AE914A3210D378A954CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • DeleteFileW.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,05A55A7D), ref: 05A55B00
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.515728842.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_5a50000_XIiRHEaA9R.jbxd
                                    Similarity
                                    • API ID: DeleteFile
                                    • String ID:
                                    • API String ID: 4033686569-0
                                    • Opcode ID: 5811647926f44075861c8d3f16c6ae2f6e07b45fe6a312413b7943af4bf02294
                                    • Instruction ID: ac50a2f444e4235ad64bde426d32427f290dada6ed9b7c8bc521f04d476bf035
                                    • Opcode Fuzzy Hash: 5811647926f44075861c8d3f16c6ae2f6e07b45fe6a312413b7943af4bf02294
                                    • Instruction Fuzzy Hash: E42127B1C0461A9BDB10CF9AD444BAEFBF4FB48324F158129D919B7640D778A944CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,06204541,00000800,00000000,00000000), ref: 06204732
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.515964674.0000000006200000.00000040.00000800.00020000.00000000.sdmp, Offset: 06200000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6200000_XIiRHEaA9R.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: 33d689b5d03e75ab2fe4b30adb585f3baff70f0d409fbb371aec55f18c3123b5
                                    • Instruction ID: 916f2018894f0e1bcc4a518e496f6b1133e67bb4199ee9985679af0812a50d16
                                    • Opcode Fuzzy Hash: 33d689b5d03e75ab2fe4b30adb585f3baff70f0d409fbb371aec55f18c3123b5
                                    • Instruction Fuzzy Hash: 481103B6D00249CFEB10DF9AD448BDEBBF4AB88314F05842AD915A7250C374A545CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,06204541,00000800,00000000,00000000), ref: 06204732
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.515964674.0000000006200000.00000040.00000800.00020000.00000000.sdmp, Offset: 06200000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6200000_XIiRHEaA9R.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: 90bff01e771e92759ce8816271cbd60c6d4100ada47995b538f027adcc0900f8
                                    • Instruction ID: 9a64e9891d445dff5e3e36f997985071fc2d942995ef9b9bb30b4f44b92e7aae
                                    • Opcode Fuzzy Hash: 90bff01e771e92759ce8816271cbd60c6d4100ada47995b538f027adcc0900f8
                                    • Instruction Fuzzy Hash: 561114B6D00249DFDB10DF9AD484BDEFBF4AB88324F15842AD955A7210C374A945CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • OleInitialize.OLE32(00000000), ref: 0620ABBD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.515964674.0000000006200000.00000040.00000800.00020000.00000000.sdmp, Offset: 06200000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6200000_XIiRHEaA9R.jbxd
                                    Similarity
                                    • API ID: Initialize
                                    • String ID:
                                    • API String ID: 2538663250-0
                                    • Opcode ID: 129c08de57b19a3faf2cc28295f7834fdee1781c1dd46f5a7baefa75d3cb5d46
                                    • Instruction ID: 41d8bd4c0c03888d281d079374ef9b5d1a42aeed058d00de12e60a83729f82e7
                                    • Opcode Fuzzy Hash: 129c08de57b19a3faf2cc28295f7834fdee1781c1dd46f5a7baefa75d3cb5d46
                                    • Instruction Fuzzy Hash: F51133B1C003098FDB20CF9AD485BDEBBF8EB48324F108819D558A3200D374A544CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 062044C6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.515964674.0000000006200000.00000040.00000800.00020000.00000000.sdmp, Offset: 06200000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6200000_XIiRHEaA9R.jbxd
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID:
                                    • API String ID: 4139908857-0
                                    • Opcode ID: 4687c0bf3185310484fb6d7cccd99b8297fcb7bcc17f3b7e50a7d8cfe0c76638
                                    • Instruction ID: 930510c7af4686388e89cd39eaf87f7d7ba29bc7c5052c7b99b5b45eb1d05ff0
                                    • Opcode Fuzzy Hash: 4687c0bf3185310484fb6d7cccd99b8297fcb7bcc17f3b7e50a7d8cfe0c76638
                                    • Instruction Fuzzy Hash: 861113B5C00249CFDB10DF9AC444BDEFBF4EB88224F14851AD919B7600C374A545CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • OleInitialize.OLE32(00000000), ref: 0620ABBD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.515964674.0000000006200000.00000040.00000800.00020000.00000000.sdmp, Offset: 06200000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6200000_XIiRHEaA9R.jbxd
                                    Similarity
                                    • API ID: Initialize
                                    • String ID:
                                    • API String ID: 2538663250-0
                                    • Opcode ID: db4bd63053e44a68b61e19dd6e8e68c46f5e87b60117136e3363ca02298b1b8e
                                    • Instruction ID: 2d04c8c3a73d62e5c9d8da89712ace4ecf756ee154db463b8361a05152ad5787
                                    • Opcode Fuzzy Hash: db4bd63053e44a68b61e19dd6e8e68c46f5e87b60117136e3363ca02298b1b8e
                                    • Instruction Fuzzy Hash: EA1145B1D003498FDB60DF9AD448BDEBBF4EB48324F108459D918A7301D378A944CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.516092291.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_66c0000_XIiRHEaA9R.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b110ad27bff08f79ca6a7066feb500488dd418dc3ebe9af2c57a7fb2550c1188
                                    • Instruction ID: 17e69b6aa87defeabe6188004712d025e755c5e9a743bb01b295361f6496971e
                                    • Opcode Fuzzy Hash: b110ad27bff08f79ca6a7066feb500488dd418dc3ebe9af2c57a7fb2550c1188
                                    • Instruction Fuzzy Hash: 9171D435136B985BC323DB35C855CEBBFAAEF45109388894DECC247647CB24A916CBE1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.511121836.0000000000C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C6D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c6d000_XIiRHEaA9R.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 80abbef5d8225f02bc522b332cb7d27d757fb9361b093141efcb2da30d525bb9
                                    • Instruction ID: e0c3feff17d3d59a1f78b5681de92a3f7cc15f98b34483d2e617eaf01f335d82
                                    • Opcode Fuzzy Hash: 80abbef5d8225f02bc522b332cb7d27d757fb9361b093141efcb2da30d525bb9
                                    • Instruction Fuzzy Hash: 3D213AF1A04340DFDB24DF14D8C0F26BB65FB88318F248569E9074B606C336D956DBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.511121836.0000000000C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C6D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c6d000_XIiRHEaA9R.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ab225ef47a0a038cf938277c5da388d1fd52391f07af4572071a645a1550d35d
                                    • Instruction ID: a16f4931ee47554ae990dd8fc3aafc524d1a0e4d8350cc4c891c1c0d8c1d9141
                                    • Opcode Fuzzy Hash: ab225ef47a0a038cf938277c5da388d1fd52391f07af4572071a645a1550d35d
                                    • Instruction Fuzzy Hash: EB210AB1A04244DFDB25CF10D9C0F36BB65FB98324F24C569E9064B246C73AEC56CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.511187310.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c7d000_XIiRHEaA9R.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 11760516f6f6a63b9796b319e68132ef7fbb3ea4b1824b24c5f8346bc43667a4
                                    • Instruction ID: bfd02d560444822ba306781617c0a5f88482e4cc47db5966fd5958f9abda05ed
                                    • Opcode Fuzzy Hash: 11760516f6f6a63b9796b319e68132ef7fbb3ea4b1824b24c5f8346bc43667a4
                                    • Instruction Fuzzy Hash: 4621C2B5604244DFDB14DF20D9C0B2ABB75FF84324F24C6A9E90E4B246C77AE846CA61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.511121836.0000000000C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C6D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c6d000_XIiRHEaA9R.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8d778767f53fd0a6c663cb8d613203c36db215e48ccc3c7032546bce1bc62798
                                    • Instruction ID: f58c93dad0017c2c7bad8dff7c1fca58f9d13246c2976a5794626bf3f476c5c8
                                    • Opcode Fuzzy Hash: 8d778767f53fd0a6c663cb8d613203c36db215e48ccc3c7032546bce1bc62798
                                    • Instruction Fuzzy Hash: 0B11E9B6904280CFCF11CF14D5C4B16BF71FB94324F24C5A9D8464B616C33AD956CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.511121836.0000000000C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C6D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c6d000_XIiRHEaA9R.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8d778767f53fd0a6c663cb8d613203c36db215e48ccc3c7032546bce1bc62798
                                    • Instruction ID: cae78465b5853e516174a6b4843b6089e82740cc21afedf03b90aa537b443cf9
                                    • Opcode Fuzzy Hash: 8d778767f53fd0a6c663cb8d613203c36db215e48ccc3c7032546bce1bc62798
                                    • Instruction Fuzzy Hash: 1E11E976904280DFCF11CF10D5C4B16BF71FB94324F24C5A9D8464B616C33AD956CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.511187310.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c7d000_XIiRHEaA9R.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 06a7eb2830fe3889e456d27655020f58fd7942a7660a67a9db2bbc7502f19bed
                                    • Instruction ID: aac1d78ffb7c68be7d9f656ed89ea795c5933477cb3bb7423c29e1fafba2a9e6
                                    • Opcode Fuzzy Hash: 06a7eb2830fe3889e456d27655020f58fd7942a7660a67a9db2bbc7502f19bed
                                    • Instruction Fuzzy Hash: DE119D75504280DFDB11CF10DAD4B19BFB1FF84324F28C6AAD84A4B656C33AD94ACB62
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.516092291.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_66c0000_XIiRHEaA9R.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 441f6bcd7a3dfda030381649a2c16e1be55afd25667a1c22088beb0be3ca4794
                                    • Instruction ID: f7f720359c59bc959263ca1a3d959be0176c74aa6f2905baf7ea1b00ba878ab0
                                    • Opcode Fuzzy Hash: 441f6bcd7a3dfda030381649a2c16e1be55afd25667a1c22088beb0be3ca4794
                                    • Instruction Fuzzy Hash: 5211753830691A9F8709AB2BE15881EB7A2FBCC6523108255EC0687B44CF78BD528AD5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.515964674.0000000006200000.00000040.00000800.00020000.00000000.sdmp, Offset: 06200000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6200000_XIiRHEaA9R.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: !$?
                                    • API String ID: 0-2168469854
                                    • Opcode ID: 3eb414bbe799b7a9f4f4a8a800f3e8eba5b2da6ad33c500988f0c3536a4a6797
                                    • Instruction ID: e5c5616bb2a89269d2181c3836039b40de8a582bfa919c96be33849f4c43d043
                                    • Opcode Fuzzy Hash: 3eb414bbe799b7a9f4f4a8a800f3e8eba5b2da6ad33c500988f0c3536a4a6797
                                    • Instruction Fuzzy Hash: 33729330A106598FEB61CF58C8C06ADFBB6FF85314F298959D8999B297C330E9C1CB51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.515964674.0000000006200000.00000040.00000800.00020000.00000000.sdmp, Offset: 06200000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6200000_XIiRHEaA9R.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5957e4fdc1a16a6441824e22482b649b963c680981db93a46b3908cd7d33b352
                                    • Instruction ID: 7ea67bd35f06f14b44c95ecc1d1e5efc85f9d036bcd9aa6dce0339276cef397e
                                    • Opcode Fuzzy Hash: 5957e4fdc1a16a6441824e22482b649b963c680981db93a46b3908cd7d33b352
                                    • Instruction Fuzzy Hash: 80F18030E10209CFEB64DFA5C948B9DBBF1FF48314F158569E805AF2A6DB719945CB80
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.515964674.0000000006200000.00000040.00000800.00020000.00000000.sdmp, Offset: 06200000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6200000_XIiRHEaA9R.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2b9abb4aacdbb249d8a4e1b1b9509eab5c436d28f2e3a47efa793b1b9755be94
                                    • Instruction ID: 68f2ac3f170f3f2b23b48547def852a825a15c195897c3ce1ea9c49b6835e9b9
                                    • Opcode Fuzzy Hash: 2b9abb4aacdbb249d8a4e1b1b9509eab5c436d28f2e3a47efa793b1b9755be94
                                    • Instruction Fuzzy Hash: 4612E9F1C99B468BD3D0CF65E4981A93BA0B741329FD24A08D3616FAD0D7B485BACF44
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.515964674.0000000006200000.00000040.00000800.00020000.00000000.sdmp, Offset: 06200000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6200000_XIiRHEaA9R.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c7c28c40b2049b9eecacadbb79d506c2abf0682350429792bef18029161525bf
                                    • Instruction ID: df43f015440861c10669283b55a2ae5304fc9abad8e3a98c81d72c9561916451
                                    • Opcode Fuzzy Hash: c7c28c40b2049b9eecacadbb79d506c2abf0682350429792bef18029161525bf
                                    • Instruction Fuzzy Hash: 89A18E32E2061ACFDF45CFA5C8445DEBBB2FF89300B15856AE815AB262DB31A915CF40
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.515964674.0000000006200000.00000040.00000800.00020000.00000000.sdmp, Offset: 06200000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6200000_XIiRHEaA9R.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8c11a313f15edf55f7f48afb1be633629bf31a4e596b40d2b8e3410bd37a36ed
                                    • Instruction ID: f09b1048c44adffa1e76e20e91c42d29b830c048e887c048d6e7abdafc06b38f
                                    • Opcode Fuzzy Hash: 8c11a313f15edf55f7f48afb1be633629bf31a4e596b40d2b8e3410bd37a36ed
                                    • Instruction Fuzzy Hash: 16C14AF1C997068BD7D0CF65E8881A93BB1BB85328FD24A08D3616B6D0D7B454BACF44
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Execution Graph

                                    Execution Coverage:10.5%
                                    Dynamic/Decrypted Code Coverage:100%
                                    Signature Coverage:0%
                                    Total number of Nodes:20
                                    Total number of Limit Nodes:1
                                    [Execution graph (rendered figure): two paths, 4bc0448 -> 4bc1dab -> 4bc1dc5 -> 4bc1ea0 / 4bc1e90 -> 4bc158c -> 4bc2f30 (CreateActCtxA) -> 4bc2ff3, and 4bcabc0 -> 4bcabde -> 4bca79c -> 4bcc6e0 (LoadLibraryA) -> 4bcc7d9]

                                    Control-flow Graph

                                    [Control-flow graph (rendered figure; executed and not-executed blocks are colour-coded in the original): basic blocks 4bc2ef1 to 4bc3079, CreateActCtxA called in block 4bc2f2f-4bc2ff1, terminal self-loop at 4bc3079]
                                    APIs
                                    • CreateActCtxA.KERNEL32(?), ref: 04BC2FE1
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.283894590.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_4bc0000_XIiRHEaA9R.jbxd
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0
                                    • Opcode ID: fc154ed2214e10b4493600a41537178477c96105b46f9001e212dfa05969333e
                                    • Instruction ID: 74567a4b5c18edacc39ed0a003ff7a3a42a972ab6714c246bdb8a0ba558c2012
                                    • Opcode Fuzzy Hash: fc154ed2214e10b4493600a41537178477c96105b46f9001e212dfa05969333e
                                    • Instruction Fuzzy Hash: F6410371C04219CBEB24DFA9C9847DDBBF1FF48318F2080AAD419AB251D7B56946CF90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    [Control-flow graph (rendered figure; executed and not-executed blocks are colour-coded in the original): basic blocks 4bca79c to 4bcc822, LoadLibraryA called in block 4bcc78b-4bcc7d7, terminal self-loop at 4bcc822]
                                    APIs
                                    • LoadLibraryA.KERNELBASE(?), ref: 04BCC7C7
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.283894590.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_4bc0000_XIiRHEaA9R.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: b70f054b1bfcbf8e48608e0aabe2c445dec7669384f904f40e2621c301d8ec9b
                                    • Instruction ID: 92208b597c6e8b3d6c93ec86d63951d2cf45d70f99847a528566985bc33825d0
                                    • Opcode Fuzzy Hash: b70f054b1bfcbf8e48608e0aabe2c445dec7669384f904f40e2621c301d8ec9b
                                    • Instruction Fuzzy Hash: F24147B1D002589FEB10CFA9C88579EBFF1EB49304F14816AE819EB350D774A846CF95
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    [Control-flow graph (rendered figure; executed and not-executed blocks are colour-coded in the original): basic blocks 4bc158c to 4bc3079, CreateActCtxA called in block 4bc158c-4bc2ff1, terminal self-loop at 4bc3079]
                                    APIs
                                    • CreateActCtxA.KERNEL32(?), ref: 04BC2FE1
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.283894590.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_4bc0000_XIiRHEaA9R.jbxd
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0
                                    • Opcode ID: 3cfbc58796c000c3ce80a22a0023eb3792bc129a08e47b9df2c92c7c157b2240
                                    • Instruction ID: 0287b492d5e0001fa4daced952d105d0018a2655387a52267fa0a22fe341e8dd
                                    • Opcode Fuzzy Hash: 3cfbc58796c000c3ce80a22a0023eb3792bc129a08e47b9df2c92c7c157b2240
                                    • Instruction Fuzzy Hash: 5541E2B1C04219CBDB24DFA9C984BDDBBB1BF48308F1080AAD409AB251DBB56945CF90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    [Control-flow graph (rendered figure; executed and not-executed blocks are colour-coded in the original): basic blocks 4bcc6d6 to 4bcc822, LoadLibraryA called in block 4bcc78b-4bcc7d7, terminal self-loop at 4bcc822]
                                    APIs
                                    • LoadLibraryA.KERNELBASE(?), ref: 04BCC7C7
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.283894590.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_4bc0000_XIiRHEaA9R.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: 809d303e883a624bcca68419aa038369baa3da68302e7ddefde692459baa4240
                                    • Instruction ID: 9384b1e44db2a68cd6961653d75ad6147a802dfbd3512338abf2b8a221d5d113
                                    • Opcode Fuzzy Hash: 809d303e883a624bcca68419aa038369baa3da68302e7ddefde692459baa4240
                                    • Instruction Fuzzy Hash: 964135B5D002588FEB10CFA8C88579EBFF1EB48304F14816AD819EB390D774A846CF91
                                    Uniqueness

                                    Uniqueness Score: -1.00%