Windows Analysis Report
ppZrIGFA6W.exe

Overview

General Information

Sample name: ppZrIGFA6W.exe (renamed because original name is a hash value)
Original sample name: 587f51d39a17424559aaeaf026d20635.exe
Analysis ID: 1615990
MD5: 587f51d39a17424559aaeaf026d20635
SHA1: 8a637b6fab8ddaf2fcc6fcc28956ca9e7db58ad2
SHA256: 153dfe43d602c377bcfaa7276cfe7de03b213490105bda91b9e8f3069bbb392e
Tags: exe, QuasarRAT, RAT, user-abuse_ch

Detection

Quasar
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Quasar RAT
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Sample uses string decryption to hide its real strings
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • ppZrIGFA6W.exe (PID: 7388 cmdline: "C:\Users\user\Desktop\ppZrIGFA6W.exe" MD5: 587F51D39A17424559AAEAF026D20635)
    • schtasks.exe (PID: 7444 cmdline: "schtasks" /create /tn "MicroSoft" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\msbook.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 7460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • msbook.exe (PID: 7512 cmdline: "C:\Users\user\AppData\Roaming\SubDir\msbook.exe" MD5: 587F51D39A17424559AAEAF026D20635)
      • schtasks.exe (PID: 7540 cmdline: "schtasks" /create /tn "MicroSoft" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\msbook.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 7552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • msbook.exe (PID: 7684 cmdline: "C:\Users\user\AppData\Roaming\SubDir\msbook.exe" MD5: 587F51D39A17424559AAEAF026D20635)
  • msbook.exe (PID: 7980 cmdline: "C:\Users\user\AppData\Roaming\SubDir\msbook.exe" MD5: 587F51D39A17424559AAEAF026D20635)
  • cleanup
Name: Quasar RAT, QuasarRAT
Description: Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
Attribution:
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat
{"Version": "1.4.1", "Host:Port": ["wqo9.firewall-gateway.de:9792", "bz-frnd1.ydns.eu:2484"], "SubDirectory": "SubDir", "InstallName": "msbook.exe", "MutexName": "34fre6531-dcva6-4314-b1be5-acf372ee34155", "StartupKey": "MicroSoft", "Tag": "TR", "LogDirectoryName": "Logs", "ServerSignature": "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", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQANqzkhOLx49IztAjuviKazANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MDgyMDEyNDQxNVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgCzkFEuivKBaTsClmq/3wI2X1uYUZUxf0vEiobTv72lQBIu1jz/r6PADg+cpeGisY1MV3VsdWhecO8dT7LosHtl/FnpTjASkUp3LF0d6cPTgeLsKbK/xJ06uq5gaKvG8Q5zXq6Jbxv+STJdEgmxCf1SPAXViD1PIiGLt2B24qZyOtsSpTSnM5cQuLAvr/6xZG7GYkCU7PRADMGFUm3Xg6L3vRUU3h6vaddoMBAW9ENXVaym1eN5aax3x4tLNUp+kerM+kb/Ab/mi01+PfutPKTptP/dqEGZuKmVrGdX9A+s2Wo6sPtSl85NJT+HT+SSrROvGbx4GH3d6MSHx71JSzy+dph46LV3brBMzY/2xvLbIuPVHqniL/Y0bsUke6aD9cfXIa4UBi7TiKBuoKJYqoYa/VgdoqB4yDaczAnzzYXov7thvPL1Rwv5TueNsPSrQbXbvEJUDxRazlLIrGLuYzeGrnbFHOTM8KKpSVnE8uiXiSEW31DRNHXyLImklMHjwtGd4sjZD5EfkUcg1v9gVCu80ggT+/l7SflY07DOLFvS1ii2ZUPu3IjcbyPtlFj6pGUYjMbIZj8AdqIKyMh6IWtbsu6TMC2yEPSk5pwXrEf7M89nIfHtuhZio+mZ0MhGyHos3nv51/dDBKQnEtcJiODik24kI3JTMGnfQsp7IMjECAwEAAaMyMDAwHQYDVR0OBBYEFFUq5ihhM0we5AVYMhcmFpT6wUKMMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAFQvpu2xTTenJ6N6YiRWxJ1cwH673yEt60lfsF/xncTeD79qdjD371b1GzQtcYZtYuSdgajGG4YZ8gBrwthm2fOcfuWK2VRDOe7/++mJVEvvsUzzexNeB5nZCYuu1N4UA7z8RHJy6ycPTTcelqyMKUjAGTCZa2BQhkxoFq+wBrEZrY975RcEe7bNNWg0S8YpvdKXxwy/gDZUoWyWXvgmDFQ6VjzDk3jJb0fonxnP/9F7sjd1uU2t5d6aQdPXzbzgWC/IKRXpfdIIZe15uHs1o1O909ymViRRsyy36cjwZ1M2snHWsU7vO//CptldBoV6k6bKkvXA23Cg1vUT0mj0MW554Vb20afxPhyWqHQa4ffHspH2HxViicHx9YaD+WjNAER0Skdo7/sxVR9Ozms2kb8Tyd18mwtVvwmlBNdtwsw8MX9PeW0AXlJUXkHkj47TVP+yyv1dKdUaGZq+ErPjiGoQGBCeHrrtGh+WryK38T7huLnpt++Q4U+CJ6+u9Mvd+C7MCZmgsO9sn0fTL/z54j3zBaWZoRcUZg8IZ7U+C5eGCrg9VjubVdYSar5CrCQnw8x2Rl63qjLVOwpiRoNnEXxmE23yyx1hkP8r27Ec
TbH7PpJHI22khScfDhf0X/99HEaBqcs+GI+YnC5dpPHY9koTdT5JckCfPJ9sprOn9Ble"}
Source | Rule | Description | Author | Strings
ppZrIGFA6W.exe | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
ppZrIGFA6W.exe | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth
    • 0x28ee9d:$x1: Quasar.Common.Messages
    • 0x29f1c6:$x1: Quasar.Common.Messages
    • 0x2ab81a:$x4: Uninstalling... good bye :-(
    • 0x2ad00f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
ppZrIGFA6W.exe | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifcats observed in infostealers | ditekSHen
    • 0x2aadcc:$f1: FileZilla\recentservers.xml
    • 0x2aae0c:$f2: FileZilla\sitemanager.xml
    • 0x2aae4e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
    • 0x2ab09a:$b1: Chrome\User Data\
    • 0x2ab0f0:$b1: Chrome\User Data\
    • 0x2ab3c8:$b2: Mozilla\Firefox\Profiles
    • 0x2ab4c4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
    • 0x2fd478:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
    • 0x2ab61c:$b4: Opera Software\Opera Stable\Login Data
    • 0x2ab6d6:$b5: YandexBrowser\User Data\
    • 0x2ab744:$b5: YandexBrowser\User Data\
    • 0x2ab418:$s4: logins.json
    • 0x2ab14e:$a1: username_value
    • 0x2ab16c:$a2: password_value
    • 0x2ab458:$a3: encryptedUsername
    • 0x2fd3bc:$a3: encryptedUsername
    • 0x2ab47c:$a4: encryptedPassword
    • 0x2fd3da:$a4: encryptedPassword
    • 0x2fd358:$a5: httpRealm
ppZrIGFA6W.exe | MALWARE_Win_QuasarStealer | Detects Quasar infostealer | ditekshen
    • 0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
    • 0x2ab904:$s3: Process already elevated.
    • 0x28eb9c:$s4: get_PotentiallyVulnerablePasswords
    • 0x278c58:$s5: GetKeyloggerLogsDirectory
    • 0x29e925:$s5: GetKeyloggerLogsDirectory
    • 0x28ebbf:$s6: set_PotentiallyVulnerablePasswords
    • 0x2feaa6:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\SubDir\msbook.exe | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
C:\Users\user\AppData\Roaming\SubDir\msbook.exe | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth
      • 0x28ee9d:$x1: Quasar.Common.Messages
      • 0x29f1c6:$x1: Quasar.Common.Messages
      • 0x2ab81a:$x4: Uninstalling... good bye :-(
      • 0x2ad00f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
C:\Users\user\AppData\Roaming\SubDir\msbook.exe | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifcats observed in infostealers | ditekSHen
      • 0x2aadcc:$f1: FileZilla\recentservers.xml
      • 0x2aae0c:$f2: FileZilla\sitemanager.xml
      • 0x2aae4e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
      • 0x2ab09a:$b1: Chrome\User Data\
      • 0x2ab0f0:$b1: Chrome\User Data\
      • 0x2ab3c8:$b2: Mozilla\Firefox\Profiles
      • 0x2ab4c4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
      • 0x2fd478:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
      • 0x2ab61c:$b4: Opera Software\Opera Stable\Login Data
      • 0x2ab6d6:$b5: YandexBrowser\User Data\
      • 0x2ab744:$b5: YandexBrowser\User Data\
      • 0x2ab418:$s4: logins.json
      • 0x2ab14e:$a1: username_value
      • 0x2ab16c:$a2: password_value
      • 0x2ab458:$a3: encryptedUsername
      • 0x2fd3bc:$a3: encryptedUsername
      • 0x2ab47c:$a4: encryptedPassword
      • 0x2fd3da:$a4: encryptedPassword
      • 0x2fd358:$a5: httpRealm
C:\Users\user\AppData\Roaming\SubDir\msbook.exe | MALWARE_Win_QuasarStealer | Detects Quasar infostealer | ditekshen
      • 0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
      • 0x2ab904:$s3: Process already elevated.
      • 0x28eb9c:$s4: get_PotentiallyVulnerablePasswords
      • 0x278c58:$s5: GetKeyloggerLogsDirectory
      • 0x29e925:$s5: GetKeyloggerLogsDirectory
      • 0x28ebbf:$s6: set_PotentiallyVulnerablePasswords
      • 0x2feaa6:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
Source | Rule | Description | Author | Strings
00000000.00000000.1755254471.0000000000780000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000003.00000002.4210746779.00000000034E1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000000.00000000.1754872269.0000000000462000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
Process Memory Space: ppZrIGFA6W.exe PID: 7388 | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
Process Memory Space: msbook.exe PID: 7512 | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security

Source | Rule | Description | Author | Strings
0.0.ppZrIGFA6W.exe.460000.0.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
0.0.ppZrIGFA6W.exe.460000.0.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth
                  • 0x28ee9d:$x1: Quasar.Common.Messages
                  • 0x29f1c6:$x1: Quasar.Common.Messages
                  • 0x2ab81a:$x4: Uninstalling... good bye :-(
                  • 0x2ad00f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.0.ppZrIGFA6W.exe.460000.0.unpack | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifcats observed in infostealers | ditekSHen
                  • 0x2aadcc:$f1: FileZilla\recentservers.xml
                  • 0x2aae0c:$f2: FileZilla\sitemanager.xml
                  • 0x2aae4e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
                  • 0x2ab09a:$b1: Chrome\User Data\
                  • 0x2ab0f0:$b1: Chrome\User Data\
                  • 0x2ab3c8:$b2: Mozilla\Firefox\Profiles
                  • 0x2ab4c4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
                  • 0x2fd478:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
                  • 0x2ab61c:$b4: Opera Software\Opera Stable\Login Data
                  • 0x2ab6d6:$b5: YandexBrowser\User Data\
                  • 0x2ab744:$b5: YandexBrowser\User Data\
                  • 0x2ab418:$s4: logins.json
                  • 0x2ab14e:$a1: username_value
                  • 0x2ab16c:$a2: password_value
                  • 0x2ab458:$a3: encryptedUsername
                  • 0x2fd3bc:$a3: encryptedUsername
                  • 0x2ab47c:$a4: encryptedPassword
                  • 0x2fd3da:$a4: encryptedPassword
                  • 0x2fd358:$a5: httpRealm
0.0.ppZrIGFA6W.exe.460000.0.unpack | MALWARE_Win_QuasarStealer | Detects Quasar infostealer | ditekshen
                  • 0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
                  • 0x2ab904:$s3: Process already elevated.
                  • 0x28eb9c:$s4: get_PotentiallyVulnerablePasswords
                  • 0x278c58:$s5: GetKeyloggerLogsDirectory
                  • 0x29e925:$s5: GetKeyloggerLogsDirectory
                  • 0x28ebbf:$s6: set_PotentiallyVulnerablePasswords
                  • 0x2feaa6:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\Users\user\AppData\Roaming\SubDir\msbook.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\ppZrIGFA6W.exe, ProcessId: 7388, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroSoft
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "schtasks" /create /tn "MicroSoft" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\msbook.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "MicroSoft" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\msbook.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\SubDir\msbook.exe", ParentImage: C:\Users\user\AppData\Roaming\SubDir\msbook.exe, ParentProcessId: 7512, ParentProcessName: msbook.exe, ProcessCommandLine: "schtasks" /create /tn "MicroSoft" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\msbook.exe" /rl HIGHEST /f, ProcessId: 7540, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "schtasks" /create /tn "MicroSoft" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\msbook.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "MicroSoft" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\msbook.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\ppZrIGFA6W.exe", ParentImage: C:\Users\user\Desktop\ppZrIGFA6W.exe, ParentProcessId: 7388, ParentProcessName: ppZrIGFA6W.exe, ProcessCommandLine: "schtasks" /create /tn "MicroSoft" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\msbook.exe" /rl HIGHEST /f, ProcessId: 7444, ProcessName: schtasks.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-15T22:21:49.218908+0100 | 2035595 | 1 | Domain Observed Used for C2 Detected | 195.211.190.227 | 2484 | 192.168.2.4 | 49738 | TCP
2025-02-15T22:21:49.218908+0100 | 2027619 | 1 | Domain Observed Used for C2 Detected | 195.211.190.227 | 2484 | 192.168.2.4 | 49738 | TCP

AV Detection

Source: ppZrIGFA6W.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe | Avira: detection malicious, Label: HEUR/AGEN.1307453
                  Source: ppZrIGFA6W.exeMalware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": ["wqo9.firewall-gateway.de:9792", "bz-frnd1.ydns.eu:2484"], "SubDirectory": "SubDir", "InstallName": "msbook.exe", "MutexName": "34fre6531-dcva6-4314-b1be5-acf372ee34155", "StartupKey": "MicroSoft", "Tag": "TR", "LogDirectoryName": "Logs", "ServerSignature": "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", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQANqzkhOLx49IztAjuviKazANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MDgyMDEyNDQxNVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgCzkFEuivKBaTsClmq/3wI2X1uYUZUxf0vEiobTv72lQBIu1jz/r6PADg+cpeGisY1MV3VsdWhecO8dT7LosHtl/FnpTjASkUp3LF0d6cPTgeLsKbK/xJ06uq5gaKvG8Q5zXq6Jbxv+STJdEgmxCf1SPAXViD1PIiGLt2B24qZyOtsSpTSnM5cQuLAvr/6xZG7GYkCU7PRADMGFUm3Xg6L3vRUU3h6vaddoMBAW9ENXVaym1eN5aax3x4tLNUp+kerM+kb/Ab/mi01+PfutPKTptP/dqEGZuKmVrGdX9A+s2Wo6sPtSl85NJT+HT+SSrROvGbx4GH3d6MSHx71JSzy+dph46LV3brBMzY/2xvLbIuPVHqniL/Y0bsUke6aD9cfXIa4UBi7TiKBuoKJYqoYa/VgdoqB4yDaczAnzzYXov7thvPL1Rwv5TueNsPSrQbXbvEJUDxRazlLIrGLuYzeGrnbFHOTM8KKpSVnE8uiXiSEW31DRNHXyLImklMHjwtGd4sjZD5EfkUcg1v9gVCu80ggT+/l7SflY07DOLFvS1ii2ZUPu3IjcbyPtlFj6pGUYjMbIZj8AdqIKyMh6IWtbsu6TMC2yEPSk5pwXrEf7M89nIfHtuhZio+mZ0MhGyHos3nv51/dDBKQnEtcJiODik24kI3JTMGnfQsp7IMjECAwEAAaMyMDAwHQYDVR0OBBYEFFUq5ihhM0we5AVYMhcmFpT6wUKMMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAFQvpu2xTTenJ6N6YiRWxJ1cwH673yEt60lfsF/xncTeD79qdjD371b1GzQtcYZtYuSdgajGG4YZ8gBrwthm2fOcfuWK2VRDOe7/++mJVEvvsUzzexNeB5nZCYuu1N4UA7z8RHJy6ycPTTcelqyMKUjAGTCZa2BQhkxoFq+wBrEZrY975RcEe7bNNWg0S8YpvdKXxwy/gDZUoWyWXvgmDFQ6VjzDk3jJb0fonxnP/9F7sjd1uU2t5d6aQdPXzbzgWC/IKRXpfdIIZe15uHs1o1O909ymViRRsyy36cjwZ1M2snHWsU7vO//CptldBoV6k6bKkvXA23Cg1vUT0mj0MW554Vb20afxPhyWqHQa4ffHspH2HxViicHx9YaD+WjNAER0Skdo7/sxVR9Ozms2kb8Tyd18mwtVvwmlBNdtwsw8MX9PeW0AXlJUXkHkj47TVP+yyv1dKdUaGZq+ErPjiGoQGBCeHrrtGh+WryK38T7huLnpt++Q4U+CJ6+u9Mvd+C7MCZmgsO9sn0fTL/z54j3z
BaWZoRcUZg8IZ7U+C5eGCrg9VjubVdYSar5CrCQnw8x2Rl63qjLVOwpiRoNnEXxmE23yyx1hkP8r27EcTbH7PpJHI22khScfDhf0X/99HEaBqcs+GI+YnC5dpPHY9koTdT5JckCfPJ9sprOn9Ble"}
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe | ReversingLabs: Detection: 75%
Source: ppZrIGFA6W.exe | Virustotal: Detection: 76%
Source: ppZrIGFA6W.exe | ReversingLabs: Detection: 75%
Source: Yara match | File source: ppZrIGFA6W.exe, type: SAMPLE
Source: Yara match | File source: 0.0.ppZrIGFA6W.exe.460000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1755254471.0000000000780000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4210746779.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1754872269.0000000000462000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ppZrIGFA6W.exe PID: 7388, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: msbook.exe PID: 7512, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: ppZrIGFA6W.exe | String decryptor: 1.4.1
Source: ppZrIGFA6W.exe | String decryptor: wqo9.firewall-gateway.de:9792;bz-frnd1.ydns.eu:2484;
Source: ppZrIGFA6W.exe | String decryptor: SubDir
Source: ppZrIGFA6W.exe | String decryptor: msbook.exe
Source: ppZrIGFA6W.exe | String decryptor: 34fre6531-dcva6-4314-b1be5-acf372ee34155
Source: ppZrIGFA6W.exe | String decryptor: MicroSoft
Source: ppZrIGFA6W.exe | String decryptor: TR
Source: ppZrIGFA6W.exe | String decryptor: Logs
Source: ppZrIGFA6W.exe | String decryptor: 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
Source: ppZrIGFA6W.exe | String decryptor: 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
Source: ppZrIGFA6W.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: ppZrIGFA6W.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Network traffic | Suricata IDS: 2027619 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (Quasar CnC) : 195.211.190.227:2484 -> 192.168.2.4:49738
Source: Network traffic | Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert : 195.211.190.227:2484 -> 192.168.2.4:49738
Source: global traffic | TCP traffic: 192.168.2.4:49731 -> 94.6.68.101:9792
Source: global traffic | TCP traffic: 192.168.2.4:49738 -> 195.211.190.227:2484
Source: Joe Sandbox View | IP Address: 195.201.57.90
Source: Joe Sandbox View | IP Address: 195.201.57.90
Source: Joe Sandbox View | ASN Name: BSKYB-BROADBAND-ASGB
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: ipwho.is
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0 | Host: ipwho.is | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0 | Host: ipwho.is | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: wqo9.firewall-gateway.de
Source: global traffic | DNS traffic detected: DNS query: bz-frnd1.ydns.eu
Source: global traffic | DNS traffic detected: DNS query: ipwho.is
Source: msbook.exe, 00000003.00000002.4219055443.000000001BD34000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: msbook.exe, 00000003.00000002.4209688025.0000000001547000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabr)
Source: msbook.exe, 00000003.00000002.4210746779.0000000003492000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ipwho.is
Source: msbook.exe, 00000003.00000002.4210746779.00000000034E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: ppZrIGFA6W.exe, 00000000.00000002.1782304189.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, msbook.exe, 00000003.00000002.4210746779.00000000030C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ppZrIGFA6W.exe, msbook.exe.0.dr | String found in binary or memory: https://api.ipify.org/
Source: msbook.exe, 00000003.00000002.4210746779.0000000003479000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ipwho.is
Source: ppZrIGFA6W.exe, msbook.exe.0.dr | String found in binary or memory: https://ipwho.is/
Source: ppZrIGFA6W.exe, msbook.exe.0.dr | String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: ppZrIGFA6W.exe, msbook.exe.0.dr | String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: ppZrIGFA6W.exe, msbook.exe.0.dr | String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown | HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.4:49739 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\SubDir\msbook.exe

E-Banking Fraud

Source: Yara match | File source: ppZrIGFA6W.exe, type: SAMPLE
Source: Yara match | File source: 0.0.ppZrIGFA6W.exe.460000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1755254471.0000000000780000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4210746779.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1754872269.0000000000462000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ppZrIGFA6W.exe PID: 7388, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: msbook.exe PID: 7512, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe, type: DROPPED

                  System Summary

                  barindex
                  Source: ppZrIGFA6W.exe, type: SAMPLEMatched rule: Detects QuasarRAT malware Author: Florian Roth
                  Source: ppZrIGFA6W.exe, type: SAMPLEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                  Source: ppZrIGFA6W.exe, type: SAMPLEMatched rule: Detects Quasar infostealer Author: ditekshen
                  Source: 0.0.ppZrIGFA6W.exe.460000.0.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
                  Source: 0.0.ppZrIGFA6W.exe.460000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                  Source: 0.0.ppZrIGFA6W.exe.460000.0.unpack, type: UNPACKEDPEMatched rule: Detects Quasar infostealer Author: ditekshen
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe, type: DROPPEDMatched rule: Detects QuasarRAT malware Author: Florian Roth
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe, type: DROPPEDMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe, type: DROPPEDMatched rule: Detects Quasar infostealer Author: ditekshen
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeCode function: 3_2_00007FFD9BAF9BD13_2_00007FFD9BAF9BD1
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeCode function: 3_2_00007FFD9BAF92713_2_00007FFD9BAF9271
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeCode function: 3_2_00007FFD9BAFAFDD3_2_00007FFD9BAFAFDD
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeCode function: 3_2_00007FFD9BAF55D63_2_00007FFD9BAF55D6
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeCode function: 3_2_00007FFD9BAF621F3_2_00007FFD9BAF621F
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeCode function: 3_2_00007FFD9BB011D03_2_00007FFD9BB011D0
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeCode function: 3_2_00007FFD9BB0269B3_2_00007FFD9BB0269B
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeCode function: 3_2_00007FFD9BCE23213_2_00007FFD9BCE2321
                  Source: ppZrIGFA6W.exe, 00000000.00000000.1755254471.0000000000780000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameClient.exe. vs ppZrIGFA6W.exe
                  Source: ppZrIGFA6W.exeBinary or memory string: OriginalFilenameClient.exe. vs ppZrIGFA6W.exe
                  Source: ppZrIGFA6W.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ppZrIGFA6W.exe, type: SAMPLE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: ppZrIGFA6W.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifacts observed in infostealers
Source: ppZrIGFA6W.exe, type: SAMPLE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.0.ppZrIGFA6W.exe.460000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.0.ppZrIGFA6W.exe.460000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifacts observed in infostealers
Source: 0.0.ppZrIGFA6W.exe.460000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe, type: DROPPED | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifacts observed in infostealers
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe, type: DROPPED | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@11/4@3/3
Source: C:\Users\user\Desktop\ppZrIGFA6W.exe | File created: C:\Users\user\AppData\Roaming\SubDir
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe | Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\34fre6531-dcva6-4314-b1be5-acf372ee34155
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7460:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7552:120:WilError_03
Source: ppZrIGFA6W.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ppZrIGFA6W.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\ppZrIGFA6W.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ppZrIGFA6W.exe | Virustotal: Detection: 76%
Source: ppZrIGFA6W.exe | ReversingLabs: Detection: 75%
Source: ppZrIGFA6W.exe | String found in binary or memory: HasSubValue3Conflicting item/add type
Source: C:\Users\user\Desktop\ppZrIGFA6W.exe | File read: C:\Users\user\Desktop\ppZrIGFA6W.exe
Source: unknown | Process created: C:\Users\user\Desktop\ppZrIGFA6W.exe "C:\Users\user\Desktop\ppZrIGFA6W.exe"
Source: C:\Users\user\Desktop\ppZrIGFA6W.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "MicroSoft" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\msbook.exe" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ppZrIGFA6W.exe | Process created: C:\Users\user\AppData\Roaming\SubDir\msbook.exe "C:\Users\user\AppData\Roaming\SubDir\msbook.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "MicroSoft" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\msbook.exe" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\SubDir\msbook.exe "C:\Users\user\AppData\Roaming\SubDir\msbook.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\SubDir\msbook.exe "C:\Users\user\AppData\Roaming\SubDir\msbook.exe"
Source: C:\Users\user\Desktop\ppZrIGFA6W.exe | Section loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msasn1.dll, sspicli.dll, ntmarta.dll, apphelp.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll, taskschd.dll, sspicli.dll, xmllite.dll
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe | Section loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msasn1.dll, sspicli.dll, mswsock.dll, dnsapi.dll, iphlpapi.dll, rasadhlp.dll, fwpuclnt.dll, secur32.dll, schannel.dll, userenv.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, gpapi.dll, rasapi32.dll, rasman.dll, rtutils.dll, winhttp.dll, ondemandconnroutehelper.dll, dhcpcsvc6.dll, dhcpcsvc.dll, winnsi.dll, wbemcomn.dll, amsi.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll, taskschd.dll, sspicli.dll, xmllite.dll
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe | Section loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msasn1.dll
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe | Section loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msasn1.dll
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: ppZrIGFA6W.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: ppZrIGFA6W.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: ppZrIGFA6W.exe | Static file information: File size 3266048 > 1048576
Source: ppZrIGFA6W.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x31c600
Source: ppZrIGFA6W.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe | Code function: 3_2_00007FFD9B76D2A5 pushad ; iretd 3_2_00007FFD9B76D2A6
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe | Code function: 3_2_00007FFD9B887963 push ebx; retf 3_2_00007FFD9B88796A
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe | Code function: 3_2_00007FFD9BB05373 push cs; retf 3_2_00007FFD9BB05374
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe | Code function: 3_2_00007FFD9BAF336E push eax; ret 3_2_00007FFD9BAF340C
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe | Code function: 3_2_00007FFD9BB05363 push cs; retf 3_2_00007FFD9BB05364
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe | Code function: 3_2_00007FFD9BB05353 push cs; retf 3_2_00007FFD9BB05354
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe | Code function: 3_2_00007FFD9BB05ABB pushad ; retf 3_2_00007FFD9BB05B0B
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe | Code function: 3_2_00007FFD9BB0520B push es; retf 3_2_00007FFD9BB0520C
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe | Code function: 3_2_00007FFD9BB051FB push es; retf 3_2_00007FFD9BB051FC
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe | Code function: 3_2_00007FFD9BB051EB push es; retf 3_2_00007FFD9BB051EC
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe | Code function: 3_2_00007FFD9BB054D3 push ss; retf 3_2_00007FFD9BB054D4
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe | Code function: 3_2_00007FFD9BB054C3 push ss; retf 3_2_00007FFD9BB054C4
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe | Code function: 3_2_00007FFD9BB054B2 push ss; retf 3_2_00007FFD9BB054B4
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe | Code function: 3_2_00007FFD9BB054A3 push ss; retf 3_2_00007FFD9BB054A4
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe | Code function: 3_2_00007FFD9BCE2321 push edx; retf 5F13h 3_2_00007FFD9BCE5A3B
Source: C:\Users\user\Desktop\ppZrIGFA6W.exe | File created: C:\Users\user\AppData\Roaming\SubDir\msbook.exe
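The static PE lines above (COM descriptor data directory, .text larger than 0x100000, file size over 1 MiB, DllCharacteristics flags, .text section flags) come straight from the PE headers. The following header parser, added here as an example and not part of the Joe Sandbox report, reproduces those lines. The image it parses is a constructed, headers-only PE32 whose section sizes, section flags, DllCharacteristics and reported file size mirror the report's values; the image base, entry point and CLR header RVA are made-up filler.

```python
"""Reproduce the report's static PE lines (COM descriptor directory, .text
size, DllCharacteristics, section flags) with a header parser.  Added example
for this page, not the sandbox's own code.  The image below is a constructed,
headers-only PE32 whose sizes and flags mirror the report's entries; the
entry point, image base and CLR header RVA are made-up values."""
import struct

DIRECTORY_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY",
                   "BASERELOC", "DEBUG", "ARCHITECTURE", "GLOBALPTR", "TLS",
                   "LOAD_CONFIG", "BOUND_IMPORT", "IAT", "DELAY_IMPORT",
                   "COM_DESCRIPTOR", "RESERVED"]

DLL_CHARACTERISTICS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE",
                       0x0080: "FORCE_INTEGRITY", 0x0100: "NX_COMPAT",
                       0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
                       0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER",
                       0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}

SECTION_FLAGS = {0x00000020: "IMAGE_SCN_CNT_CODE",
                 0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
                 0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
                 0x20000000: "IMAGE_SCN_MEM_EXECUTE",
                 0x40000000: "IMAGE_SCN_MEM_READ",
                 0x80000000: "IMAGE_SCN_MEM_WRITE"}


def flag_names(value: int, table: dict) -> list:
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF -> optional header -> sections."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    dll_chars = struct.unpack_from("<H", data, opt + 0x46)[0]  # same offset in PE32 and PE32+
    ndirs = struct.unpack_from("<I", data, opt + (0x6C if pe32plus else 0x5C))[0]
    dir_base = opt + (0x70 if pe32plus else 0x60)
    directories = {}
    for i, name in enumerate(DIRECTORY_NAMES[:ndirs]):
        rva, size = struct.unpack_from("<II", data, dir_base + 8 * i)
        if rva or size:
            directories[name] = (rva, size)
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, sflags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rawsize, "raw_pointer": rawptr,
                         "flags": flag_names(sflags, SECTION_FLAGS)})
    return {"machine": machine, "pe32plus": pe32plus, "characteristics": chars,
            "dll_characteristics": flag_names(dll_chars, DLL_CHARACTERISTICS),
            "directories": directories, "sections": sections}


def static_signals(pe: dict, file_size: int, big: int = 0x100000) -> list:
    """The same heuristics the report prints, computed over a parsed header."""
    out = []
    if "COM_DESCRIPTOR" in pe["directories"]:
        out.append("data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (managed .NET image)")
    if file_size > big:
        out.append(f"File size {file_size} > {big}")
    for s in pe["sections"]:
        if s["name"] == ".text":
            out.append("Section: .text " + ", ".join(s["flags"]))
            if s["virtual_size"] > big:
                out.append(f"Virtual size of .text is bigger than: {big:#x}")
            if s["raw_size"] > big:
                out.append(f"Raw size of .text is bigger than: {big:#x} < {s['raw_size']:#x}")
    out.append(", ".join(pe["dll_characteristics"]))
    return out


def build_sample_pe() -> bytes:
    """Headers-only PE32 (constructed): one .text section, CLR header present."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section, EXE
    std = struct.pack("<HBBIIIIII", 0x10B, 48, 0, 0x31C600, 0x600, 0, 0x31E8DE, 0x2000, 0x320000)
    win = struct.pack("<IIIHHHHHHIIIIHHIIIIII",
                      0x400000, 0x2000, 0x200,      # ImageBase, SectionAlignment, FileAlignment
                      4, 0, 0, 0, 6, 0,             # OS / image / subsystem versions
                      0, 0x322000, 0x200, 0,        # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                      2, 0x8540,                    # Subsystem GUI; DYNAMIC_BASE|NX_COMPAT|NO_SEH|TS_AWARE
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[14] = (0x2008, 0x48)                        # COM_DESCRIPTOR: the 72-byte CLR header
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x31C600, 0x2000, 0x31C600, 0x200,
                       0, 0, 0, 0, 0x60000020)       # CNT_CODE | MEM_EXECUTE | MEM_READ
    return dos + b"PE\0\0" + coff + std + win + b"".join(struct.pack("<II", *d) for d in dirs) + text


if __name__ == "__main__":
    parsed = parse_pe(build_sample_pe())
    for line in static_signals(parsed, file_size=3266048):   # the report's on-disk size
        print(line)
```

Pointing `parse_pe` at the real sample (`parse_pe(open(path, "rb").read())`) gives the same signals; a present COM_DESCRIPTOR entry is the reliable way to tell that a file is a managed .NET image before reaching for a decompiler, and a .text section several MiB in size in such an image usually means embedded resources or a packed payload rather than that much IL.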

Boot Survival

Source: C:\Users\user\Desktop\ppZrIGFA6W.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "MicroSoft" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\msbook.exe" /rl HIGHEST /f
Source: C:\Users\user\Desktop\ppZrIGFA6W.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicroSoft (2 events)
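The two entries above are the sample's persistence pair: a scheduled task and an HKCU Run value, both named "MicroSoft", both launching the dropped msbook.exe from %APPDATA%. The following hunt logic, added here as an example and not part of the Joe Sandbox report, parses process-creation and registry telemetry for that pattern and correlates the two. The event records are constructed to mirror the report's entries; the Run value's data is an assumption (the report shows only the value name), and the two benign control events are invented.

```python
"""Hunt for the persistence pair recorded in the entries above: a scheduled
task and an HKCU Run value, both named "MicroSoft", launching a binary the
sample dropped under %APPDATA%.  Added example for this page; it is not code
from the Joe Sandbox report or from the sample.  The event records below are
constructed to mirror the report's entries; the Run value data is assumed,
since the report shows only the value name."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Directories an unprivileged user can write to.  A persistence target here
# is a far stronger signal than one under Program Files or System32.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\",
                 "\\users\\public\\", "\\desktop\\", "\\downloads\\")


def user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def split_cmdline(cmd: str) -> list:
    """Windows-style split: a double-quoted run is one token, quotes dropped."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def parse_schtasks(cmd: str) -> Optional[dict]:
    """Return the /tn /sc /tr /rl /f arguments of a 'schtasks /create' line."""
    toks = split_cmdline(cmd)
    if not toks or toks[0].lower().rsplit("\\", 1)[-1] not in ("schtasks", "schtasks.exe"):
        return None
    opts = {"create": False, "force": False}
    i = 1
    while i < len(toks):
        t = toks[i].lower()
        if t == "/create":
            opts["create"] = True
        elif t == "/f":
            opts["force"] = True
        elif t in ("/tn", "/sc", "/tr", "/rl") and i + 1 < len(toks):
            opts[t[1:]] = toks[i + 1]
            i += 1
        i += 1
    return opts if opts["create"] else None


@dataclass
class Finding:
    name: str       # task name or Run value name
    kind: str       # "task" or "run"
    target: str     # executable the persistence launches
    reasons: list = field(default_factory=list)


def check_process(ev: dict) -> Optional[Finding]:
    opts = parse_schtasks(ev["cmdline"])
    if not opts or "tr" not in opts or not user_writable(opts["tr"]):
        return None
    reasons = ["task runs a binary from a user-writable directory"]
    if opts.get("sc", "").upper() == "ONLOGON":
        reasons.append("ONLOGON trigger: re-launches at every logon")
    if opts.get("rl", "").upper() == "HIGHEST":
        reasons.append("/rl HIGHEST: runs at the highest integrity level the user holds")
    if opts["force"]:
        reasons.append("/f: silently overwrites an existing task of the same name")
    if user_writable(ev["parent"]):
        reasons.append("schtasks spawned from a user-writable directory")
    return Finding(opts.get("tn", "?"), "task", opts["tr"], reasons)


def check_registry(ev: dict) -> Optional[Finding]:
    if not ev["key"].lower().endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
        return None
    toks = split_cmdline(ev["data"])
    target = toks[0] if toks else ""
    if not user_writable(target):
        return None
    return Finding(ev["value"], "run", target, ["Run value points into a user-writable directory"])


def hunt(events: list) -> list:
    findings = [f for f in (check_process(e) if e["type"] == "process" else check_registry(e)
                            for e in events) if f]
    by_target = {}
    for f in findings:
        by_target.setdefault(f.target.lower(), []).append(f)
    for group in by_target.values():
        if {f.kind for f in group} == {"task", "run"}:
            for f in group:
                f.reasons.append("same binary persisted through both a scheduled task and a Run value")
    return findings


# Constructed telemetry mirroring the report; the last two are benign controls.
EVENTS = [
    {"type": "process", "parent": r"C:\Users\user\Desktop\ppZrIGFA6W.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"schtasks" /create /tn "MicroSoft" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\msbook.exe" /rl HIGHEST /f'},
    {"type": "registry", "key": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "MicroSoft", "data": r"C:\Users\user\AppData\Roaming\SubDir\msbook.exe"},  # data assumed
    {"type": "process", "parent": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "VendorUpdate" /sc DAILY /tr "C:\Program Files\Vendor\update.exe" /f'},
    {"type": "registry", "key": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "SecurityHealth", "data": r"C:\Windows\System32\SecurityHealthSystray.exe"},
]

if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"[{f.kind}] {f.name} -> {f.target}")
        for r in f.reasons:
            print("   ", r)
```

The user-writable-directory test alone is noisy in practice: per-user installers such as OneDrive or Teams legitimately register Run values under AppData\Local, so a production rule needs an allowlist keyed on signer or hash. What separates this sample is the combination: ONLOGON plus /rl HIGHEST plus /f, the same binary registered twice, and a task name that imitates a vendor ("MicroSoft").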

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\ppZrIGFA6W.exe | File opened: C:\Users\user\Desktop\ppZrIGFA6W.exe:Zone.Identifier (access: read attributes | delete)
Source: C:\Users\user\Desktop\ppZrIGFA6W.exe | File opened: C:\Users\user\AppData\Roaming\SubDir\msbook.exe:Zone.Identifier (access: read attributes | delete)
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe | File opened: C:\Users\user\AppData\Roaming\SubDir\msbook.exe:Zone.Identifier (access: read attributes | delete)
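The three opens above target the Zone.Identifier alternate data stream of the sample and of the dropped copy with delete access, which is what removing the Mark-of-the-Web looks like from the file API. The following checker, added here as an example and not part of the Joe Sandbox report or of the sample, parses that stream and reports what its presence or absence means. The stream content is constructed in the documented [ZoneTransfer] format (the URLs are placeholders); the file paths are the ones the report lists.

```python
"""What the three Zone.Identifier opens above remove: the Mark-of-the-Web
alternate data stream.  Added example for this page, not code from the Joe
Sandbox report or from the sample.  The stream text is constructed in the
documented [ZoneTransfer] format; the paths are the ones the report lists."""
import os
from typing import Optional

# URLSECURITYZONE values that appear in the ZoneId line.
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

# Constructed: what a browser writes next to a download.  ReferrerUrl and
# HostUrl are optional and only present on newer Windows builds.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/downloads/\r\n"
    "HostUrl=https://example.invalid/downloads/ppZrIGFA6W.exe\r\n"
)


def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style stream; returns {} if no [ZoneTransfer] section."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "zonetransfer" and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    if "ZoneId" in out:
        out["ZoneId"] = int(out["ZoneId"])
        out["ZoneName"] = ZONES.get(out["ZoneId"], "Unknown")
    return out


def read_motw(path: str) -> Optional[dict]:
    """Read path:Zone.Identifier on NTFS.  None means the stream is absent:
    the file was never tagged, or the tag was deleted, as this sample does for
    both its own image and the dropped msbook.exe.  Off Windows the ':' is an
    ordinary filename character, so the stream lookup is skipped."""
    if os.name != "nt":
        return None
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


def assess(zone: Optional[dict]) -> str:
    """Summarise what the stream (or its absence) means for SmartScreen and
    Office Protected View, which key on the Internet / Restricted zones."""
    if zone is None or "ZoneId" not in zone:
        return "untagged: no Mark-of-the-Web, so no SmartScreen prompt or Protected View"
    if zone["ZoneId"] in (3, 4):
        return f"tagged {zone['ZoneName']} (ZoneId={zone['ZoneId']}): MOTW protections apply"
    return f"tagged {zone['ZoneName']} (ZoneId={zone['ZoneId']}): treated as local"


if __name__ == "__main__":
    print(assess(parse_zone_identifier(SAMPLE_STREAM)))
    for p in (r"C:\Users\user\Desktop\ppZrIGFA6W.exe",
              r"C:\Users\user\AppData\Roaming\SubDir\msbook.exe"):
        print(p, "->", assess(read_motw(p)))
```

On a live host, a downloaded executable whose Zone.Identifier stream is missing while the browser history shows the download is itself an indicator; the report's entries show the sample stripping the mark from its own image before dropping and launching the copy.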
Source: C:\Users\user\Desktop\ppZrIGFA6W.exe | Process information set: NOOPENFILEERRORBOX (38 events)
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\ppZrIGFA6W.exe; Memory allocated: EB0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ppZrIGFA6W.exe; Memory allocated: 1AA90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe; Memory allocated: 1690000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe; Memory allocated: 1B090000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe; Memory allocated: FE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe; Memory allocated: 1AAB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe; Memory allocated: 1560000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe; Memory allocated: 1B1A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ppZrIGFA6W.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe; Window / User API: threadDelayed 7895
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe; Window / User API: threadDelayed 1963
Source: C:\Users\user\Desktop\ppZrIGFA6W.exe TID: 7408; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe TID: 7616; Thread sleep count: 31 > 30
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe TID: 7616; Thread sleep time: -28592453314249787s >= -30000s
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe TID: 7628; Thread sleep count: 7895 > 30
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe TID: 7628; Thread sleep count: 1963 > 30
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe TID: 7704; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe TID: 8000; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Users\user\Desktop\ppZrIGFA6W.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe; Thread delayed: delay time: 922337203685477
Source: msbook.exe, 00000003.00000002.4217968255.000000001BAC4000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllvX.
Source: C:\Users\user\Desktop\ppZrIGFA6W.exe; Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\ppZrIGFA6W.exe; Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\ppZrIGFA6W.exe; Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "MicroSoft" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\msbook.exe" /rl HIGHEST /f
Source: C:\Users\user\Desktop\ppZrIGFA6W.exe; Process created: C:\Users\user\AppData\Roaming\SubDir\msbook.exe "C:\Users\user\AppData\Roaming\SubDir\msbook.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe; Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "MicroSoft" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\msbook.exe" /rl HIGHEST /f
Source: msbook.exe, 00000003.00000002.4210746779.0000000003442000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: <style>.h { color: 0000ff; display: inline; }</style><p class="h"><br><br>[<b>Program Manager - 21:33 UTC</b>]</p><br><p class="
Source: msbook.exe, 00000003.00000002.4210746779.0000000003442000.00000004.00000800.00020000.00000000.sdmp, msbook.exe, 00000003.00000002.4210746779.000000000342F000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program Manager
Source: msbook.exe, 00000003.00000002.4210746779.0000000003442000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: [<p class="h"><br><br>[<b>Program Manager - 21:33 UTC</b>]</p><br><p class="h">[Win + R]</p>
Source: msbook.exe, 00000003.00000002.4210746779.0000000003442000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: <meta http-equiv='Content-Type' content='text/html; charset=utf-8' />Log created on Saturday, 15 February 2025 21:36 UTC<br><br><style>.h { color: 0000ff; display: inline; }</style><p class="h"><br><br>[<b>Program Manager - 21:33 UTC</b>]</p><br><p class="h">[Win + R]</p>@
Source: msbook.exe, 00000003.00000002.4210746779.0000000003442000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: A<p class="h"><br><br>[<b>Program Manager - 21:33 UTC</b>]</p><br>
Source: msbook.exe, 00000003.00000002.4210746779.000000000342F000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program Manager2y
Source: msbook.exe, 00000003.00000002.4210746779.0000000003442000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 1><br>[<b>Program Manager - 21:33 UTC</b>]</p><br>
Source: msbook.exe, 00000003.00000002.4210746779.0000000003442000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: <meta http-equiv='Content-Type' content='text/html; charset=utf-8' />Log created on Saturday, 15 February 2025 21:36 UTC<br><br><style>.h { color: 0000ff; display: inline; }</style><p class="h"><br><br>[<b>Program Manager - 21:33 UTC</b>]</p><br><p class="h">[Win + R]</p>
Source: C:\Users\user\Desktop\ppZrIGFA6W.exe; Queries volume information: C:\Users\user\Desktop\ppZrIGFA6W.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe; Queries volume information: C:\Users\user\AppData\Roaming\SubDir\msbook.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe; Queries volume information: C:\Users\user\AppData\Roaming\SubDir\msbook.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe; Queries volume information: C:\Users\user\AppData\Roaming\SubDir\msbook.exe VolumeInformation
Source: C:\Users\user\Desktop\ppZrIGFA6W.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

Source: Yara match; File source: ppZrIGFA6W.exe, type: SAMPLE
Source: Yara match; File source: 0.0.ppZrIGFA6W.exe.460000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.1755254471.0000000000780000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.4210746779.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.1754872269.0000000000462000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: ppZrIGFA6W.exe PID: 7388, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: msbook.exe PID: 7512, type: MEMORYSTR
Source: Yara match; File source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe, type: DROPPED

                  Remote Access Functionality

Source: Yara match; File source: ppZrIGFA6W.exe, type: SAMPLE
Source: Yara match; File source: 0.0.ppZrIGFA6W.exe.460000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.1755254471.0000000000780000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.4210746779.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.1754872269.0000000000462000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: ppZrIGFA6W.exe PID: 7388, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: msbook.exe PID: 7512, type: MEMORYSTR
Source: Yara match; File source: C:\Users\user\AppData\Roaming\SubDir\msbook.exe, type: DROPPED
MITRE ATT&CK Matrix

One line per tactic; the techniques listed are the cells of the report's matrix, and a leading number is the count the report shows for that technique.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 21 Windows Management Instrumentation; 2 Command and Scripting Interpreter; 1 Scheduled Task/Job; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 1 Scheduled Task/Job; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 12 Process Injection; 1 Scheduled Task/Job; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 41 Virtualization/Sandbox Evasion; 12 Process Injection; 1 Hidden Files and Directories; 1 Obfuscated Files or Information; 1 DLL Side-Loading
Credential Access: 11 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 111 Security Software Discovery; 1 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; 23 System Information Discovery; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 11 Input Capture; 1 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 11 Encrypted Channel; 1 Non-Standard Port; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph

Behavior Graph ID: 1615990; Sample: ppZrIGFA6W.exe; Start date: 15/02/2025; Architecture: WINDOWS; Score: 100

Start node:
  DNS/IP: wqo9.firewall-gateway.de; bz-frnd1.ydns.eu; ipwho.is
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 5 other signatures
  Processes started: ppZrIGFA6W.exe (node 9); msbook.exe (node 13); msbook.exe (node 15)

ppZrIGFA6W.exe (node 9):
  Dropped files: C:\Users\user\AppData\Roaming\...\msbook.exe, PE32; C:\Users\user\AppData\...\ppZrIGFA6W.exe.log, CSV
  Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Hides that the sample has been downloaded from the Internet (zone.identifier)
  Processes started: msbook.exe (node 17); schtasks.exe (node 21)

msbook.exe (node 17):
  DNS/IP: bz-frnd1.ydns.eu 195.211.190.227, 2484, 49738, PITLINE-ASUA, Ukraine; wqo9.firewall-gateway.de 94.6.68.101, 49731, 9792, BSKYB-BROADBAND-ASGB, United Kingdom; ipwho.is 195.201.57.90, 443, 49739, HETZNER-ASDE, Germany
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Hides that the sample has been downloaded from the Internet (zone.identifier); Installs a global keyboard hook
  Processes started: schtasks.exe (node 23)

schtasks.exe (node 21): started conhost.exe (node 25)
schtasks.exe (node 23): started conhost.exe (node 27)
