
Windows Analysis Report
STlUEqhwpx.exe

Overview

General Information

Sample name: STlUEqhwpx.exe (renamed because original name is a hash value)
Original sample name: 0a8cfbcfffa98cb54b6746fec4981101.exe
Analysis ID: 1528478
MD5: 0a8cfbcfffa98cb54b6746fec4981101
SHA1: 9394653bbd0ca684970c5d482e26a89f60d4e975
SHA256: 2a4751457c3ab5125478cfebea685b92046e047dedc07ecb0b32f2d6c6293a0f
Tags: exe, QuasarRAT, RAT, user-abuse_ch

Detection

Quasar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Quasar RAT
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • STlUEqhwpx.exe (PID: 7264 cmdline: "C:\Users\user\Desktop\STlUEqhwpx.exe" MD5: 0A8CFBCFFFA98CB54B6746FEC4981101)
    • RegAsm.exe (PID: 7288 cmdline: #system32 MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • RegAsm.exe (PID: 7296 cmdline: #system32 MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
Name: Quasar RAT, QuasarRAT
Description: Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
Attribution:
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware configuration (Quasar):
{"Version": "1.4.1", "Host:Port": "165.22.194.189:5613;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "2bdefbcb-91d1-48c0-8f2f-5de6eed0f91f", "StartupKey": "Quasar Client Startup", "LogDirectoryName": "Logs", "ServerSignature": "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", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAJG/dLBFXHlkEi08lEISZTANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MDkyOTA1NDczOVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAhlizYr3H9pDXXpfhAUm/Ps9PkjoUjbktI1Esb5628jdrNnufpWksSb+sl0YI/ru1hyfa43QrdoHV89W0kMXEgrGuR4qBaDQGdKlBQl2a6N0ufqoLiNshG0D7peW24ykLN4pwC2Mt4gLgyZvyKilv4fljl8pzpoHcZDt5vTaFGvAZM58kHKwogJ5DLBXiFy8dL0H2o/AZ0Cwcjl5oPuuQPhot752WlwfyVWWjc5hIZ72JKn4WrieBXlr9ndlOcOAqvzaTfFHC3qXR9J3L1uazTawTYqiVuypX6hsL5z+YTWfnAz5ssoFQo3p3g0RNGFB85UDQbWWL/RxcQ2zd2MfuhaUaIf2Kls3gzUxwJf1Sla7F+YkH9jq9f/grm+Clk4O72dvh/oHE/B+dJkJ0twNpVR6fLMomn1qJWy2ig5BdfoZFHDidHIhWx4r+Y6p0WiN7bHlvTrgXPt55es3gZUEMS9hU9xFmvY4wTmWpBd7UdfvLxUL+h4Hw3f6GZD5BkhYrjOr4juvVdHAmqBKYw/xoW8ShxOck9oBV897bETY1c3dk0N9OjqGu4BumbfUmixZ5xQjcEYIP3cWL1BO56+xYMFOWxB9cWk8ae/CPQQi1FffwivxllWpPECRv9o6KyAzqgrTLuJPcVSQdqldd4tCJSU0kHv/e300AVJZtg70yD7MCAwEAAaMyMDAwHQYDVR0OBBYEFLU0Q9c5LNTkXI5WjAt0mzl2hMwfMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAFHr4hVgpandM+0AiCyXl9DosOuW4my2BaDqjISsR8/E6yy+RrHidE4m/P99tHlW8PkB0564CzgGC25SX8vDnJuGnzMCjOLdunVObNOj/ZOHRQMK2r0Eax8q0R5/57V5kmwOkxJIfqBQdg7R2ikiLc0t0JH3z5uIU8hG+0fHlR/dlFKxGB1LAXqndF4N02bomYrPkwcRB4S2Avp9BPcEEHuHWSKHyCp7YAuY/xPp+YUgRJdAUTRPhF5Mm9+mQa3A7/mw8RhMAX2nsWRmF4+Ag/s7Ca+WMsNZ1iTkef0tSViNaqP8Ab99NTW90kVzUmhNNEvHA4ohd60XwMolmI0+ZwdvVzhuPI6MK8bNV0XK9dY1NEyPz0b3X85LavDHiZLpNH9gR0VMfmHCQ0yVg2VNjwHFREBa7esnv48NhUTZKjTDLEMst6HdTp2Mskoi3/Cus1Ao8PjRfJLm8Fs2IXyoshStth29EHtZW2TbbiHUQQu+R8WWFXh5E7KL9HGurw0L0Rya470vjJRlYm043tu4quqBsMdf3e0ko5/sQBweJSDZN17eVKXLSWvRZI1GYXuvTTPITVCkarPy14fjIC9+51DFFw9EPyVKiFMsj5/5Ea0GlIbOxxP6PuV8nAn1wqIy4CDMtYTC3dt5P5eivh4d3xFNsYQ0ecSY/P/gXIuQlJOY"}
Yara matches (memory dumps)
Source | Rule | Description | Author | Strings
00000002.00000002.2918490153.0000000000720000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000000.00000002.1672389499.0000000002781000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000002.00000002.2922324215.00000000033A6000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000002.00000002.2922324215.0000000003111000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000002.00000002.2918490153.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
(4 more entries not shown)

Yara matches (unpacked PE files)
Source | Rule | Description | Author | Strings
0.2.STlUEqhwpx.exe.3aa29a0.1.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
0.2.STlUEqhwpx.exe.3dbfdd0.0.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
0.2.STlUEqhwpx.exe.3aa29a0.1.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth
  • 0x28d113:$x1: Quasar.Common.Messages
  • 0x29d43c:$x1: Quasar.Common.Messages
  • 0x2a99f6:$x4: Uninstalling... good bye :-(
  • 0x2ab1eb:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.STlUEqhwpx.exe.3dbfdd0.0.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth
  • 0x28d113:$x1: Quasar.Common.Messages
  • 0x29d43c:$x1: Quasar.Common.Messages
  • 0x2a99f6:$x4: Uninstalling... good bye :-(
  • 0x2ab1eb:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.STlUEqhwpx.exe.3aa29a0.1.unpack | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifcats observed in infostealers | ditekSHen
  • 0x2a8fa8:$f1: FileZilla\recentservers.xml
  • 0x2a8fe8:$f2: FileZilla\sitemanager.xml
  • 0x2a902a:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
  • 0x2a9276:$b1: Chrome\User Data\
  • 0x2a92cc:$b1: Chrome\User Data\
  • 0x2a95a4:$b2: Mozilla\Firefox\Profiles
  • 0x2a96a0:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x2fb624:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x2a97f8:$b4: Opera Software\Opera Stable\Login Data
  • 0x2a98b2:$b5: YandexBrowser\User Data\
  • 0x2a9920:$b5: YandexBrowser\User Data\
  • 0x2a95f4:$s4: logins.json
  • 0x2a932a:$a1: username_value
  • 0x2a9348:$a2: password_value
  • 0x2a9634:$a3: encryptedUsername
  • 0x2fb568:$a3: encryptedUsername
  • 0x2a9658:$a4: encryptedPassword
  • 0x2fb586:$a4: encryptedPassword
  • 0x2fb504:$a5: httpRealm
(18 more entries not shown)

No Sigma rule has matched

Suricata IDS alerts
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-08T00:08:00.035013+0200 | 2035595 | 1 | Domain Observed Used for C2 Detected | 165.22.194.189 | 5613 | 192.168.2.4 | 49730 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-08T00:08:00.035013+0200 | 2027619 | 1 | Domain Observed Used for C2 Detected | 165.22.194.189 | 5613 | 192.168.2.4 | 49730 | TCP


                AV Detection

Source: STlUEqhwpx.exe | Avira: detected
Source: 0.2.STlUEqhwpx.exe.3dbfdd0.0.raw.unpack | Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "165.22.194.189:5613;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "2bdefbcb-91d1-48c0-8f2f-5de6eed0f91f", "StartupKey": "Quasar Client Startup", "LogDirectoryName": "Logs", "ServerSignature": "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", "ServerCertificate": "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"}
Source: STlUEqhwpx.exe | ReversingLabs: Detection: 79%
Source: Yara match | File source: 0.2.STlUEqhwpx.exe.3aa29a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.STlUEqhwpx.exe.3dbfdd0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.STlUEqhwpx.exe.3dbfdd0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.STlUEqhwpx.exe.3aa29a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2918490153.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1672389499.0000000002781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2922324215.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2922324215.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2918490153.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1672479758.0000000004184000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1672479758.0000000003784000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: STlUEqhwpx.exe PID: 7264, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7296, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: STlUEqhwpx.exe | Joe Sandbox ML: detected
Source: STlUEqhwpx.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: STlUEqhwpx.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Networking

Source: Network traffic | Suricata IDS: 2027619 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (Quasar CnC) : 165.22.194.189:5613 -> 192.168.2.4:49730
Source: Network traffic | Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 165.22.194.189:5613 -> 192.168.2.4:49730
Source: Malware configuration extractor | URLs: 165.22.194.189
Source: Yara match | File source: 0.2.STlUEqhwpx.exe.3dbfdd0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.STlUEqhwpx.exe.3aa29a0.1.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 165.22.194.189:5613
Source: Joe Sandbox View | IP Address: 195.201.57.90
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: ipwho.is
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0; Host: ipwho.is; Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 165.22.194.189 (14 occurrences)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0; Host: ipwho.is; Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: ipwho.is
Source: RegAsm.exe, 00000002.00000002.2926778262.0000000005931000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mi
Source: RegAsm.exe, 00000002.00000002.2920963808.00000000012D9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: RegAsm.exe, 00000002.00000002.2920591615.0000000001271000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.2.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegAsm.exe, 00000002.00000002.2926778262.000000000593E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab4&Z
Source: RegAsm.exe, 00000002.00000002.2920591615.0000000001271000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabn
Source: RegAsm.exe, 00000002.00000002.2920963808.00000000012D9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enE
Source: RegAsm.exe, 00000002.00000002.2922324215.000000000335A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ipwho.is
Source: RegAsm.exe, 00000002.00000002.2922324215.000000000335A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ipwho.isd
Source: RegAsm.exe, 00000002.00000002.2922324215.00000000033A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: RegAsm.exe, 00000002.00000002.2922324215.00000000033A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/d
Source: RegAsm.exe, 00000002.00000002.2922324215.0000000003111000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: STlUEqhwpx.exe, 00000000.00000002.1672479758.0000000004184000.00000004.00000800.00020000.00000000.sdmp, STlUEqhwpx.exe, 00000000.00000002.1672479758.0000000003784000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2918490153.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: RegAsm.exe, 00000002.00000002.2922324215.0000000003347000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ipwho.is
Source: STlUEqhwpx.exe, 00000000.00000002.1672479758.0000000004184000.00000004.00000800.00020000.00000000.sdmp, STlUEqhwpx.exe, 00000000.00000002.1672479758.0000000003784000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2918490153.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2922324215.0000000003347000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ipwho.is/
Source: STlUEqhwpx.exe, 00000000.00000002.1672479758.0000000004184000.00000004.00000800.00020000.00000000.sdmp, STlUEqhwpx.exe, 00000000.00000002.1672479758.0000000003784000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2918490153.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: STlUEqhwpx.exe, 00000000.00000002.1672479758.0000000004184000.00000004.00000800.00020000.00000000.sdmp, STlUEqhwpx.exe, 00000000.00000002.1672479758.0000000003784000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2918490153.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2922324215.0000000003197000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: STlUEqhwpx.exe, 00000000.00000002.1672479758.0000000004184000.00000004.00000800.00020000.00000000.sdmp, STlUEqhwpx.exe, 00000000.00000002.1672479758.0000000003784000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2918490153.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.4:49732 version: TLS 1.2

                E-Banking Fraud

Source: Yara match | File source: 0.2.STlUEqhwpx.exe.3aa29a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.STlUEqhwpx.exe.3dbfdd0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.STlUEqhwpx.exe.3dbfdd0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.STlUEqhwpx.exe.3aa29a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2918490153.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1672389499.0000000002781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2922324215.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2922324215.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2918490153.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1672479758.0000000004184000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1672479758.0000000003784000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: STlUEqhwpx.exe PID: 7264, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7296, type: MEMORYSTR

                System Summary

Source: 0.2.STlUEqhwpx.exe.3aa29a0.1.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.STlUEqhwpx.exe.3dbfdd0.0.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.STlUEqhwpx.exe.3aa29a0.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.STlUEqhwpx.exe.3aa29a0.1.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.2.STlUEqhwpx.exe.3dbfdd0.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.STlUEqhwpx.exe.3dbfdd0.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.2.STlUEqhwpx.exe.3dbfdd0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.STlUEqhwpx.exe.3dbfdd0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.STlUEqhwpx.exe.3dbfdd0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.2.STlUEqhwpx.exe.3aa29a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.STlUEqhwpx.exe.3aa29a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.STlUEqhwpx.exe.3aa29a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer Author: ditekshen
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_02F4F03C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07C89980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07C860E8
Source: STlUEqhwpx.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: STlUEqhwpx.exe, 00000000.00000002.1672479758.0000000004184000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClient.exe. vs STlUEqhwpx.exe
Source: STlUEqhwpx.exe, 00000000.00000002.1670228558.000000000084E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs STlUEqhwpx.exe
Source: STlUEqhwpx.exe, 00000000.00000002.1672479758.0000000003784000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClient.exe. vs STlUEqhwpx.exe
Source: STlUEqhwpx.exe, 00000000.00000002.1672389499.0000000002781000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClient.exe. vs STlUEqhwpx.exe
Source: STlUEqhwpx.exe | Binary or memory string: OriginalFilenameruns1.exe4 vs STlUEqhwpx.exe
Source: STlUEqhwpx.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.STlUEqhwpx.exe.3aa29a0.1.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.STlUEqhwpx.exe.3dbfdd0.0.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.STlUEqhwpx.exe.3aa29a0.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.STlUEqhwpx.exe.3aa29a0.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.STlUEqhwpx.exe.3dbfdd0.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.STlUEqhwpx.exe.3dbfdd0.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.STlUEqhwpx.exe.3dbfdd0.0.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.STlUEqhwpx.exe.3dbfdd0.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.STlUEqhwpx.exe.3dbfdd0.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.STlUEqhwpx.exe.3aa29a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.STlUEqhwpx.exe.3aa29a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.STlUEqhwpx.exe.3aa29a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: STlUEqhwpx.exe, by-unknown-------------------------.cs | Base64 encoded string: 'QzpcV2luZG93c1xNaWNyb3NvZnQuTkVUXEZyYW1ld29ya1x2NC4wLjMwMzE5XFJlZ0FzbS5leGU='
Source: classification engine | Classification label: mal100.troj.evad.winEXE@5/3@1/2
Source: C:\Users\user\Desktop\STlUEqhwpx.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\STlUEqhwpx.exe.log
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\2bdefbcb-91d1-48c0-8f2f-5de6eed0f91f
Source: STlUEqhwpx.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: STlUEqhwpx.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\STlUEqhwpx.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: STlUEqhwpx.exe | ReversingLabs: Detection: 79%
Source: unknown | Process created: C:\Users\user\Desktop\STlUEqhwpx.exe "C:\Users\user\Desktop\STlUEqhwpx.exe"
Source: C:\Users\user\Desktop\STlUEqhwpx.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe #system32
Source: C:\Users\user\Desktop\STlUEqhwpx.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe #system32
Source: C:\Users\user\Desktop\STlUEqhwpx.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\STlUEqhwpx.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\STlUEqhwpx.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\STlUEqhwpx.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\STlUEqhwpx.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\STlUEqhwpx.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\STlUEqhwpx.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\STlUEqhwpx.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\STlUEqhwpx.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\STlUEqhwpx.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\STlUEqhwpx.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\STlUEqhwpx.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\STlUEqhwpx.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptnet.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: webio.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cabinet.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: userenv.dllJump to behavior
                Source: STlUEqhwpx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: STlUEqhwpx.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                Source: STlUEqhwpx.exeStatic file information: File size 3309568 > 1048576
                Source: STlUEqhwpx.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x327600
                Source: STlUEqhwpx.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_07C86C62 push 0000005Eh; iretd 2_2_07C86CD6

                Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\STlUEqhwpx.exe | Process information set: NOOPENFILEERRORBOX (18 entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX (67 entries)
Source: C:\Users\user\Desktop\STlUEqhwpx.exe | Memory allocated: 2570000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\STlUEqhwpx.exe | Memory allocated: 2780000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\STlUEqhwpx.exe | Memory allocated: 25B0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 2E60000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 3110000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 2E60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\STlUEqhwpx.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 458
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 738
Source: C:\Users\user\Desktop\STlUEqhwpx.exe TID: 7284 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7372 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\STlUEqhwpx.exe | Thread delayed: delay time: 922337203685477
Source: RegAsm.exe, 00000002.00000002.2920963808.00000000012D9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2933816999.0000000006D80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2926778262.0000000005963000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\STlUEqhwpx.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\STlUEqhwpx.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\STlUEqhwpx.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

Source: STlUEqhwpx.exe, by-unknown-------------------------.cs | Reference to suspicious API methods: ReadProcessMemory(by_002Dunknown_26A7_FFFD_FFFD_FFFD_2642_FFFD_FE0F_FFFD_D83D_DD35_D83D_DD14_D83E_DE33_FFFD_FFFD_FFFD_FE0F_200D_FFFD_D83D_DEA0_FFFD_FFFD_FFFD.ProcessHandle, num3 + 4 + 4, ref by_002Dunknown_FFFD_D83D_DF2B_FFFD_FFFD_FFFD_200D_FFFD_FFFD_D83E_DCA3_26A7_FFFD_FE0F_200D_FFFD_D83D_DC98_D83D_DCAB_FFFD_FFFD_FFFD_200D_FFFD, 4, ref by_002Dunknown_26A7_FE0F_FE0F_FFFD_FFFD_FFFD_FFFD_FE0F_FFFD_FFFD_FFFD_FE0F_2642_FFFD_FFFD_D83E_DD74_FFFD_FFFD_FE0F_FFFD_FFFD_200D_FFFD_FFFD)
Source: STlUEqhwpx.exe, by-unknown-------------------------.cs | Reference to suspicious API methods: VirtualAllocEx(by_002Dunknown_26A7_FFFD_FFFD_FFFD_2642_FFFD_FE0F_FFFD_D83D_DD35_D83D_DD14_D83E_DE33_FFFD_FFFD_FFFD_FE0F_200D_FFFD_D83D_DEA0_FFFD_FFFD_FFFD.ProcessHandle, num2, num4, 12288, 64) (12288 = MEM_COMMIT | MEM_RESERVE, 64 = PAGE_EXECUTE_READWRITE)
Source: STlUEqhwpx.exe, by-unknown-------------------------.cs | Reference to suspicious API methods: WriteProcessMemory(by_002Dunknown_26A7_FFFD_FFFD_FFFD_2642_FFFD_FE0F_FFFD_D83D_DD35_D83D_DD14_D83E_DE33_FFFD_FFFD_FFFD_FE0F_200D_FFFD_D83D_DEA0_FFFD_FFFD_FFFD.ProcessHandle, num6, by_002Dunknown_FFFD_200D_200D_FFFD_FFFD_FFFD_D83D_DEA0_FFFD_FFFD_FFFD_D83C_DD70_FFFD_FFFD_FFFD_200D_FFFD_FE0F_200D_FFFD_FFFD_200D_D83C_DCA3, num5, ref by_002Dunknown_26A7_FE0F_FE0F_FFFD_FFFD_FFFD_FFFD_FE0F_FFFD_FFFD_FFFD_FE0F_2642_FFFD_FFFD_D83E_DD74_FFFD_FFFD_FE0F_FFFD_FFFD_200D_FFFD_FFFD)
Source: C:\Users\user\Desktop\STlUEqhwpx.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\STlUEqhwpx.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A ("MZ", the start of a PE header)
Source: C:\Users\user\Desktop\STlUEqhwpx.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\STlUEqhwpx.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\Desktop\STlUEqhwpx.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 720000
Source: C:\Users\user\Desktop\STlUEqhwpx.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 722000
Source: C:\Users\user\Desktop\STlUEqhwpx.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: E2F008
Source: C:\Users\user\Desktop\STlUEqhwpx.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe #system32 (2 identical entries)
Source: C:\Users\user\Desktop\STlUEqhwpx.exe | Queries volume information: C:\Users\user\Desktop\STlUEqhwpx.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\Desktop\STlUEqhwpx.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
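Added example (not part of this Joe Sandbox report and not Joe Sandbox code): a Python triage script that re-parses the rows of the two evasion sections above, the long thread delay and the Win32_BIOS / Win32_BaseBoard WMI queries from "Hooking and other Techniques for Hiding and Protection", and the foreign-process allocation and writes into RegAsm.exe from "HIPS / PFW / Operating System Protection Evasion", into a RunPE finding plus sandbox-evasion indicators. The sample rows are copied from this report. The event vocabulary, the 3-minute sleep threshold, the list of VM-fingerprint WMI classes, and the reading of the write at E2F008 (and the ReadProcessMemory at num3 + 4 + 4) as the PEB ImageBaseAddress field at PEB+8 are this example's assumptions, not report fields.

```python
"""Re-parse Joe Sandbox behaviour rows into a RunPE finding and sandbox-evasion
indicators.  Added example, not Joe Sandbox code."""
import re
from collections import defaultdict

# Constructed sample input: rows copied from this report.  The extracted page lost
# the cell boundary between the Source column and the event text, so the parser
# re-splits each row on the event keyword and drops the "Jump to behavior" link text.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\STlUEqhwpx.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and writeJump to behavior",
    r"Source: C:\Users\user\Desktop\STlUEqhwpx.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5AJump to behavior",
    r"Source: C:\Users\user\Desktop\STlUEqhwpx.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000Jump to behavior",
    r"Source: C:\Users\user\Desktop\STlUEqhwpx.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: E2F008Jump to behavior",
    r"Source: C:\Users\user\Desktop\STlUEqhwpx.exeThread delayed: delay time: 922337203685477Jump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior",
]

# Event vocabulary this example understands (an assumption, not a Joe Sandbox schema).
EVENT_KEYWORDS = ("Memory allocated", "Memory written", "Thread delayed",
                  "WMI Queries", "Process information set", "Process created")
EVENT_RE = re.compile(r"^Source: (?P<source>.+?)(?P<event>"
                      + "|".join(map(re.escape, EVENT_KEYWORDS)) + r"): (?P<detail>.*)$")
# Detail of a foreign-process allocation/write:
# "<target.exe> base: <hex> [protect: ...] [value starts with: <hex>]"
REMOTE_RE = re.compile(r"^(?P<target>.+?\.exe) base: (?P<base>[0-9A-Fa-f]+)"
                       r"(?: protect: (?P<protect>.+?))?(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$")


def parse(lines):
    """Split each row into source / event / detail; rows with other events are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(re.sub(r"Jump to behavior$", "", line.strip()))
        if m:
            events.append(m.groupdict())
    return events


def detect_runpe(events):
    """Per foreign target: an executable+writable allocation at a base that then
    receives an MZ header is the hollowing/RunPE signature.  Other writes into the
    target are listed too; E2F008 here is most plausibly PEB+8 (ImageBaseAddress),
    which RunPE loaders patch, but that reading is an assumption, not a report field."""
    per_target = defaultdict(lambda: {"rwx": set(), "mz": set(), "other": set()})
    for ev in events:
        if ev["event"] not in ("Memory allocated", "Memory written"):
            continue
        m = REMOTE_RE.match(ev["detail"])
        if not m or m["target"].lower() == ev["source"].lower():
            continue  # own address space (or not a base/protect row): not injection
        rec, base = per_target[m["target"]], int(m["base"], 16)
        if ev["event"] == "Memory allocated":
            prot = (m["protect"] or "").lower()
            if "execute" in prot and "write" in prot:
                rec["rwx"].add(base)
        elif m["magic"] and m["magic"].upper().startswith("4D5A"):
            rec["mz"].add(base)  # 4D 5A == "MZ": a PE image is being laid down
        else:
            rec["other"].add(base)
    findings = {}
    for target, rec in per_target.items():
        hollowed = rec["rwx"] & rec["mz"]
        if hollowed:
            findings[target] = {"image_base": sorted(hollowed),
                                "extra_writes": sorted(rec["other"])}
    return findings


# Evasion thresholds (this example's choices).  LONG_SLEEP_MS mirrors the report's
# "long sleeps (>= 3 min)" signature.  922337203685477 ms is Int64.MaxValue in
# 100 ns ticks, i.e. an effectively infinite relative wait; the report does not say
# why, the natural reading is that the loader parks its thread after injecting.
LONG_SLEEP_MS = 3 * 60 * 1000
VM_FINGERPRINT_CLASSES = {"win32_bios", "win32_baseboard"}


def detect_evasion(events):
    """Long thread delays and WMI queries for firmware/board identity (VM fingerprinting)."""
    sleeps, wmi = [], []
    for ev in events:
        if ev["event"] == "Thread delayed":
            m = re.search(r"delay time: (\d+)", ev["detail"])
            if m and int(m.group(1)) >= LONG_SLEEP_MS:
                sleeps.append(int(m.group(1)))
        elif ev["event"] == "WMI Queries":
            m = re.search(r"\bFROM\s+(\w+)", ev["detail"], re.IGNORECASE)
            if m and m.group(1).lower() in VM_FINGERPRINT_CLASSES:
                wmi.append(m.group(1))
    return {"long_sleeps": sleeps, "vm_fingerprint_queries": sorted(wmi)}


def triage(lines):
    events = parse(lines)
    return {"injection": detect_runpe(events), "evasion": detect_evasion(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LINES), indent=2))
```

Run as-is it reports RegAsm.exe hollowed at 0x400000 with extra writes at 0x402000 and 0xE2F008, one effectively infinite sleep, and the two firmware-identity WMI queries. Rows such as "Memory allocated: 2570000 memory reserve | memory write watch" (the sample's own heap) are deliberately ignored, because only allocations and writes naming another process are injection evidence; feeding the script the full report instead of the sample rows changes nothing in the finding.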

                Stealing of Sensitive Information

Source: Yara match | File source: 0.2.STlUEqhwpx.exe.3aa29a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.STlUEqhwpx.exe.3dbfdd0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.STlUEqhwpx.exe.3dbfdd0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.STlUEqhwpx.exe.3aa29a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2918490153.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1672389499.0000000002781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2922324215.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2922324215.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2918490153.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1672479758.0000000004184000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1672479758.0000000003784000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: STlUEqhwpx.exe PID: 7264, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7296, type: MEMORYSTR

                Remote Access Functionality

Source: Yara match | File source: 0.2.STlUEqhwpx.exe.3aa29a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.STlUEqhwpx.exe.3dbfdd0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.STlUEqhwpx.exe.3dbfdd0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.STlUEqhwpx.exe.3aa29a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2918490153.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1672389499.0000000002781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2922324215.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2922324215.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2918490153.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1672479758.0000000004184000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1672479758.0000000003784000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: STlUEqhwpx.exe PID: 7264, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7296, type: MEMORYSTR
MITRE ATT&CK Matrix

Techniques listed per tactic. Bracketed figures are the numeric badges shown in the report's matrix cells, reproduced as they appear; only entries carrying a badge were matched for this sample, the remaining names are the fixed cells of the report's matrix grid.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation [21]; Native API [1]; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection [311]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Masquerading [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [41]; Process Injection [311]; Hidden Files and Directories [1]; Obfuscated Files or Information [11]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery [11]; Process Discovery [1]; Virtualization/Sandbox Evasion [41]; Application Window Discovery [1]; System Network Configuration Discovery [1]; System Information Discovery [23]; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel [11]; Non-Standard Port [1]; Ingress Tool Transfer [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [113]; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label
STlUEqhwpx.exe | 79% | ReversingLabs | ByteCode-MSIL.Hacktool.ResInject
STlUEqhwpx.exe | 100% | Avira | TR/Dropper.Gen
STlUEqhwpx.exe | 100% | Joe Sandbox ML |

Dropped Files: No Antivirus matches
Unpacked PE Files: No Antivirus matches
Domains: No Antivirus matches
URLs
Source | Detection | Scanner | Label
https://api.ipify.org/ | 0% | URL Reputation | safe
https://stackoverflow.com/q/14436606/23354 | 0% | URL Reputation | safe
https://stackoverflow.com/q/11564914/23354; | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ipwho.is | 195.201.57.90 | true | false | (none) | unknown

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
165.22.194.189 | true | (none) | unknown
https://ipwho.is/ | false | (none) | unknown
URLs from Memory and Binaries
Name | Source (process, memory dump) | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | STlUEqhwpx.exe (00000000.00000002.1672479758.0000000004184000.00000004.00000800.00020000.00000000.sdmp); STlUEqhwpx.exe (00000000.00000002.1672479758.0000000003784000.00000004.00000800.00020000.00000000.sdmp); RegAsm.exe (00000002.00000002.2918490153.0000000000402000.00000040.00000400.00020000.00000000.sdmp) | false | URL Reputation: safe | unknown
http://schemas.datacontract.org/2004/07/d | RegAsm.exe (00000002.00000002.2922324215.00000000033A6000.00000004.00000800.00020000.00000000.sdmp) | false | (none) | unknown
https://stackoverflow.com/q/14436606/23354 | STlUEqhwpx.exe (00000000.00000002.1672479758.0000000004184000.00000004.00000800.00020000.00000000.sdmp); STlUEqhwpx.exe (00000000.00000002.1672479758.0000000003784000.00000004.00000800.00020000.00000000.sdmp); RegAsm.exe (00000002.00000002.2918490153.0000000000402000.00000040.00000400.00020000.00000000.sdmp); RegAsm.exe (00000002.00000002.2922324215.0000000003197000.00000004.00000800.00020000.00000000.sdmp) | false | URL Reputation: safe | unknown
http://crl.micro | RegAsm.exe (00000002.00000002.2920963808.00000000012D9000.00000004.00000020.00020000.00000000.sdmp) | false | (none) | unknown
http://schemas.datacontract.org/2004/07/ | RegAsm.exe (00000002.00000002.2922324215.00000000033A6000.00000004.00000800.00020000.00000000.sdmp) | false | (none) | unknown
https://stackoverflow.com/q/11564914/23354; | STlUEqhwpx.exe (00000000.00000002.1672479758.0000000004184000.00000004.00000800.00020000.00000000.sdmp); STlUEqhwpx.exe (00000000.00000002.1672479758.0000000003784000.00000004.00000800.00020000.00000000.sdmp); RegAsm.exe (00000002.00000002.2918490153.0000000000402000.00000040.00000400.00020000.00000000.sdmp) | false | URL Reputation: safe | unknown
http://ipwho.isd | RegAsm.exe (00000002.00000002.2922324215.000000000335A000.00000004.00000800.00020000.00000000.sdmp) | false | (none) | unknown
https://ipwho.is | RegAsm.exe (00000002.00000002.2922324215.0000000003347000.00000004.00000800.00020000.00000000.sdmp) | false | (none) | unknown
https://stackoverflow.com/q/2152978/23354sCannot | STlUEqhwpx.exe (00000000.00000002.1672479758.0000000004184000.00000004.00000800.00020000.00000000.sdmp); STlUEqhwpx.exe (00000000.00000002.1672479758.0000000003784000.00000004.00000800.00020000.00000000.sdmp); RegAsm.exe (00000002.00000002.2918490153.0000000000402000.00000040.00000400.00020000.00000000.sdmp) | false | (none) | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegAsm.exe (00000002.00000002.2922324215.0000000003111000.00000004.00000800.00020000.00000000.sdmp) | false | URL Reputation: safe | unknown
http://ipwho.is | RegAsm.exe (00000002.00000002.2922324215.000000000335A000.00000004.00000800.00020000.00000000.sdmp) | false | (none) | unknown
http://crl.mi | RegAsm.exe (00000002.00000002.2926778262.0000000005931000.00000004.00000020.00020000.00000000.sdmp) | false | (none) | unknown
Contacted IPs
IP | Domain | Country | ASN | ASN Name | ASN Country | Malicious
165.22.194.189 | unknown | United States | 14061 | DIGITALOCEAN-ASN | US | true
195.201.57.90 | ipwho.is | Germany | 24940 | HETZNER-AS | DE | false
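The network section above gives two indicators worth turning into detection logic: the contacted address 165.22.194.189 (flagged malicious, DigitalOcean) and the external IP-lookup services ipwho.is and api.ipify.org that the sample resolves before talking to its C2 on a non-standard port. The following script is an added example, not part of the Joe Sandbox report and not Quasar's own code. It correlates those indicators over connection records. The JSON-lines log format, the 300-second pairing window, the list of "standard" ports, the timestamps and the destination port 4444 in the constructed sample records are all assumptions made for this example; the report itself only states that the C2 channel uses a non-standard port.

```python
"""Correlate the report's network indicators over connection logs (added example)."""
import json
from dataclasses import dataclass

C2_IPS = {"165.22.194.189"}                      # contacted IP flagged malicious in the report
IP_CHECK_HOSTS = {"ipwho.is", "api.ipify.org"}   # IP-lookup services referenced by the sample
STANDARD_PORTS = {22, 25, 53, 80, 123, 443, 445, 993, 995}  # assumption: tune per environment
WINDOW_SECONDS = 300                             # assumption: lookup-to-beacon pairing window


@dataclass(frozen=True)
class Conn:
    ts: float      # epoch seconds
    src: str       # internal host that opened the connection
    dst: str       # destination IP
    dport: int
    sni: str = ""  # TLS SNI / HTTP Host header if the sensor recorded one


def parse_conn(line: str) -> Conn:
    """Parse one JSON-lines connection record (constructed format, not a real sensor's)."""
    r = json.loads(line)
    return Conn(float(r["ts"]), r["src"], r["dst"], int(r["dport"]), r.get("sni", ""))


def correlate(conns):
    """Apply two rules per source host and return a de-duplicated alert list.

    known_c2_ip: any connection to an address in C2_IPS.
    ip_check_then_nonstandard_port: a connection to an IP-lookup service followed
    within WINDOW_SECONDS by a connection to a non-standard port with no SNI/Host
    recorded, i.e. the lookup-then-beacon sequence this sample shows.
    """
    by_src = {}
    for c in sorted(conns, key=lambda c: c.ts):
        by_src.setdefault(c.src, []).append(c)

    alerts, seen = [], set()

    def emit(src, rule, c):
        key = (src, rule, c.dst, c.dport, c.ts)
        if key not in seen:
            seen.add(key)
            alerts.append({"src": src, "rule": rule, "dst": c.dst,
                           "dport": c.dport, "ts": c.ts})

    for src, events in by_src.items():
        for c in events:
            if c.dst in C2_IPS:
                emit(src, "known_c2_ip", c)
        lookups = [c for c in events if c.sni in IP_CHECK_HOSTS]
        for lk in lookups:
            for c in events:
                if (0 < c.ts - lk.ts <= WINDOW_SECONDS
                        and c.dport not in STANDARD_PORTS
                        and not c.sni):
                    emit(src, "ip_check_then_nonstandard_port", c)
    return alerts


# Constructed sample records (not real traffic). 10.0.0.5 mimics this sample's
# sequence; 10.0.0.9 also queries api.ipify.org but then only does DNS and a TLS
# session with an SNI, so it must not be flagged. 203.0.113.0/24 is documentation space.
SAMPLE_LOG = [
    '{"ts": 1728338880, "src": "10.0.0.5", "dst": "195.201.57.90", "dport": 443, "sni": "ipwho.is"}',
    '{"ts": 1728338905, "src": "10.0.0.5", "dst": "165.22.194.189", "dport": 4444}',
    '{"ts": 1728338900, "src": "10.0.0.9", "dst": "195.201.57.90", "dport": 443, "sni": "api.ipify.org"}',
    '{"ts": 1728338930, "src": "10.0.0.9", "dst": "203.0.113.53", "dport": 53}',
    '{"ts": 1728338950, "src": "10.0.0.9", "dst": "203.0.113.7", "dport": 8443, "sni": "intranet.example"}',
]


def run_sample():
    """Run both rules over SAMPLE_LOG and return the alerts."""
    return correlate(parse_conn(line) for line in SAMPLE_LOG)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Two caveats for production use: the second rule depends on a sensor that records SNI or Host headers, so on plain flow data you would instead key the lookup step on the resolved address of the lookup service (195.201.57.90 here); and the ip-lookup services themselves are legitimate, so the rule only fires on the follow-on connection, never on the lookup alone.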
                                      Joe Sandbox version:41.0.0 Charoite
                                      Analysis ID:1528478
                                      Start date and time:2024-10-08 00:07:05 +02:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 4m 58s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:7
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:STlUEqhwpx.exe
                                      renamed because original name is a hash value
                                      Original Sample Name:0a8cfbcfffa98cb54b6746fec4981101.exe
                                      Detection:MAL
                                      Classification:mal100.troj.evad.winEXE@5/3@1/2
                                      EGA Information:
                                      • Successful, ratio: 100%
                                      HCA Information:
                                      • Successful, ratio: 99%
                                      • Number of executed functions: 60
                                      • Number of non-executed functions: 2
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                      • Excluded IPs from analysis (whitelisted): 93.184.221.240
                                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                                      • VT rate limit hit for: STlUEqhwpx.exe
Time | Type | Description
18:08:00 | API Interceptor | 1x Sleep call for process: RegAsm.exe modified
Context: IPs
Match: 195.201.57.90
Associated Sample Name / URL | Detection | Threat Name | Context
SPt4FUjZMt.exe | malicious | AsyncRAT, Luca Stealer, MicroClip, PythonCryptoHijacker, RedLine | /?output=json
765iYbgWn9.exe | malicious | Luca Stealer | /?output=json
765iYbgWn9.exe | malicious | Luca Stealer | /?output=json
WfKynArKjH.exe | malicious | AsyncRAT, Luca Stealer, MicroClip, RedLine | /?output=json
ubes6SC7Vd.exe | malicious | Unknown | ipwhois.app/xml/
cOQD62FceM.exe | malicious | Luca Stealer, Rusty Stealer | /?output=json
Clipper.exe | malicious | Unknown | /?output=json
cOQD62FceM.exe | malicious | Luca Stealer | /?output=json
Cryptor.exe | malicious | Luca Stealer | /?output=json
Cryptor.exe | malicious | Luca Stealer, Rusty Stealer | /?output=json
Context: Domains
Match: ipwho.is
Associated Sample Name / URL | Detection | Threat Name | Context
https://thiiirrrrddddddd-30x.pages.dev/ | malicious | TechSupportScam | 195.201.57.90
https://2204three.pages.dev/ | malicious | TechSupportScam | 195.201.57.90
sj9eYmr725.exe | malicious | Quasar | 108.181.98.179
payload.cmd | malicious | Unknown | 195.201.57.90
1 (2).cmd | malicious | Unknown | 195.201.57.90
rbx-CO2.bat | malicious | Unknown | 147.135.36.89
SC.cmd | malicious | Unknown | 195.201.57.90
1.cmd | malicious | Unknown | 108.181.98.179
2.cmd | malicious | Unknown | 195.201.57.90
download_2.exe | malicious | Quasar | 147.135.36.89
Context: ASNs
Match: DIGITALOCEAN-ASN (US)
Associated Sample Name / URL | Detection | Threat Name | Context
https://statics.teams.cdn.office.net/evergreen-assets/safelinks/1/atp-safelinks.html?url=https%3A%2F%2Fphpstack-1335745-4931432.cloudwaysapps.com%2F%23%26%26%2B~XanJlZEBwcm9hZy5jb20=&locale=en-us&dest=https%3A%2F%2Fteams.microsoft.com%2Fapi%2Fmt%2Fpart%2Famer-03%2Fbeta%2Fatpsafelinks%2Fgeturlreputationsitev2%2F&pc=dqIG3sYngZE8N2eRBkF7CAkOWKg5g3tGjnQGJGQlc61U8QGlKCs5AzH6JKtW7FyetS1g5oEXSNBKJVlJbTCgrea0O041dBSjafsPfOc5KxbMkQRnpwalZQdhHfcjoeWL7rzuDGG%252fj2e7scaAUTCy2PY0WmBb87rgNNPdmEQne%252f00jq9aOpwCvhJrGkNK5f8MP5jaUwccFhr9IIoVaCOrXUhSnuRv%252fw%252bxhUGpneOsAgBs7CjJQbmepBIHfEqwCkqvDbYbxYB4Hm9sLVAOFaz9VFMFSXPJt4MqeWAChikWLAZATmvniptR3h97WVF%252fZtjtm3RxdNyPROzhUvL92w9fdWmSw%252bHBxn5rMHOUpaQU16ZpcfATiVaU51fqKaYO2v4ZnK7axAavLgOpgAJivuE6JO2sqksPH41Z6PVam5c4J%252bwwz5Z2pqrOSxPxEcPGeDff%252bxp9PApNxpvURRLl98WzRw%252ftZEOu%252foKPhjN0OiTGAQDLRWTF%252bMCzSQg37tk7ZYUYYc0Ycs4xDjchhFprJCCSfrZ8WyHq6cjqmnbgDKRQig28xGNFnSDEeWMDBQeeeVyNqDv0FAAxkSAMO%252b7t4Qu1y0h0MHJYEb5pxfOYe8Pyfcsn7pyR%252fkKEqziEQVGlIETrpjVMNyrhJrnX9S%252flWaxf0H3tD%252fqMhzPysO9QdPSJTG054WE4jq5GRqTKu8P25t4KJLY15Oz2j5iCg7Bd5lczhgv4PQevplLuCGckM%252fs5EPk2r2FkSOxHF51EB5FR2TgXQR5UAp2BbaWTm9irKwSSUK5z1MsGMDokVMEB4bQ9mpZrl1%252bDMixJ1mQyyLXpelmEyN8zw1nTsbXAvDQgIvPLPj0QUtphEMnmVEXMkQHiw2WHWUSxIxYcY%252fltyp6bnMrankPAnpChbWQmk95rKsUz8tqtLjNDclK1y1FLy%252fh7sed9duxDDFupXnhmXxGJOmUV6FG1arxXL8urm1F98thG8anfchv3DafKsyVHHgmdUFNH6Uhcu4sB8fo0kqm2y7IWS96w5BeG334JvnFDJPLDPvtK5ojeXfDXh%252boKJdBxXGC9NmPwgDp8XeOavQnNlJRfUAXkhukdjDg1EHGF%252b9luUuTH%252fEbKHniTzx4OvIWUnDvXcdpuEIAnW8mDJzMXpmxpl3nwtTqeQWMeSNzjute9yTZEU%252beQk498EMyU%252fuPUg%252fSOH5r%252fwjGCsPpm%252f%252bUA00SsNvWuDD0AbNIKYubFuNKQ3SX6N7M11wOksoUG%252fz9IheWtOawwl7F0lqN3xkTQhfiiHovdudAPiB%252fzt25Im27XxPQ9s1c%252bnOWOPh6m%252bvaCQcj6bcwkFbNl5Y1KL7XQvirYSFsNXnrYuQvTPMk1n5CRq6dxsl9FRGV9MMdrZduC%252bG4B0zxLA58d8fTW2zfEXnRcMTgQKLK%252fmeZT7K3wwAvQiA%253d%253d%3B%20expires%3DWed%2C%2009%20Oct%202024%2014%3A05%3A23%20GMT%3B%20path%3D%2F%3B%20SameSite%3DNone%3B%20secu | malicious | HTMLPhisher | 138.197.99.28
na.elf | malicious | Unknown | 206.189.6.247
https://forms.office.com/Pages/ShareFormPage.aspx?id=W8eUhlA4rUOuklSyoCn21mtmgAvPzYFJuSM99R6gX3dUQ1IyWUM1UUhTS1pWQ0xXNkI3RzlRRkFIVi4u&sharetoken=93tGEOrxpFy3X0nnxFcr | malicious | HTMLPhisher | 162.243.189.2
na.elf | malicious | Unknown | 206.189.6.247
na.elf | malicious | Unknown | 206.189.6.247
na.elf | malicious | Unknown | 206.189.6.247
na.elf | malicious | Unknown | 206.189.6.247
na.elf | malicious | Unknown | 206.189.6.247
https://www.masonpost.com:443/cgi-bin/redir?https://ctrk.klclick3.com/l/01J9K8KGETH6JCWEWSWY0Z1M23_0?upn=u001.itvpsDR1UD2k9ruxjm0OAspgqcVOQ2hpn9lpb50VxZJdbi9nOzDV7HSnhKeIcaLQsgzZhAfJ867-2F8IcC-2BBYACBF80J8eA0O7PKeZKrlC1Q54Fj-2FS5ho91OPbLHjsGsZQWTyMbbJfNaQPKh9-2FKW31wr-2BMvAwYD85cdCTmlJyLauY-3D1xqt_Zis0fkz6H88oOTECUjdmAu-2FGkDDLbhQT-2B-2B9-2BD8-2Fn-2BuGRBn47ofPUerdduk-2BghIIr31LJs6iNd0rpuOZI5rlm3TOpkCWZ1eNCAWCuASI4dMP9Tv6jbA2UWTI2YWLmFZqgYeVzSc0Fb4o9iKg-2BzjSlX63m5ZgVPzXZ0W3SrrpOTDVmr8Vwd0xwSjxu9efo9kpJLVs7HOh7Cib6eG0OHldiYrljs5jy-2BsmDgNausa6sMCHSoHHj10FI3IfGuCnAD3e6jEbbsHVD11-2FD9cWADvkKxwETdgNpgixeie55jSwivWDLRKcdIczYG3CyTpA1Y18cj-2FBGLZEHTJvF1rd5yfWClPzV1Xw6x2CQgpVVbtrTE5NXtV8WFomzmraH-2FRE0uCvY#QE5lb19IYWNrZXJAb2ZmaWNlLmNvbQ== | malicious | Unknown | 134.209.147.227
na.elf | malicious | Unknown | 162.243.19.47

Match: HETZNER-AS (DE)
Associated Sample Name / URL | Detection | Threat Name | Context
https://url.avanan.click/v2/r01/___https://www.tiktok.com/qnspdA7?fni=6cbb&qfsl=js&xhjsj=gnt_zwq&yfwljy=myyux:ddBBB.lttlqj.ht.zpdzwq?v=frudxdBjlfmjfqymhfwj.ht.pjd.kwjsy___.YXAzOnNvdXRoZXJua2l0Y2hlbmFuZGdyaWxsOmE6bzpiNGZlZGFhNjcxOTBhYjU4MTE5MjBlZTRiYTAxZmUwMTo3OmIxYWM6MDg1ODNlNjljZDkwNThkM2ZiM2RjYTI4MzFjZGY4NGFmMTYyZTlhYmVjYWYxY2Q4MmNkZDhiNmFmOWVkOWUxOTpoOlQ6VA#Sm9hbi5LbmlwcGVuQEVsa2F5LkNvbQ== | malicious | Unknown | 46.4.98.169
out.exe | malicious | Vidar | 49.12.106.214
down.exe | malicious | Unknown | 116.203.9.188
BzLGqYKy7o.exe | malicious | SmokeLoader | 188.40.141.211
https://cloud.list.lu/index.php/s/znw4dNSttiDzHTB | malicious | Unknown | 85.10.195.17
UV2uLdRZix.exe | malicious | SmokeLoader | 188.40.141.211
PURCHASE ORDER-6350.exe | malicious | FormBook | 148.251.114.233
zncaKWwEdq.exe | malicious | Vidar | 116.203.9.188
LKpIHL2abO.exe | malicious | SmokeLoader | 188.40.141.211
na.elf | malicious | Unknown | 116.203.104.203
Context: JA3 Fingerprints
Match: 3b5074b1b5d032e5620f69f9f700ff0e
Associated Sample Name / URL | Detection | Threat Name | Context
EUYIlr7uUX.exe | malicious | Snake Keylogger, VIP Keylogger | 195.201.57.90
file.exe | malicious | Credential Flusher | 195.201.57.90
T6l6gPxwQU.exe | malicious | Unknown | 195.201.57.90
https://mailstat.us/tr/t/5w8u1qwlwl61e4h/1/https:/krediti.ca/#Y2FyYS5jJGNiZmxvb3JzaW5jLmNvbQ== | malicious | Outlook Phishing, HTMLPhisher | 195.201.57.90
https://url.avanan.click/v2/r01/___https://www.tiktok.com/qnspdA7?fni=6cbb&qfsl=js&xhjsj=gnt_zwq&yfwljy=myyux:ddBBB.lttlqj.hfdzwq?v=frudxdkniljyAkC.sEd.frl___.YXAzOnNvdXRoZXJua2l0Y2hlbmFuZGdyaWxsOmE6bzo2MGY0ZmI3MTkzODQ4OWRiOGFlZjY2ODI4ODlkMDk3NDo3OmRlYjY6NjI5YzkxZjFmNmQ3ZjI1NWIxN2UwYTI5ZTNmZjcyMTQyNTg3NmZhMDQyOWZlMDI4MDhmODRlNWVhYWU3MjJhZDpoOlQ6VA#ZHN5aHJlQG9sZ29vbmlrLmNvbQ== | malicious | Unknown | 195.201.57.90
SecuriteInfo.com.Win64.TrojanX-gen.22573.8055.exe | malicious | Unknown | 195.201.57.90
Ref#0503711.exe | malicious | AgentTesla | 195.201.57.90
scan_374783.js | malicious | AgentTesla | 195.201.57.90
file.exe | malicious | Credential Flusher | 195.201.57.90
shipping.exe | malicious | AgentTesla | 195.201.57.90
Context: Dropped Files
No context
                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                      File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                      Category:dropped
                                      Size (bytes):71954
                                      Entropy (8bit):7.996617769952133
                                      Encrypted:true
                                      SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                      MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                      SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                      SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                      SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                      Malicious:false
                                      Reputation:high, very likely benign file
                                      Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):328
                                      Entropy (8bit):3.1440865988908953
                                      Encrypted:false
                                      SSDEEP:6:kKZn9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:4DnLNkPlE99SNxAhUe/3
                                      MD5:930066F1D097F01253AA964B1855BE1C
                                      SHA1:4A95680FC6100A1FED6A39200A464FABEB660213
                                      SHA-256:599D280E7621177C01A5E6CDAF42490B483172C6759FC28F4F34983DE72D9F71
                                      SHA-512:D722DBDE341116A44E5DBF11080507F4EB2E0B95818EF4020C004DB5596BBAE158947BFFFC243CF9015E67F31F7FD8ED5677209C64744B1B7C13E9EB7357EDA8
                                      Malicious:false
                                      Reputation:low
                                      Preview:p...... .........E._....(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                      Process:C:\Users\user\Desktop\STlUEqhwpx.exe
                                      File Type:CSV text
                                      Category:dropped
                                      Size (bytes):226
                                      Entropy (8bit):5.360398796477698
                                      Encrypted:false
                                      SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
                                      MD5:3A8957C6382192B71471BD14359D0B12
                                      SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
                                      SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
                                      SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
                                      Malicious:true
                                      Reputation:high, very likely benign file
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Entropy (8bit):7.998434189083879
                                      TrID:
                                      • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                      • Win32 Executable (generic) a (10002005/4) 49.97%
                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                      • DOS Executable Generic (2002/1) 0.01%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:STlUEqhwpx.exe
                                      File size:3'309'568 bytes
                                      MD5:0a8cfbcfffa98cb54b6746fec4981101
                                      SHA1:9394653bbd0ca684970c5d482e26a89f60d4e975
                                      SHA256:2a4751457c3ab5125478cfebea685b92046e047dedc07ecb0b32f2d6c6293a0f
                                      SHA512:b6b37161737d582f885bcba9685ad5badc8116e8c46c2f6c888908e6ac44613a85a34cae93915832ac660204fb99dbc23e5b354dfc2b4999d1ca45bb7193753b
                                      SSDEEP:49152:soe3aWG7CWXpqWNSCsaY3CvuNC9RKb0r0OucozUNXFsnlVIE9z:sh3NGOQzd7EeuFb05uF3nl+EV
                                      TLSH:50E5330B18C1382ED077203B118B5F11A66ABD937C4FDBA211B50B4D6B656CEE51AFE3
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................v2...........2.. ....2...@.. ........................2...........@................................
                                      Icon Hash:90cececece8e8eb0
                                      Entrypoint:0x7294ee
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x66FD8F0A [Wed Oct 2 18:20:58 2024 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                      Instruction
                                      jmp dword ptr [00402000h]
                                      add byte ptr [eax], al
                                      Name | Virtual Address | Virtual Size | Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x329498 | 0x53 | .text
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x32a000 | 0x542 | .rsrc
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x32c000 | 0xc | .reloc
                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                      .text | 0x2000 | 0x3274f4 | 0x327600 | c2cda2f17cae7fb1b1b700e5bed7123a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                      .rsrc | 0x32a000 | 0x542 | 0x600 | def116b2d3ea08f0e27a74f821008310 | False | 0.4049479166666667 | data | 3.9039212694753482 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .reloc | 0x32c000 | 0xc | 0x200 | 43a00802d736bf93eacbb559f2622f6f | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                      RT_VERSION | 0x32a0a0 | 0x2b8 | COM executable for DOS | | | 0.45977011494252873
                                      RT_MANIFEST | 0x32a358 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
                                      DLL | Import
                                      mscoree.dll | _CorExeMain
                                      Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                      2024-10-08T00:08:00.035013+0200 | 2027619 | ET MALWARE Observed Malicious SSL Cert (Quasar CnC) | 1 | 165.22.194.189 | 5613 | 192.168.2.4 | 49730 | TCP
                                      2024-10-08T00:08:00.035013+0200 | 2035595 | ET MALWARE Generic AsyncRAT Style SSL Cert | 1 | 165.22.194.189 | 5613 | 192.168.2.4 | 49730 | TCP
                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Oct 8, 2024 00:07:59.408647060 CEST | 49730 | 5613 | 192.168.2.4 | 165.22.194.189
                                      Oct 8, 2024 00:07:59.413793087 CEST | 5613 | 49730 | 165.22.194.189 | 192.168.2.4
                                      Oct 8, 2024 00:07:59.413876057 CEST | 49730 | 5613 | 192.168.2.4 | 165.22.194.189
                                      Oct 8, 2024 00:07:59.421200037 CEST | 49730 | 5613 | 192.168.2.4 | 165.22.194.189
                                      Oct 8, 2024 00:07:59.426131010 CEST | 5613 | 49730 | 165.22.194.189 | 192.168.2.4
                                      Oct 8, 2024 00:08:00.023108959 CEST | 5613 | 49730 | 165.22.194.189 | 192.168.2.4
                                      Oct 8, 2024 00:08:00.023163080 CEST | 5613 | 49730 | 165.22.194.189 | 192.168.2.4
                                      Oct 8, 2024 00:08:00.023338079 CEST | 49730 | 5613 | 192.168.2.4 | 165.22.194.189
                                      Oct 8, 2024 00:08:00.029933929 CEST | 49730 | 5613 | 192.168.2.4 | 165.22.194.189
                                      Oct 8, 2024 00:08:00.035012960 CEST | 5613 | 49730 | 165.22.194.189 | 192.168.2.4
                                      Oct 8, 2024 00:08:00.198863029 CEST | 5613 | 49730 | 165.22.194.189 | 192.168.2.4
                                      Oct 8, 2024 00:08:00.246985912 CEST | 49730 | 5613 | 192.168.2.4 | 165.22.194.189
                                      Oct 8, 2024 00:08:01.501506090 CEST | 49732 | 443 | 192.168.2.4 | 195.201.57.90
                                      Oct 8, 2024 00:08:01.501594067 CEST | 443 | 49732 | 195.201.57.90 | 192.168.2.4
                                      Oct 8, 2024 00:08:01.501679897 CEST | 49732 | 443 | 192.168.2.4 | 195.201.57.90
                                      Oct 8, 2024 00:08:01.503978014 CEST | 49732 | 443 | 192.168.2.4 | 195.201.57.90
                                      Oct 8, 2024 00:08:01.504012108 CEST | 443 | 49732 | 195.201.57.90 | 192.168.2.4
                                      Oct 8, 2024 00:08:02.380373001 CEST | 443 | 49732 | 195.201.57.90 | 192.168.2.4
                                      Oct 8, 2024 00:08:02.380508900 CEST | 49732 | 443 | 192.168.2.4 | 195.201.57.90
                                      Oct 8, 2024 00:08:02.384138107 CEST | 49732 | 443 | 192.168.2.4 | 195.201.57.90
                                      Oct 8, 2024 00:08:02.384166956 CEST | 443 | 49732 | 195.201.57.90 | 192.168.2.4
                                      Oct 8, 2024 00:08:02.384691000 CEST | 443 | 49732 | 195.201.57.90 | 192.168.2.4
                                      Oct 8, 2024 00:08:02.417081118 CEST | 49732 | 443 | 192.168.2.4 | 195.201.57.90
                                      Oct 8, 2024 00:08:02.463397026 CEST | 443 | 49732 | 195.201.57.90 | 192.168.2.4
                                      Oct 8, 2024 00:08:02.604368925 CEST | 443 | 49732 | 195.201.57.90 | 192.168.2.4
                                      Oct 8, 2024 00:08:02.604526043 CEST | 443 | 49732 | 195.201.57.90 | 192.168.2.4
                                      Oct 8, 2024 00:08:02.604605913 CEST | 49732 | 443 | 192.168.2.4 | 195.201.57.90
                                      Oct 8, 2024 00:08:02.692287922 CEST | 49732 | 443 | 192.168.2.4 | 195.201.57.90
                                      Oct 8, 2024 00:08:02.814096928 CEST | 49730 | 5613 | 192.168.2.4 | 165.22.194.189
                                      Oct 8, 2024 00:08:02.819341898 CEST | 5613 | 49730 | 165.22.194.189 | 192.168.2.4
                                      Oct 8, 2024 00:08:02.819442034 CEST | 49730 | 5613 | 192.168.2.4 | 165.22.194.189
                                      Oct 8, 2024 00:08:02.824575901 CEST | 5613 | 49730 | 165.22.194.189 | 192.168.2.4
                                      Oct 8, 2024 00:08:03.100800037 CEST | 5613 | 49730 | 165.22.194.189 | 192.168.2.4
                                      Oct 8, 2024 00:08:03.153028011 CEST | 49730 | 5613 | 192.168.2.4 | 165.22.194.189
                                      Oct 8, 2024 00:08:03.230510950 CEST | 5613 | 49730 | 165.22.194.189 | 192.168.2.4
                                      Oct 8, 2024 00:08:03.278143883 CEST | 49730 | 5613 | 192.168.2.4 | 165.22.194.189
                                      Oct 8, 2024 00:08:28.231337070 CEST | 49730 | 5613 | 192.168.2.4 | 165.22.194.189
                                      Oct 8, 2024 00:08:28.236488104 CEST | 5613 | 49730 | 165.22.194.189 | 192.168.2.4
                                      Oct 8, 2024 00:08:53.247076035 CEST | 49730 | 5613 | 192.168.2.4 | 165.22.194.189
                                      Oct 8, 2024 00:08:53.252062082 CEST | 5613 | 49730 | 165.22.194.189 | 192.168.2.4
                                      Oct 8, 2024 00:09:18.262586117 CEST | 49730 | 5613 | 192.168.2.4 | 165.22.194.189
                                      Oct 8, 2024 00:09:18.267725945 CEST | 5613 | 49730 | 165.22.194.189 | 192.168.2.4
                                      Oct 8, 2024 00:09:43.278276920 CEST | 49730 | 5613 | 192.168.2.4 | 165.22.194.189
                                      Oct 8, 2024 00:09:43.283344984 CEST | 5613 | 49730 | 165.22.194.189 | 192.168.2.4
                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Oct 8, 2024 00:08:01.433872938 CEST | 55792 | 53 | 192.168.2.4 | 1.1.1.1
                                      Oct 8, 2024 00:08:01.441819906 CEST | 53 | 55792 | 1.1.1.1 | 192.168.2.4
                                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                      Oct 8, 2024 00:08:01.433872938 CEST | 192.168.2.4 | 1.1.1.1 | 0x4e94 | Standard query (0) | ipwho.is | A (IP address) | IN (0x0001) | false
                                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                      Oct 8, 2024 00:08:01.441819906 CEST | 1.1.1.1 | 192.168.2.4 | 0x4e94 | No error (0) | ipwho.is | | 195.201.57.90 | A (IP address) | IN (0x0001) | false
                                      • ipwho.is
                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      0 | 192.168.2.4 | 49732 | 195.201.57.90 | 443 | 7296 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-10-07 22:08:02 UTC | 150 | OUT | GET / HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
                                        Host: ipwho.is
                                        Connection: Keep-Alive
                                      2024-10-07 22:08:02 UTC | 223 | IN | HTTP/1.1 200 OK
                                        Date: Mon, 07 Oct 2024 22:08:02 GMT
                                        Content-Type: application/json; charset=utf-8
                                        Transfer-Encoding: chunked
                                        Connection: close
                                        Server: ipwhois
                                        Access-Control-Allow-Headers: *
                                        X-Robots-Tag: noindex
                                      2024-10-07 22:08:02 UTC | 1019 | IN | Data Ascii: 3ef{ "About Us": "https:\/\/ipwhois.io", "ip": "8.46.123.33", "success": true, "type": "IPv4", "continent": "North America", "continent_code": "NA", "country": "United States", "country_code": "US", "region": "New Yor


                                      Target ID:0
                                      Start time:18:07:56
                                      Start date:07/10/2024
                                      Path:C:\Users\user\Desktop\STlUEqhwpx.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\STlUEqhwpx.exe"
                                      Imagebase:0x10000
                                      File size:3'309'568 bytes
                                      MD5 hash:0A8CFBCFFFA98CB54B6746FEC4981101
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.1672389499.0000000002781000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.1672479758.0000000004184000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.1672479758.0000000003784000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

                                      Target ID:1
                                      Start time:18:07:56
                                      Start date:07/10/2024
                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                      Wow64 process (32bit):false
                                      Commandline:#system32
                                      Imagebase:0x620000
                                      File size:65'440 bytes
                                      MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:2
                                      Start time:18:07:56
                                      Start date:07/10/2024
                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                      Wow64 process (32bit):true
                                      Commandline:#system32
                                      Imagebase:0xd20000
                                      File size:65'440 bytes
                                      MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000002.00000002.2918490153.0000000000720000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000002.00000002.2922324215.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000002.00000002.2922324215.0000000003111000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000002.00000002.2918490153.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:high
                                      Has exited:false


                                        Execution Graph

                                        Execution Coverage:42%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:0%
                                        Total number of Nodes:48
                                        Total number of Limit Nodes:2
                                        [Execution graph rendering omitted; its nodes are functions in the 0x02570000 memory dump, and the API calls along the graph, in call order, are CreateProcessW, Wow64SetThreadContext, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory (three calls), Wow64SetThreadContext and ResumeThread]

                                        Callgraph

                                        [Call graph rendering omitted; its nodes are Function_<address> entries from the 0x02570000 memory dump. Function_02570CD1 is the hub node, reached from Function_02570C17, Function_025709C2, Function_02570B81 and Function_02570BAC, and it calls Function_02570554, Function_02570548, Function_02570578, Function_02570560 and Function_0257056C]

                                        Control-flow Graph

                                        [Control-flow graph of function 2570cd1 (basic blocks 2570cd1-25711ff, with calls to 2570548, 2570554, 2570560, 257056c, 2570578, VirtualAllocEx and ResumeThread); rendering omitted]
                                        APIs
                                          • Part of subcall function 02570548: CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 02571354
                                          • Part of subcall function 02570554: Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,02570DCC), ref: 025714B3
                                          • Part of subcall function 02570560: ReadProcessMemory.KERNELBASE(?,?,?,?,00010002,?,?,?,?,?,?,02570E0A,?,00000004,?), ref: 02571571
                                        • VirtualAllocEx.KERNELBASE(?,?,00000000,00003000,00000040), ref: 02570ECF
                                        • ResumeThread.KERNELBASE(?), ref: 02570FE4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1672315236.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2570000_STlUEqhwpx.jbxd
                                        Similarity
                                        • API ID: ProcessThread$AllocContextCreateMemoryReadResumeVirtualWow64
                                        • String ID:
                                        • API String ID: 2498194165-0
                                        • Opcode ID: e554882d28bd18111cd9983304393ef6977997ab2f0018c136668b050ad6c835
                                        • Instruction ID: 6965b31edbad04da3a9cd7c40313b4d831d54e923c1a0e45c0e0a1c0ef19f9e3
                                        • Opcode Fuzzy Hash: e554882d28bd18111cd9983304393ef6977997ab2f0018c136668b050ad6c835
                                        • Instruction Fuzzy Hash: 2DD18071E002198FDB14DFA5D850BAEBBF2BF84344F248159D40AAB395DF34AD85CB98

                                        Control-flow Graph

                                        [Control-flow graph of function 257120c (basic blocks 257120c-2571415, calling CreateProcessW); rendering omitted]
                                        APIs
                                        • CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 02571354
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1672315236.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2570000_STlUEqhwpx.jbxd
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID:
                                        • API String ID: 963392458-0
                                        • Opcode ID: dcef326152ea12d596fc75f0b10f7412b79e6d8249440e2abe970a58e3732075
                                        • Instruction ID: 668fbd9896f48b323a2f6bd94dd2a6e16f2604a565892ad7e1b030e7d30034b9
                                        • Opcode Fuzzy Hash: dcef326152ea12d596fc75f0b10f7412b79e6d8249440e2abe970a58e3732075
                                        • Instruction Fuzzy Hash: A8513471900629DFDF20CFA9D940BDEBBB6BF49304F1480AAE508AB250D7749A88CF51

                                        Control-flow Graph

                                        • Rendered control-flow graph (image not preserved in text): entry 0x2570548, basic blocks spanning 0x2570548-0x2571415; CreateProcessW is called from block 0x25712cc-0x2571367. Executed/not-executed block colouring is not recoverable.
                                        APIs
                                        • CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 02571354
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1672315236.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2570000_STlUEqhwpx.jbxd
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID:
                                        • API String ID: 963392458-0
                                        • Opcode ID: dc49782372cd14408d2066f5a5ee7288d68613b4773f3cabac493c2f49cfacb9
                                        • Instruction ID: 6ecf45530e23ddc046e31b92855ba78e9e9f06d039a663d26bcd0f2b151285c5
                                        • Opcode Fuzzy Hash: dc49782372cd14408d2066f5a5ee7288d68613b4773f3cabac493c2f49cfacb9
                                        • Instruction Fuzzy Hash: E0512771900729DFDF24CF99D940BDEBBB6BF49304F1480AAE908A7250D7759A88CF91

                                        Control-flow Graph

                                        • Rendered control-flow graph (image not preserved in text): entry 0x257056c, basic blocks spanning 0x257056c-0x2571673; WriteProcessMemory is called from block 0x2571610-0x2571649. Executed/not-executed block colouring is not recoverable.
                                        APIs
                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?,?,?,?,00000000,00000000,?,025711AD,?,?,00000000), ref: 0257163C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1672315236.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2570000_STlUEqhwpx.jbxd
                                        Similarity
                                        • API ID: MemoryProcessWrite
                                        • String ID:
                                        • API String ID: 3559483778-0
                                        • Opcode ID: 8a90a6203a9bbd40315020990c92e77949e8049e062569f1c6eacc5ca32e836b
                                        • Instruction ID: 21280a35e369b5b2e09eda552a9312298ce8976a6ee542513b30df30d609a20e
                                        • Opcode Fuzzy Hash: 8a90a6203a9bbd40315020990c92e77949e8049e062569f1c6eacc5ca32e836b
                                        • Instruction Fuzzy Hash: CC2107B5900759DFCB10CF9AD884BDEBBF4FB48310F54842AE918A7250D378A944CFA4

                                        Control-flow Graph

                                        • Rendered control-flow graph (image not preserved in text): entry 0x25715b9, basic blocks spanning 0x25715b9-0x2571673; WriteProcessMemory is called from block 0x2571610-0x2571649. Executed/not-executed block colouring is not recoverable.
                                        APIs
                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?,?,?,?,00000000,00000000,?,025711AD,?,?,00000000), ref: 0257163C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1672315236.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2570000_STlUEqhwpx.jbxd
                                        Similarity
                                        • API ID: MemoryProcessWrite
                                        • String ID:
                                        • API String ID: 3559483778-0
                                        • Opcode ID: ba727b92c1316492be62021ff8b7f42faa5a3b94a23c3041fdb8320d2df5b823
                                        • Instruction ID: d31c857ba151e7cb988a6c088cf39fc6d5047aa99148eb3b79499150fe8cc28c
                                        • Opcode Fuzzy Hash: ba727b92c1316492be62021ff8b7f42faa5a3b94a23c3041fdb8320d2df5b823
                                        • Instruction Fuzzy Hash: 832104B1900259DFDB10CF99D984BDEFBF4FB48310F14842AE558A7250C378A944CF64

                                        Control-flow Graph

                                        • Rendered control-flow graph (image not preserved in text): entry 0x25714f8, basic blocks spanning 0x25714f8-0x25715a8; ReadProcessMemory is called from block 0x25714f8-0x257157e. Executed/not-executed block colouring is not recoverable.
                                        APIs
                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,00010002,?,?,?,?,?,?,02570E0A,?,00000004,?), ref: 02571571
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1672315236.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2570000_STlUEqhwpx.jbxd
                                        Similarity
                                        • API ID: MemoryProcessRead
                                        • String ID:
                                        • API String ID: 1726664587-0
                                        • Opcode ID: fa264ad77237856b611f3a67518e64d0036c83d90a24901fe74ff301a6fa184c
                                        • Instruction ID: 0224b07e0688a1226dd322354c97650a257f6b2760e13a967106761544c85e5b
                                        • Opcode Fuzzy Hash: fa264ad77237856b611f3a67518e64d0036c83d90a24901fe74ff301a6fa184c
                                        • Instruction Fuzzy Hash: 6321E4B59002599FDB10CF9AD985BDEFBF4FB48320F10846AE958A7250C378A944CFA5

                                        Control-flow Graph

                                        • Rendered control-flow graph (image not preserved in text): entry 0x2570560, basic blocks spanning 0x2570560-0x25715a8; ReadProcessMemory is called from block 0x2570560-0x257157e. Executed/not-executed block colouring is not recoverable.
                                        APIs
                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,00010002,?,?,?,?,?,?,02570E0A,?,00000004,?), ref: 02571571
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1672315236.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2570000_STlUEqhwpx.jbxd
                                        Similarity
                                        • API ID: MemoryProcessRead
                                        • String ID:
                                        • API String ID: 1726664587-0
                                        • Opcode ID: 2dbee0dc8272d1964ffed76a31aa69c3f703272eb267449896a33da05491be78
                                        • Instruction ID: f50baac6e0a0a829d6843d1c7bcefa96cc95ac5a030243120584e513266f5f63
                                        • Opcode Fuzzy Hash: 2dbee0dc8272d1964ffed76a31aa69c3f703272eb267449896a33da05491be78
                                        • Instruction Fuzzy Hash: 8E21E4B59007599FCB10CF9AD984BDEFBF4FB48320F10842AE958A7250D374A944CFA5

                                        Control-flow Graph

                                        • Rendered control-flow graph (image not preserved in text): entry 0x2570554, basic blocks spanning 0x2570554-0x25714ea; Wow64SetThreadContext is called from block 0x2571494-0x25714c0. Executed/not-executed block colouring is not recoverable.
                                        APIs
                                        • Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,02570DCC), ref: 025714B3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1672315236.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2570000_STlUEqhwpx.jbxd
                                        Similarity
                                        • API ID: ContextThreadWow64
                                        • String ID:
                                        • API String ID: 983334009-0
                                        • Opcode ID: a5ae51c7f9b0b4de1fe8a4601d6c8b83e83cf060689ce98e77a2b0e8f50d5809
                                        • Instruction ID: 6c670707260636010b9a9597d0479a167102af45c60b885362b5c093900db1c6
                                        • Opcode Fuzzy Hash: a5ae51c7f9b0b4de1fe8a4601d6c8b83e83cf060689ce98e77a2b0e8f50d5809
                                        • Instruction Fuzzy Hash: E81112B19006498FCB10CF9AD945BEEFBF9FB88320F14C469E458A7200D378A544CFA5

                                        Control-flow Graph

                                        • Rendered control-flow graph (image not preserved in text): entry 0x2570578, basic blocks spanning 0x2570578-0x25714ea; Wow64SetThreadContext is called from block 0x2571494-0x25714c0. Executed/not-executed block colouring is not recoverable.
                                        APIs
                                        • Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,02570DCC), ref: 025714B3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1672315236.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2570000_STlUEqhwpx.jbxd
                                        Similarity
                                        • API ID: ContextThreadWow64
                                        • String ID:
                                        • API String ID: 983334009-0
                                        • Opcode ID: f50f42a794b50f70bc5f08185615ea0eddac3953dae0bf1ab798c4ac16460ea6
                                        • Instruction ID: 7e981e59eae37acf4407b770599102089eb79d54dd6cc760518b4ff468836c4f
                                        • Opcode Fuzzy Hash: f50f42a794b50f70bc5f08185615ea0eddac3953dae0bf1ab798c4ac16460ea6
                                        • Instruction Fuzzy Hash: 6A1112B19006498FCB10CF9AD944BEEFBF9FB88324F14C469E458A7200D778A544CFA5

                                        Control-flow Graph

                                        • Rendered control-flow graph (image not preserved in text): entry 0x2571441, basic blocks spanning 0x2571441-0x25714ea; Wow64SetThreadContext is called from block 0x2571494-0x25714c0. Executed/not-executed block colouring is not recoverable.
                                        APIs
                                        • Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,02570DCC), ref: 025714B3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1672315236.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2570000_STlUEqhwpx.jbxd
                                        Similarity
                                        • API ID: ContextThreadWow64
                                        • String ID:
                                        • API String ID: 983334009-0
                                        • Opcode ID: 325e066aafb1579a3ad0e3d8a29b5d8a1b110746146a9f4f7fc852d5a96242f8
                                        • Instruction ID: 6ee35c78f2f05386b5a202097e84b82651084226c15b49dfb7ff82f087dfa153
                                        • Opcode Fuzzy Hash: 325e066aafb1579a3ad0e3d8a29b5d8a1b110746146a9f4f7fc852d5a96242f8
                                        • Instruction Fuzzy Hash: 081100B2D006498FCB10CFAAD944BEEFBF5AB88320F14C56AD459A3250D378A545CFA5

                                        Execution Graph

                                        Execution Coverage:8.8%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:0%
                                        Total number of Nodes:120
                                        Total number of Limit Nodes:15
                                        • Rendered execution graph (image not preserved in text): rooted at 0x2f46788 and 0x2f44668 in the RegAsm 0x2f40000 dump; API calls reachable in the graph: DuplicateHandle, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, CreateActCtxA, GetModuleHandleW, GetFocus, KiUserCallbackDispatcher.

                                        Control-flow Graph

                                        • Rendered control-flow graph (image not preserved in text): entry 0x7c89980, basic blocks spanning 0x7c89980-0x7c8a22c; no Windows API calls, internal calls to 0x7c89828 and 0x7c816a0 plus self-referencing calls to 0x7c89980/0x7c89970. Executed/not-executed block colouring is not recoverable.
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2936650417.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7c80000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (oq$(oq
                                        • API String ID: 0-3207256227
                                        • Opcode ID: c2ed01159e8f5c7d4ce65436b1bcc85fbf78ef59b49822e1a1582f9974125b2c
                                        • Instruction ID: c1e219da953495d276d19995aca2e92e03b410eee91adbf138ecbcd26ee96d63
                                        • Opcode Fuzzy Hash: c2ed01159e8f5c7d4ce65436b1bcc85fbf78ef59b49822e1a1582f9974125b2c
                                        • Instruction Fuzzy Hash: 33426BB1B006168FCB59DF69C49466EBBF2FF88304F24852AD55ADB390DB34E901CB91

                                        Control-flow Graph

                                        • Rendered control-flow graph (image not preserved in text): entry 0x2f46518, basic blocks spanning 0x2f46518-0x2f4670d; calls GetCurrentProcess, GetCurrentThread, GetCurrentProcess and GetCurrentThreadId in sequence, plus an internal call to 0x2f4670f. Executed/not-executed block colouring is not recoverable.
                                        APIs
                                        • GetCurrentProcess.KERNEL32 ref: 02F465BE
                                        • GetCurrentThread.KERNEL32 ref: 02F465FB
                                        • GetCurrentProcess.KERNEL32 ref: 02F46638
                                        • GetCurrentThreadId.KERNEL32 ref: 02F46691
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2921587900.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_2f40000_RegAsm.jbxd
                                        Similarity
                                        • API ID: Current$ProcessThread
                                        • String ID:
                                        • API String ID: 2063062207-0
                                        • Opcode ID: 9129c7c759198c55afd34faba0b572be7c146e424cbeb5cf0b48d148a47fd3de
                                        • Instruction ID: 9bb88d3c857d6ccb2a830b6ef965ffd7b4b4ff95318cbe9d99d3424ca9062b3f
                                        • Opcode Fuzzy Hash: 9129c7c759198c55afd34faba0b572be7c146e424cbeb5cf0b48d148a47fd3de
                                        • Instruction Fuzzy Hash: 2B5155B190024ACFDB14CFA9D64879EBFF1AF49314F24C45AE109AB3A0DB749984CF65

                                        Control-flow Graph

                                        • Rendered control-flow graph (image not preserved in text): entry 0x2f44e90, basic blocks spanning 0x2f44e90-0x2f4670d; calls GetCurrentProcess, GetCurrentThread, GetCurrentProcess and GetCurrentThreadId in sequence, plus an internal call to 0x2f4670f. Executed/not-executed block colouring is not recoverable.
                                        APIs
                                        • GetCurrentProcess.KERNEL32 ref: 02F465BE
                                        • GetCurrentThread.KERNEL32 ref: 02F465FB
                                        • GetCurrentProcess.KERNEL32 ref: 02F46638
                                        • GetCurrentThreadId.KERNEL32 ref: 02F46691
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2921587900.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_2f40000_RegAsm.jbxd
                                        Similarity
                                        • API ID: Current$ProcessThread
                                        • String ID:
                                        • API String ID: 2063062207-0
                                        • Opcode ID: 985a90b900cd10adc3f6996ad1b00de90fd6288cd04b58689a931c068b9ea96f
                                        • Instruction ID: d283c9aeec31d2ca80b1eb7d820d096bf262a6850e2b589b3bc5750bbbf380ba
                                        • Opcode Fuzzy Hash: 985a90b900cd10adc3f6996ad1b00de90fd6288cd04b58689a931c068b9ea96f
                                        • Instruction Fuzzy Hash: 445144B0910209CFDB14CFA9D648BAEBFF5EB49304F20C459E509A73A0DB74A984CF65

                                        Control-flow Graph

                                        • Rendered control-flow graph (image not preserved in text): entry 0x7c871e0, basic blocks spanning 0x7c871e0-0x7c8783f; no API or internal calls in the graph. Executed/not-executed block colouring is not recoverable.
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2936650417.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7c80000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (oq$(oq$(oq
                                        • API String ID: 0-3965398577
                                        • Opcode ID: dc3d8a638c736fb9551ed7dccdba7f3ebcb85bf085e0750033667152c8572d25
                                        • Instruction ID: 49439ba69ff62b42c8d8524c18436467edabc37dec54861812aca6a701444863
                                        • Opcode Fuzzy Hash: dc3d8a638c736fb9551ed7dccdba7f3ebcb85bf085e0750033667152c8572d25
                                        • Instruction Fuzzy Hash: E812C070B006099FCB55EFA9C49465EBBF2FF88300B248969D44ADB794DB34ED02CB95

                                        Control-flow Graph

                                        • Rendered control-flow graph (image not preserved in text): entry 0x7c80730, basic blocks spanning 0x7c80730-0x7c80bf5; no Windows API calls, internal calls to 0x7c80f28, 0x7c80f38, 0x7c80e58, 0x7c80cc8 and 0x7c80cb7. Executed/not-executed block colouring is not recoverable.
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2936650417.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7c80000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (oq$(oq$Hoq
                                        • API String ID: 0-3836682603
                                        • Opcode ID: fc88afdae30144a941b319fd9b9b8b69474bcea8610e73dfaec80d8703888974
                                        • Instruction ID: b3f69bbff7ac69c44350431259b7059c7a3f72fdb40488b71359ce647f9d41e9
                                        • Opcode Fuzzy Hash: fc88afdae30144a941b319fd9b9b8b69474bcea8610e73dfaec80d8703888974
                                        • Instruction Fuzzy Hash: 2EE16574B11209DFCB44EFA4D8949ADBBB2FF89310F508569E815AB364DB30ED85CB90

                                        Control-flow Graph
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2936650417.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7c80000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4'kq$4'kq
                                        • API String ID: 0-4171853269
                                        • Opcode ID: cbda23fc283aced94013eb4d6b91ce6d9ca6223aeb6f0c8cda249449b19dc559
                                        • Instruction ID: 40e02559645100fb132d307f1e859a5424332087704f7d85eceb1b724ab980b8
                                        • Opcode Fuzzy Hash: cbda23fc283aced94013eb4d6b91ce6d9ca6223aeb6f0c8cda249449b19dc559
                                        • Instruction Fuzzy Hash: 69D11D74B10218CFC744EFA8D994AADB7B2FF89300F514169E915AB3A4DB71EC42CB50

                                        Control-flow Graph
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2936650417.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7c80000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4'kq$4'kq
                                        • API String ID: 0-4171853269
                                        • Opcode ID: b44272ce865fec4370a19b3478bc75ce99f2d7d7890166c7456e8104b10fc472
                                        • Instruction ID: 96acf98046af19b70970200b5382b19abf7d210d931380ba97ce6c3d9dd9ed01
                                        • Opcode Fuzzy Hash: b44272ce865fec4370a19b3478bc75ce99f2d7d7890166c7456e8104b10fc472
                                        • Instruction Fuzzy Hash: 21C1C674B10218CFCB44EFA8C994A9DB7B6FF89300F514169E916AB3A5DB71EC42CB50

                                        Control-flow Graph
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 02F4C256
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2921587900.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_2f40000_RegAsm.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        • Opcode ID: 2887d7c4a427bec12718aab85389ff11650baefe0262b1a8a76cdeba50a247c7
                                        • Instruction ID: c50c046092c4c9080981329991b96be1b5e21dba91d5e20518eee3150370c4c9
                                        • Opcode Fuzzy Hash: 2887d7c4a427bec12718aab85389ff11650baefe0262b1a8a76cdeba50a247c7
                                        • Instruction Fuzzy Hash: 1A8155B0A01B058FD724DF69D54075ABBF1BF88744F008A2ED58ADBB50DBB5E845CB90

                                        Control-flow Graph
                                        APIs
                                        • CreateActCtxA.KERNEL32(?), ref: 02F47421
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2921587900.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_2f40000_RegAsm.jbxd
                                        Similarity
                                        • API ID: Create
                                        • String ID:
                                        • API String ID: 2289755597-0
                                        • Opcode ID: 61f4c846b6d5029490100810534cbbddfbe7371ccc9cb2cde241a719911dcee9
                                        • Instruction ID: 465323a5e5f036a5c7b38ffa5080e7aa5e73c09bb36f471bede706f12bc83099
                                        • Opcode Fuzzy Hash: 61f4c846b6d5029490100810534cbbddfbe7371ccc9cb2cde241a719911dcee9
                                        • Instruction Fuzzy Hash: F941FFB1D00619CBDB24DFA9C944B9EFFB5BF48304F20806AD508AB264DBB56985CF90

                                        Control-flow Graph
                                        APIs
                                        • CreateActCtxA.KERNEL32(?), ref: 02F47421
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2921587900.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_2f40000_RegAsm.jbxd
                                        Similarity
                                        • API ID: Create
                                        • String ID:
                                        • API String ID: 2289755597-0
                                        • Opcode ID: cb3aec8a7756b4b12c28f601f3ad71335fae748fbbacf76e39325db4d29258fe
                                        • Instruction ID: 00d8618bf90c403fca138c356564839d233fd6517eb07b6941a09f96b033e126
                                        • Opcode Fuzzy Hash: cb3aec8a7756b4b12c28f601f3ad71335fae748fbbacf76e39325db4d29258fe
                                        • Instruction Fuzzy Hash: 3F41F2B1C00619CEDB24DFA9C9447DDFFB5BF48314F2480AAD408AB265DB755949CF90

                                        Control-flow Graph
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02F4680F
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2921587900.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_2f40000_RegAsm.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0
                                        • Opcode ID: 07b50efd80702d38b268a20f8dda328d0855ffc527eb52b4f81a63dafdf8a93d
                                        • Instruction ID: 3b97551148864d47129eff106e552c845002cb7d405466fdb199ef3cc86c31d2
                                        • Opcode Fuzzy Hash: 07b50efd80702d38b268a20f8dda328d0855ffc527eb52b4f81a63dafdf8a93d
                                        • Instruction Fuzzy Hash: 2621E5B6D002589FDB10CF99D984ADEBFF8EB48324F14841AE954A3310D774A944CFA5
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02F4680F
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2921587900.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_2f40000_RegAsm.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0
                                        • Opcode ID: 3f320b55d5536f2db1211f4493d068e40c848f2435df28badcfdd763990d0bee
                                        • Instruction ID: 02c028b76a6e09dff9f2948bf6a7cdc7ec593a0c2f643f54bbbd00ce0be92e1a
                                        • Opcode Fuzzy Hash: 3f320b55d5536f2db1211f4493d068e40c848f2435df28badcfdd763990d0bee
                                        • Instruction Fuzzy Hash: B921E4B5D002489FDB10CFAAD984ADEBFF8EB48324F14841AE954A3310D778A944CFA5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2936650417.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7c80000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Plkq
                                        • API String ID: 0-177148220
                                        • Opcode ID: 75bcab036b1fd1d6d008d4fc66ad62e9d5c57cb9ae40db2472d4f532de80b5bb
                                        • Instruction ID: a9402f45b205d4bbbfe39a376eca13269af76be90a8bcf036ac4c0c6d50ff601
                                        • Opcode Fuzzy Hash: 75bcab036b1fd1d6d008d4fc66ad62e9d5c57cb9ae40db2472d4f532de80b5bb
                                        • Instruction Fuzzy Hash: 1CD11E74B112189FCB44EFA5D994E9EB7B6FF88700F508068E815AB3A5CB35ED41CB90
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 02F4C256
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2921587900.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_2f40000_RegAsm.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        • Opcode ID: ff2ff400877c16fc8ee7d0d86ee124e2fe6c490ab669090803d2758303afc62e
                                        • Instruction ID: 15651c626edf142269a5cd1e9a5d06cad91ea2e159ebdaf0bd630e428301b567
                                        • Opcode Fuzzy Hash: ff2ff400877c16fc8ee7d0d86ee124e2fe6c490ab669090803d2758303afc62e
                                        • Instruction Fuzzy Hash: DE1113B6D006498FCB10CF9AC544ADEFBF4AB88724F10855AD959B7210C7B4A545CFA1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2936650417.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7c80000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (oq
                                        • API String ID: 0-3175707579
                                        • Opcode ID: fbc96097b39be84ba308c5b2d483652d966604a3e0641ec6025c73c5d149ecc8
                                        • Instruction ID: cf5d5359204307eb84cd8c33fb94cca1392a1e14738e0a4ac52b360e7a4296ea
                                        • Opcode Fuzzy Hash: fbc96097b39be84ba308c5b2d483652d966604a3e0641ec6025c73c5d149ecc8
                                        • Instruction Fuzzy Hash: EFA1C0713002019FD7559F64D894A2A7BA3FF89314F1584AAE6458F3B2CA36EC86CB50
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2936650417.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7c80000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Plkq
                                        • API String ID: 0-177148220
                                        • Opcode ID: d08d4a8068e9357f3976ff9f187e5b74f6d1c4de019362d76499fa9d3b8593d3
                                        • Instruction ID: 7135a6c6e43db4d8fd9de6f2717e748c24f1f0fc354e274b7bc1d6ecb6f319c1
                                        • Opcode Fuzzy Hash: d08d4a8068e9357f3976ff9f187e5b74f6d1c4de019362d76499fa9d3b8593d3
                                        • Instruction Fuzzy Hash: 43B13274B102189FC748EFA5D994E9EB7B6BF88700F108468E815AB3A5CB35ED41CB90
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2936650417.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7c80000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4'kq
                                        • API String ID: 0-3255046985
                                        • Opcode ID: 12a67da6ab6dec78235cb9939668110565c202bd76e978005bee5d4e9290247a
                                        • Instruction ID: f57445b4a81afa4de7f412010bb0edd6ff1804b2bdec698092f5d0b06de674ad
                                        • Opcode Fuzzy Hash: 12a67da6ab6dec78235cb9939668110565c202bd76e978005bee5d4e9290247a
                                        • Instruction Fuzzy Hash: C751D1B13402449FD345AB38C954B6A7BE6AF89714F1844AAE505CF3A2DA35EC82C7A1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2936650417.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7c80000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4'kq
                                        • API String ID: 0-3255046985
                                        • Opcode ID: 96245e9de38f50005d3a39a49e8015d912c897e8cf49f603a822488cb3ee859e
                                        • Instruction ID: 92a735e77c98f142818c8b3bcbc0f60904cffe8d0a7a3d56b63d08e358f157dc
                                        • Opcode Fuzzy Hash: 96245e9de38f50005d3a39a49e8015d912c897e8cf49f603a822488cb3ee859e
                                        • Instruction Fuzzy Hash: 8141CFB13406048FD345EB29C954B2A7BE6AFC9704F1484A9E50ACF3A6CE35EC42C791
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2936650417.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7c80000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4'kq
                                        • API String ID: 0-3255046985
                                        • Opcode ID: 50eee69d14f5137083712c3caef49cf5425e3bf1bcff3f34296201fb4bdd8370
                                        • Instruction ID: 240c393d67dadf18ecf2e4efaefe1216e73757af730366c60ac184a3926e8b90
                                        • Opcode Fuzzy Hash: 50eee69d14f5137083712c3caef49cf5425e3bf1bcff3f34296201fb4bdd8370
                                        • Instruction Fuzzy Hash: 6C318C713406149FD358EB69C994F2B77EAAFCC704F108468E60A8B3A5CE75EC42C790
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2936650417.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7c80000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (oq
                                        • API String ID: 0-3175707579
                                        • Opcode ID: cb9396f642464dfc48567a1012e51c47289465db8f2282bb81ebc102e391cd83
                                        • Instruction ID: 736492fea8751dab5d2b6eb882a5113a8bd13f3f86fc82d0e604ae41b37aa05d
                                        • Opcode Fuzzy Hash: cb9396f642464dfc48567a1012e51c47289465db8f2282bb81ebc102e391cd83
                                        • Instruction Fuzzy Hash: 4B3126763042156FDB05AF69D89096EBFA7EFCA360705807AE908CB3A9DE31CC01C791
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2936650417.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7c80000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: x
                                        • API String ID: 0-2363233923
                                        • Opcode ID: 5b2c2671bd76d772dadeed9bb48ad412971a1a3fa4f08cbe5c026c584fae0586
                                        • Instruction ID: fad0ac157eb5f3819338d25242309478e5d552b603b9538e210b9e8c42efa106
                                        • Opcode Fuzzy Hash: 5b2c2671bd76d772dadeed9bb48ad412971a1a3fa4f08cbe5c026c584fae0586
                                        • Instruction Fuzzy Hash: A5217C75A102099FCB05DFA8C444ADD7FF2AF8D324F14912AE411BB394CB359881CB60
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2936650417.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7c80000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: xoq
                                        • API String ID: 0-2982640460
                                        • Opcode ID: eb1451902db281ba569a438c8ecac084cbddba6bbaf2f15565be39afb7924d74
                                        • Instruction ID: d0ca21863b3a4ef408302da1b6ba7343f92d83d5cca5e2038d8f659f86bf2163
                                        • Opcode Fuzzy Hash: eb1451902db281ba569a438c8ecac084cbddba6bbaf2f15565be39afb7924d74
                                        • Instruction Fuzzy Hash: DFF0E5357401009FDB44CB19D940A5ABBE5FF88314F158099E5099F362D731FC018F90
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2936650417.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7c80000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b625e4a269d03606d2534a97b7aee83396a982eb340f2b558538eeeb2a0a7be3
                                        • Instruction ID: 44082d92aa02014399e46b62c6433d7788d239313a051862eaf7aabf05a0606f
                                        • Opcode Fuzzy Hash: b625e4a269d03606d2534a97b7aee83396a982eb340f2b558538eeeb2a0a7be3
                                        • Instruction Fuzzy Hash: 5F122C74B102198FCB54EF64C894A9DBBB2BF89300F5185A8D859AB365DF30ED89CF50
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2936650417.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7c80000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 58435fd1652e25690d1cd215d1c8c7d6e94c165f35e6c704e7acf322daf0a930
                                        • Instruction ID: cb8a762209736bf4dbe86ac69ddaaae209fc73744ddcffc5cfab039bd178f8fd
                                        • Opcode Fuzzy Hash: 58435fd1652e25690d1cd215d1c8c7d6e94c165f35e6c704e7acf322daf0a930
                                        • Instruction Fuzzy Hash: B1C1B2B1A046468FCB65DF29C494A3ABBF2FF85318F19855DE4878B692CB30F941CB41
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2936650417.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7c80000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4f368352ca094e83ab52b3d2afd984c5173ef0ce2340bcbfdd267c17a746f1de
                                        • Instruction ID: 63cbe0f8b5fea7ae21b0d041a821e0542222e2f005e5c5ff7c6ab798ce63dada
                                        • Opcode Fuzzy Hash: 4f368352ca094e83ab52b3d2afd984c5173ef0ce2340bcbfdd267c17a746f1de
                                        • Instruction Fuzzy Hash: 6FB1A2747106058FCB85EF74C8509AE7BB2AF89700F508569E8269F3A8DF35ED42CB91
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2936650417.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7c80000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d0336c829b89902b78c2991aa19e4292906ab612eec35f3c4a2862c2b543b441
                                        • Instruction ID: 8641d7e215b239259141d5d92a24c5721616470bbc83d8217ecbca99fffbab17
                                        • Opcode Fuzzy Hash: d0336c829b89902b78c2991aa19e4292906ab612eec35f3c4a2862c2b543b441
                                        • Instruction Fuzzy Hash: 6CA180747106188FCB44EF74C85096E77B2AFC9700F508968E8269B3A8DF75ED42CB91
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2936650417.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7c80000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 51a3edfa7ff1f0a2a4826f66e67f2461d3859a74b01e25d30c4745b49461af1a
                                        • Instruction ID: 2535a266a8e707992e4628f25245c8579a39e4b7254ad842c31fd35b57f310dd
                                        • Opcode Fuzzy Hash: 51a3edfa7ff1f0a2a4826f66e67f2461d3859a74b01e25d30c4745b49461af1a
                                        • Instruction Fuzzy Hash: 27B15B74B002158FCB54EF64C894B99BBB2BF89314F5581A8E849AB366DF30DD89CF50
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2936650417.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7c80000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ee82bc541b91b64012b0a1996a80ac80ed053fa8e93724840720bd1e07bbaf5f
                                        • Instruction ID: a65d2a7d66a7ce6de7b202aeb2ce135d907a9876e959e1bdb1fa74cfcaebcd10
                                        • Opcode Fuzzy Hash: ee82bc541b91b64012b0a1996a80ac80ed053fa8e93724840720bd1e07bbaf5f
                                        • Instruction Fuzzy Hash: 12A14374B112199FCB44EFA5D994E9EB7B6FF89700F108068E811AB3A5CB35ED41CB90
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2936650417.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7c80000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1a6a35f5dd5cab1415e6d01ebf9d6c64073be5e31c44d9ef0a641a9235573b2b
                                        • Instruction ID: dfa6ae31ff0ad59347f98775dde6469c37d3d7dada760ddeb34296eb0dcb75e1
                                        • Opcode Fuzzy Hash: 1a6a35f5dd5cab1415e6d01ebf9d6c64073be5e31c44d9ef0a641a9235573b2b
                                        • Instruction Fuzzy Hash: D4914D74710219CFCB84EF68D894A6D77F6AF89710F1481A9E916DB3A5CB30ED42CB90
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2936650417.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7c80000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 869a89089664355927af2663a5341fedfa04fb6c160f0dbced48979dd754bae7
                                        • Instruction ID: d917d35d6720b03a698f45b80e0bad92a4ac7e473d2ec456892c5f3318af7b4d
                                        • Opcode Fuzzy Hash: 869a89089664355927af2663a5341fedfa04fb6c160f0dbced48979dd754bae7
                                        • Instruction Fuzzy Hash: A88110B4A21229AFCB94DF98D980EADB7F2BF88314F514159E901AB366D731EC41CB40
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2936650417.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7c80000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6ff8f75f33f02ed2166d5631ee530f8d6d1ce8dc002dd35ae58e8f5e49f444fa
                                        • Instruction ID: db1646ff58a36a59bf35f7dfaf6f9b338b9ee452877e58971d3ea0239b67c0a0
                                        • Opcode Fuzzy Hash: 6ff8f75f33f02ed2166d5631ee530f8d6d1ce8dc002dd35ae58e8f5e49f444fa
                                        • Instruction Fuzzy Hash: A2615E74710205DFCB44EF64D894A6DB7F6BF89710F5481A9E8169B3A5CB30ED42CB90
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2936650417.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7c80000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: eadf6bc42168271761fce1d11423f87fe8e2e3208b7029468e39390b62c1e16d
                                        • Instruction ID: feacb51fc39b36c885b8d0aed598806f6010f9f8cc26af4a8984dca0b29f122b
                                        • Opcode Fuzzy Hash: eadf6bc42168271761fce1d11423f87fe8e2e3208b7029468e39390b62c1e16d
                                        • Instruction Fuzzy Hash: 4241B071B002069FC745EB69D850A5ABBF6FFC9310B2485AAE109DB361DA31AD01CB80
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2936650417.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7c80000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a1c3213d5d33a1bb54361fb445c4c08db3415e946850f03ee95c8e835338dd60
                                        • Instruction ID: deef3f264c58ae2dd38fa585e4bed275d5982f3b84615a599b7a0478f9e21a2c
                                        • Opcode Fuzzy Hash: a1c3213d5d33a1bb54361fb445c4c08db3415e946850f03ee95c8e835338dd60
                                        • Instruction Fuzzy Hash: F8419FB1B007198FCBA5DB78D5802AABBF1FFC4214B14896ED55AC7A54DB30F940CB81
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2936650417.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7c80000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 61a3a78f461c8bf3caa6b782fb344e1e04ca8771858715864f1993113b3b9b9b
                                        • Instruction ID: 2e3f92bfe6b8a300b5fe466c0d5887b3474cb1b08c1b21aa44de5949b0e6124f
                                        • Opcode Fuzzy Hash: 61a3a78f461c8bf3caa6b782fb344e1e04ca8771858715864f1993113b3b9b9b
                                        • Instruction Fuzzy Hash: DA316B75A001099BDF44EFA5DC94AEEB7B6FF88310F148029E801B73A4CB319D15CBA0
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2921281225.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_151d000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1851c7cec184cee00c1af5c7f20908f765ba4347c5ca4bc26246530add28afa1
                                        • Instruction ID: 0d5f278beebf7fceb46b26a378b172bce29f85558cb4ed8aa16f2176019881c4
                                        • Opcode Fuzzy Hash: 1851c7cec184cee00c1af5c7f20908f765ba4347c5ca4bc26246530add28afa1
                                        • Instruction Fuzzy Hash: 00210075604200DFEB16DF58D988B2ABBB1FB84314F20C96DD8094F25AD33AD846CA61
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2936650417.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7c80000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3f4351f0779d3273715426d6843409e56e36083200b64ecd0b893c184ca88173
                                        • Instruction ID: 7611ddcc9f8e2e42d588521e964ac0fcbabf4ddede2366d5329ffec94dcbf897
                                        • Opcode Fuzzy Hash: 3f4351f0779d3273715426d6843409e56e36083200b64ecd0b893c184ca88173
                                        • Instruction Fuzzy Hash: 83217C71A102099FCB05DFA9C8549DEBFB6EF8D320F149129E811B7390CB319881CBA0
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2921281225.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_151d000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: da411e93a22195a852d0a6b745c00cef95ecc7dd9d8ad91505b93300a4b090aa
                                        • Instruction ID: 6691653f443efe6f513e41f9bc9c821948cd5b0316a820a5269d60db0563a4c1
                                        • Opcode Fuzzy Hash: da411e93a22195a852d0a6b745c00cef95ecc7dd9d8ad91505b93300a4b090aa
                                        • Instruction Fuzzy Hash: 97219F755093808FDB03CF24D994B15BF71FB46214F28C5EAD8498F667C33A984ACB62
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2936650417.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7c80000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 436676f4c9d265517a00a3d19c7cb0837b6a655bad411c5e4181cb22fb04e357
                                        • Instruction ID: 3892f9ca5f0431f34ca122ab7f18a085c0711a6df92956ee06bd2d5f93139c8a
                                        • Opcode Fuzzy Hash: 436676f4c9d265517a00a3d19c7cb0837b6a655bad411c5e4181cb22fb04e357
                                        • Instruction Fuzzy Hash: 6F0104F2509B815FC3629760D8C00E6BFB0DF43208719889BD099C74A3D235B94AD391
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2936650417.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7c80000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7e3f32c7ac5596bf2f81e2ca61bd998fa103ab95e6cfb087102f6e64d1b7c114
                                        • Instruction ID: b6c22633d01bc41ccf99bf5caf18ab3b4fc880d306f11ca01d48cc1195c2cb50
                                        • Opcode Fuzzy Hash: 7e3f32c7ac5596bf2f81e2ca61bd998fa103ab95e6cfb087102f6e64d1b7c114
                                        • Instruction Fuzzy Hash: 6C0104B53007448FC365AB30C944A7A3BE2ABC6314F1C896DE4568B6E5DB35DC43C791
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2936650417.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7c80000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 67e3b812cbc51632d1551b3a8ab5b6e98df6ee263d6bfe3e968ce52f363393d2
                                        • Instruction ID: 16f650912f4e0b5432cb84ea475570e299a82138af5daf9814a194a287ef5c0b
                                        • Opcode Fuzzy Hash: 67e3b812cbc51632d1551b3a8ab5b6e98df6ee263d6bfe3e968ce52f363393d2
                                        • Instruction Fuzzy Hash: B6110470A20228DFCB54DF58DD94EADB7F1BF84324F150059E902AB3A2CB349C41DB50
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2936650417.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7c80000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 94d4be09a13b99aa3f9e88c43ef906bee6c7360f7ab91753a5b129378c887e01
                                        • Instruction ID: c8a6f67344b4aad6c911b660b2eade4fee55dff03099033529c0bf15ebb551f1
                                        • Opcode Fuzzy Hash: 94d4be09a13b99aa3f9e88c43ef906bee6c7360f7ab91753a5b129378c887e01
                                        • Instruction Fuzzy Hash: 9111C8B5D00609EFC751DFA9D9049EDBBF4EF8A310B00855AE159E7210EB30AA05CB61
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2936650417.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7c80000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f6905f2743cfdfa871c2edc7b2dd6de02e2c21c259a4aeeba91bcb1db2420827
                                        • Instruction ID: dc5a57213ce5b2b5054ed190c7520494aeecc694c97801fe2958398b407d3944
                                        • Opcode Fuzzy Hash: f6905f2743cfdfa871c2edc7b2dd6de02e2c21c259a4aeeba91bcb1db2420827
                                        • Instruction Fuzzy Hash: 6A112A70A21228DFCB55DB58DC94EADBBF1BF88324F154159F912AB3A2CB749C41CB50
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2936650417.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7c80000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c4128a3e148d56cee10c9a4ed3856824c56500344eff05fcd5c7199f9b2fffa2
                                        • Instruction ID: f54a7b64c34fb1d6b653ee60b93a0f147afd1918f43368c2c426772ff9fd8410
                                        • Opcode Fuzzy Hash: c4128a3e148d56cee10c9a4ed3856824c56500344eff05fcd5c7199f9b2fffa2
                                        • Instruction Fuzzy Hash: 43019E753002088FD764AA25C884A2A77E2ABC9315F18896CE8664B694DB75EC43CB80
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2921240406.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_150d000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d45d7c36c762ece40c24740b89d027499b5b017244792530611c6919e884e16d
                                        • Instruction ID: ffcb888e17fde21c3a38169124d0995530e477316d6b96e82e7481b3e5bc35a9
                                        • Opcode Fuzzy Hash: d45d7c36c762ece40c24740b89d027499b5b017244792530611c6919e884e16d
                                        • Instruction Fuzzy Hash: 71F04976200A40AFD3208F4ACD84C27FBB9FBC4634319C59AEC4A5B651C631EC42CEA0
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2921240406.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_150d000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 522aa6a7c379a3bf7e85dc3440b748af933bb2e54638cb0dba3e7d7d048e0965
                                        • Instruction ID: 61e536267bac5314e1a8556215d419e3bf6114d7a496aedfadc5b5ab99f080c7
                                        • Opcode Fuzzy Hash: 522aa6a7c379a3bf7e85dc3440b748af933bb2e54638cb0dba3e7d7d048e0965
                                        • Instruction Fuzzy Hash: 23F03775104A80AFD326CF56CD84C22BFB9FF8566071A8489EC4A9B362C634FC42CF60
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2936650417.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7c80000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d16d5906f26f5dbfd528bb65160ce5ef5c1858e06fd2b1445011e7075b766aac
                                        • Instruction ID: 299bc3140fff17e8603b6c94521add800eb8de4f687cc72e84a7001a27ea932f
                                        • Opcode Fuzzy Hash: d16d5906f26f5dbfd528bb65160ce5ef5c1858e06fd2b1445011e7075b766aac
                                        • Instruction Fuzzy Hash: 74E04F3144E2C59FCB478F70ECE56C87F709F13250B1980EBE8989A0B3C62544AAC722
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2936650417.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7c80000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 831c50884b209392aa5b8207b79763f68eb5d40a3bb4de92d8e5ce1fd16a71e7
                                        • Instruction ID: f485887c40021d4b04ab9e96724c580b71826cfaecd9f7299b58c071c9595a8a
                                        • Opcode Fuzzy Hash: 831c50884b209392aa5b8207b79763f68eb5d40a3bb4de92d8e5ce1fd16a71e7
                                        • Instruction Fuzzy Hash: 7DE086A16462800BC745E3B459741F96F938B8651031580D7D04ACB759C8704C468766
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2936650417.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7c80000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c6c764a8d9f48b971ad540cb25d8a8f153de2648cfa06d33a0f698d319e56826
                                        • Instruction ID: f1b63b70e71eccb87801cfcba02191cf6def6bb4883cb99d3f0560e7fd412a6e
                                        • Opcode Fuzzy Hash: c6c764a8d9f48b971ad540cb25d8a8f153de2648cfa06d33a0f698d319e56826
                                        • Instruction Fuzzy Hash: CDD0C97570021857CB08E6BAA42057FB6DF9BC9A50B05806ADA0AC3744CDB59C014AAA
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2936650417.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7c80000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0517a0be6a414d4e8f5e70e243f5ed2176308ab4ae07ce465eec3fda36e79a12
                                        • Instruction ID: c12b2347baa4506d4b9b0775252a941ea42cb00b0745f27be9e95f8055e2471b
                                        • Opcode Fuzzy Hash: 0517a0be6a414d4e8f5e70e243f5ed2176308ab4ae07ce465eec3fda36e79a12
                                        • Instruction Fuzzy Hash: F0C0023B3500149F87009B6DF884C99B7B9EBD9675320816BF209CB230C67298159B50
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2936650417.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7c80000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: acce728a79ab3cf2058b5511c4904abd6a7374fdb9943cf90738fee5a5c3801e
                                        • Instruction ID: 785416983ea2a8f4845e871ff155bb8cb76107ad861914675e4a963c4bfc910d
                                        • Opcode Fuzzy Hash: acce728a79ab3cf2058b5511c4904abd6a7374fdb9943cf90738fee5a5c3801e
                                        • Instruction Fuzzy Hash: 62B0923600020CAB87009A84EC04895BB69AB98611700C025BA09061258B72A862DB98
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2921587900.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_2f40000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 31711ae56094709f1c4b2e0ab9bfe89965babd2c8c581a3ca7d289da28d29648
                                        • Instruction ID: 13a0342216b19f200c2fbf2a664318bf4ac259e037baca9e111c321875b45489
                                        • Opcode Fuzzy Hash: 31711ae56094709f1c4b2e0ab9bfe89965babd2c8c581a3ca7d289da28d29648
                                        • Instruction Fuzzy Hash: 16A16032E002058FCF15DFB4C8445AEBBB2FF89744B15466AEA06AB225DFB1E955CF40
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2936650417.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7c80000_RegAsm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1743a811a3a722c885dae5df6c93cb63305b9875a6834a1fb79e5bca741f1383
                                        • Instruction ID: 8ff645b97d446fb41d9407653c419c860eb345557574ad3055ceb6d672588b9f
                                        • Opcode Fuzzy Hash: 1743a811a3a722c885dae5df6c93cb63305b9875a6834a1fb79e5bca741f1383
                                        • Instruction Fuzzy Hash: 1B913A743402058FDB44EF39D990A6A77A6EFC9740F1080A8EA11CF3B9DA35EC42CB90